Analysis
max time kernel: 51s
max time network: 20s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 19/11/2024, 18:03
Behavioral task behavioral1
Sample: ad2c72741ab5a48c972044bdd796252c588da256b5fc8c7196541dafb0bce2b5.exe
Resource: win7-20240729-en

Behavioral task behavioral2
Sample: ad2c72741ab5a48c972044bdd796252c588da256b5fc8c7196541dafb0bce2b5.exe
Resource: win10v2004-20241007-en

The signature details below come from the Windows 7 x64 run (behavioral1).
General
Target: ad2c72741ab5a48c972044bdd796252c588da256b5fc8c7196541dafb0bce2b5.exe
Size: 121KB
MD5: 1343c85c7251debfb9f9540a7ff10bcc
SHA1: 67ae7cb34f0b447f43b1a0587f0966f5dac0cf9c
SHA256: ad2c72741ab5a48c972044bdd796252c588da256b5fc8c7196541dafb0bce2b5
SHA512: de6ece9534f892bb87f246bb0d49b10d64b300b14bb25275f68b6cca54552a10ac4163c4cd2a2b1f2984b80c54aac6e5d990d19a0341b2f92e90d4a2d5d6274d
SSDEEP: 3072:IXwftBwi6ve2sik//TvnR1MvhO7AJnD5tvN:I/a2W7nROvhOarvN
Malware Config
Extracted family: berbew
C2 URLs:
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
The third URL is a printf-style template: the %s, %i, %09u and %02d fields are filled in by the implant at run time, so the literal string never appears on the wire and is useless as an exact-match indicator. The path names (wcmd.htm, ppslog.php, piplog.php) and the colon-separated field layout are the stable parts; the host is shown in the extracted configuration only as "f".
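As an added example (my code, not the sandbox's report output or the malware's), the script below turns the three templates into a proxy-log matcher. Each printf conversion becomes a regex fragment (%s one colon-free field, %09u at least nine digits, %02d at least two digits, %i a signed integer); scheme and host are ignored because the configuration shows the host only as "f". The proxy log format and the request lines are constructed for the demonstration and are not from the report.

```python
import re
from urllib.parse import urlsplit

# C2 URL templates copied from the "Malware Config" section of this report.
# The host is shown there only as "f"; the matcher ignores scheme and host and
# keys on the path and the colon-separated query layout instead.
BERBEW_URL_TEMPLATES = [
    "http://f/wcmd.htm",
    "http://f/ppslog.php",
    "http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d",
]

# printf-style conversion: optional zero-padded minimum width, then s/i/d/u.
_SPEC = re.compile(r"%(0?\d*)([sidu])")


def template_to_regex(template: str) -> re.Pattern:
    """Compile a printf-style beacon template into a regex over path+query."""
    parts = urlsplit(template)
    shape = parts.path + ("?" + parts.query if parts.query else "")
    pieces, pos = ["^"], 0
    for m in _SPEC.finditer(shape):
        pieces.append(re.escape(shape[pos:m.start()]))   # literal text between fields
        width, conv = m.group(1), m.group(2)
        min_digits = int(width) if width else 1
        if conv == "s":
            pieces.append(r"[^:?&\s]+")        # one colon-delimited text field
        elif conv == "u":
            pieces.append(r"\d{%d,}" % min_digits)
        else:                                  # %i / %d may carry a sign
            pieces.append(r"-?\d{%d,}" % min_digits)
        pos = m.end()
    pieces.append(re.escape(shape[pos:]))
    pieces.append("$")
    return re.compile("".join(pieces))


BEACON_PATTERNS = [(t, template_to_regex(t)) for t in BERBEW_URL_TEMPLATES]


def match_beacon(url: str):
    """Return the template a request URL matches, or None."""
    parts = urlsplit(url)
    shape = parts.path + ("?" + parts.query if parts.query else "")
    for template, rx in BEACON_PATTERNS:
        if rx.match(shape):
            return template
    return None


# Constructed proxy log lines for the demo (not from the report):
# "<timestamp> <client ip> <method> <url> <status>".
SAMPLE_PROXY_LOG = """\
2024-11-19T18:03:11Z 10.0.0.7 GET http://203.0.113.9/piplog.php?WIN7PC:1:0:ad2c7274:000004711:5:18:03:11 200
2024-11-19T18:03:12Z 10.0.0.7 GET http://203.0.113.9/wcmd.htm 404
2024-11-19T18:03:13Z 10.0.0.8 GET http://www.example.com/index.php?id=3 200
2024-11-19T18:03:14Z 10.0.0.9 POST http://203.0.113.9/ppslog.php 200
2024-11-19T18:03:15Z 10.0.0.7 GET http://203.0.113.9/piplog.php?onlytwo:fields 200
"""


def find_beacons(log_text: str) -> list:
    """Scan proxy log lines; return (client, host, template) for each hit."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        client, url = fields[1], fields[3]
        template = match_beacon(url)
        if template:
            hits.append((client, urlsplit(url).hostname, template))
    return hits


if __name__ == "__main__":
    for client, host, template in find_beacons(SAMPLE_PROXY_LOG):
        print(f"{client} -> {host} matches {template}")
```

Because the template requires exactly nine colon-separated fields with the right digit widths, a request with the right path but the wrong layout (the last constructed line) is not reported, which keeps the matcher from firing on any unrelated piplog.php.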
Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
The mechanism is ShellServiceObjectDelayLoad (SSODL): each value under HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad names a CLSID that explorer.exe instantiates when the shell starts, so the in-process COM server registered for that CLSID runs inside explorer.exe at every logon. The sample writes the value "Web Event Logger" = "{79FAA099-1BAE-816E-D711-115290CEE717}"; the matching CLSID registration appears under "Modifies registry class" below. The key lands under Wow6432Node because the sample is a 32-bit process and WoW64 registry redirection sends its HKLM\Software writes to that view; when hunting on 64-bit hosts, read both the native view and the Wow6432Node view. "Process not Found" is the sandbox's label for an event it could not attribute to a process that was still alive when the event was recorded.

All 64 entries touch the same key. Key created: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad. Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}".

Key created (35 entries), by process, in the order listed: Dkekmp32.exe, Phckglbq.exe, Ahlnmjkf.exe, Ccloea32.exe, Poddphee.exe, Process not Found, Fdaephpc.exe, Obakli32.exe, Process not Found, Process not Found, Cfaaalep.exe, Ekeiel32.exe, Pjhaec32.exe, Oakcan32.exe, Process not Found, Hjhlnahk.exe, Bjgbmoda.exe, Ilceog32.exe, Mpoppadq.exe, Cakfcfoc.exe, Degobhjg.exe, Lckpbm32.exe, Epgoio32.exe, Process not Found, Oepghe32.exe, Hndaao32.exe, Boifinfg.exe, Jblbpnhk.exe, Cbpcbo32.exe, Pjpicfdb.exe, Nqdaal32.exe, Process not Found, Process not Found, Ppbkoabf.exe, Hfbckagm.exe

Set value (str) (29 entries), by process, in the order listed: Pikaqppk.exe, Odmgnl32.exe, Peaibajp.exe, Ppqqbjkm.exe, Process not Found, Mcekkkmc.exe, Process not Found, Process not Found, Process not Found, Process not Found, Ajaagi32.exe, Alqplmlb.exe, Pbaide32.exe, Process not Found, Ncbkenba.exe, Process not Found, Process not Found, Lojjfo32.exe, Onfadc32.exe, Process not Found, Process not Found, Lkffohon.exe, Lamkllea.exe, Process not Found, Imkeneja.exe, Lelljepm.exe, Process not Found, Process not Found, Edkahbmo.exe
Berbew family
Executes dropped EXE (64 IoCs)
Every dropped executable has an 8-character base name with a capital initial (either 7 more lowercase letters, or 5 lowercase letters followed by "32"), and the initials advance alphabetically through the list (I, J, K, L, M, N, O). That ordering matches the linear spawn chain under "Suspicious use of WriteProcessMemory" below, where each dropped EXE launches the next one.

pid | Process
2524 | Ifhgcgjq.exe
2932 | Iiipeb32.exe
2952 | Ieppjclf.exe
2896 | Ikmibjkm.exe
2752 | Imkeneja.exe
2476 | Idgjqook.exe
3028 | Jidbifmb.exe
1340 | Jnpoie32.exe
2092 | Jkdoci32.exe
3036 | Jdlclo32.exe
2756 | Jjilde32.exe
1264 | Jgmlmj32.exe
236 | Jljeeqfn.exe
1504 | Jfbinf32.exe
2052 | Jllakpdk.exe
2096 | Khcbpa32.exe
2408 | Komjmk32.exe
828 | Kghoan32.exe
1880 | Kkckblgq.exe
1536 | Kbncof32.exe
1624 | Kdlpkb32.exe
2156 | Kbppdfmk.exe
2392 | Kqemeb32.exe
2328 | Lmlnjcgg.exe
2836 | Lojjfo32.exe
2132 | Lbkchj32.exe
1568 | Ljbkig32.exe
2736 | Lckpbm32.exe
2712 | Lelljepm.exe
2728 | Lfkhch32.exe
2224 | Lgmekpmn.exe
948 | Milaecdp.exe
1392 | Mnijnjbh.exe
2136 | Mecbjd32.exe
3048 | Mlmjgnaa.exe
2908 | Majcoepi.exe
2100 | Mchokq32.exe
1132 | Mpoppadq.exe
1616 | Mfihml32.exe
2024 | Mbpibm32.exe
2240 | Mjgqcj32.exe
628 | Ndoelpid.exe
944 | Nepach32.exe
2108 | Nmgjee32.exe
2504 | Npffaq32.exe
1628 | Nebnigmp.exe
2368 | Nokcbm32.exe
1668 | Naionh32.exe
2880 | Niqgof32.exe
2936 | Nlocka32.exe
3068 | Nbilhkig.exe
2720 | Ndjhpcoe.exe
2744 | Noplmlok.exe
2424 | Nanhihno.exe
2492 | Ngkaaolf.exe
3000 | Okfmbm32.exe
2460 | Opcejd32.exe
2440 | Ogmngn32.exe
1096 | Omgfdhbq.exe
492 | Odanqb32.exe
776 | Okkfmmqj.exe
1552 | Omjbihpn.exe
2648 | Odckfb32.exe
1816 | Oeegnj32.exe
Loads dropped DLL (64 IoCs)
Each process appears twice in the original list; the entries column preserves that.

pid | Process | entries
2776 | ad2c72741ab5a48c972044bdd796252c588da256b5fc8c7196541dafb0bce2b5.exe | 2
2524 | Ifhgcgjq.exe | 2
2932 | Iiipeb32.exe | 2
2952 | Ieppjclf.exe | 2
2896 | Ikmibjkm.exe | 2
2752 | Imkeneja.exe | 2
2476 | Idgjqook.exe | 2
3028 | Jidbifmb.exe | 2
1340 | Jnpoie32.exe | 2
2092 | Jkdoci32.exe | 2
3036 | Jdlclo32.exe | 2
2756 | Jjilde32.exe | 2
1264 | Jgmlmj32.exe | 2
236 | Jljeeqfn.exe | 2
1504 | Jfbinf32.exe | 2
2052 | Jllakpdk.exe | 2
2096 | Khcbpa32.exe | 2
2408 | Komjmk32.exe | 2
828 | Kghoan32.exe | 2
1880 | Kkckblgq.exe | 2
1536 | Kbncof32.exe | 2
1624 | Kdlpkb32.exe | 2
2156 | Kbppdfmk.exe | 2
2392 | Kqemeb32.exe | 2
2328 | Lmlnjcgg.exe | 2
2836 | Lojjfo32.exe | 2
2132 | Lbkchj32.exe | 2
1568 | Ljbkig32.exe | 2
2736 | Lckpbm32.exe | 2
2712 | Lelljepm.exe | 2
2728 | Lfkhch32.exe | 2
2224 | Lgmekpmn.exe | 2
Drops file in System32 directory (64 IoCs)
All paths are under C:\Windows\SysWOW64, which is the System32 directory as seen by a 32-bit process. The .dll files are the in-process COM servers registered under the CLSID listed in "Modifies registry class" below (for example Ahlghold.dll is created by Boifinfg.exe and set as the InProcServer32 by the same process); the .exe files are the next links in the spawn chain (for example Komjmk32.exe creates Kghoan32.exe, the process that follows it in "Executes dropped EXE").

description | ioc | Process
File created | C:\Windows\SysWOW64\Mqefea32.dll | Bpfgke32.exe
File opened for modification | C:\Windows\SysWOW64\Gknfaehi.exe | Ggbjag32.exe
File opened for modification | C:\Windows\SysWOW64\Mfchgflg.exe | Mcekkkmc.exe
File created | C:\Windows\SysWOW64\Mckpba32.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Fnelmb32.exe | Fkgpaf32.exe
File opened for modification | C:\Windows\SysWOW64\Lmfjcajl.exe | Ljhngfkh.exe
File opened for modification | C:\Windows\SysWOW64\Aaogbh32.exe | Aoakfl32.exe
File opened for modification | C:\Windows\SysWOW64\Lnmfpnqn.exe | Lkoidcaj.exe
File created | C:\Windows\SysWOW64\Mkljhe32.dll | Process not Found
File opened for modification | C:\Windows\SysWOW64\Odckfb32.exe | Omjbihpn.exe
File created | C:\Windows\SysWOW64\Febmfcjj.exe | Process not Found
File created | C:\Windows\SysWOW64\Jelcgfbk.dll | Process not Found
File created | C:\Windows\SysWOW64\Nmkklflj.exe | Process not Found
File created | C:\Windows\SysWOW64\Kghoan32.exe | Komjmk32.exe
File created | C:\Windows\SysWOW64\Cfbhlb32.exe | Chohqebq.exe
File opened for modification | C:\Windows\SysWOW64\Hehconob.exe | Hjcoaeol.exe
File opened for modification | C:\Windows\SysWOW64\Opbopn32.exe | Omdbdb32.exe
File opened for modification | C:\Windows\SysWOW64\Icjmpd32.exe | Ilceog32.exe
File created | C:\Windows\SysWOW64\Lgbdpena.exe | Lphlck32.exe
File created | C:\Windows\SysWOW64\Nffhad32.dll | Pmjaadjm.exe
File created | C:\Windows\SysWOW64\Khdgabih.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Cjikaa32.exe | Chkoef32.exe
File created | C:\Windows\SysWOW64\Ahlghold.dll | Boifinfg.exe
File created | C:\Windows\SysWOW64\Oenmkngi.exe | Obopobhe.exe
File opened for modification | C:\Windows\SysWOW64\Jpigonhd.exe | Jaffca32.exe
File created | C:\Windows\SysWOW64\Bojcalcl.dll | Cpcpjbah.exe
File opened for modification | C:\Windows\SysWOW64\Fkmfpabp.exe | Fdcncg32.exe
File created | C:\Windows\SysWOW64\Gobhkhgi.dll | Oenmkngi.exe
File created | C:\Windows\SysWOW64\Ldhpen32.dll | Process not Found
File created | C:\Windows\SysWOW64\Kpkocpjj.exe | Process not Found
File created | C:\Windows\SysWOW64\Ejhhcdjm.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Cejfckie.exe | Cnpnga32.exe
File opened for modification | C:\Windows\SysWOW64\Oepghe32.exe | Obakli32.exe
File created | C:\Windows\SysWOW64\Fopjnd32.dll | Cakfcfoc.exe
File created | C:\Windows\SysWOW64\Glgpqf32.dll | Fkocfa32.exe
File created | C:\Windows\SysWOW64\Difikhen.dll | Process not Found
File created | C:\Windows\SysWOW64\Kanhdp32.dll | Kgjelg32.exe
File created | C:\Windows\SysWOW64\Lglnajjb.exe | Lqbfdp32.exe
File created | C:\Windows\SysWOW64\Mdcadn32.dll | Bokcom32.exe
File created | C:\Windows\SysWOW64\Lelnjj32.dll | Process not Found
File created | C:\Windows\SysWOW64\Edhkpcdb.exe | Emncci32.exe
File created | C:\Windows\SysWOW64\Lnipgp32.exe | Lkkckdhm.exe
File opened for modification | C:\Windows\SysWOW64\Ekeiel32.exe | Edkahbmo.exe
File opened for modification | C:\Windows\SysWOW64\Mjgclcjh.exe | Mgigpgkd.exe
File created | C:\Windows\SysWOW64\Mlnccahb.dll | Fldbnb32.exe
File opened for modification | C:\Windows\SysWOW64\Gfhikl32.exe | Gcimop32.exe
File created | C:\Windows\SysWOW64\Pikaqppk.exe | Pjhaec32.exe
File created | C:\Windows\SysWOW64\Jgqmmiph.dll | Process not Found
File created | C:\Windows\SysWOW64\Fkecpl32.dll | Process not Found
File opened for modification | C:\Windows\SysWOW64\Gednek32.exe | Gbeaip32.exe
File created | C:\Windows\SysWOW64\Dqffpm32.dll | Memncbmj.exe
File created | C:\Windows\SysWOW64\Elcpdeam.exe | Eidchjbi.exe
File created | C:\Windows\SysWOW64\Eiajmgka.dll | Process not Found
File created | C:\Windows\SysWOW64\Okcnkb32.dll | Aalaoipc.exe
File created | C:\Windows\SysWOW64\Dmcgik32.exe | Dkekmp32.exe
File opened for modification | C:\Windows\SysWOW64\Fjcfco32.exe | Fbloba32.exe
File opened for modification | C:\Windows\SysWOW64\Oaiglnih.exe | Ollncgjq.exe
File opened for modification | C:\Windows\SysWOW64\Pjhaec32.exe | Pbaide32.exe
File created | C:\Windows\SysWOW64\Aoecelol.dll | Bfpkfb32.exe
File created | C:\Windows\SysWOW64\Jbgbjh32.exe | Process not Found
File created | C:\Windows\SysWOW64\Fabcfg32.dll | Fnplgl32.exe
File created | C:\Windows\SysWOW64\Hkcbgbdo.dll | Cnjbfhqa.exe
File created | C:\Windows\SysWOW64\Gmkaphmi.dll | Process not Found
File created | C:\Windows\SysWOW64\Gppoqa32.dll | Nbinad32.exe
Program crash (1 IoC)
pid | pid_target | Process | procid_target
5528 | 5020 | Process not Found | 1442
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host. The key read is HKLM\SYSTEM\ControlSet001\Control\NLS\Language. Ordinary locale lookups open the same key, so a great deal of benign software triggers this signature and it carries little weight on its own; what is notable here is that nearly every process in the drop chain does it.

All 64 entries are "Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language". Processes, in the order listed: Imkeneja.exe, Jidbifmb.exe, Khcbpa32.exe, Oibpdico.exe, Jgbolhoa.exe, Dadehh32.exe, Fgfckbfa.exe, Bjgdfg32.exe, Hbepplkh.exe, Kekkkm32.exe, Omddmkhl.exe, Process not Found, Process not Found, Process not Found, Komjmk32.exe, Aqanke32.exe, Hlkekilg.exe, Kfmehdpc.exe, Cmimif32.exe, Gjahfkfg.exe, Process not Found, Process not Found, Process not Found, Imhanp32.exe, Pimlmf32.exe, Ahioobed.exe, Ddnaonia.exe, Hojqjp32.exe, Process not Found, Process not Found, Bqngjcje.exe, Qkbkfh32.exe, Process not Found, Process not Found, Joqdfghn.exe, Bgpnjkgi.exe, Lkafib32.exe, Ofmiea32.exe, Eaalom32.exe, Ododdlcd.exe, Process not Found, Process not Found, Process not Found, Pojdem32.exe, Gmjbchnq.exe, Jnojjp32.exe, Process not Found, Mjgclcjh.exe, Cbnhfhoc.exe, Process not Found, Fjcfco32.exe, Dedkbb32.exe, Process not Found, Process not Found, Process not Found, Process not Found, Hpbhphie.exe, Imchcplm.exe, Iaaaiobc.exe, Nplhooec.exe, Lkkckdhm.exe, Bcpiombe.exe, Chkoef32.exe, Ancdgcab.exe
Modifies registry class (64 IoCs)
These entries complete the SSODL persistence: for explorer.exe to load the CLSID named under ShellServiceObjectDelayLoad, that CLSID needs an InProcServer32 registration. The sample creates HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32, sets ThreadingModel = "Apartment", and points the default value at one of the 8-character .dll files it dropped into C:\Windows\SysWow64. Successive processes in the chain re-register the server with their own DLL, so the DLL name alone is not a stable indicator; the CLSID, the SSODL value name "Web Event Logger" and the naming pattern are.

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 (18 entries), by process, in the order listed: Mpllpl32.exe, Oafhmf32.exe, Process not Found, Gkaljdaf.exe, Oaeacppk.exe, Mqjehngm.exe, Edidcb32.exe, Egikle32.exe, Qckcdj32.exe, Bkonkpqk.exe, Process not Found, Eeeanm32.exe, Nhbqqlfe.exe, Flbehbqm.exe, Qdlialfb.exe, Ljhngfkh.exe, Kokppd32.exe, Hkndiabh.exe

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" (23 entries), by process, in the order listed: Ekbjgd32.exe, Jllakpdk.exe, Incgfl32.exe, Joepjokm.exe, Jdbhcfjd.exe, Process not Found, Bjgbmoda.exe, Bfblmofp.exe, Njopgh32.exe, Jbbbed32.exe, Gndebkii.exe, Process not Found, Bclcfnih.exe, Pjppmlhm.exe, Edkopifk.exe, Pojdem32.exe, Eghdanac.exe, Ifhgcgjq.exe, Process not Found, Jaffca32.exe, Imfeip32.exe, Jgpbfh32.exe, Hjbhgolp.exe

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ (default) = DLL path (23 entries):
ioc | Process
C:\Windows\SysWow64\Dnjekdon.dll | Hliieioi.exe
C:\Windows\SysWow64\Fkdaeb32.dll | Mjgclcjh.exe
C:\Windows\SysWow64\Dohjfpmp.dll | Joepjokm.exe
C:\Windows\SysWow64\Bcnllf32.dll | Process not Found
C:\Windows\SysWow64\Cccnbp32.dll | Jeofnpke.exe
C:\Windows\SysWow64\Akkaehem.dll | Bocfch32.exe
C:\Windows\SysWow64\Laeqgcbl.dll | Gghloe32.exe
C:\Windows\SysWow64\Jfajgn32.dll | Process not Found
C:\Windows\SysWow64\Iipnge32.dll | Nnpofe32.exe
C:\Windows\SysWow64\Gcjaimek.dll | Process not Found
C:\Windows\SysWow64\Ahlghold.dll | Boifinfg.exe
C:\Windows\SysWow64\Dkgnkbkk.dll | Process not Found
C:\Windows\SysWow64\Cndcgd32.dll | Process not Found
C:\Windows\SysWow64\Jqngde32.dll | Npdkdjhp.exe
C:\Windows\SysWow64\Jmdkjqpq.dll | Ngkaaolf.exe
C:\Windows\SysWow64\Fkficd32.dll | Process not Found
C:\Windows\SysWow64\Nlgqod32.dll | Process not Found
C:\Windows\SysWow64\Fghbnm32.dll | Dadehh32.exe
C:\Windows\SysWow64\Obeapbcg.dll | Peaibajp.exe
C:\Windows\SysWow64\Dlodea32.dll | Fdpjcaij.exe
C:\Windows\SysWow64\Hgjhbpic.dll | Aklefm32.exe
C:\Windows\SysWow64\Ppldje32.dll | Caepdk32.exe
C:\Windows\SysWow64\Ecmmbajg.dll | Pfaopc32.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ad2c72741ab5a48c972044bdd796252c588da256b5fc8c7196541dafb0bce2b5.exe"C:\Users\Admin\AppData\Local\Temp\ad2c72741ab5a48c972044bdd796252c588da256b5fc8c7196541dafb0bce2b5.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2776 -
C:\Windows\SysWOW64\Ifhgcgjq.exeC:\Windows\system32\Ifhgcgjq.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2524 -
C:\Windows\SysWOW64\Iiipeb32.exeC:\Windows\system32\Iiipeb32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2932 -
C:\Windows\SysWOW64\Ieppjclf.exeC:\Windows\system32\Ieppjclf.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2952 -
C:\Windows\SysWOW64\Ikmibjkm.exeC:\Windows\system32\Ikmibjkm.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2896 -
C:\Windows\SysWOW64\Imkeneja.exeC:\Windows\system32\Imkeneja.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2752 -
C:\Windows\SysWOW64\Idgjqook.exeC:\Windows\system32\Idgjqook.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2476 -
C:\Windows\SysWOW64\Jidbifmb.exeC:\Windows\system32\Jidbifmb.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3028 -
C:\Windows\SysWOW64\Jnpoie32.exeC:\Windows\system32\Jnpoie32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1340 -
C:\Windows\SysWOW64\Jkdoci32.exeC:\Windows\system32\Jkdoci32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2092 -
C:\Windows\SysWOW64\Jdlclo32.exeC:\Windows\system32\Jdlclo32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3036 -
C:\Windows\SysWOW64\Jjilde32.exeC:\Windows\system32\Jjilde32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2756 -
C:\Windows\SysWOW64\Jgmlmj32.exeC:\Windows\system32\Jgmlmj32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1264 -
C:\Windows\SysWOW64\Jljeeqfn.exeC:\Windows\system32\Jljeeqfn.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:236 -
C:\Windows\SysWOW64\Jfbinf32.exeC:\Windows\system32\Jfbinf32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1504 -
C:\Windows\SysWOW64\Jllakpdk.exeC:\Windows\system32\Jllakpdk.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2052 -
C:\Windows\SysWOW64\Khcbpa32.exeC:\Windows\system32\Khcbpa32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2096 -
C:\Windows\SysWOW64\Komjmk32.exeC:\Windows\system32\Komjmk32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2408 -
C:\Windows\SysWOW64\Kghoan32.exeC:\Windows\system32\Kghoan32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:828 -
C:\Windows\SysWOW64\Kkckblgq.exeC:\Windows\system32\Kkckblgq.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1880 -
C:\Windows\SysWOW64\Kbncof32.exeC:\Windows\system32\Kbncof32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1536 -
C:\Windows\SysWOW64\Kdlpkb32.exeC:\Windows\system32\Kdlpkb32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1624 -
C:\Windows\SysWOW64\Kbppdfmk.exeC:\Windows\system32\Kbppdfmk.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2156 -
C:\Windows\SysWOW64\Kqemeb32.exeC:\Windows\system32\Kqemeb32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2392 -
C:\Windows\SysWOW64\Lmlnjcgg.exeC:\Windows\system32\Lmlnjcgg.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2328 -
C:\Windows\SysWOW64\Lojjfo32.exeC:\Windows\system32\Lojjfo32.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2836 -
C:\Windows\SysWOW64\Lbkchj32.exeC:\Windows\system32\Lbkchj32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2132 -
C:\Windows\SysWOW64\Ljbkig32.exeC:\Windows\system32\Ljbkig32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1568 -
C:\Windows\SysWOW64\Lckpbm32.exeC:\Windows\system32\Lckpbm32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2736 -
C:\Windows\SysWOW64\Lelljepm.exeC:\Windows\system32\Lelljepm.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2712 -
C:\Windows\SysWOW64\Lfkhch32.exeC:\Windows\system32\Lfkhch32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2728 -
C:\Windows\SysWOW64\Lgmekpmn.exeC:\Windows\system32\Lgmekpmn.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2224 -
C:\Windows\SysWOW64\Milaecdp.exeC:\Windows\system32\Milaecdp.exe33⤵
- Executes dropped EXE
PID:948 -
C:\Windows\SysWOW64\Mnijnjbh.exeC:\Windows\system32\Mnijnjbh.exe34⤵
- Executes dropped EXE
PID:1392 -
C:\Windows\SysWOW64\Mecbjd32.exeC:\Windows\system32\Mecbjd32.exe35⤵
- Executes dropped EXE
PID:2136 -
C:\Windows\SysWOW64\Mlmjgnaa.exeC:\Windows\system32\Mlmjgnaa.exe36⤵
- Executes dropped EXE
PID:3048 -
C:\Windows\SysWOW64\Majcoepi.exeC:\Windows\system32\Majcoepi.exe37⤵
- Executes dropped EXE
PID:2908 -
C:\Windows\SysWOW64\Mchokq32.exeC:\Windows\system32\Mchokq32.exe38⤵
- Executes dropped EXE
PID:2100 -
C:\Windows\SysWOW64\Mpoppadq.exeC:\Windows\system32\Mpoppadq.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1132 -
C:\Windows\SysWOW64\Mfihml32.exeC:\Windows\system32\Mfihml32.exe40⤵
- Executes dropped EXE
PID:1616 -
C:\Windows\SysWOW64\Mbpibm32.exeC:\Windows\system32\Mbpibm32.exe41⤵
- Executes dropped EXE
PID:2024 -
C:\Windows\SysWOW64\Mjgqcj32.exeC:\Windows\system32\Mjgqcj32.exe42⤵
- Executes dropped EXE
PID:2240 -
C:\Windows\SysWOW64\Ndoelpid.exeC:\Windows\system32\Ndoelpid.exe43⤵
- Executes dropped EXE
PID:628 -
C:\Windows\SysWOW64\Nepach32.exeC:\Windows\system32\Nepach32.exe44⤵
- Executes dropped EXE
PID:944 -
C:\Windows\SysWOW64\Nmgjee32.exeC:\Windows\system32\Nmgjee32.exe45⤵
- Executes dropped EXE
PID:2108 -
C:\Windows\SysWOW64\Npffaq32.exeC:\Windows\system32\Npffaq32.exe46⤵
- Executes dropped EXE
PID:2504 -
C:\Windows\SysWOW64\Nebnigmp.exeC:\Windows\system32\Nebnigmp.exe47⤵
- Executes dropped EXE
PID:1628 -
C:\Windows\SysWOW64\Nokcbm32.exeC:\Windows\system32\Nokcbm32.exe48⤵
- Executes dropped EXE
PID:2368 -
C:\Windows\SysWOW64\Naionh32.exeC:\Windows\system32\Naionh32.exe49⤵
- Executes dropped EXE
PID:1668 -
C:\Windows\SysWOW64\Niqgof32.exeC:\Windows\system32\Niqgof32.exe50⤵
- Executes dropped EXE
PID:2880 -
C:\Windows\SysWOW64\Nlocka32.exeC:\Windows\system32\Nlocka32.exe51⤵
- Executes dropped EXE
PID:2936 -
C:\Windows\SysWOW64\Nbilhkig.exeC:\Windows\system32\Nbilhkig.exe52⤵
- Executes dropped EXE
PID:3068 -
C:\Windows\SysWOW64\Ndjhpcoe.exeC:\Windows\system32\Ndjhpcoe.exe53⤵
- Executes dropped EXE
PID:2720 -
C:\Windows\SysWOW64\Noplmlok.exeC:\Windows\system32\Noplmlok.exe54⤵
- Executes dropped EXE
PID:2744 -
C:\Windows\SysWOW64\Nanhihno.exeC:\Windows\system32\Nanhihno.exe55⤵
- Executes dropped EXE
PID:2424 -
C:\Windows\SysWOW64\Ngkaaolf.exeC:\Windows\system32\Ngkaaolf.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:2492 -
C:\Windows\SysWOW64\Okfmbm32.exeC:\Windows\system32\Okfmbm32.exe57⤵
- Executes dropped EXE
PID:3000 -
C:\Windows\SysWOW64\Opcejd32.exeC:\Windows\system32\Opcejd32.exe58⤵
- Executes dropped EXE
PID:2460 -
C:\Windows\SysWOW64\Ogmngn32.exeC:\Windows\system32\Ogmngn32.exe59⤵
- Executes dropped EXE
PID:2440 -
C:\Windows\SysWOW64\Omgfdhbq.exeC:\Windows\system32\Omgfdhbq.exe60⤵
- Executes dropped EXE
PID:1096 -
C:\Windows\SysWOW64\Odanqb32.exeC:\Windows\system32\Odanqb32.exe61⤵
- Executes dropped EXE
PID:492 -
C:\Windows\SysWOW64\Okkfmmqj.exeC:\Windows\system32\Okkfmmqj.exe62⤵
- Executes dropped EXE
PID:776 -
C:\Windows\SysWOW64\Omjbihpn.exeC:\Windows\system32\Omjbihpn.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1552 -
C:\Windows\SysWOW64\Odckfb32.exeC:\Windows\system32\Odckfb32.exe64⤵
- Executes dropped EXE
PID:2648 -
C:\Windows\SysWOW64\Oeegnj32.exeC:\Windows\system32\Oeegnj32.exe65⤵
- Executes dropped EXE
PID:1816 -
C:\Windows\SysWOW64\Olopjddf.exeC:\Windows\system32\Olopjddf.exe66⤵PID:2112
-
C:\Windows\SysWOW64\Ocihgo32.exeC:\Windows\system32\Ocihgo32.exe67⤵PID:1916
-
C:\Windows\SysWOW64\Oibpdico.exeC:\Windows\system32\Oibpdico.exe68⤵
- System Location Discovery: System Language Discovery
PID:2824 -
C:\Windows\SysWOW64\Oheppe32.exeC:\Windows\system32\Oheppe32.exe69⤵PID:2828
-
C:\Windows\SysWOW64\Oophlpag.exeC:\Windows\system32\Oophlpag.exe70⤵PID:2704
-
C:\Windows\SysWOW64\Piemih32.exeC:\Windows\system32\Piemih32.exe71⤵PID:2868
-
C:\Windows\SysWOW64\Plcied32.exeC:\Windows\system32\Plcied32.exe72⤵PID:2260
-
C:\Windows\SysWOW64\Pobeao32.exeC:\Windows\system32\Pobeao32.exe73⤵PID:1428
-
C:\Windows\SysWOW64\Pelnniga.exeC:\Windows\system32\Pelnniga.exe74⤵PID:1968
-
C:\Windows\SysWOW64\Phjjkefd.exeC:\Windows\system32\Phjjkefd.exe75⤵PID:2900
-
C:\Windows\SysWOW64\Podbgo32.exeC:\Windows\system32\Podbgo32.exe76⤵PID:2684
-
C:\Windows\SysWOW64\Penjdien.exeC:\Windows\system32\Penjdien.exe77⤵PID:2348
-
C:\Windows\SysWOW64\Pgogla32.exeC:\Windows\system32\Pgogla32.exe78⤵PID:1248
-
C:\Windows\SysWOW64\Pkkblp32.exeC:\Windows\system32\Pkkblp32.exe79⤵PID:1972
-
C:\Windows\SysWOW64\Pqhkdg32.exeC:\Windows\system32\Pqhkdg32.exe80⤵PID:2244
-
C:\Windows\SysWOW64\Phocfd32.exeC:\Windows\system32\Phocfd32.exe81⤵PID:1660
-
C:\Windows\SysWOW64\Pjppmlhm.exeC:\Windows\system32\Pjppmlhm.exe82⤵
- Modifies registry class
PID:1632 -
C:\Windows\SysWOW64\Paghojip.exeC:\Windows\system32\Paghojip.exe83⤵PID:1588
-
C:\Windows\SysWOW64\Pchdfb32.exeC:\Windows\system32\Pchdfb32.exe84⤵PID:1952
-
C:\Windows\SysWOW64\Qnnhcknd.exeC:\Windows\system32\Qnnhcknd.exe85⤵PID:2800
-
C:\Windows\SysWOW64\Qmahog32.exeC:\Windows\system32\Qmahog32.exe86⤵PID:2740
-
C:\Windows\SysWOW64\Qdhqpe32.exeC:\Windows\system32\Qdhqpe32.exe87⤵PID:2988
-
C:\Windows\SysWOW64\Qfimhmlo.exeC:\Windows\system32\Qfimhmlo.exe88⤵PID:1772
-
C:\Windows\SysWOW64\Qqoaefke.exeC:\Windows\system32\Qqoaefke.exe89⤵PID:2676
-
C:\Windows\SysWOW64\Qcmnaaji.exeC:\Windows\system32\Qcmnaaji.exe90⤵PID:2068
-
C:\Windows\SysWOW64\Ajgfnk32.exeC:\Windows\system32\Ajgfnk32.exe91⤵PID:2892
-
C:\Windows\SysWOW64\Aijfihip.exeC:\Windows\system32\Aijfihip.exe92⤵PID:2236
-
C:\Windows\SysWOW64\Aqanke32.exeC:\Windows\system32\Aqanke32.exe93⤵
- System Location Discovery: System Language Discovery
PID:2164 -
C:\Windows\SysWOW64\Afnfcl32.exeC:\Windows\system32\Afnfcl32.exe94⤵PID:2884
-
C:\Windows\SysWOW64\Amhopfof.exeC:\Windows\system32\Amhopfof.exe95⤵PID:2444
-
C:\Windows\SysWOW64\Aofklbnj.exeC:\Windows\system32\Aofklbnj.exe96⤵PID:264
-
C:\Windows\SysWOW64\Aeccdila.exeC:\Windows\system32\Aeccdila.exe97⤵PID:2924
-
C:\Windows\SysWOW64\Amjkefmd.exeC:\Windows\system32\Amjkefmd.exe98⤵PID:1708
-
C:\Windows\SysWOW64\Aoihaa32.exeC:\Windows\system32\Aoihaa32.exe99⤵PID:2732
-
C:\Windows\SysWOW64\Afbpnlcd.exeC:\Windows\system32\Afbpnlcd.exe100⤵PID:2856
-
C:\Windows\SysWOW64\Akphfbbl.exeC:\Windows\system32\Akphfbbl.exe101⤵PID:2264
-
C:\Windows\SysWOW64\Anndbnao.exeC:\Windows\system32\Anndbnao.exe102⤵PID:764
-
C:\Windows\SysWOW64\Aalaoipc.exeC:\Windows\system32\Aalaoipc.exe103⤵
- Drops file in System32 directory
PID:1048 -
C:\Windows\SysWOW64\Agfikc32.exeC:\Windows\system32\Agfikc32.exe104⤵PID:2468
-
C:\Windows\SysWOW64\Akbelbpi.exeC:\Windows\system32\Akbelbpi.exe105⤵PID:2972
-
C:\Windows\SysWOW64\Ablmilgf.exeC:\Windows\system32\Ablmilgf.exe106⤵PID:2176
-
C:\Windows\SysWOW64\Bghfacem.exeC:\Windows\system32\Bghfacem.exe107⤵PID:2588
-
C:\Windows\SysWOW64\Bjgbmoda.exeC:\Windows\system32\Bjgbmoda.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2076 -
C:\Windows\SysWOW64\Baajji32.exeC:\Windows\system32\Baajji32.exe109⤵PID:2332
-
C:\Windows\SysWOW64\Bcoffd32.exeC:\Windows\system32\Bcoffd32.exe110⤵PID:2928
-
C:\Windows\SysWOW64\Bfncbp32.exeC:\Windows\system32\Bfncbp32.exe111⤵PID:2960
-
C:\Windows\SysWOW64\Bmhkojab.exeC:\Windows\system32\Bmhkojab.exe112⤵PID:2088
-
C:\Windows\SysWOW64\Bpfgke32.exeC:\Windows\system32\Bpfgke32.exe113⤵
- Drops file in System32 directory
PID:2120 -
C:\Windows\SysWOW64\Biolckgf.exeC:\Windows\system32\Biolckgf.exe114⤵PID:1224
-
C:\Windows\SysWOW64\Bphdpe32.exeC:\Windows\system32\Bphdpe32.exe115⤵PID:2180
-
C:\Windows\SysWOW64\Bfblmofp.exeC:\Windows\system32\Bfblmofp.exe116⤵
- Modifies registry class
PID:2516 -
C:\Windows\SysWOW64\Bjnhnn32.exeC:\Windows\system32\Bjnhnn32.exe117⤵PID:1608
-
C:\Windows\SysWOW64\Bpkqfdmp.exeC:\Windows\system32\Bpkqfdmp.exe118⤵PID:560
-
C:\Windows\SysWOW64\Bfeibo32.exeC:\Windows\system32\Bfeibo32.exe119⤵PID:2144
-
C:\Windows\SysWOW64\Claake32.exeC:\Windows\system32\Claake32.exe120⤵PID:2724
-
C:\Windows\SysWOW64\Cnpnga32.exeC:\Windows\system32\Cnpnga32.exe121⤵
- Drops file in System32 directory
PID:2528 -
C:\Windows\SysWOW64\Cejfckie.exeC:\Windows\system32\Cejfckie.exe122⤵PID:3016