Analysis
-
max time kernel
119s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
20/11/2024, 02:50
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
353506dd2bdd483dadaa6c9f89680cb0871f1ab1164d1b9a9d060f21ef732b2aN.exe
Resource
win7-20240903-en
windows7-x64
10 signatures
120 seconds
Behavioral task
behavioral2
Sample
353506dd2bdd483dadaa6c9f89680cb0871f1ab1164d1b9a9d060f21ef732b2aN.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
120 seconds
General
-
Target
353506dd2bdd483dadaa6c9f89680cb0871f1ab1164d1b9a9d060f21ef732b2aN.exe
-
Size
96KB
-
MD5
c1c08c4443fa44aa780806bac69b5260
-
SHA1
95d66b20428d1caff4f35998c01b55ee6da755fe
-
SHA256
353506dd2bdd483dadaa6c9f89680cb0871f1ab1164d1b9a9d060f21ef732b2a
-
SHA512
1cd0c8a5ecb82072b76deb9a70830005152168f56c77967352bb6fdde3b56476e6600af0bf7abc0a38e7979e6b86ce2aff90bc9ede686655fe0bf38007a95e94
-
SSDEEP
1536:ylpawAExLWUKw6z47pphF8Ygzkn+0mYAzDNcSkzy/BOmuCMy0QiLiizHNQNdq:opqDUFpphKtzknPmYAzJP5OmuCMyELiY
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Baefnmml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bbllnlfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ifolhann.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jfaeme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ofnpnkgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ehnfpifm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igebkiof.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ieibdnnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jipaip32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmmfnb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bqmpdioa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qlfdac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aognbnkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bdfooh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dfcgbb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkggmldl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eihjolae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gkgoff32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhkopj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjmlhbbg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hqiqjlga.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mphiqbon.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gamnhq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hmpaom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cnejim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nnleiipc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nihcog32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eifmimch.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpgionie.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkdnhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lhlqjone.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ndcapd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Igqhpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kdphjm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhcafa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bkbdabog.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppinkcnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cbjlhpkb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgnjqe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gamnhq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oimmjffj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bknjfb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Honnki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kpgionie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Leikbd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imaapa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pdbmfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fpbnjjkm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnkdnqhm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llepen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Llepen32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdppqbkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Agglbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Giaidnkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jikhnaao.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkfclo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Koaclfgl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmkihbho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ciagojda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eihjolae.