Analysis
-
max time kernel
120s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
07-12-2024 20:50
Behavioral task
behavioral1
Sample
2847dea1ae88464e3cfa34fa2d612d58ea05e5d8d0b2b74b323944b6be405431.exe
Resource
win7-20240729-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral2
Sample
2847dea1ae88464e3cfa34fa2d612d58ea05e5d8d0b2b74b323944b6be405431.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
2847dea1ae88464e3cfa34fa2d612d58ea05e5d8d0b2b74b323944b6be405431.exe
-
Size
112KB
-
MD5
eadc8ef151ac182f4e960390bb7506d5
-
SHA1
7c7c3e5ac867faa3938c94a39aefdee8dac6ec2b
-
SHA256
2847dea1ae88464e3cfa34fa2d612d58ea05e5d8d0b2b74b323944b6be405431
-
SHA512
5b8d2dcc75adbd09509ad9995d34f1f7c5b4ebca449d3d76d12087675bf5ac98af48a361a117f2cd450bee45b6a5ff7dd6b4cc5e19647287dfaa542d57ee3d1b
-
SSDEEP
3072:DfYb6g4YJuW3ff3SUgKX3rDrLXfzoeqarm9mTE:DU6g4A/3h3/XfxqySSE
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmpaom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ieibdnnp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmkihbho.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpieengb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blkjkflb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejaphpnp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Legaoehg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ngbmlo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eafkhn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gaagcpdl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hffibceh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jfcabd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jhdegn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klfjpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fpbnjjkm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmhkin32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lghgmg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lifcib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lofifi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mblbnj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkbdabog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ojglhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jpmmfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kdkelolf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cnejim32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ciokijfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hifbdnbi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icifjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jpjifjdg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkkmgncb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qkielpdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eafkhn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibcphc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jefbnacn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Blkjkflb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cfehhn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gkebafoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lifcib32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bcpimq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfcodkcb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jggoqimd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jggoqimd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qdompf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnlgbnbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gcjmmdbf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnagmc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlqjkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Koaclfgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Koflgf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfebnmcj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghdiokbq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fahhnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ppddpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ejaphpnp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhpgfeao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eknpadcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" 2847dea1ae88464e3cfa34fa2d612d58ea05e5d8d0b2b74b323944b6be405431.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mqjefamk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kadica32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cidddj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Flnlkgjq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jplfkjbd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opialpld.