Analysis
-
max time kernel
52s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
20/11/2024, 03:21
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
c12f31260c5b6572dc4db8bec0282afaa120b4b384df02cc79b4cdf759fdd146.exe
Resource
win7-20241010-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral2
Sample
c12f31260c5b6572dc4db8bec0282afaa120b4b384df02cc79b4cdf759fdd146.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
c12f31260c5b6572dc4db8bec0282afaa120b4b384df02cc79b4cdf759fdd146.exe
-
Size
357KB
-
MD5
a71897d44af8ca9ff8a6e0922221dc98
-
SHA1
cd84b45d24bf88731070782c6cc48a48ca98bd35
-
SHA256
c12f31260c5b6572dc4db8bec0282afaa120b4b384df02cc79b4cdf759fdd146
-
SHA512
042e02e4a39df3bc262309bb5acb317ca32c8a12f9601c48790d61b8bde7ec25d657846fb32d64a961a42a2886c5dc93e57c77fb26af7ca0d1bf087b6cbf973a
-
SSDEEP
6144:zkMspDpHQxyb1n6xJmPMwZoXpKtCe8AUReheFlfSZR0SvsuFrGoyeg3kl+fiXFOk:zknpDpHQ2ZoXpKtCe1eehil6ZR5ZrQe7
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kekkkm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fgffck32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkjpncii.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mbmebgpi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmbenc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Necqbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gnphfppi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cincaq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcojbm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlhbgc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hadece32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfphmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cgjhkpbj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnfhfmhc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Boifinfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ggncop32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljbmbpkb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nqakim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lpbhmiji.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pihnqj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Encchoml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kaillp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dahobdpe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bigohejb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpeonkig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ijhkembk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kplfmfmf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chickknc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fonbff32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olnipn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cnacbj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhjghlng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ngafdepl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhmjha32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilblkh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibbioilj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jlmddi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npkaei32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebkndibq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohppjpkc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Deedfacn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhlogo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iekbmfdc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cmbiap32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apdminod.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgkanomj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfblmofp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pgopak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qlcgmpkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kpbiempj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eoanij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dpjhcj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgidnobg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gaiijgbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eapcjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pldnge32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aeokdn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kagkebpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Opbopn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mqhhbn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghaeaaki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bgnaekil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fldbnb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cqcomn32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 