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khgkpl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkbdabog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nihcog32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glnhjjml.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2692 Ifpcchai.exe 2680 Iphgln32.exe 2712 Icfpbl32.exe 2600 Ijphofem.exe 2672 Imaapa32.exe 2296 Jpajbl32.exe 2920 Jhmofo32.exe 2796 Jhoklnkg.exe 592 Jmlddeio.exe 1140 Jhdegn32.exe 1892 Kdkelolf.exe 2536 Kkdnhi32.exe 1996 Kijkje32.exe 1848 Kljdkpfl.exe 900 Kechdf32.exe 1212 Lhcafa32.exe 1708 Laleof32.exe 860 Ldmopa32.exe 3028 Lkggmldl.exe 2980 Lljpjchg.exe 888 Ldahkaij.exe 2352 Mphiqbon.exe 1568 Mcfemmna.exe 2744 Mfgnnhkc.exe 2732 Mbnocipg.exe 2724 Mkfclo32.exe 2624 Mbqkiind.exe 3068 Mnglnj32.exe 2924 Mdadjd32.exe 2852 Nnjicjbf.exe 636 Ndcapd32.exe 2264 Nknimnap.exe 2848 Nnleiipc.exe 1712 Ndfnecgp.exe 1840 Ngdjaofc.exe 1748 Nnnbni32.exe 2200 Nqmnjd32.exe 2152 Nckkgp32.exe 692 Nfigck32.exe 2096 Nihcog32.exe 1292 Ncmglp32.exe 1460 Nijpdfhm.exe 2328 Nlilqbgp.exe 1900 Ofnpnkgf.exe 1412 Oimmjffj.exe 1936 Opfegp32.exe 2300 Obeacl32.exe 2776 Oecmogln.exe 2272 Ohbikbkb.exe 1968 Obgnhkkh.exe 2572 Oiafee32.exe 2596 Ojbbmnhc.exe 2936 Objjnkie.exe 3044 Oehgjfhi.exe 1600 Olbogqoe.exe 2728 Onqkclni.exe 1224 Oaogognm.exe 2944 Ohipla32.exe 2996 Ojglhm32.exe 2228 Paaddgkj.exe 340 Pdppqbkn.exe 856 Pjihmmbk.exe 1532 Pacajg32.exe 2176 Pdbmfb32.exe -
Loads dropped DLL 64 IoCs
pid Process 2644 353506dd2bdd483dadaa6c9f89680cb0871f1ab1164d1b9a9d060f21ef732b2aN.exe 2644 353506dd2bdd483dadaa6c9f89680cb0871f1ab1164d1b9a9d060f21ef732b2aN.exe 2692 Ifpcchai.exe 2692 Ifpcchai.exe 2680 Iphgln32.exe 2680 Iphgln32.exe 2712 Icfpbl32.exe 2712 Icfpbl32.exe 2600 Ijphofem.exe 2600 Ijphofem.exe 2672 Imaapa32.exe 2672 Imaapa32.exe 2296 Jpajbl32.exe 2296 Jpajbl32.exe 2920 Jhmofo32.exe 2920 Jhmofo32.exe 2796 Jhoklnkg.exe 2796 Jhoklnkg.exe 592 Jmlddeio.exe 592 Jmlddeio.exe 1140 Jhdegn32.exe 1140 Jhdegn32.exe 1892 Kdkelolf.exe 1892 Kdkelolf.exe 2536 Kkdnhi32.exe 2536 Kkdnhi32.exe 1996 Kijkje32.exe 1996 Kijkje32.exe 1848 Kljdkpfl.exe 1848 Kljdkpfl.exe 900 Kechdf32.exe 900 Kechdf32.exe 1212 Lhcafa32.exe 1212 Lhcafa32.exe 1708 Laleof32.exe 1708 Laleof32.exe 860 Ldmopa32.exe 860 Ldmopa32.exe 3028 Lkggmldl.exe 3028 Lkggmldl.exe 2980 Lljpjchg.exe 2980 Lljpjchg.exe 888 Ldahkaij.exe 888 Ldahkaij.exe 2352 Mphiqbon.exe 2352 Mphiqbon.exe 1568 Mcfemmna.exe 1568 Mcfemmna.exe 2744 Mfgnnhkc.exe 2744 Mfgnnhkc.exe 2732 Mbnocipg.exe 2732 Mbnocipg.exe 2724 Mkfclo32.exe 2724 Mkfclo32.exe 2624 Mbqkiind.exe 2624 Mbqkiind.exe 3068 Mnglnj32.exe 3068 Mnglnj32.exe 2924 Mdadjd32.exe 2924 Mdadjd32.exe 2852 Nnjicjbf.exe 2852 Nnjicjbf.exe 636 Ndcapd32.exe 636 Ndcapd32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Mfgnnhkc.exe Mcfemmna.exe File opened for modification C:\Windows\SysWOW64\Aiaoclgl.exe Ahpbkd32.exe File created C:\Windows\SysWOW64\Jqgaapqd.dll Ajckilei.exe File opened for modification C:\Windows\SysWOW64\Kkmmlgik.exe Khnapkjg.exe File created C:\Windows\SysWOW64\Jingpl32.dll Lmpcca32.exe File opened for modification C:\Windows\SysWOW64\Efhqmadd.exe Epnhpglg.exe File created C:\Windows\SysWOW64\Hffibceh.exe Hqiqjlga.exe File created C:\Windows\SysWOW64\Gaojnq32.exe Gkebafoa.exe File opened for modification C:\Windows\SysWOW64\Jmdgipkk.exe Jfjolf32.exe File created C:\Windows\SysWOW64\Jcqlkjae.exe Jabponba.exe File created C:\Windows\SysWOW64\Oiggco32.dll Nnjicjbf.exe File created C:\Windows\SysWOW64\Nckkgp32.exe Nqmnjd32.exe File opened for modification C:\Windows\SysWOW64\Ohbikbkb.exe Oecmogln.exe File created C:\Windows\SysWOW64\Oehgjfhi.exe Objjnkie.exe File created C:\Windows\SysWOW64\Inajahoe.dll Acicla32.exe File created C:\Windows\SysWOW64\Knfddo32.dll Jlnmel32.exe File created C:\Windows\SysWOW64\Oldhgaef.dll Lofifi32.exe File opened for modification C:\Windows\SysWOW64\Aaejojjq.exe Aognbnkm.exe File created C:\Windows\SysWOW64\Dokggo32.dll Epeoaffo.exe File opened for modification C:\Windows\SysWOW64\Jpgmpk32.exe Jmipdo32.exe File created C:\Windows\SysWOW64\Kkojbf32.exe Kpieengb.exe File opened for modification C:\Windows\SysWOW64\Lhcafa32.exe Kechdf32.exe File created C:\Windows\SysWOW64\Ocaadj32.dll Lljpjchg.exe File created C:\Windows\SysWOW64\Hkekhpob.dll Fpbnjjkm.exe File created C:\Windows\SysWOW64\Bdfooh32.exe Bfcodkcb.exe File created C:\Windows\SysWOW64\Egdpmo32.dll Bqmpdioa.exe File created C:\Windows\SysWOW64\Cmfmojcb.exe Ckeqga32.exe File opened for modification C:\Windows\SysWOW64\Ngdjaofc.exe Ndfnecgp.exe File created C:\Windows\SysWOW64\Paaddgkj.exe Ojglhm32.exe File opened for modification C:\Windows\SysWOW64\Pbigmn32.exe Plpopddd.exe File opened for modification