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blinefnd.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2788 Jokqnhpa.exe 2532 Jmnqje32.exe 2624 Jpmmfp32.exe 2528 Jhdegn32.exe 3024 Kdkelolf.exe 576 Kigndekn.exe 2612 Klfjpa32.exe 2412 Kmegjdad.exe 1984 Kpdcfoph.exe 1856 Kilgoe32.exe 2584 Kljdkpfl.exe 1500 Klmqapci.exe 2312 Keeeje32.exe 2116 Ldheebad.exe 2236 Lnqjnhge.exe 2360 Legaoehg.exe 940 Lgingm32.exe 3008 Lncfcgeb.exe 920 Lhhkapeh.exe 1468 Lkggmldl.exe 2024 Lnecigcp.exe 2152 Lgngbmjp.exe 2428 Ljldnhid.exe 3004 Lgpdglhn.exe 1564 Lfbdci32.exe 2672 Llmmpcfe.exe 2552 Mgbaml32.exe 3020 Mqjefamk.exe 2980 Mblbnj32.exe 1048 Mlafkb32.exe 2836 Mdmkoepk.exe 2084 Mhjcec32.exe 768 Modlbmmn.exe 2344 Ngpqfp32.exe 264 Nkkmgncb.exe 988 Ngbmlo32.exe 2508 Ncinap32.exe 1904 Nmabjfek.exe 2396 Nppofado.exe 2352 Nqokpd32.exe 344 Nbpghl32.exe 2044 Njgpij32.exe 2184 Nmflee32.exe 1640 Oimmjffj.exe 1844 Opfegp32.exe 3000 Oniebmda.exe 1612 Oecmogln.exe 2420 Oioipf32.exe 1512 Opialpld.exe 2540 Obgnhkkh.exe 2600 Oefjdgjk.exe 2808 Ohdfqbio.exe 2956 Onnnml32.exe 1932 Oehgjfhi.exe 2732 Odkgec32.exe 2328 Olbogqoe.exe 1976 Omckoi32.exe 1200 Oejcpf32.exe 2440 Ohipla32.exe 1152 Ojglhm32.exe 2772 Pmehdh32.exe 2120 Ppddpd32.exe 2452 Phklaacg.exe 2280 Pjihmmbk.exe -
Loads dropped DLL 64 IoCs
pid Process 2748 2847dea1ae88464e3cfa34fa2d612d58ea05e5d8d0b2b74b323944b6be405431.exe 2748 2847dea1ae88464e3cfa34fa2d612d58ea05e5d8d0b2b74b323944b6be405431.exe 2788 Jokqnhpa.exe 2788 Jokqnhpa.exe 2532 Jmnqje32.exe 2532 Jmnqje32.exe 2624 Jpmmfp32.exe 2624 Jpmmfp32.exe 2528 Jhdegn32.exe 2528 Jhdegn32.exe 3024 Kdkelolf.exe 3024 Kdkelolf.exe 576 Kigndekn.exe 576 Kigndekn.exe 2612 Klfjpa32.exe 2612 Klfjpa32.exe 2412 Kmegjdad.exe 2412 Kmegjdad.exe 1984 Kpdcfoph.exe 1984 Kpdcfoph.exe 1856 Kilgoe32.exe 1856 Kilgoe32.exe 2584 Kljdkpfl.exe 2584 Kljdkpfl.exe 1500 Klmqapci.exe 1500 Klmqapci.exe 2312 Keeeje32.exe 2312 Keeeje32.exe 2116 Ldheebad.exe 2116 Ldheebad.exe 2236 Lnqjnhge.exe 2236 Lnqjnhge.exe 2360 Legaoehg.exe 2360 Legaoehg.exe 940 Lgingm32.exe 940 Lgingm32.exe 3008 Lncfcgeb.exe 3008 Lncfcgeb.exe 920 Lhhkapeh.exe 920 Lhhkapeh.exe 1468 Lkggmldl.exe 1468 Lkggmldl.exe 2024 Lnecigcp.exe 2024 Lnecigcp.exe 2152 Lgngbmjp.exe 2152 Lgngbmjp.exe 2428 Ljldnhid.exe 2428 Ljldnhid.exe 3004 Lgpdglhn.exe 3004 Lgpdglhn.exe 1564 Lfbdci32.exe 1564 Lfbdci32.exe 2672 Llmmpcfe.exe 2672 Llmmpcfe.exe 2552 Mgbaml32.exe 2552 Mgbaml32.exe 3020 Mqjefamk.exe 3020 Mqjefamk.exe 2980 Mblbnj32.exe 2980 Mblbnj32.exe 1048 Mlafkb32.exe 1048 Mlafkb32.exe 2836 Mdmkoepk.exe 2836 Mdmkoepk.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Pmhejhao.exe Pjihmmbk.exe File created C:\Windows\SysWOW64\Addfkeid.exe Aaejojjq.exe File opened for modification C:\Windows\SysWOW64\Djlfma32.exe Dcbnpgkh.exe File created C:\Windows\SysWOW64\Pkbnjifp.dll Gdnfjl32.exe File opened for modification C:\Windows\SysWOW64\Hffibceh.exe Hcgmfgfd.exe File created C:\Windows\SysWOW64\Jcqlkjae.exe Jpepkk32.exe File created C:\Windows\SysWOW64\Kambcbhb.exe Jplfkjbd.exe File created C:\Windows\SysWOW64\Hlhjdd32.dll Oefjdgjk.exe File created C:\Windows\SysWOW64\Eghoka32.dll Kdphjm32.exe File created C:\Windows\SysWOW64\Ecdbje32.dll Addfkeid.exe File created C:\Windows\SysWOW64\Dpnladjl.exe Cidddj32.exe File opened for modification C:\Windows\SysWOW64\Dgiaefgg.exe Difqji32.exe File opened for modification C:\Windows\SysWOW64\Jlnmel32.exe Jfaeme32.exe File opened for modification C:\Windows\SysWOW64\Koflgf32.exe Khldkllj.exe File created C:\Windows\SysWOW64\Lgfikc32.dll Liipnb32.exe File opened for modification C:\Windows\SysWOW64\Qaapcj32.exe Qbnphngk.exe File created C:\Windows\SysWOW64\Kfeaomqq.dll Gcjmmdbf.exe File opened for modification C:\Windows\SysWOW64\Gekfnoog.exe Gkebafoa.exe File opened for modification C:\Windows\SysWOW64\Kidjdpie.exe Kambcbhb.exe File created C:\Windows\SysWOW64\Kjeglh32.exe Kidjdpie.exe File created C:\Windows\SysWOW64\Kmkihbho.exe Kkmmlgik.exe File created C:\Windows\SysWOW64\Aklabp32.exe Aeoijidl.exe File opened for modification C:\Windows\SysWOW64\Nkkmgncb.exe Ngpqfp32.exe File created C:\Windows\SysWOW64\Aodcbn32.dll Nkkmgncb.exe File created C:\Windows\SysWOW64\Ncinap32.exe Ngbmlo32.exe File created C:\Windows\SysWOW64\Hcepqh32.exe Hdbpekam.exe File opened for modification C:\Windows\SysWOW64\Ibacbcgg.exe Hmdkjmip.exe File created C:\Windows\SysWOW64\Biklma32.dll Jefbnacn.exe File opened for modification C:\Windows\SysWOW64\Khldkllj.exe Kdphjm32.exe File opened for modification C:\Windows\SysWOW64\Kljdkpfl.exe Kilgoe32.exe File opened for modification C:\Windows\SysWOW64\Aclpaali.exe Alageg32.exe File