Analysis
-
max time kernel
119s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
07-12-2024 20:58
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
2a80a402367c1abf10cf4410b56966f0852d0dbed5ee33987d9ee2dd9ca4169f.exe
Resource
win7-20241010-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral2
Sample
2a80a402367c1abf10cf4410b56966f0852d0dbed5ee33987d9ee2dd9ca4169f.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
2a80a402367c1abf10cf4410b56966f0852d0dbed5ee33987d9ee2dd9ca4169f.exe
-
Size
384KB
-
MD5
fc0f804973ab95c9944f5fb4812fcdb0
-
SHA1
f07e36741c74b74f800c590817fe8593f064b412
-
SHA256
2a80a402367c1abf10cf4410b56966f0852d0dbed5ee33987d9ee2dd9ca4169f
-
SHA512
8d7193f45135ec546c5d67f2394dd4ef34672fb9db9f218c198ddf561fdad032da9044585965fe4e4a5a6998f73f5bfdaeb7f60e9a1797c3755975d422d40eab
-
SSDEEP
6144:ifLLlZhTyEGyZ6YugQdjGG1wsKm6eBgdQbkoKTBEAz/6DG1ETdqvZNemWrsiLk6:aLBZhbGyXu1jGG1wsGeBgRTGAzciETdP
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cpfdhl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oabkom32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmlkfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jdhifooi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kqknil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dhiomn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckhdggom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kfaalh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jhngjmlo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Agpcihcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eogmcjef.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehlmljkm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flhflleb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jigbebhb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kocpbfei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fhneehek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Helngnie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lobgoh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmbalfem.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mimgeigj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnmcfeia.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbfepmmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gqahqd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hgnokgcc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehjqgjmp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qjnmlk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oldpnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cljodo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gjpqpl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ioooiack.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iflmjihl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bqijljfd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhmofo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kpojkp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oeaqig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bbonei32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpdgbm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gdmdacnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gockgdeh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iecdhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nlcibc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cpkbdiqb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nibebfpl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghacfmic.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iipgcaob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bplhnoej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ciohqa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Maefamlh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afjjed32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlphbbbg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjaddn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gqdgom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ajpjakhc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmdjkhdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cebeem32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nggggoda.