C:\Windows\SysWOW64\Aognbnkm.exe Aacmij32.exe File opened for modification C:\Windows\SysWOW64\Baefnmml.exe Bogjaamh.exe File created C:\Windows\SysWOW64\Dblhmoio.exe Ckbpqe32.exe File created C:\Windows\SysWOW64\Dkdmfe32.exe Dekdikhc.exe File created C:\Windows\SysWOW64\Nhmbnqfg.dll Fppaej32.exe File opened for modification C:\Windows\SysWOW64\Jmipdo32.exe Jjjdhc32.exe File created C:\Windows\SysWOW64\Glnhjjml.exe Giolnomh.exe File created C:\Windows\SysWOW64\Ikbilijo.dll Jfaeme32.exe File created C:\Windows\SysWOW64\Kablnadm.exe Kjhcag32.exe File opened for modification C:\Windows\SysWOW64\Ndcapd32.exe Nnjicjbf.exe File opened for modification C:\Windows\SysWOW64\Olbogqoe.exe Oehgjfhi.exe File created C:\Windows\SysWOW64\Ohipla32.exe Oaogognm.exe File created C:\Windows\SysWOW64\Fafdibdo.dll Blfapfpg.exe File opened for modification C:\Windows\SysWOW64\Cfoaho32.exe Cdmepgce.exe File created C:\Windows\SysWOW64\Jbdhhp32.dll Koflgf32.exe File opened for modification C:\Windows\SysWOW64\Obgnhkkh.exe Ohbikbkb.exe File created C:\Windows\SysWOW64\Cdlfik32.dll Paaddgkj.exe File created C:\Windows\SysWOW64\Ckeqga32.exe Ccnifd32.exe File created C:\Windows\SysWOW64\Gkgoff32.exe Ghibjjnk.exe File opened for modification C:\Windows\SysWOW64\Jikhnaao.exe Jfmkbebl.exe File created C:\Windows\SysWOW64\Jhdegn32.exe Jmlddeio.exe File created C:\Windows\SysWOW64\Kljdkpfl.exe Kijkje32.exe File created C:\Windows\SysWOW64\Cjedgmpi.dll Pbigmn32.exe File created C:\Windows\SysWOW64\Bfakep32.dll Ciokijfd.exe File opened for modification C:\Windows\SysWOW64\Deondj32.exe Dnefhpma.exe File created C:\Windows\SysWOW64\Pdfndl32.dll Giolnomh.exe File created C:\Windows\SysWOW64\Igqhpj32.exe Ifolhann.exe File opened for modification C:\Windows\SysWOW64\Loaokjjg.exe Lmpcca32.exe File created C:\Windows\SysWOW64\Dkmohi32.dll Nijpdfhm.exe File created C:\Windows\SysWOW64\Qofpqofd.dll Aaejojjq.exe File opened for modification C:\Windows\SysWOW64\Cdmepgce.exe Cmfmojcb.exe File opened for modification C:\Windows\SysWOW64\Efljhq32.exe Epbbkf32.exe File opened for modification C:\Windows\SysWOW64\Epeoaffo.exe Ehnfpifm.exe File created C:\Windows\SysWOW64\Loclai32.exe Llepen32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3388 3280 WerFault.exe 287 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pehcij32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahpbkd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdfooh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmohco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kljdkpfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aaejojjq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blfapfpg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aahfdihn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghibjjnk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpgmpk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Loaokjjg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elkofg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmpaom32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhdegn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nihcog32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Baefnmml.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbofmcij.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkojbf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Laleof32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfbfhm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aacmij32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aognbnkm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eicpcm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdppqbkn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inojhc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpgionie.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lofifi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcfemmna.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oehgjfhi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmfmojcb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Feachqgb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohipla32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plpopddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcqlkjae.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qlfdac32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifolhann.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jipaip32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcmklh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iphgln32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifmocb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibfmmb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmpcca32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbqkiind.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfjolf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdphjm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epeoaffo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fefqdl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijphofem.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aiaoclgl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cqfbjhgf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhgifgnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bcpimq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldgnklmi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icfpbl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onqkclni.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efljhq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igqhpj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jabponba.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldahkaij.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnglnj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdbmfb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehnfpifm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glbaei32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjhcag32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkgcpnbh.dll" Nknimnap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhgikm32.dll" Eogolc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Inhdgdmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgngaoal.dll" Jmdgipkk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Llepen32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mbnocipg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ncmglp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Opfegp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ieibdnnp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Giolnomh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nfigck32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kalhln32.dll" Ojglhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ahpbkd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfenefej.dll" Efhqmadd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dijdkh32.dll" Eicpcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gcgqgd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Inojhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lofifi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqgggnne.dll" Plbkfdba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmnpam32.dll" Blinefnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dnhbmpkn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dcdkef32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gcedad32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gamnhq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkbnjifp.dll" Gkgoff32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jabponba.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kechdf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lhcafa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ojbbmnhc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fppaej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jingpl32.dll" Lmpcca32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mkfclo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eicpcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dadfhdil.dll" Efljhq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pblmdj32.dll" Glbaei32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Honnki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jcqlkjae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Khjgel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lifaid32.dll" Pfpibn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhhcghdk.dll" Dgnjqe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Flnlkgjq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fliook32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikbilijo.dll" Jfaeme32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kfodfh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ojglhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjjdbf32.dll" Aiaoclgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnmbpf32.dll" Bdfooh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hadcipbi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ofnpnkgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bcpimq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gkcekfad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eifmimch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iddiakkl.dll" Honnki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kndkfpje.dll" Igqhpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Leikbd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lkggmldl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lljpjchg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Obgnhkkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lqahpi32.dll" Dihmpinj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qkghgpfi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cbgobp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jnmiag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Khgkpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Epnhpglg.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2644 wrote to memory of 2692 2644 353506dd2bdd483dadaa6c9f89680cb0871f1ab1164d1b9a9d060f21ef732b2aN.exe 30 PID 2644 wrote to memory of 2692 2644 353506dd2bdd483dadaa6c9f89680cb0871f1ab1164d1b9a9d060f21ef732b2aN.exe 30 PID 2644 wrote to memory of 2692 2644 353506dd2bdd483dadaa6c9f89680cb0871f1ab1164d1b9a9d060f21ef732b2aN.exe 30 PID 2644 wrote to memory of 2692 2644 353506dd2bdd483dadaa6c9f89680cb0871f1ab1164d1b9a9d060f21ef732b2aN.exe 30 PID 2692 wrote to memory of 2680 2692 Ifpcchai.exe 31 PID 2692 wrote to memory of 2680 2692 Ifpcchai.exe 31 PID 2692 wrote to memory of 2680 2692 Ifpcchai.exe 31 PID 2692 wrote to memory of 2680 2692 Ifpcchai.exe 31 PID 2680 wrote to memory of 2712 2680 Iphgln32.exe 32 PID 2680 wrote to memory of 2712 2680 Iphgln32.exe 32 PID 2680 wrote to memory of 2712 2680 Iphgln32.exe 32 PID 2680 wrote to memory of 2712 2680 Iphgln32.exe 32 PID 2712 wrote to memory of 2600 2712 Icfpbl32.exe 33 PID 2712 wrote to memory of 2600 2712 Icfpbl32.exe 33 PID 2712 wrote to memory of 2600 2712 Icfpbl32.exe 33 PID 2712 wrote to memory of 2600 2712 Icfpbl32.exe 33 PID 2600 wrote to memory of 2672 2600 Ijphofem.exe 34 PID 2600 wrote to memory of 2672 2600 Ijphofem.exe 34 PID 2600 wrote to memory of 2672 2600 Ijphofem.exe 34 PID 2600 wrote to memory of 2672 2600 Ijphofem.exe 34 PID 2672 wrote to memory of 2296 2672 Imaapa32.exe 35 PID 2672 wrote to memory of 2296 2672 Imaapa32.exe 35 PID 2672 wrote to memory of 2296 2672 Imaapa32.exe 35 PID 2672 wrote to memory of 2296 2672 Imaapa32.exe 35 PID 2296 wrote to memory of 2920 2296 Jpajbl32.exe 36 PID 2296 wrote to memory of 2920 2296 Jpajbl32.exe 36 PID 2296 wrote to memory of 2920 2296 Jpajbl32.exe 36 PID 2296 wrote to memory of 2920 2296 Jpajbl32.exe 36 PID 2920 wrote to memory of 2796 2920 Jhmofo32.exe 37 PID 2920 wrote to memory of 2796 2920 Jhmofo32.exe 37 PID 2920 wrote to memory of 2796 2920 Jhmofo32.exe 37 PID 2920 wrote to memory of 2796 2920 Jhmofo32.exe 37 PID 2796 wrote to memory of 592 2796 Jhoklnkg.exe 38 PID 2796 wrote to memory of 592 2796 Jhoklnkg.exe 38 PID 2796 wrote to memory of 592 2796 Jhoklnkg.exe 38 PID 2796 wrote to memory of 592 2796 Jhoklnkg.exe 38 PID 592 wrote to memory of 1140 592 Jmlddeio.exe 39 PID 592 wrote to memory of 1140 592 Jmlddeio.exe 39 PID 592 wrote to memory of 1140 592 Jmlddeio.exe 39 PID 592 wrote to memory of 1140 592 Jmlddeio.exe 39 PID 1140 wrote to memory of 1892 1140 Jhdegn32.exe 40 PID 1140 wrote to memory of 1892 1140 Jhdegn32.exe 40 PID 1140 wrote to memory of 1892 1140 Jhdegn32.exe 40 PID 1140 wrote to memory of 1892 1140 Jhdegn32.exe 40 PID 1892 wrote to memory of 2536 1892 Kdkelolf.exe 41 PID 1892 wrote to memory of 2536 1892 Kdkelolf.exe 41 PID 1892 wrote to memory of 2536 1892 Kdkelolf.exe 41 PID 1892 wrote to memory of 2536 1892 Kdkelolf.exe 41 PID 2536 wrote to memory of 1996 2536 Kkdnhi32.exe 42 PID 2536 wrote to memory of 1996 2536 Kkdnhi32.exe 42 PID 2536 wrote to memory of 1996 2536 Kkdnhi32.exe 42 PID 2536 wrote to memory of 1996 2536 Kkdnhi32.exe 42 PID 1996 wrote to memory of 1848 1996 Kijkje32.exe 43 PID 1996 wrote to memory of 1848 1996 Kijkje32.exe 43 PID 1996 wrote to memory of 1848 1996 Kijkje32.exe 43 PID 1996 wrote to memory of 1848 1996 Kijkje32.exe 43 PID 1848 wrote to memory of 900 1848 Kljdkpfl.exe 44 PID 1848 wrote to memory of 900 1848 Kljdkpfl.exe 44 PID 1848 wrote to memory of 900 1848 Kljdkpfl.exe 44 PID 1848 wrote to memory of 900 1848 Kljdkpfl.exe 44 PID 900 wrote to memory of 1212 900 Kechdf32.exe 45 PID 900 wrote to memory of 1212 900 Kechdf32.exe 45 PID 900 wrote to memory of 1212 900 Kechdf32.exe 45 PID 900 wrote to memory of 1212 900 Kechdf32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\353506dd2bdd483dadaa6c9f89680cb0871f1ab1164d1b9a9d060f21ef732b2aN.exe"C:\Users\Admin\AppData\Local\Temp\353506dd2bdd483dadaa6c9f89680cb0871f1ab1164d1b9a9d060f21ef732b2aN.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2644 -