created C:\Windows\SysWOW64\Bhdhefpc.exe Bnochnpm.exe File created C:\Windows\SysWOW64\Eikfdl32.exe Efljhq32.exe File opened for modification C:\Windows\SysWOW64\Gefmcp32.exe Goldfelp.exe File opened for modification C:\Windows\SysWOW64\Gdkjdl32.exe Gcjmmdbf.exe File created C:\Windows\SysWOW64\Kgcnahoo.exe Kpieengb.exe File opened for modification C:\Windows\SysWOW64\Llmmpcfe.exe Lfbdci32.exe File created C:\Windows\SysWOW64\Ckeqga32.exe Ccnifd32.exe File opened for modification C:\Windows\SysWOW64\Cfanmogq.exe Ccbbachm.exe File created C:\Windows\SysWOW64\Mcbniafn.dll Lifcib32.exe File created C:\Windows\SysWOW64\Mehoblpm.dll Qdompf32.exe File created C:\Windows\SysWOW64\Afliclij.exe Apppkekc.exe File created C:\Windows\SysWOW64\Fghiml32.dll Djjjga32.exe File created C:\Windows\SysWOW64\Agpqch32.dll Llepen32.exe File opened for modification C:\Windows\SysWOW64\Klmqapci.exe Kljdkpfl.exe File created C:\Windows\SysWOW64\Pmehdh32.exe Ojglhm32.exe File opened for modification C:\Windows\SysWOW64\Qldhkc32.exe Qiflohqk.exe File opened for modification C:\Windows\SysWOW64\Cbgobp32.exe Coicfd32.exe File opened for modification C:\Windows\SysWOW64\Glnhjjml.exe Gpggei32.exe File created C:\Windows\SysWOW64\Pbkboega.dll Kjeglh32.exe File opened for modification C:\Windows\SysWOW64\Lifcib32.exe Lghgmg32.exe File created C:\Windows\SysWOW64\Ldheebad.exe Keeeje32.exe File opened for modification C:\Windows\SysWOW64\Hcepqh32.exe Hdbpekam.exe File created C:\Windows\SysWOW64\Lbfchlee.dll Ibcphc32.exe File created C:\Windows\SysWOW64\Onpeobjf.dll Khnapkjg.exe File created C:\Windows\SysWOW64\Coicfd32.exe Ciokijfd.exe File created C:\Windows\SysWOW64\Hffpebmm.dll Aklabp32.exe File created C:\Windows\SysWOW64\Iacoff32.dll Gkebafoa.exe File created C:\Windows\SysWOW64\Mqjefamk.exe Mgbaml32.exe File created C:\Windows\SysWOW64\Pnalcc32.dll Hffibceh.exe File created C:\Windows\SysWOW64\Ibacbcgg.exe Hmdkjmip.exe File created C:\Windows\SysWOW64\Dcoaml32.dll Aclpaali.exe File opened for modification C:\Windows\SysWOW64\Ngbmlo32.exe Nkkmgncb.exe File opened for modification C:\Windows\SysWOW64\Colpld32.exe Cbgobp32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3756 3648 WerFault.exe 293 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfebnmcj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdkjdl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gekfnoog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nqokpd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Peefcjlg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boemlbpk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkpglbaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eikfdl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmdkjmip.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opialpld.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohdfqbio.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpklkgoj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Goldfelp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcjilgdb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Injqmdki.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imbjcpnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Laahme32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajckilei.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhdhefpc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghdiokbq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkebafoa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iebldo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlnmel32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kambcbhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpnopm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qldhkc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhpgfeao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llpfjomf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Liipnb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klmqapci.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hffibceh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anadojlo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnochnpm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Coicfd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlafkb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aaejojjq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eoebgcol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Keeeje32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dahkok32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fppaej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpieengb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olbogqoe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blfapfpg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfabnl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Difqji32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djocbqpb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjeglh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jokqnhpa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpdcfoph.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blkjkflb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpbcek32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmpcca32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lofifi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkcekfad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaagcpdl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igqhpj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lifcib32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phfoee32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckeqga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Paocnkph.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dihmpinj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjihmmbk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppfafcpb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djjjga32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opilhdhd.dll" Phfoee32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bnlgbnbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdjiflem.dll" Djlfma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kigndekn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aknngo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kambcbhb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oefjdgjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nehhoand.dll" Ohdfqbio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dhpgfeao.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ejcmmp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eikfdl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hmmdin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jpjifjdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ljldnhid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnebcjoe.dll" Pfebnmcj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Blfapfpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfggnkoj.dll" Fooembgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ldgnklmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oopqjabc.dll" Llgljn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aejlnmkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chfkee32.dll" Afliclij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojgfoglc.dll" Cnejim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohpjoahj.dll" Coicfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jagcgk32.dll" Mblbnj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nmabjfek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lepiko32.dll" Dhpgfeao.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gekfnoog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Llgljn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lpnopm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kdkelolf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmpppdfa.dll" Klmqapci.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Phklaacg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pjihmmbk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pddjlb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ckeqga32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kidjdpie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knpbpo32.dll" Ldheebad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lfbdci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qkielpdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcoaml32.dll" Aclpaali.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfcomncc.dll" Bfabnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmkoadgf.dll" Ieponofk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lifcib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idneibad.dll" Kigndekn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lhhkapeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oehgjfhi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pmehdh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pjleclph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gicaikhj.dll" Fliook32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Apkgpf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ajckilei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omfpmb32.dll" Jnagmc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jlnmel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcbniafn.dll" Lifcib32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iaimipjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajdmngfm.dll" Jmnqje32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jhdegn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aacmij32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bkbdabog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhqnpqce.dll" Cfehhn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hmpaom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pncadjah.dll" Hifbdnbi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ldheebad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mhjcec32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2748 wrote to memory of 2788 2748 2847dea1ae88464e3cfa34fa2d612d58ea05e5d8d0b2b74b323944b6be405431.exe 31 PID 2748 wrote to memory of 2788 2748 2847dea1ae88464e3cfa34fa2d612d58ea05e5d8d0b2b74b323944b6be405431.exe 31 PID 2748 wrote to memory of 2788 2748 2847dea1ae88464e3cfa34fa2d612d58ea05e5d8d0b2b74b323944b6be405431.exe 31 PID 2748 wrote to memory of 2788 2748 2847dea1ae88464e3cfa34fa2d612d58ea05e5d8d0b2b74b323944b6be405431.exe 31 PID 2788 wrote to memory of 2532 2788 Jokqnhpa.exe 32 PID 2788 wrote to memory of 2532 2788 Jokqnhpa.exe 32 PID 2788 wrote to memory of 2532 2788 Jokqnhpa.exe 32 PID 2788 wrote to memory of 2532 2788 Jokqnhpa.exe 32 PID 2532 wrote to memory of 2624 2532 Jmnqje32.exe 33 PID 2532 wrote to memory of 2624 2532 Jmnqje32.exe 33 PID 2532 wrote to memory of 2624 2532 Jmnqje32.exe 33 PID 2532 wrote to memory of 2624 2532 Jmnqje32.exe 33 PID 2624 wrote to memory of 2528 2624 Jpmmfp32.exe 34 PID 2624 wrote to memory of 2528 2624 Jpmmfp32.exe 34 PID 2624 wrote to memory of 2528 2624 Jpmmfp32.exe 34 PID 2624 wrote to memory of 2528 2624 Jpmmfp32.exe 34 PID 2528 wrote to memory of 3024 2528 Jhdegn32.exe 35 PID 2528 wrote to memory of 3024 2528 Jhdegn32.exe 35 PID 2528 wrote to memory of 3024 2528 Jhdegn32.exe 35 PID 2528 wrote to memory of 3024 2528 Jhdegn32.exe 35 PID 3024 wrote to memory of 576 3024 Kdkelolf.exe 36 PID 3024 wrote to memory of 576 3024 Kdkelolf.exe 36 PID 3024 wrote to memory of 576 3024 Kdkelolf.exe 36 PID 3024 wrote to memory of 576 3024 Kdkelolf.exe 36 PID 576 wrote to memory of 2612 576 Kigndekn.exe 37 PID 576 wrote to memory of 2612 576 Kigndekn.exe 37 PID 576 wrote to memory of 2612 576 Kigndekn.exe 37 PID 576 wrote to memory of 2612 576 Kigndekn.exe 37 PID 2612 wrote to memory of 2412 2612 Klfjpa32.exe 38 PID 2612 wrote to memory of 2412 2612 Klfjpa32.exe 38 PID 2612 wrote to memory of 2412 2612 Klfjpa32.exe 38 PID 2612 wrote to memory of 2412 2612 Klfjpa32.exe 38 PID 2412 wrote to memory of 1984 2412 Kmegjdad.exe 39 PID 2412 wrote to memory of 1984 2412 Kmegjdad.exe 39 PID 2412 wrote to memory of 1984 2412 Kmegjdad.exe 39 PID 2412 wrote to memory of 1984 2412 Kmegjdad.exe 39 PID 1984 wrote to memory of 1856 1984 Kpdcfoph.exe 40 PID 1984 wrote to memory of 1856 1984 Kpdcfoph.exe 40 PID 1984 wrote to memory of 1856 1984 Kpdcfoph.exe 40 PID 1984 wrote to memory of 1856 1984 Kpdcfoph.exe 40 PID 1856 wrote to memory of 2584 1856 Kilgoe32.exe 41 PID 1856 wrote to memory of 2584 1856 Kilgoe32.exe 41 PID 1856 wrote to memory of 2584 1856 Kilgoe32.exe 41 PID 1856 wrote to memory of 2584 1856 Kilgoe32.exe 41 PID 2584 wrote to memory of 1500 2584 Kljdkpfl.exe 42 PID 2584 wrote to memory of 1500 2584 Kljdkpfl.exe 42 PID 2584 wrote to memory of 1500 2584 Kljdkpfl.exe 42 PID 2584 wrote to memory of 1500 2584 Kljdkpfl.exe 42 PID 1500 wrote to memory of 2312 1500 Klmqapci.exe 43 PID 1500 wrote to memory of 2312 1500 Klmqapci.exe 43 PID 1500 wrote to memory of 2312 1500 Klmqapci.exe 43 PID 1500 wrote to memory of 2312 1500 Klmqapci.exe 43 PID 2312 wrote to memory of 2116 2312 Keeeje32.exe 44 PID 2312 wrote to memory of 2116 2312 Keeeje32.exe 44 PID 2312 wrote to memory of 2116 2312 Keeeje32.exe 44 PID 2312 wrote to memory of 2116 2312 Keeeje32.exe 44 PID 2116 wrote to memory of 2236 2116 Ldheebad.exe 45 PID 2116 wrote to memory of 2236 2116 Ldheebad.exe 45 PID 2116 wrote to memory of 2236 2116 Ldheebad.exe 45 PID 2116 wrote to memory of 2236 2116 Ldheebad.exe 45 PID 2236 wrote to memory of 2360 2236 Lnqjnhge.exe 46 PID 2236 wrote to memory of 2360 2236 Lnqjnhge.exe 46 PID 2236 wrote to memory of 2360 2236 Lnqjnhge.exe 46 PID 2236 wrote to memory of 2360 2236 Lnqjnhge.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\2847dea1ae88464e3cfa34fa2d612d58ea05e5d8d0b2b74b323944b6be405431.exe"C:\Users\Admin\AppData\Local\Temp\2847dea1ae88464e3cfa34fa2d612d58ea05e5d8d0b2b74b323944b6be405431.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\Windows\SysWOW64\Jokqnhpa.exeC:\Windows\system32\Jokqnhpa.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2788 -