3000 Oomlfpdi.exe 2964 Oheppe32.exe 2328 Panehkaj.exe 2768 Pcmabnhm.exe 2796 Pkifgpeh.exe 2588 Pgogla32.exe 2724 Pkmobp32.exe 2412 Pkplgoop.exe 2336 Qckalamk.exe 3008 Qqoaefke.exe 2800 Aqanke32.exe 2568 Akkokc32.exe 1124 Aoihaa32.exe 1404 Akphfbbl.exe 1956 Bgkbfcck.exe 2116 Bcackdio.exe 620 Bfblmofp.exe 1520 Biceoj32.exe 2388 Chhbpfhi.exe 2232 Cdapjglj.exe 948 Coiqmp32.exe 2324 Dmomnlne.exe 2208 Dggbgadf.exe 2664 Ddkbqfcp.exe 2272 Dcpoab32.exe 2992 Dcblgbfe.exe 2160 Eagiho32.exe 2212 Eajennij.exe 2960 Eehndm32.exe 1576 Encchoml.exe 3028 Enepnoji.exe 2940 Fnhlcn32.exe 2792 Fqheei32.exe 1096 Fonbff32.exe 2452 Fihcdkom.exe 2528 Gbcecpck.exe 1064 Ggbjag32.exe 2000 Gfggbcdg.exe 2052 Gfjcgc32.exe 2668 Hpinagbm.exe 1248 Hlpofh32.exe 2364 Ilblkh32.exe 2200 Iekpdn32.exe 1400 Imfeip32.exe 2624 Ijjebd32.exe 2848 Ilmool32.exe 1692 Iiaoip32.exe 1148 Jehpna32.exe 864 Jlbhjkij.exe 2784 Jlddpkgh.exe 1436 Jcnmme32.exe 1868 Jhkeelml.exe 1648 Jeofnpke.exe 2420 Jogjgf32.exe 1640 Kjakhcne.exe 2780 Kjchmclb.exe 2280 Klbdiokf.exe 2428 Kfjibdbf.exe 1040 Kobmkj32.exe 1892 Kpbiempj.exe 2808 Khmnio32.exe 800 Lddoopbi.exe 1708 Lhbhdnio.exe 2124 Lqmliqfj.exe -
Loads dropped DLL 64 IoCs
pid Process 2820 c12f31260c5b6572dc4db8bec0282afaa120b4b384df02cc79b4cdf759fdd146.exe 2820 c12f31260c5b6572dc4db8bec0282afaa120b4b384df02cc79b4cdf759fdd146.exe 3000 Oomlfpdi.exe 3000 Oomlfpdi.exe 2964 Oheppe32.exe 2964 Oheppe32.exe 2328 Panehkaj.exe 2328 Panehkaj.exe 2768 Pcmabnhm.exe 2768 Pcmabnhm.exe 2796 Pkifgpeh.exe 2796 Pkifgpeh.exe 2588 Pgogla32.exe 2588 Pgogla32.exe 2724 Pkmobp32.exe 2724 Pkmobp32.exe 2412 Pkplgoop.exe 2412 Pkplgoop.exe 2336 Qckalamk.exe 2336 Qckalamk.exe 3008 Qqoaefke.exe 3008 Qqoaefke.exe 2800 Aqanke32.exe 2800 Aqanke32.exe 2568 Akkokc32.exe 2568 Akkokc32.exe 1124 Aoihaa32.exe 1124 Aoihaa32.exe 1404 Akphfbbl.exe 1404 Akphfbbl.exe 1956 Bgkbfcck.exe 1956 Bgkbfcck.exe 2116 Bcackdio.exe 2116 Bcackdio.exe 620 Bfblmofp.exe 620 Bfblmofp.exe 1520 Biceoj32.exe 1520 Biceoj32.exe 2388 Chhbpfhi.exe 2388 Chhbpfhi.exe 2232 Cdapjglj.exe 2232 Cdapjglj.exe 948 Coiqmp32.exe 948 Coiqmp32.exe 2324 Dmomnlne.exe 2324 Dmomnlne.exe 2208 Dggbgadf.exe 2208 Dggbgadf.exe 2664 Ddkbqfcp.exe 2664 Ddkbqfcp.exe 2272 Dcpoab32.exe 2272 Dcpoab32.exe 2992 Dcblgbfe.exe 2992 Dcblgbfe.exe 2160 Eagiho32.exe 2160 Eagiho32.exe 2212 Eajennij.exe 2212 Eajennij.exe 2960 Eehndm32.exe 2960 Eehndm32.exe 1576 Encchoml.exe 1576 Encchoml.exe 3028 Enepnoji.exe 3028 Enepnoji.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Hfegfg32.dll Empphi32.exe File created C:\Windows\SysWOW64\Hcdihn32.exe Hqcpfcbl.exe File created C:\Windows\SysWOW64\Nkbdbbop.exe Nmmgafjh.exe File created C:\Windows\SysWOW64\Pjgoohpd.dll Cjkamk32.exe File created C:\Windows\SysWOW64\Qlcgmpkp.exe Qicoleno.exe File opened for modification C:\Windows\SysWOW64\Akfaof32.exe Qoopie32.exe File created C:\Windows\SysWOW64\Jogidjmf.dll Aadbfp32.exe File created C:\Windows\SysWOW64\Cjcfjoil.exe Conbmfif.exe File opened for modification C:\Windows\SysWOW64\Dnmada32.exe Djoinbpm.exe File created C:\Windows\SysWOW64\Khedkiag.dll Inffdd32.exe File created C:\Windows\SysWOW64\Bfblmofp.exe Bcackdio.exe File created C:\Windows\SysWOW64\Majlhbai.dll Nmbenc32.exe File created C:\Windows\SysWOW64\Aqanke32.exe Qqoaefke.exe File created C:\Windows\SysWOW64\Ikhpoi32.dll Degobhjg.exe File created C:\Windows\SysWOW64\Ajodkofo.dll Kloqiijm.exe File created C:\Windows\SysWOW64\Deedfacn.exe Cincaq32.exe File opened for modification C:\Windows\SysWOW64\Jhgnbehe.exe Jlpmndba.exe File created C:\Windows\SysWOW64\Gdilkpbo.dll Kplfmfmf.exe File created C:\Windows\SysWOW64\Lhegcg32.exe Lnmfpnqn.exe File created C:\Windows\SysWOW64\Oinbglkm.exe Onhnjclg.exe File created C:\Windows\SysWOW64\Gljdlq32.exe Gdophn32.exe File created C:\Windows\SysWOW64\Pojfinhh.dll Moikinib.exe File created C:\Windows\SysWOW64\Cienge32.dll Qlcgmpkp.exe File created C:\Windows\SysWOW64\Lcophb32.dll Cdapjglj.exe File created C:\Windows\SysWOW64\Cfocnoae.dll Nnjlhg32.exe File created C:\Windows\SysWOW64\Qkeofnfk.exe Qfifmghc.exe File created C:\Windows\SysWOW64\Fplknh32.exe Fhqfie32.exe File opened for modification C:\Windows\SysWOW64\Gofajcog.exe Fgjmfa32.exe File created C:\Windows\SysWOW64\Imndmnob.exe Iagchmjn.exe File opened for modification