C:\Windows\SysWOW64\Ifpcchai.exeC:\Windows\system32\Ifpcchai.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\Windows\SysWOW64\Iphgln32.exeC:\Windows\system32\Iphgln32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2680 -
C:\Windows\SysWOW64\Icfpbl32.exeC:\Windows\system32\Icfpbl32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Windows\SysWOW64\Ijphofem.exeC:\Windows\system32\Ijphofem.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2600 -
C:\Windows\SysWOW64\Imaapa32.exeC:\Windows\system32\Imaapa32.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2672 -
C:\Windows\SysWOW64\Jpajbl32.exeC:\Windows\system32\Jpajbl32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2296 -
C:\Windows\SysWOW64\Jhmofo32.exeC:\Windows\system32\Jhmofo32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2920 -
C:\Windows\SysWOW64\Jhoklnkg.exeC:\Windows\system32\Jhoklnkg.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2796 -
C:\Windows\SysWOW64\Jmlddeio.exeC:\Windows\system32\Jmlddeio.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:592 -
C:\Windows\SysWOW64\Jhdegn32.exeC:\Windows\system32\Jhdegn32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1140 -
C:\Windows\SysWOW64\Kdkelolf.exeC:\Windows\system32\Kdkelolf.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1892 -
C:\Windows\SysWOW64\Kkdnhi32.exeC:\Windows\system32\Kkdnhi32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2536 -
C:\Windows\SysWOW64\Kijkje32.exeC:\Windows\system32\Kijkje32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1996 -
C:\Windows\SysWOW64\Kljdkpfl.exeC:\Windows\system32\Kljdkpfl.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1848 -
C:\Windows\SysWOW64\Kechdf32.exeC:\Windows\system32\Kechdf32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:900 -
C:\Windows\SysWOW64\Lhcafa32.exeC:\Windows\system32\Lhcafa32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1212 -
C:\Windows\SysWOW64\Laleof32.exeC:\Windows\system32\Laleof32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1708 -
C:\Windows\SysWOW64\Ldmopa32.exeC:\Windows\system32\Ldmopa32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:860 -
C:\Windows\SysWOW64\Lkggmldl.exeC:\Windows\system32\Lkggmldl.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:3028 -
C:\Windows\SysWOW64\Lljpjchg.exeC:\Windows\system32\Lljpjchg.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2980 -
C:\Windows\SysWOW64\Ldahkaij.exeC:\Windows\system32\Ldahkaij.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:888 -
C:\Windows\SysWOW64\Mphiqbon.exeC:\Windows\system32\Mphiqbon.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2352 -
C:\Windows\SysWOW64\Mcfemmna.exeC:\Windows\system32\Mcfemmna.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1568 -
C:\Windows\SysWOW64\Mfgnnhkc.exeC:\Windows\system32\Mfgnnhkc.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2744 -
C:\Windows\SysWOW64\Mbnocipg.exeC:\Windows\system32\Mbnocipg.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2732 -
C:\Windows\SysWOW64\Mkfclo32.exeC:\Windows\system32\Mkfclo32.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2724 -
C:\Windows\SysWOW64\Mbqkiind.exeC:\Windows\system32\Mbqkiind.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2624 -
C:\Windows\SysWOW64\Mnglnj32.exeC:\Windows\system32\Mnglnj32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3068 -
C:\Windows\SysWOW64\Mdadjd32.exeC:\Windows\system32\Mdadjd32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2924 -
C:\Windows\SysWOW64\Nnjicjbf.exeC:\Windows\system32\Nnjicjbf.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2852 -
C:\Windows\SysWOW64\Ndcapd32.exeC:\Windows\system32\Ndcapd32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:636 -
C:\Windows\SysWOW64\Nknimnap.exeC:\Windows\system32\Nknimnap.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:2264 -
C:\Windows\SysWOW64\Nnleiipc.exeC:\Windows\system32\Nnleiipc.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2848 -
C:\Windows\SysWOW64\Ndfnecgp.exeC:\Windows\system32\Ndfnecgp.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1712 -
C:\Windows\SysWOW64\Ngdjaofc.exeC:\Windows\system32\Ngdjaofc.exe36⤵
- Executes dropped EXE
PID:1840 -
C:\Windows\SysWOW64\Nnnbni32.exeC:\Windows\system32\Nnnbni32.exe37⤵
- Executes dropped EXE
PID:1748 -