C:\Windows\SysWOW64\Jmnqje32.exeC:\Windows\system32\Jmnqje32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2532 -
C:\Windows\SysWOW64\Jpmmfp32.exeC:\Windows\system32\Jpmmfp32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2624 -
C:\Windows\SysWOW64\Jhdegn32.exeC:\Windows\system32\Jhdegn32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2528 -
C:\Windows\SysWOW64\Kdkelolf.exeC:\Windows\system32\Kdkelolf.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3024 -
C:\Windows\SysWOW64\Kigndekn.exeC:\Windows\system32\Kigndekn.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:576 -
C:\Windows\SysWOW64\Klfjpa32.exeC:\Windows\system32\Klfjpa32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2612 -
C:\Windows\SysWOW64\Kmegjdad.exeC:\Windows\system32\Kmegjdad.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2412 -
C:\Windows\SysWOW64\Kpdcfoph.exeC:\Windows\system32\Kpdcfoph.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1984 -
C:\Windows\SysWOW64\Kilgoe32.exeC:\Windows\system32\Kilgoe32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1856 -
C:\Windows\SysWOW64\Kljdkpfl.exeC:\Windows\system32\Kljdkpfl.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2584 -
C:\Windows\SysWOW64\Klmqapci.exeC:\Windows\system32\Klmqapci.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1500 -
C:\Windows\SysWOW64\Keeeje32.exeC:\Windows\system32\Keeeje32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2312 -
C:\Windows\SysWOW64\Ldheebad.exeC:\Windows\system32\Ldheebad.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2116 -
C:\Windows\SysWOW64\Lnqjnhge.exeC:\Windows\system32\Lnqjnhge.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2236 -
C:\Windows\SysWOW64\Legaoehg.exeC:\Windows\system32\Legaoehg.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2360 -
C:\Windows\SysWOW64\Lgingm32.exeC:\Windows\system32\Lgingm32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:940 -
C:\Windows\SysWOW64\Lncfcgeb.exeC:\Windows\system32\Lncfcgeb.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3008 -
C:\Windows\SysWOW64\Lhhkapeh.exeC:\Windows\system32\Lhhkapeh.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:920 -
C:\Windows\SysWOW64\Lkggmldl.exeC:\Windows\system32\Lkggmldl.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1468 -
C:\Windows\SysWOW64\Lnecigcp.exeC:\Windows\system32\Lnecigcp.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2024 -
C:\Windows\SysWOW64\Lgngbmjp.exeC:\Windows\system32\Lgngbmjp.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2152 -
C:\Windows\SysWOW64\Ljldnhid.exeC:\Windows\system32\Ljldnhid.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2428 -
C:\Windows\SysWOW64\Lgpdglhn.exeC:\Windows\system32\Lgpdglhn.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3004 -
C:\Windows\SysWOW64\Lfbdci32.exeC:\Windows\system32\Lfbdci32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1564 -
C:\Windows\SysWOW64\Llmmpcfe.exeC:\Windows\system32\Llmmpcfe.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2672 -
C:\Windows\SysWOW64\Mgbaml32.exeC:\Windows\system32\Mgbaml32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2552 -
C:\Windows\SysWOW64\Mqjefamk.exeC:\Windows\system32\Mqjefamk.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:3020 -
C:\Windows\SysWOW64\Mblbnj32.exeC:\Windows\system32\Mblbnj32.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2980 -
C:\Windows\SysWOW64\Mlafkb32.exeC:\Windows\system32\Mlafkb32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1048 -
C:\Windows\SysWOW64\Mdmkoepk.exeC:\Windows\system32\Mdmkoepk.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2836 -
C:\Windows\SysWOW64\Mhjcec32.exeC:\Windows\system32\Mhjcec32.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:2084 -
C:\Windows\SysWOW64\Modlbmmn.exeC:\Windows\system32\Modlbmmn.exe34⤵
- Executes dropped EXE
PID:768 -
C:\Windows\SysWOW64\Ngpqfp32.exeC:\Windows\system32\Ngpqfp32.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2344 -
C:\Windows\SysWOW64\Nkkmgncb.exeC:\Windows\system32\Nkkmgncb.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:264 -
C:\Windows\SysWOW64\Ngbmlo32.exeC:\Windows\system32\Ngbmlo32.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:988 -
C:\Windows\SysWOW64\Ncinap32.exeC:\Windows\system32\Ncinap32.exe38⤵
- Executes dropped EXE