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgemplap.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnnhbjnk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehmbng32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abmdafpp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dafmqb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjekfd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekjgpm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pojecajj.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2832 Cpkbdiqb.exe 2896 Cjdfmo32.exe 2636 Djhphncm.exe 2672 Dogefd32.exe 2272 Dlkepi32.exe 660 Dkcofe32.exe 2192 Ehgppi32.exe 2676 Ejkima32.exe 1932 Eccmffjf.exe 1704 Fcjcfe32.exe 2516 Figlolbf.exe 2592 Fhneehek.exe 2408 Fbdjbaea.exe 1016 Gfhladfn.exe 1104 Ganpomec.exe 956 Gmgninie.exe 2496 Gbcfadgl.exe 376 Hkaglf32.exe 1524 Hakphqja.exe 2016 Hoopae32.exe 1004 Hhgdkjol.exe 2536 Hkfagfop.exe 2116 Hgmalg32.exe 1440 Hdqbekcm.exe 764 Iimjmbae.exe 1540 Ipjoplgo.exe 2616 Igchlf32.exe 2668 Ieidmbcc.exe 2604 Iapebchh.exe 760 Jocflgga.exe 332 Jhljdm32.exe 2704 Jhngjmlo.exe 2868 Jmplcp32.exe 1740 Jcjdpj32.exe 1744 Jqnejn32.exe 1564 Kiijnq32.exe 1584 Kcakaipc.exe 768 Knklagmb.exe 2412 Kkolkk32.exe 1460 Kbidgeci.exe 444 Kgemplap.exe 1632 Leimip32.exe 1656 Lnbbbffj.exe 1976 Leljop32.exe 1476 Lfmffhde.exe 2576 Lmgocb32.exe 2292 Lgmcqkkh.exe 892 Linphc32.exe 1536 Laegiq32.exe 2880 Lfbpag32.exe 2776 Liplnc32.exe 2664 Lcfqkl32.exe 1428 Lfdmggnm.exe 2196 Mlaeonld.exe 2876 Meijhc32.exe 1724 Mlcbenjb.exe 1920 Mapjmehi.exe 1780 Migbnb32.exe 2200 Mkhofjoj.exe 2568 Mdacop32.exe 1416 Mkklljmg.exe 1280 Meppiblm.exe 684 Mmldme32.exe 2012 Ndemjoae.exe -
Loads dropped DLL 64 IoCs
pid Process 2372 2a80a402367c1abf10cf4410b56966f0852d0dbed5ee33987d9ee2dd9ca4169f.exe 2372 2a80a402367c1abf10cf4410b56966f0852d0dbed5ee33987d9ee2dd9ca4169f.exe 2832 Cpkbdiqb.exe 2832 Cpkbdiqb.exe 2896 Cjdfmo32.exe 2896 Cjdfmo32.exe 2636 Djhphncm.exe 2636 Djhphncm.exe 2672 Dogefd32.exe 2672 Dogefd32.exe 2272 Dlkepi32.exe 2272 Dlkepi32.exe 660 Dkcofe32.exe 660 Dkcofe32.exe 2192 Ehgppi32.exe 2192 Ehgppi32.exe 2676 Ejkima32.exe 2676 Ejkima32.exe 1932 Eccmffjf.exe 1932 Eccmffjf.exe 1704 Fcjcfe32.exe 1704 Fcjcfe32.exe 2516 Figlolbf.exe 2516 Figlolbf.exe 2592 Fhneehek.exe 2592 Fhneehek.exe 2408 Fbdjbaea.exe 2408 Fbdjbaea.exe 1016 Gfhladfn.exe 1016 Gfhladfn.exe 1104 Ganpomec.exe 1104 Ganpomec.exe 956 Gmgninie.exe 956 Gmgninie.exe 2496 Gbcfadgl.exe 2496 Gbcfadgl.exe 376 Hkaglf32.exe 376 Hkaglf32.exe 1524 Hakphqja.exe 1524 Hakphqja.exe 2016 Hoopae32.exe 2016 Hoopae32.exe 1004 Hhgdkjol.exe 1004 Hhgdkjol.exe 2536 Hkfagfop.exe 2536 Hkfagfop.exe 2116 Hgmalg32.exe 2116 Hgmalg32.exe 1440 Hdqbekcm.exe 1440 Hdqbekcm.exe 1532 Iipgcaob.exe 1532 Iipgcaob.exe 1540 Ipjoplgo.exe 1540 Ipjoplgo.exe 2616 Igchlf32.exe 2616 Igchlf32.exe 2668 Ieidmbcc.exe 2668 Ieidmbcc.exe 2604 Iapebchh.exe 2604 Iapebchh.exe 760 Jocflgga.exe 760 Jocflgga.exe 332 Jhljdm32.exe 332 Jhljdm32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Fciang32.dll Jjaimn32.exe File opened for modification C:\Windows\SysWOW64\Cffljlpc.exe Cedpbd32.exe File created C:\Windows\SysWOW64\Fcmben32.exe Fjdnlhco.exe File opened for modification C:\Windows\SysWOW64\Hjfcpo32.exe Hanogipc.exe File opened for modification C:\Windows\SysWOW64\Pdakniag.exe Pljcllqe.exe File created C:\Windows\SysWOW64\Migkgb32.dll Ocdmaj32.exe File opened for modification C:\Windows\SysWOW64\Edfpih32.exe Eoigpa32.exe File created C:\Windows\SysWOW64\Ajqljc32.exe Anjlebjc.exe File created C:\Windows\SysWOW64\Qlomqkmp.dll Ipeaco32.exe File created C:\Windows\SysWOW64\Iokofcne.dll Kenoifpb.exe File created C:\Windows\SysWOW64\Egnhob32.dll Nplmop32.exe File opened for modification C:\Windows\SysWOW64\Kdefgj32.exe Kljabgnh.exe File created C:\Windows\SysWOW64\Cjgoje32.exe Baojapfj.exe File created