C:\Windows\SysWOW64\Jalmcl32.exe Jhchjgoh.exe File opened for modification C:\Windows\SysWOW64\Boifinfg.exe Bgnaekil.exe File created C:\Windows\SysWOW64\Onhnjclg.exe Oepianef.exe File opened for modification C:\Windows\SysWOW64\Conbmfif.exe Bgqqcd32.exe File created C:\Windows\SysWOW64\Leialh32.dll Iagchmjn.exe File opened for modification C:\Windows\SysWOW64\Dbcnpk32.exe Dpbenpqh.exe File created C:\Windows\SysWOW64\Jehpna32.exe Iiaoip32.exe File created C:\Windows\SysWOW64\Oohlaj32.exe Opbopn32.exe File opened for modification C:\Windows\SysWOW64\Helmiiec.exe Goodpb32.exe File opened for modification C:\Windows\SysWOW64\Mlfebcnd.exe Lggpdmap.exe File created C:\Windows\SysWOW64\Jgopbe32.dll Bambjnfn.exe File opened for modification C:\Windows\SysWOW64\Phhonn32.exe Pbkgegad.exe File created C:\Windows\SysWOW64\Hcqcoo32.exe Hbafel32.exe File created C:\Windows\SysWOW64\Poinfpdk.dll Faedpdcc.exe File opened for modification C:\Windows\SysWOW64\Hqcpfcbl.exe Hkfgnldd.exe File created C:\Windows\SysWOW64\Jadfnabd.dll Ffcbce32.exe File created C:\Windows\SysWOW64\Hadece32.exe Hhkakonn.exe File opened for modification C:\Windows\SysWOW64\Igjabj32.exe Iqpiepcn.exe File opened for modification C:\Windows\SysWOW64\Nbgakd32.exe Necqbp32.exe File opened for modification C:\Windows\SysWOW64\Apdminod.exe Aellfe32.exe File created C:\Windows\SysWOW64\Piiekp32.exe Pnodjb32.exe File created C:\Windows\SysWOW64\Jkckdi32.dll Lljolodf.exe File created C:\Windows\SysWOW64\Dldldj32.dll Laidie32.exe File created C:\Windows\SysWOW64\Nqhblj32.dll Oheppe32.exe File opened for modification C:\Windows\SysWOW64\Jilkbn32.exe Jkfnaa32.exe File created C:\Windows\SysWOW64\Djffihmp.exe Dnpedghl.exe File opened for modification C:\Windows\SysWOW64\Faljqcmk.exe Fgffck32.exe File created C:\Windows\SysWOW64\Iekpdn32.exe Ilblkh32.exe File opened for modification C:\Windows\SysWOW64\Pjpicfdb.exe Pgopak32.exe File created C:\Windows\SysWOW64\Bhoqqojp.dll Lpbhmiji.exe File created C:\Windows\SysWOW64\Bhkjbbln.dll Eapcjo32.exe File created C:\Windows\SysWOW64\Lijgiokj.dll Lllkaobc.exe File opened for modification C:\Windows\SysWOW64\Aadbfp32.exe Apeflmjc.exe File opened for modification C:\Windows\SysWOW64\Khmnio32.exe Kpbiempj.exe File created C:\Windows\SysWOW64\Phmiimlf.exe Pbppqf32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 2884 1120 WerFault.exe 494 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opbopn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Echoepmo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opicgenj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghnaaljp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jehpna32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oemjbe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnbgdh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omhjejai.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohppjpkc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgeopqfp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbigao32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkkpjg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggkoojip.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nakeib32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjanfl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jilkbn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nkbdbbop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imndmnob.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbppqf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kobmkj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abachg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbkkepio.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alncgn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iiekkdjo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgkanomj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eajhgg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkndiabh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Faljqcmk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fonbff32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lddoopbi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbmlal32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdjddf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhchjgoh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdjenkgh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bpfhfjgq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmapna32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncjcnfcn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnmada32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eagiho32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olnipn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfflfp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Joepjokm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oinbglkm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlhbgc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcmkoi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkplnp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bambjnfn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgkbfcck.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qoopie32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffcbce32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnjlhg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nkhhie32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aekelo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhkakonn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgogla32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcpoab32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agcekn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qicoleno.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgnaekil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oclpdf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boainhic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kiifjd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmholgpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Piiekp32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Odgchjhl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mlfebcnd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mlhbgc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iaieif32.dll" Abachg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fialggcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdgab32.dll" Lllihf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ibklddof.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dcblgbfe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ibejfffo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Olnipn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oepianef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbanhfjd.dll" Ebkndibq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjpfjf32.dll" Nqdjge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldfediek.dll" Kpndlobg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jlddpkgh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Adbmjbif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Koelibnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opjdhb32.dll" Qfganb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ahpdficc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbpalg32.dll" Kpeonkig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmaadi32.dll" Ifoljn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Meafpibb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Janjga32.dll" Pjhaec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jcodcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hpnpam32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Elnonp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gpfggeai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbinloge.dll" Gjcekj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Deedfacn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olmefhdk.dll" Eagiho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lnlmmo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jlpmndba.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gmbagf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngnlaehe.dll" Flmecm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kfmfchfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bklaepbn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Doocln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpdkel32.dll" Hfflfp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Npkaei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkpdpg32.dll" Bgnaekil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gjcekj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Phelnhnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdkqbd32.dll" Aodjdede.