PID:2508 -
C:\Windows\SysWOW64\Nmabjfek.exeC:\Windows\system32\Nmabjfek.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:1904 -
C:\Windows\SysWOW64\Nppofado.exeC:\Windows\system32\Nppofado.exe40⤵
- Executes dropped EXE
PID:2396 -
C:\Windows\SysWOW64\Nqokpd32.exeC:\Windows\system32\Nqokpd32.exe41⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2352 -
C:\Windows\SysWOW64\Nbpghl32.exeC:\Windows\system32\Nbpghl32.exe42⤵
- Executes dropped EXE
PID:344 -
C:\Windows\SysWOW64\Njgpij32.exeC:\Windows\system32\Njgpij32.exe43⤵
- Executes dropped EXE
PID:2044 -
C:\Windows\SysWOW64\Nmflee32.exeC:\Windows\system32\Nmflee32.exe44⤵
- Executes dropped EXE
PID:2184 -
C:\Windows\SysWOW64\Oimmjffj.exeC:\Windows\system32\Oimmjffj.exe45⤵
- Executes dropped EXE
PID:1640 -
C:\Windows\SysWOW64\Opfegp32.exeC:\Windows\system32\Opfegp32.exe46⤵
- Executes dropped EXE
PID:1844 -
C:\Windows\SysWOW64\Oniebmda.exeC:\Windows\system32\Oniebmda.exe47⤵
- Executes dropped EXE
PID:3000 -
C:\Windows\SysWOW64\Oecmogln.exeC:\Windows\system32\Oecmogln.exe48⤵
- Executes dropped EXE
PID:1612 -
C:\Windows\SysWOW64\Oioipf32.exeC:\Windows\system32\Oioipf32.exe49⤵
- Executes dropped EXE
PID:2420 -
C:\Windows\SysWOW64\Opialpld.exeC:\Windows\system32\Opialpld.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1512 -
C:\Windows\SysWOW64\Obgnhkkh.exeC:\Windows\system32\Obgnhkkh.exe51⤵
- Executes dropped EXE
PID:2540 -
C:\Windows\SysWOW64\Oefjdgjk.exeC:\Windows\system32\Oefjdgjk.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2600 -
C:\Windows\SysWOW64\Ohdfqbio.exeC:\Windows\system32\Ohdfqbio.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2808 -
C:\Windows\SysWOW64\Onnnml32.exeC:\Windows\system32\Onnnml32.exe54⤵
- Executes dropped EXE
PID:2956 -
C:\Windows\SysWOW64\Oehgjfhi.exeC:\Windows\system32\Oehgjfhi.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:1932 -
C:\Windows\SysWOW64\Odkgec32.exeC:\Windows\system32\Odkgec32.exe56⤵
- Executes dropped EXE
PID:2732 -
C:\Windows\SysWOW64\Olbogqoe.exeC:\Windows\system32\Olbogqoe.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2328 -
C:\Windows\SysWOW64\Omckoi32.exeC:\Windows\system32\Omckoi32.exe58⤵
- Executes dropped EXE
PID:1976 -
C:\Windows\SysWOW64\Oejcpf32.exeC:\Windows\system32\Oejcpf32.exe59⤵
- Executes dropped EXE
PID:1200 -
C:\Windows\SysWOW64\Ohipla32.exeC:\Windows\system32\Ohipla32.exe60⤵
- Executes dropped EXE
PID:2440 -
C:\Windows\SysWOW64\Ojglhm32.exeC:\Windows\system32\Ojglhm32.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1152 -
C:\Windows\SysWOW64\Pmehdh32.exeC:\Windows\system32\Pmehdh32.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:2772 -
C:\Windows\SysWOW64\Ppddpd32.exeC:\Windows\system32\Ppddpd32.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2120 -
C:\Windows\SysWOW64\Phklaacg.exeC:\Windows\system32\Phklaacg.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:2452 -
C:\Windows\SysWOW64\Pjihmmbk.exeC:\Windows\system32\Pjihmmbk.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2280 -
C:\Windows\SysWOW64\Pmhejhao.exeC:\Windows\system32\Pmhejhao.exe66⤵PID:2752
-
C:\Windows\SysWOW64\Ppfafcpb.exeC:\Windows\system32\Ppfafcpb.exe67⤵
- System Location Discovery: System Language Discovery
PID:2660 -
C:\Windows\SysWOW64\Pbemboof.exeC:\Windows\system32\Pbemboof.exe68⤵PID:2556
-
C:\Windows\SysWOW64\Pjleclph.exeC:\Windows\system32\Pjleclph.exe69⤵
- Modifies registry class
PID:2304 -
C:\Windows\SysWOW64\Plmbkd32.exeC:\Windows\system32\Plmbkd32.exe70⤵PID:1768
-
C:\Windows\SysWOW64\Pddjlb32.exeC:\Windows\system32\Pddjlb32.exe71⤵
- Modifies registry class
PID:1660 -
C:\Windows\SysWOW64\Peefcjlg.exeC:\Windows\system32\Peefcjlg.exe72⤵
- System Location Discovery: System Language Discovery
PID:324 -
C:\Windows\SysWOW64\Plpopddd.exeC:\Windows\system32\Plpopddd.exe73⤵PID:532
-
C:\Windows\SysWOW64\Pfebnmcj.exeC:\Windows\system32\Pfebnmcj.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1680 -
C:\Windows\SysWOW64\Phfoee32.exeC:\Windows\system32\Phfoee32.exe75⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2000 -
C:\Windows\SysWOW64\Ppmgfb32.exeC:\Windows\system32\Ppmgfb32.exe76⤵PID:2140
-
C:\Windows\SysWOW64\Paocnkph.exeC:\Windows\system32\Paocnkph.exe77⤵
- System Location Discovery: System Language Discovery
PID:1696 -
C:\Windows\SysWOW64\Qiflohqk.exeC:\Windows\system32\Qiflohqk.exe78⤵
- Drops file in System32 directory
PID:1540 -
C:\Windows\SysWOW64\Qldhkc32.exeC:\Windows\system32\Qldhkc32.exe79⤵
- System Location Discovery: System Language Discovery
PID:1880 -
C:\Windows\SysWOW64\Qbnphngk.exeC:\Windows\system32\Qbnphngk.exe80⤵
- Drops file in System32 directory
PID:2424 -
C:\Windows\SysWOW64\Qaapcj32.exeC:\Windows\system32\Qaapcj32.exe81⤵PID:2896