C:\Windows\SysWOW64\Nqmnjd32.exeC:\Windows\system32\Nqmnjd32.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2200 -
C:\Windows\SysWOW64\Nckkgp32.exeC:\Windows\system32\Nckkgp32.exe39⤵
- Executes dropped EXE
PID:2152 -
C:\Windows\SysWOW64\Nfigck32.exeC:\Windows\system32\Nfigck32.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:692 -
C:\Windows\SysWOW64\Nihcog32.exeC:\Windows\system32\Nihcog32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2096 -
C:\Windows\SysWOW64\Ncmglp32.exeC:\Windows\system32\Ncmglp32.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:1292 -
C:\Windows\SysWOW64\Nijpdfhm.exeC:\Windows\system32\Nijpdfhm.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1460 -
C:\Windows\SysWOW64\Nlilqbgp.exeC:\Windows\system32\Nlilqbgp.exe44⤵
- Executes dropped EXE
PID:2328 -
C:\Windows\SysWOW64\Ofnpnkgf.exeC:\Windows\system32\Ofnpnkgf.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1900 -
C:\Windows\SysWOW64\Oimmjffj.exeC:\Windows\system32\Oimmjffj.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1412 -
C:\Windows\SysWOW64\Opfegp32.exeC:\Windows\system32\Opfegp32.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:1936 -
C:\Windows\SysWOW64\Obeacl32.exeC:\Windows\system32\Obeacl32.exe48⤵
- Executes dropped EXE
PID:2300 -
C:\Windows\SysWOW64\Oecmogln.exeC:\Windows\system32\Oecmogln.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2776 -
C:\Windows\SysWOW64\Ohbikbkb.exeC:\Windows\system32\Ohbikbkb.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2272 -
C:\Windows\SysWOW64\Obgnhkkh.exeC:\Windows\system32\Obgnhkkh.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:1968 -
C:\Windows\SysWOW64\Oiafee32.exeC:\Windows\system32\Oiafee32.exe52⤵
- Executes dropped EXE
PID:2572 -
C:\Windows\SysWOW64\Ojbbmnhc.exeC:\Windows\system32\Ojbbmnhc.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:2596 -
C:\Windows\SysWOW64\Objjnkie.exeC:\Windows\system32\Objjnkie.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2936 -
C:\Windows\SysWOW64\Oehgjfhi.exeC:\Windows\system32\Oehgjfhi.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3044 -
C:\Windows\SysWOW64\Olbogqoe.exeC:\Windows\system32\Olbogqoe.exe56⤵
- Executes dropped EXE
PID:1600 -
C:\Windows\SysWOW64\Onqkclni.exeC:\Windows\system32\Onqkclni.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2728 -
C:\Windows\SysWOW64\Oaogognm.exeC:\Windows\system32\Oaogognm.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1224 -
C:\Windows\SysWOW64\Ohipla32.exeC:\Windows\system32\Ohipla32.exe59⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2944 -
C:\Windows\SysWOW64\Ojglhm32.exeC:\Windows\system32\Ojglhm32.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2996 -
C:\Windows\SysWOW64\Paaddgkj.exeC:\Windows\system32\Paaddgkj.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2228 -
C:\Windows\SysWOW64\Pdppqbkn.exeC:\Windows\system32\Pdppqbkn.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:340 -
C:\Windows\SysWOW64\Pjihmmbk.exeC:\Windows\system32\Pjihmmbk.exe63⤵
- Executes dropped EXE
PID:856 -
C:\Windows\SysWOW64\Pacajg32.exeC:\Windows\system32\Pacajg32.exe64⤵
- Executes dropped EXE
PID:1532 -
C:\Windows\SysWOW64\Pdbmfb32.exeC:\Windows\system32\Pdbmfb32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2176 -
C:\Windows\SysWOW64\Pfpibn32.exeC:\Windows\system32\Pfpibn32.exe66⤵
- Modifies registry class
PID:2492 -
C:\Windows\SysWOW64\Pioeoi32.exeC:\Windows\system32\Pioeoi32.exe67⤵PID:752
-
C:\Windows\SysWOW64\Ppinkcnp.exeC:\Windows\system32\Ppinkcnp.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1944 -
C:\Windows\SysWOW64\Pfbfhm32.exeC:\Windows\system32\Pfbfhm32.exe69⤵
- System Location Discovery: System Language Discovery
PID:2660 -
C:\Windows\SysWOW64\Plpopddd.exeC:\Windows\system32\Plpopddd.exe70⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2820 -
C:\Windows\SysWOW64\Pbigmn32.exeC:\Windows\system32\Pbigmn32.exe71⤵
- Drops file in System32 directory
PID:2668 -
C:\Windows\SysWOW64\Pehcij32.exeC:\Windows\system32\Pehcij32.exe72⤵
- System Location Discovery: System Language Discovery
PID:1328 -
C:\Windows\SysWOW64\Plbkfdba.exeC:\Windows\system32\Plbkfdba.exe73⤵
- Modifies registry class
PID:2092 -
C:\Windows\SysWOW64\Paocnkph.exeC:\Windows\system32\Paocnkph.exe74⤵PID:2740
-
C:\Windows\SysWOW64\Qejpoi32.exeC:\Windows\system32\Qejpoi32.exe75⤵PID:2068
-
C:\Windows\SysWOW64\Qkghgpfi.exeC:\Windows\system32\Qkghgpfi.exe76⤵
- Modifies registry class
PID:1232 -
C:\Windows\SysWOW64\Qaapcj32.exeC:\Windows\system32\Qaapcj32.exe77⤵PID:1704
-
C:\Windows\SysWOW64\Qlfdac32.exeC:\Windows\system32\Qlfdac32.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2508 -