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlfpln32.dll" Dcpoab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbkimd32.dll" Akjham32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkgpdidf.dll" Fjfllm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fmbkfd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lddjmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Djoinbpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Impcbm32.dll" Ilblkh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Degobhjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hcqcoo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fccaicfb.dll" Eibikc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obpncg32.dll" Conbmfif.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iqpiepcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cokdcc32.dll" Jadnoc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lmdnjf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dbmlal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljlkmo32.dll" Gafcahil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dhmchljg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aolihc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbnhppoa.dll" Kiifjd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ncbkenba.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eaangfjf.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2820 wrote to memory of 3000 2820 c12f31260c5b6572dc4db8bec0282afaa120b4b384df02cc79b4cdf759fdd146.exe 30 PID 2820 wrote to memory of 3000 2820 c12f31260c5b6572dc4db8bec0282afaa120b4b384df02cc79b4cdf759fdd146.exe 30 PID 2820 wrote to memory of 3000 2820 c12f31260c5b6572dc4db8bec0282afaa120b4b384df02cc79b4cdf759fdd146.exe 30 PID 2820 wrote to memory of 3000 2820 c12f31260c5b6572dc4db8bec0282afaa120b4b384df02cc79b4cdf759fdd146.exe 30 PID 3000 wrote to memory of 2964 3000 Oomlfpdi.exe 31 PID 3000 wrote to memory of 2964 3000 Oomlfpdi.exe 31 PID 3000 wrote to memory of 2964 3000 Oomlfpdi.exe 31 PID 3000 wrote to memory of 2964 3000 Oomlfpdi.exe 31 PID 2964 wrote to memory of 2328 2964 Oheppe32.exe 32 PID 2964 wrote to memory of 2328 2964 Oheppe32.exe 32 PID 2964 wrote to memory of 2328 2964 Oheppe32.exe 32 PID 2964 wrote to memory of 2328 2964 Oheppe32.exe 32 PID 2328 wrote to memory of 2768 2328 Panehkaj.exe 33 PID 2328 wrote to memory of 2768 2328 Panehkaj.exe 33 PID 2328 wrote to memory of 2768 2328 Panehkaj.exe 33 PID 2328 wrote to memory of 2768 2328 Panehkaj.exe 33 PID 2768 wrote to memory of 2796 2768 Pcmabnhm.exe 34 PID 2768 wrote to memory of 2796 2768 Pcmabnhm.exe 34 PID 2768 wrote to memory of 2796 2768 Pcmabnhm.exe 34 PID 2768 wrote to memory of 2796 2768 Pcmabnhm.exe 34 PID 2796 wrote to memory of 2588 2796 Pkifgpeh.exe 35 PID 2796 wrote to memory of 2588 2796 Pkifgpeh.exe 35 PID 2796 wrote to memory of 2588 2796 Pkifgpeh.exe 35 PID 2796 wrote to memory of 2588 2796 Pkifgpeh.exe 35 PID 2588 wrote to memory of 2724 2588 Pgogla32.exe 36 PID 2588 wrote to memory of 2724 2588 Pgogla32.exe 36 PID 2588 wrote to memory of 2724 2588 Pgogla32.exe 36 PID 2588 wrote to memory of 2724 2588 Pgogla32.exe 36 PID 2724 wrote to memory of 2412 2724 Pkmobp32.exe 37 PID 2724 wrote to memory of 2412 2724 Pkmobp32.exe 37 PID 2724 wrote to memory of 2412 2724 Pkmobp32.exe 37 PID 2724 wrote to memory of 2412 2724 Pkmobp32.exe 37 PID 2412 wrote to memory of 2336 2412 Pkplgoop.exe 38 PID 2412 wrote to memory of 2336 2412 Pkplgoop.exe 38 PID 2412 wrote to memory of 2336 2412 Pkplgoop.exe 38 PID 2412 wrote to memory of 2336 2412 Pkplgoop.exe 38 PID 2336 wrote to memory of 3008 2336 Qckalamk.exe 39 PID 2336 wrote to memory of 3008 2336 Qckalamk.exe 39 PID 2336 wrote to memory of 3008 2336 Qckalamk.exe 39 PID 2336 wrote to memory of 3008 2336 Qckalamk.exe 39 PID 3008 wrote to memory of 2800 3008 Qqoaefke.exe 40 PID 3008 wrote to memory of 2800 3008 Qqoaefke.exe 40 PID 3008 wrote to memory of 2800 3008 Qqoaefke.exe 40 PID 3008 wrote to memory of 2800 3008 Qqoaefke.exe 40 PID 2800 wrote to memory of 2568 2800 Aqanke32.exe 41 PID 2800 wrote to memory of 2568 2800 Aqanke32.exe 41 PID 2800 wrote to memory of 2568 2800 Aqanke32.exe 41 PID 2800 wrote to memory of 2568 2800 Aqanke32.exe 41 PID 2568 wrote to memory of 1124 2568 Akkokc32.exe 42 PID 2568 wrote to memory of 1124 2568 Akkokc32.exe 42 PID 2568 wrote to memory of 1124 2568 Akkokc32.exe 42 PID 2568 wrote to memory of 1124 2568 Akkokc32.exe 42 PID 1124 wrote to memory of 1404 1124 Aoihaa32.exe 43 PID 1124 wrote to memory of 1404 1124 Aoihaa32.exe 43 PID 1124 wrote to memory of 1404 1124 Aoihaa32.exe 43 PID 1124 wrote to memory of 1404 1124 Aoihaa32.exe 43 PID 1404 wrote to memory of 1956 1404 Akphfbbl.exe 44 PID 1404 wrote to memory of 1956 1404 Akphfbbl.exe 44 PID 1404 wrote to memory of 1956 1404 Akphfbbl.exe 44 PID 1404 wrote to memory of 1956 1404 Akphfbbl.exe 44 PID 1956 wrote to memory of 2116 1956 Bgkbfcck.exe 45 PID 1956 wrote to memory of 2116 1956 Bgkbfcck.exe 45 PID 1956 wrote to memory of 2116 1956 Bgkbfcck.exe 45 PID 1956 wrote to memory of 2116 1956 Bgkbfcck.