-
C:\Windows\SysWOW64\Qdompf32.exeC:\Windows\system32\Qdompf32.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:872 -
C:\Windows\SysWOW64\Qkielpdf.exeC:\Windows\system32\Qkielpdf.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1628 -
C:\Windows\SysWOW64\Aacmij32.exeC:\Windows\system32\Aacmij32.exe84⤵
- Modifies registry class
PID:1852 -
C:\Windows\SysWOW64\Aeoijidl.exeC:\Windows\system32\Aeoijidl.exe85⤵
- Drops file in System32 directory
PID:2588 -
C:\Windows\SysWOW64\Aklabp32.exeC:\Windows\system32\Aklabp32.exe86⤵
- Drops file in System32 directory
PID:2812 -
C:\Windows\SysWOW64\Aaejojjq.exeC:\Windows\system32\Aaejojjq.exe87⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1928 -
C:\Windows\SysWOW64\Addfkeid.exeC:\Windows\system32\Addfkeid.exe88⤵
- Drops file in System32 directory
PID:2500 -
C:\Windows\SysWOW64\Aknngo32.exeC:\Windows\system32\Aknngo32.exe89⤵
- Modifies registry class
PID:2296 -
C:\Windows\SysWOW64\Apkgpf32.exeC:\Windows\system32\Apkgpf32.exe90⤵
- Modifies registry class
PID:1948 -
C:\Windows\SysWOW64\Acicla32.exeC:\Windows\system32\Acicla32.exe91⤵PID:860
-
C:\Windows\SysWOW64\Ajckilei.exeC:\Windows\system32\Ajckilei.exe92⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1592 -
C:\Windows\SysWOW64\Alageg32.exeC:\Windows\system32\Alageg32.exe93⤵
- Drops file in System32 directory
PID:552 -
C:\Windows\SysWOW64\Aclpaali.exeC:\Windows\system32\Aclpaali.exe94⤵
- Drops file in System32 directory
- Modifies registry class
PID:1344 -
C:\Windows\SysWOW64\Aejlnmkm.exeC:\Windows\system32\Aejlnmkm.exe95⤵
- Modifies registry class
PID:1520 -
C:\Windows\SysWOW64\Anadojlo.exeC:\Windows\system32\Anadojlo.exe96⤵
- System Location Discovery: System Language Discovery
PID:2996 -
C:\Windows\SysWOW64\Apppkekc.exeC:\Windows\system32\Apppkekc.exe97⤵
- Drops file in System32 directory
PID:2716 -
C:\Windows\SysWOW64\Afliclij.exeC:\Windows\system32\Afliclij.exe98⤵
- Modifies registry class
PID:1444 -
C:\Windows\SysWOW64\Blfapfpg.exeC:\Windows\system32\Blfapfpg.exe99⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1176 -
C:\Windows\SysWOW64\Boemlbpk.exeC:\Windows\system32\Boemlbpk.exe100⤵
- System Location Discovery: System Language Discovery
PID:1576 -
C:\Windows\SysWOW64\Bcpimq32.exeC:\Windows\system32\Bcpimq32.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2920 -
C:\Windows\SysWOW64\Bjjaikoa.exeC:\Windows\system32\Bjjaikoa.exe102⤵PID:2392
-
C:\Windows\SysWOW64\Blinefnd.exeC:\Windows\system32\Blinefnd.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1780 -
C:\Windows\SysWOW64\Bfabnl32.exeC:\Windows\system32\Bfabnl32.exe104⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:824 -
C:\Windows\SysWOW64\Blkjkflb.exeC:\Windows\system32\Blkjkflb.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1428 -
C:\Windows\SysWOW64\Bnlgbnbp.exeC:\Windows\system32\Bnlgbnbp.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2832 -
C:\Windows\SysWOW64\Bfcodkcb.exeC:\Windows\system32\Bfcodkcb.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2192 -
C:\Windows\SysWOW64\Bkpglbaj.exeC:\Windows\system32\Bkpglbaj.exe108⤵
- System Location Discovery: System Language Discovery
PID:2856 -
C:\Windows\SysWOW64\Bnochnpm.exeC:\Windows\system32\Bnochnpm.exe109⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:624 -
C:\Windows\SysWOW64\Bhdhefpc.exeC:\Windows\system32\Bhdhefpc.exe110⤵
- System Location Discovery: System Language Discovery
PID:1400 -
C:\Windows\SysWOW64\Bkbdabog.exeC:\Windows\system32\Bkbdabog.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2244 -
C:\Windows\SysWOW64\Bbllnlfd.exeC:\Windows\system32\Bbllnlfd.exe112⤵PID:2136
-
C:\Windows\SysWOW64\Ccnifd32.exeC:\Windows\system32\Ccnifd32.exe113⤵
- Drops file in System32 directory
PID:524 -
C:\Windows\SysWOW64\Ckeqga32.exeC:\Windows\system32\Ckeqga32.exe114⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2948 -
C:\Windows\SysWOW64\Cqaiph32.exeC:\Windows\system32\Cqaiph32.exe115⤵PID:804
-
C:\Windows\SysWOW64\Cglalbbi.exeC:\Windows\system32\Cglalbbi.exe116⤵PID:2124
-
C:\Windows\SysWOW64\Cnejim32.exeC:\Windows\system32\Cnejim32.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2872 -
C:\Windows\SysWOW64\Ccbbachm.exeC:\Windows\system32\Ccbbachm.exe118⤵
- Drops file in System32 directory
PID:2644 -
C:\Windows\SysWOW64\Cfanmogq.exeC:\Windows\system32\Cfanmogq.exe119⤵PID:1412
-
C:\Windows\SysWOW64\Ciokijfd.exeC:\Windows\system32\Ciokijfd.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2004 -
C:\Windows\SysWOW64\Coicfd32.exeC:\Windows\system32\Coicfd32.exe121⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2504
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-