C:\Windows\SysWOW64\Kagflkia.dll Nnmlcp32.exe File created C:\Windows\SysWOW64\Jliohkak.exe Jglgpdcc.exe File opened for modification C:\Windows\SysWOW64\Npagjpcd.exe Nekbmgcn.exe File created C:\Windows\SysWOW64\Mjekfd32.exe Mhgoji32.exe File created C:\Windows\SysWOW64\Fjegog32.exe Fdiogq32.exe File created C:\Windows\SysWOW64\Kongke32.dll Nefdpjkl.exe File created C:\Windows\SysWOW64\Koflgf32.exe Kkjpggkn.exe File created C:\Windows\SysWOW64\Hhgdkjol.exe Hoopae32.exe File created C:\Windows\SysWOW64\Phcobkam.dll Kqknil32.exe File created C:\Windows\SysWOW64\Glegaime.dll Ecfldoph.exe File opened for modification C:\Windows\SysWOW64\Lnbdko32.exe Lghlndfa.exe File created C:\Windows\SysWOW64\Locjhqpa.exe Lldmleam.exe File created C:\Windows\SysWOW64\Eegkpo32.exe Deenjpcd.exe File created C:\Windows\SysWOW64\Nknimnap.exe Nbeedh32.exe File created C:\Windows\SysWOW64\Kddmdk32.exe Kjoifb32.exe File opened for modification C:\Windows\SysWOW64\Kpojkp32.exe Jkbaci32.exe File created C:\Windows\SysWOW64\Dobgihgp.exe Dhiomn32.exe File created C:\Windows\SysWOW64\Elilld32.dll Emagacdm.exe File created C:\Windows\SysWOW64\Phnpagdp.exe Pbagipfi.exe File created C:\Windows\SysWOW64\Nehhoand.dll Oiafee32.exe File created C:\Windows\SysWOW64\Qkibcg32.exe Qfljkp32.exe File created C:\Windows\SysWOW64\Dlpajg32.dll Hgmalg32.exe File created C:\Windows\SysWOW64\Mlnnnokb.dll Hjcmgp32.exe File opened for modification C:\Windows\SysWOW64\Lipecm32.exe Lahmbo32.exe File opened for modification C:\Windows\SysWOW64\Enbnkigh.exe Dchmkkkj.exe File created C:\Windows\SysWOW64\Mpopnejo.exe Mmadbjkk.exe File created C:\Windows\SysWOW64\Dafmqb32.exe Dklddhka.exe File created C:\Windows\SysWOW64\Obhdcanc.exe Ojmpooah.exe File created C:\Windows\SysWOW64\Cpkbdiqb.exe 2a80a402367c1abf10cf4410b56966f0852d0dbed5ee33987d9ee2dd9ca4169f.exe File created C:\Windows\SysWOW64\Hklhae32.exe Hadcipbi.exe File created C:\Windows\SysWOW64\Mcbdnmap.dll Ckbpqe32.exe File created C:\Windows\SysWOW64\Kpgffe32.exe Khkbbc32.exe File created C:\Windows\SysWOW64\Ckndebll.dll Bceibfgj.exe File opened for modification C:\Windows\SysWOW64\Oniebmda.exe Oeaqig32.exe File opened for modification C:\Windows\SysWOW64\Boemlbpk.exe Agihgp32.exe File created C:\Windows\SysWOW64\Goiebopf.dll Ijehdl32.exe File created C:\Windows\SysWOW64\Pdaemiaj.dll Cpfdhl32.exe File created C:\Windows\SysWOW64\Ijehdl32.exe Idkpganf.exe File created C:\Windows\SysWOW64\Fphbpd32.dll Dphfbiem.exe File created C:\Windows\SysWOW64\Fihfnp32.exe Fdkmeiei.exe File opened for modification C:\Windows\SysWOW64\Agdjkogm.exe Ajpjakhc.exe File created C:\Windows\SysWOW64\Oepbgcpb.dll Oqcpob32.exe File opened for modification C:\Windows\SysWOW64\Pckoam32.exe Pkdgpo32.exe File created C:\Windows\SysWOW64\Hgbnifna.dll Edfpih32.exe File created C:\Windows\SysWOW64\Hjcmgp32.exe Hdiejfej.exe File opened for modification C:\Windows\SysWOW64\Dhpemm32.exe Dafmqb32.exe File created C:\Windows\SysWOW64\Eeohkeoe.exe Ecploipa.exe File opened for modification C:\Windows\SysWOW64\Eaeipfei.exe Eogmcjef.exe File created C:\Windows\SysWOW64\Eccmffjf.exe Ejkima32.exe File opened for modification C:\Windows\SysWOW64\Pdjjag32.exe Pidfdofi.exe File created C:\Windows\SysWOW64\Ekhmcelc.exe Ehjqgjmp.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4204 3388 WerFault.exe 947 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhgdkjol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cedpbd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qobbofgn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhcafa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qodlkm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adfqgl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdhkfd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acicla32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncnngfna.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khohkamc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdiejfej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dafoikjb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdmdacnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibcnojnp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkggmldl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmplcp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qeohnd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjqqap32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfegij32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkgahoel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdakniag.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djlfma32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jqnejn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nekbmgcn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cejphiik.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cebeem32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghacfmic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jokqnhpa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oalkih32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohaeia32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjfgqk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hddlof32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfhkhd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inbnhihl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njeccjcd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qeaedd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jliohkak.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imnbbi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjdofm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohfqmi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emdmjamj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhpemm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfbpag32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cicpch32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jglgpdcc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpedeg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmadbjkk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Clmdmm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cehfkb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbokgpgg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nkegeg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpcoib32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdacop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdflqo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gihniioc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcjlnpmo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aqbdkk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cebcmdlg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcmben32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mchoid32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amfognic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gamnhq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icafgmbe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iimjmbae.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fhjmfnok.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ekknjcfh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kaompi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kcamjb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgmgbeon.dll" Meppiblm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dpmdofno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jokqnhpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eogolc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hkaglf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Allepo32.dll" Kbidgeci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fjjpjgjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Caefkh32.dll" Djocbqpb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Efedga32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bdmddc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bplhnoej.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ccigfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aiodmlgo.dll" Eodnebpd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ipeaco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lgqkbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pdjjag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bdqlajbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkdjlion.dll" Gmgninie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lcfqkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oiahkhpo.dll" Jcnoejch.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lpgajgeg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eoiiijcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gockgdeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aohjlnjk.dll" Ohhkjp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dciceaoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aaloddnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Abbeflpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dkfbfjdf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hnpbjnpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pcghof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Anjlebjc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Noomnjpj.dll" Mmldme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljhcccai.dll" Aaheie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bapefloq.dll" Fdkmeiei.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gbqbaofc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ioliqbjn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dojddmec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fmegncpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdfiaojk.dll" Gpabcbdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hpbdmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Leljop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhnook32.dll" Bbikgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pjleclph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igcale32.dll" Pggdejno.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pgpgjepk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Khghgchk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Khkbbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Deenjpcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okmjae32.dll" Piabdiep.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hoopae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fqcfnhjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Knhhaaki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hloiib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcchb32.dll" Nncbdomg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cjogcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ndhipoob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hdiejfej.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kqdhhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncehag32.dll" Abpjjeim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apldjp32.dll" Gonocmbi.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2372 wrote to memory of 2832 2372 2a80a402367c1abf10cf4410b56966f0852d0dbed5ee33987d9ee2dd9ca4169f.exe 30 PID 2372 wrote to memory of 2832 2372 2a80a402367c1abf10cf4410b56966f0852d0dbed5ee33987d9ee2dd9ca4169f.exe 30 PID 2372 wrote to memory of 2832 2372 2a80a402367c1abf10cf4410b56966f0852d0dbed5ee33987d9ee2dd9ca4169f.exe 30 PID 2372 wrote to memory of 2832 2372 2a80a402367c1abf10cf4410b56966f0852d0dbed5ee33987d9ee2dd9ca4169f.exe 30 PID 2832 wrote to memory of 2896 2832 Cpkbdiqb.exe 31 PID 2832 wrote to memory of 2896 2832 Cpkbdiqb.exe 31 PID 2832 wrote to memory of 2896 2832 Cpkbdiqb.exe 31 PID 2832 wrote to memory of 2896 2832 Cpkbdiqb.exe 31 PID 2896 wrote to memory of 2636 2896 Cjdfmo32.exe 32 PID 2896 wrote to memory of 2636 2896 Cjdfmo32.exe 32 PID 2896 wrote to memory of 2636 2896 Cjdfmo32.exe 32 PID 2896 wrote to memory of 2636 2896 Cjdfmo32.exe 32 PID 2636 wrote to memory of 2672 2636 