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\c12f31260c5b6572dc4db8bec0282afaa120b4b384df02cc79b4cdf759fdd146.exe"C:\Users\Admin\AppData\Local\Temp\c12f31260c5b6572dc4db8bec0282afaa120b4b384df02cc79b4cdf759fdd146.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2820 -
C:\Windows\SysWOW64\Oomlfpdi.exeC:\Windows\system32\Oomlfpdi.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3000 -
C:\Windows\SysWOW64\Oheppe32.exeC:\Windows\system32\Oheppe32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2964 -
C:\Windows\SysWOW64\Panehkaj.exeC:\Windows\system32\Panehkaj.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2328 -
C:\Windows\SysWOW64\Pcmabnhm.exeC:\Windows\system32\Pcmabnhm.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2768 -
C:\Windows\SysWOW64\Pkifgpeh.exeC:\Windows\system32\Pkifgpeh.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2796 -
C:\Windows\SysWOW64\Pgogla32.exeC:\Windows\system32\Pgogla32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2588 -
C:\Windows\SysWOW64\Pkmobp32.exeC:\Windows\system32\Pkmobp32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2724 -
C:\Windows\SysWOW64\Pkplgoop.exeC:\Windows\system32\Pkplgoop.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2412 -
C:\Windows\SysWOW64\Qckalamk.exeC:\Windows\system32\Qckalamk.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2336 -
C:\Windows\SysWOW64\Qqoaefke.exeC:\Windows\system32\Qqoaefke.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3008 -
C:\Windows\SysWOW64\Aqanke32.exeC:\Windows\system32\Aqanke32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2800 -
C:\Windows\SysWOW64\Akkokc32.exeC:\Windows\system32\Akkokc32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2568 -
C:\Windows\SysWOW64\Aoihaa32.exeC:\Windows\system32\Aoihaa32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1124 -
C:\Windows\SysWOW64\Akphfbbl.exeC:\Windows\system32\Akphfbbl.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1404 -
C:\Windows\SysWOW64\Bgkbfcck.exeC:\Windows\system32\Bgkbfcck.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1956 -
C:\Windows\SysWOW64\Bcackdio.exeC:\Windows\system32\Bcackdio.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2116 -
C:\Windows\SysWOW64\Bfblmofp.exeC:\Windows\system32\Bfblmofp.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:620 -
C:\Windows\SysWOW64\Biceoj32.exeC:\Windows\system32\Biceoj32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1520 -
C:\Windows\SysWOW64\Chhbpfhi.exeC:\Windows\system32\Chhbpfhi.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2388 -
C:\Windows\SysWOW64\Cdapjglj.exeC:\Windows\system32\Cdapjglj.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2232 -
C:\Windows\SysWOW64\Coiqmp32.exeC:\Windows\system32\Coiqmp32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:948 -
C:\Windows\SysWOW64\Dmomnlne.exeC:\Windows\system32\Dmomnlne.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2324 -
C:\Windows\SysWOW64\Dggbgadf.exeC:\Windows\system32\Dggbgadf.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2208 -
C:\Windows\SysWOW64\Ddkbqfcp.exeC:\Windows\system32\Ddkbqfcp.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2664 -
C:\Windows\SysWOW64\Dcpoab32.exeC:\Windows\system32\Dcpoab32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2272 -
C:\Windows\SysWOW64\Dcblgbfe.exeC:\Windows\system32\Dcblgbfe.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2992 -
C:\Windows\SysWOW64\Eagiho32.exeC:\Windows\system32\Eagiho32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2160 -
C:\Windows\SysWOW64\Eajennij.exeC:\Windows\system32\Eajennij.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2212 -
C:\Windows\SysWOW64\Eehndm32.exeC:\Windows\system32\Eehndm32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2960 -
C:\Windows\SysWOW64\Encchoml.exeC:\Windows\system32\Encchoml.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1576 -
C:\Windows\SysWOW64\Enepnoji.exeC:\Windows\system32\Enepnoji.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3028 -
C:\Windows\SysWOW64\Fnhlcn32.exeC:\Windows\system32\Fnhlcn32.exe33⤵