C:\Windows\SysWOW64\Aacmij32.exeC:\Windows\system32\Aacmij32.exe79⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1856 -
C:\Windows\SysWOW64\Aognbnkm.exeC:\Windows\system32\Aognbnkm.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1780 -
C:\Windows\SysWOW64\Aaejojjq.exeC:\Windows\system32\Aaejojjq.exe81⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1948 -
C:\Windows\SysWOW64\Ahpbkd32.exeC:\Windows\system32\Ahpbkd32.exe82⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1672 -
C:\Windows\SysWOW64\Aiaoclgl.exeC:\Windows\system32\Aiaoclgl.exe83⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:848 -
C:\Windows\SysWOW64\Aahfdihn.exeC:\Windows\system32\Aahfdihn.exe84⤵
- System Location Discovery: System Language Discovery
PID:2476 -
C:\Windows\SysWOW64\Acicla32.exeC:\Windows\system32\Acicla32.exe85⤵
- Drops file in System32 directory
PID:2484 -
C:\Windows\SysWOW64\Ajckilei.exeC:\Windows\system32\Ajckilei.exe86⤵
- Drops file in System32 directory
PID:1952 -
C:\Windows\SysWOW64\Apmcefmf.exeC:\Windows\system32\Apmcefmf.exe87⤵PID:1512
-
C:\Windows\SysWOW64\Agglbp32.exeC:\Windows\system32\Agglbp32.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2784 -
C:\Windows\SysWOW64\Anadojlo.exeC:\Windows\system32\Anadojlo.exe89⤵PID:2688
-
C:\Windows\SysWOW64\Aobpfb32.exeC:\Windows\system32\Aobpfb32.exe90⤵PID:2368
-
C:\Windows\SysWOW64\Afliclij.exeC:\Windows\system32\Afliclij.exe91⤵PID:2892
-
C:\Windows\SysWOW64\Blfapfpg.exeC:\Windows\system32\Blfapfpg.exe92⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:756 -
C:\Windows\SysWOW64\Bcpimq32.exeC:\Windows\system32\Bcpimq32.exe93⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1404 -
C:\Windows\SysWOW64\Bfoeil32.exeC:\Windows\system32\Bfoeil32.exe94⤵PID:388
-
C:\Windows\SysWOW64\Blinefnd.exeC:\Windows\system32\Blinefnd.exe95⤵
- Modifies registry class
PID:1220 -
C:\Windows\SysWOW64\Bogjaamh.exeC:\Windows\system32\Bogjaamh.exe96⤵
- Drops file in System32 directory
PID:2196 -
C:\Windows\SysWOW64\Baefnmml.exeC:\Windows\system32\Baefnmml.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1960 -
C:\Windows\SysWOW64\Bddbjhlp.exeC:\Windows\system32\Bddbjhlp.exe98⤵PID:3012
-
C:\Windows\SysWOW64\Bknjfb32.exeC:\Windows\system32\Bknjfb32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:644 -
C:\Windows\SysWOW64\Bfcodkcb.exeC:\Windows\system32\Bfcodkcb.exe100⤵
- Drops file in System32 directory
PID:1844 -
C:\Windows\SysWOW64\Bdfooh32.exeC:\Windows\system32\Bdfooh32.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2636 -
C:\Windows\SysWOW64\Bkpglbaj.exeC:\Windows\system32\Bkpglbaj.exe102⤵PID:2520
-
C:\Windows\SysWOW64\Bqmpdioa.exeC:\Windows\system32\Bqmpdioa.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2560 -
C:\Windows\SysWOW64\Bdhleh32.exeC:\Windows\system32\Bdhleh32.exe104⤵PID:2584
-
C:\Windows\SysWOW64\Bkbdabog.exeC:\Windows\system32\Bkbdabog.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2872 -
C:\Windows\SysWOW64\Bbllnlfd.exeC:\Windows\system32\Bbllnlfd.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:792 -
C:\Windows\SysWOW64\Ccnifd32.exeC:\Windows\system32\Ccnifd32.exe107⤵
- Drops file in System32 directory
PID:1940 -
C:\Windows\SysWOW64\Ckeqga32.exeC:\Windows\system32\Ckeqga32.exe108⤵
- Drops file in System32 directory
PID:1876 -
C:\Windows\SysWOW64\Cmfmojcb.exeC:\Windows\system32\Cmfmojcb.exe109⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:112 -
C:\Windows\SysWOW64\Cdmepgce.exeC:\Windows\system32\Cdmepgce.exe110⤵
- Drops file in System32 directory
PID:1980 -
C:\Windows\SysWOW64\Cfoaho32.exeC:\Windows\system32\Cfoaho32.exe111⤵PID:2436
-
C:\Windows\SysWOW64\Cnejim32.exeC:\Windows\system32\Cnejim32.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1784 -
C:\Windows\SysWOW64\Cqdfehii.exeC:\Windows\system32\Cqdfehii.exe113⤵PID:1208
-
C:\Windows\SysWOW64\Cgnnab32.exeC:\Windows\system32\Cgnnab32.exe114⤵PID:1180
-
C:\Windows\SysWOW64\Ciokijfd.exeC:\Windows\system32\Ciokijfd.exe115⤵
- Drops file in System32 directory
PID:2760 -
C:\Windows\SysWOW64\Cqfbjhgf.exeC:\Windows\system32\Cqfbjhgf.exe116⤵
- System Location Discovery: System Language Discovery
PID:2972 -
C:\Windows\SysWOW64\Cbgobp32.exeC:\Windows\system32\Cbgobp32.exe117⤵
- Modifies registry class
PID:3056 -
C:\Windows\SysWOW64\Ciagojda.exeC:\Windows\system32\Ciagojda.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:552 -
C:\Windows\SysWOW64\Ckpckece.exeC:\Windows\system32\Ckpckece.exe119⤵PID:1608
-
C:\Windows\SysWOW64\Cbjlhpkb.exeC:\Windows\system32\Cbjlhpkb.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2824 -
C:\Windows\SysWOW64\Cidddj32.exeC:\Windows\system32\Cidddj32.exe121⤵PID:1444
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-