Djhphncm.exe 33 PID 2636 wrote to memory of 2672 2636 Djhphncm.exe 33 PID 2636 wrote to memory of 2672 2636 Djhphncm.exe 33 PID 2636 wrote to memory of 2672 2636 Djhphncm.exe 33 PID 2672 wrote to memory of 2272 2672 Dogefd32.exe 34 PID 2672 wrote to memory of 2272 2672 Dogefd32.exe 34 PID 2672 wrote to memory of 2272 2672 Dogefd32.exe 34 PID 2672 wrote to memory of 2272 2672 Dogefd32.exe 34 PID 2272 wrote to memory of 660 2272 Dlkepi32.exe 35 PID 2272 wrote to memory of 660 2272 Dlkepi32.exe 35 PID 2272 wrote to memory of 660 2272 Dlkepi32.exe 35 PID 2272 wrote to memory of 660 2272 Dlkepi32.exe 35 PID 660 wrote to memory of 2192 660 Dkcofe32.exe 36 PID 660 wrote to memory of 2192 660 Dkcofe32.exe 36 PID 660 wrote to memory of 2192 660 Dkcofe32.exe 36 PID 660 wrote to memory of 2192 660 Dkcofe32.exe 36 PID 2192 wrote to memory of 2676 2192 Ehgppi32.exe 37 PID 2192 wrote to memory of 2676 2192 Ehgppi32.exe 37 PID 2192 wrote to memory of 2676 2192 Ehgppi32.exe 37 PID 2192 wrote to memory of 2676 2192 Ehgppi32.exe 37 PID 2676 wrote to memory of 1932 2676 Ejkima32.exe 38 PID 2676 wrote to memory of 1932 2676 Ejkima32.exe 38 PID 2676 wrote to memory of 1932 2676 Ejkima32.exe 38 PID 2676 wrote to memory of 1932 2676 Ejkima32.exe 38 PID 1932 wrote to memory of 1704 1932 Eccmffjf.exe 39 PID 1932 wrote to memory of 1704 1932 Eccmffjf.exe 39 PID 1932 wrote to memory of 1704 1932 Eccmffjf.exe 39 PID 1932 wrote to memory of 1704 1932 Eccmffjf.exe 39 PID 1704 wrote to memory of 2516 1704 Fcjcfe32.exe 40 PID 1704 wrote to memory of 2516 1704 Fcjcfe32.exe 40 PID 1704 wrote to memory of 2516 1704 Fcjcfe32.exe 40 PID 1704 wrote to memory of 2516 1704 Fcjcfe32.exe 40 PID 2516 wrote to memory of 2592 2516 Figlolbf.exe 41 PID 2516 wrote to memory of 2592 2516 Figlolbf.exe 41 PID 2516 wrote to memory of 2592 2516 Figlolbf.exe 41 PID 2516 wrote to memory of 2592 2516 Figlolbf.exe 41 PID 2592 wrote to memory of 2408 2592 Fhneehek.exe 42 PID 2592 wrote to memory of 2408 2592 Fhneehek.exe 42 PID 2592 wrote to memory of 2408 2592 Fhneehek.exe 42 PID 2592 wrote to memory of 2408 2592 Fhneehek.exe 42 PID 2408 wrote to memory of 1016 2408 Fbdjbaea.exe 43 PID 2408 wrote to memory of 1016 2408 Fbdjbaea.exe 43 PID 2408 wrote to memory of 1016 2408 Fbdjbaea.exe 43 PID 2408 wrote to memory of 1016 2408 Fbdjbaea.exe 43 PID 1016 wrote to memory of 1104 1016 Gfhladfn.exe 44 PID 1016 wrote to memory of 1104 1016 Gfhladfn.exe 44 PID 1016 wrote to memory of 1104 1016 Gfhladfn.exe 44 PID 1016 wrote to memory of 1104 1016 Gfhladfn.exe 44 PID 1104 wrote to memory of 956 1104 Ganpomec.exe 45 PID 1104 wrote to memory of 956 1104 Ganpomec.exe 45 PID 1104 wrote to memory of 956 1104 Ganpomec.exe 45 PID 1104 wrote to memory of 956 1104 Ganpomec.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\2a80a402367c1abf10cf4410b56966f0852d0dbed5ee33987d9ee2dd9ca4169f.exe"C:\Users\Admin\AppData\Local\Temp\2a80a402367c1abf10cf4410b56966f0852d0dbed5ee33987d9ee2dd9ca4169f.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2372 -
C:\Windows\SysWOW64\Cpkbdiqb.exeC:\Windows\system32\Cpkbdiqb.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2832 -
C:\Windows\SysWOW64\Cjdfmo32.exeC:\Windows\system32\Cjdfmo32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2896 -
C:\Windows\SysWOW64\Djhphncm.exeC:\Windows\system32\Djhphncm.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2636 -
C:\Windows\SysWOW64\Dogefd32.exeC:\Windows\system32\Dogefd32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2672 -
C:\Windows\SysWOW64\Dlkepi32.exeC:\Windows\system32\Dlkepi32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2272 -
C:\Windows\SysWOW64\Dkcofe32.exeC:\Windows\system32\Dkcofe32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:660 -
C:\Windows\SysWOW64\Ehgppi32.exeC:\Windows\system32\Ehgppi32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2192 -
C:\Windows\SysWOW64\Ejkima32.exeC:\Windows\system32\Ejkima32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2676 -
C:\Windows\SysWOW64\Eccmffjf.exeC:\Windows\system32\Eccmffjf.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1932 -