- Executes dropped EXE
PID:2940 -
C:\Windows\SysWOW64\Fqheei32.exeC:\Windows\system32\Fqheei32.exe34⤵
- Executes dropped EXE
PID:2792 -
C:\Windows\SysWOW64\Fonbff32.exeC:\Windows\system32\Fonbff32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1096 -
C:\Windows\SysWOW64\Fihcdkom.exeC:\Windows\system32\Fihcdkom.exe36⤵
- Executes dropped EXE
PID:2452 -
C:\Windows\SysWOW64\Gbcecpck.exeC:\Windows\system32\Gbcecpck.exe37⤵
- Executes dropped EXE
PID:2528 -
C:\Windows\SysWOW64\Ggbjag32.exeC:\Windows\system32\Ggbjag32.exe38⤵
- Executes dropped EXE
PID:1064 -
C:\Windows\SysWOW64\Gfggbcdg.exeC:\Windows\system32\Gfggbcdg.exe39⤵
- Executes dropped EXE
PID:2000 -
C:\Windows\SysWOW64\Gfjcgc32.exeC:\Windows\system32\Gfjcgc32.exe40⤵
- Executes dropped EXE
PID:2052 -
C:\Windows\SysWOW64\Hpinagbm.exeC:\Windows\system32\Hpinagbm.exe41⤵
- Executes dropped EXE
PID:2668 -
C:\Windows\SysWOW64\Hlpofh32.exeC:\Windows\system32\Hlpofh32.exe42⤵
- Executes dropped EXE
PID:1248 -
C:\Windows\SysWOW64\Ilblkh32.exeC:\Windows\system32\Ilblkh32.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2364 -
C:\Windows\SysWOW64\Iekpdn32.exeC:\Windows\system32\Iekpdn32.exe44⤵
- Executes dropped EXE
PID:2200 -
C:\Windows\SysWOW64\Imfeip32.exeC:\Windows\system32\Imfeip32.exe45⤵
- Executes dropped EXE
PID:1400 -
C:\Windows\SysWOW64\Ijjebd32.exeC:\Windows\system32\Ijjebd32.exe46⤵
- Executes dropped EXE
PID:2624 -
C:\Windows\SysWOW64\Ibejfffo.exeC:\Windows\system32\Ibejfffo.exe47⤵
- Modifies registry class
PID:2572 -
C:\Windows\SysWOW64\Ilmool32.exeC:\Windows\system32\Ilmool32.exe48⤵
- Executes dropped EXE
PID:2848 -
C:\Windows\SysWOW64\Iiaoip32.exeC:\Windows\system32\Iiaoip32.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1692 -
C:\Windows\SysWOW64\Jehpna32.exeC:\Windows\system32\Jehpna32.exe50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1148 -
C:\Windows\SysWOW64\Jlbhjkij.exeC:\Windows\system32\Jlbhjkij.exe51⤵
- Executes dropped EXE
PID:864 -
C:\Windows\SysWOW64\Jlddpkgh.exeC:\Windows\system32\Jlddpkgh.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:2784 -
C:\Windows\SysWOW64\Jcnmme32.exeC:\Windows\system32\Jcnmme32.exe53⤵
- Executes dropped EXE
PID:1436 -
C:\Windows\SysWOW64\Jhkeelml.exeC:\Windows\system32\Jhkeelml.exe54⤵
- Executes dropped EXE
PID:1868 -
C:\Windows\SysWOW64\Jeofnpke.exeC:\Windows\system32\Jeofnpke.exe55⤵
- Executes dropped EXE
PID:1648 -
C:\Windows\SysWOW64\Jogjgf32.exeC:\Windows\system32\Jogjgf32.exe56⤵
- Executes dropped EXE
PID:2420 -
C:\Windows\SysWOW64\Kjakhcne.exeC:\Windows\system32\Kjakhcne.exe57⤵
- Executes dropped EXE
PID:1640 -
C:\Windows\SysWOW64\Kjchmclb.exeC:\Windows\system32\Kjchmclb.exe58⤵
- Executes dropped EXE
PID:2780 -
C:\Windows\SysWOW64\Klbdiokf.exeC:\Windows\system32\Klbdiokf.exe59⤵
- Executes dropped EXE
PID:2280 -
C:\Windows\SysWOW64\Kfjibdbf.exeC:\Windows\system32\Kfjibdbf.exe60⤵
- Executes dropped EXE
PID:2428 -
C:\Windows\SysWOW64\Kobmkj32.exeC:\Windows\system32\Kobmkj32.exe61⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1040 -
C:\Windows\SysWOW64\Kpbiempj.exeC:\Windows\system32\Kpbiempj.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1892 -
C:\Windows\SysWOW64\Khmnio32.exeC:\Windows\system32\Khmnio32.exe63⤵
- Executes dropped EXE
PID:2808 -
C:\Windows\SysWOW64\Lddoopbi.exeC:\Windows\system32\Lddoopbi.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:800 -
C:\Windows\SysWOW64\Lhbhdnio.exeC:\Windows\system32\Lhbhdnio.exe65⤵
- Executes dropped EXE
PID:1708 -
C:\Windows\SysWOW64\Lqmliqfj.exeC:\Windows\system32\Lqmliqfj.exe66⤵
- Executes dropped EXE
PID:2124 -
C:\Windows\SysWOW64\Ldkeoo32.exeC:\Windows\system32\Ldkeoo32.exe67⤵PID:2896
-
C:\Windows\SysWOW64\Lmfjcajl.exeC:\Windows\system32\Lmfjcajl.exe68⤵PID:2356
-
C:\Windows\SysWOW64\Lfonlg32.exeC:\Windows\system32\Lfonlg32.exe69⤵PID:2552
-
C:\Windows\SysWOW64\Mcbofk32.exeC:\Windows\system32\Mcbofk32.exe70⤵PID:2564
-
C:\Windows\SysWOW64\Mmkcoq32.exeC:\Windows\system32\Mmkcoq32.exe71⤵PID:2644
-
C:\Windows\SysWOW64\Mibdcakk.exeC:\Windows\system32\Mibdcakk.exe72⤵PID:2980
-
C:\Windows\SysWOW64\Meidib32.exeC:\Windows\system32\Meidib32.exe73⤵PID:2772
-
C:\Windows\SysWOW64\Mbmebgpi.exeC:\Windows\system32\Mbmebgpi.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2300 -
C:\Windows\SysWOW64\Mbobgfnf.exeC:\Windows\system32\Mbobgfnf.exe75⤵PID:3044
-
C:\Windows\SysWOW64\Nlgfqldf.exeC:\Windows\system32\Nlgfqldf.exe76⤵PID:2524
-
C:\Windows\SysWOW64\Ncbkenba.exeC:\Windows\system32\Ncbkenba.exe77⤵
- Modifies registry class
PID:584 -
C:\Windows\SysWOW64\Nafknbqk.exeC:\Windows\system32\Nafknbqk.exe78⤵PID:3056
-
C:\Windows\SysWOW64\Nnjlhg32.exeC:\Windows\system32\Nnjlhg32.exe79⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1620 -
C:\Windows\SysWOW64\Njammhei.exeC:\Windows\system32\Njammhei.exe80⤵PID:2152
-
C:\Windows\SysWOW64\Nakeib32.exeC:\Windows\system32\Nakeib32.exe81⤵
- System Location Discovery: System Language Discovery
PID:2436 -
C:\Windows\SysWOW64\Nmbenc32.exeC:\Windows\system32\Nmbenc32.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2348 -
C:\Windows\SysWOW64\Oemjbe32.exeC:\Windows\system32\Oemjbe32.exe83⤵
- System Location Discovery: System Language Discovery
PID:548 -
C:\Windows\SysWOW64\Opbopn32.exeC:\Windows\system32\Opbopn32.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2276 -
C:\Windows\SysWOW64\Oohlaj32.exeC:\Windows\system32\Oohlaj32.exe85⤵PID:756
-
C:\Windows\SysWOW64\Ohppjpkc.exeC:\Windows\system32\Ohppjpkc.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:940 -
C:\Windows\SysWOW64\Olnipn32.exeC:\Windows\system32\Olnipn32.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2948 -
C:\Windows\SysWOW64\Pgopak32.exeC:\Windows\system32\Pgopak32.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2340 -
C:\Windows\SysWOW64\Pjpicfdb.exeC:\Windows\system32\Pjpicfdb.exe89⤵PID:976
-
C:\Windows\SysWOW64\Qlpadaac.exeC:\Windows\system32\Qlpadaac.exe90⤵PID:1972
-
C:\Windows\SysWOW64\Qfifmghc.exeC:\Windows\system32\Qfifmghc.exe91⤵
- Drops file in System32 directory
PID:788 -
C:\Windows\SysWOW64\Qkeofnfk.exeC:\Windows\system32\Qkeofnfk.exe92⤵PID:1168
-
C:\Windows\SysWOW64\Abachg32.exeC:\Windows\system32\Abachg32.exe93⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2636 -
C:\Windows\SysWOW64\Akjham32.exeC:\Windows\system32\Akjham32.exe94⤵
- Modifies registry class
PID:2432 -
C:\Windows\SysWOW64\Adbmjbif.exeC:\Windows\system32\Adbmjbif.exe95⤵
- Modifies registry class
PID:108 -
C:\Windows\SysWOW64\Agcekn32.exeC:\Windows\system32\Agcekn32.exe96⤵
- System Location Discovery: System Language Discovery
PID:1136 -
C:\Windows\SysWOW64\Anmnhhmd.exeC:\Windows\system32\Anmnhhmd.exe97⤵PID:892
-
C:\Windows\SysWOW64\Bigohejb.exeC:\Windows\system32\Bigohejb.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2156 -
C:\Windows\SysWOW64\Bbocak32.exeC:\Windows\system32\Bbocak32.exe99⤵PID:1624
-
C:\Windows\SysWOW64\Bkghjq32.exeC:\Windows\system32\Bkghjq32.exe100⤵PID:908
-
C:\Windows\SysWOW64\Bfphmi32.exeC:\Windows\system32\Bfphmi32.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2736 -
C:\Windows\SysWOW64\Bklaepbn.exeC:\Windows\system32\Bklaepbn.exe102⤵
- Modifies registry class
PID:1748 -
C:\Windows\SysWOW64\Bjanfl32.exeC:\Windows\system32\Bjanfl32.exe103⤵
- System Location Discovery: System Language Discovery
PID:1816 -
C:\Windows\SysWOW64\Cgeopqfp.exeC:\Windows\system32\Cgeopqfp.exe104⤵
- System Location Discovery: System Language Discovery
PID:2484 -
C:\Windows\SysWOW64\Cancif32.exeC:\Windows\system32\Cancif32.exe105⤵PID:1348
-
C:\Windows\SysWOW64\Cnacbj32.exeC:\Windows\system32\Cnacbj32.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1700 -
C:\Windows\SysWOW64\Cgjhkpbj.exeC:\Windows\system32\Cgjhkpbj.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1568 -
C:\Windows\SysWOW64\Cabldeik.exeC:\Windows\system32\Cabldeik.exe108⤵PID:1496
-
C:\Windows\SysWOW64\Cjkamk32.exeC:\Windows\system32\Cjkamk32.exe109⤵
- Drops file in System32 directory
PID:2136 -
C:\Windows\SysWOW64\Cfaaalep.exeC:\Windows\system32\Cfaaalep.exe110⤵PID:2640
-
C:\Windows\SysWOW64\Dpjfjalp.exeC:\Windows\system32\Dpjfjalp.exe111⤵PID:612
-
C:\Windows\SysWOW64\Degobhjg.exeC:\Windows\system32\Degobhjg.exe112⤵
- Drops file in System32 directory
- Modifies registry class
PID:1464 -
C:\Windows\SysWOW64\Doocln32.exeC:\Windows\system32\Doocln32.exe113⤵
- Modifies registry class
PID:1672 -
C:\Windows\SysWOW64\Dkfcqo32.exeC:\Windows\system32\Dkfcqo32.exe114⤵PID:1396
-
C:\Windows\SysWOW64\Dbmlal32.exeC:\Windows\system32\Dbmlal32.exe115⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:676 -
C:\Windows\SysWOW64\Dlepjbmo.exeC:\Windows\system32\Dlepjbmo.exe116⤵PID:3052
-
C:\Windows\SysWOW64\Dhlapc32.exeC:\Windows\system32\Dhlapc32.exe117⤵PID:2296
-
C:\Windows\SysWOW64\Dmiihjak.exeC:\Windows\system32\Dmiihjak.exe118⤵PID:1312
-
C:\Windows\SysWOW64\Eganqo32.exeC:\Windows\system32\Eganqo32.exe119⤵PID:1680
-
C:\Windows\SysWOW64\Echoepmo.exeC:\Windows\system32\Echoepmo.exe120⤵
- System Location Discovery: System Language Discovery
PID:580 -
C:\Windows\SysWOW64\Eplood32.exeC:\Windows\system32\Eplood32.exe121⤵PID:2712
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-