C:\Windows\SysWOW64\Fcjcfe32.exeC:\Windows\system32\Fcjcfe32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1704 -
C:\Windows\SysWOW64\Figlolbf.exeC:\Windows\system32\Figlolbf.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2516 -
C:\Windows\SysWOW64\Fhneehek.exeC:\Windows\system32\Fhneehek.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2592 -
C:\Windows\SysWOW64\Fbdjbaea.exeC:\Windows\system32\Fbdjbaea.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2408 -
C:\Windows\SysWOW64\Gfhladfn.exeC:\Windows\system32\Gfhladfn.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1016 -
C:\Windows\SysWOW64\Ganpomec.exeC:\Windows\system32\Ganpomec.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1104 -
C:\Windows\SysWOW64\Gmgninie.exeC:\Windows\system32\Gmgninie.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:956 -
C:\Windows\SysWOW64\Gbcfadgl.exeC:\Windows\system32\Gbcfadgl.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2496 -
C:\Windows\SysWOW64\Hkaglf32.exeC:\Windows\system32\Hkaglf32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:376 -
C:\Windows\SysWOW64\Hakphqja.exeC:\Windows\system32\Hakphqja.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1524 -
C:\Windows\SysWOW64\Hoopae32.exeC:\Windows\system32\Hoopae32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2016 -
C:\Windows\SysWOW64\Hhgdkjol.exeC:\Windows\system32\Hhgdkjol.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1004 -
C:\Windows\SysWOW64\Hkfagfop.exeC:\Windows\system32\Hkfagfop.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2536 -
C:\Windows\SysWOW64\Hgmalg32.exeC:\Windows\system32\Hgmalg32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2116 -
C:\Windows\SysWOW64\Hdqbekcm.exeC:\Windows\system32\Hdqbekcm.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1440 -
C:\Windows\SysWOW64\Iimjmbae.exeC:\Windows\system32\Iimjmbae.exe26⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:764 -
C:\Windows\SysWOW64\Iipgcaob.exeC:\Windows\system32\Iipgcaob.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
PID:1532 -
C:\Windows\SysWOW64\Ipjoplgo.exeC:\Windows\system32\Ipjoplgo.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1540 -
C:\Windows\SysWOW64\Igchlf32.exeC:\Windows\system32\Igchlf32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2616 -
C:\Windows\SysWOW64\Ieidmbcc.exeC:\Windows\system32\Ieidmbcc.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2668 -
C:\Windows\SysWOW64\Iapebchh.exeC:\Windows\system32\Iapebchh.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2604 -
C:\Windows\SysWOW64\Jocflgga.exeC:\Windows\system32\Jocflgga.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:760 -
C:\Windows\SysWOW64\Jhljdm32.exeC:\Windows\system32\Jhljdm32.exe33⤵
- Executes dropped EXE
- Loads dropped DLL
PID:332 -
C:\Windows\SysWOW64\Jhngjmlo.exeC:\Windows\system32\Jhngjmlo.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2704 -
C:\Windows\SysWOW64\Jmplcp32.exeC:\Windows\system32\Jmplcp32.exe35⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2868 -
C:\Windows\SysWOW64\Jcjdpj32.exeC:\Windows\system32\Jcjdpj32.exe36⤵
- Executes dropped EXE
PID:1740 -
C:\Windows\SysWOW64\Jqnejn32.exeC:\Windows\system32\Jqnejn32.exe37⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1744 -
C:\Windows\SysWOW64\Kiijnq32.exeC:\Windows\system32\Kiijnq32.exe38⤵
- Executes dropped EXE
PID:1564 -
C:\Windows\SysWOW64\Kcakaipc.exeC:\Windows\system32\Kcakaipc.exe39⤵
- Executes dropped EXE
PID:1584 -
C:\Windows\SysWOW64\Knklagmb.exeC:\Windows\system32\Knklagmb.exe40⤵
- Executes dropped EXE
PID:768 -
C:\Windows\SysWOW64\Kkolkk32.exeC:\Windows\system32\Kkolkk32.exe41⤵
- Executes dropped EXE
PID:2412 -
C:\Windows\SysWOW64\Kbidgeci.exeC:\Windows\system32\Kbidgeci.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:1460 -
C:\Windows\SysWOW64\Kgemplap.exeC:\Windows\system32\Kgemplap.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:444 -
C:\Windows\SysWOW64\Leimip32.exeC:\Windows\system32\Leimip32.exe44⤵
- Executes dropped EXE
PID:1632 -
C:\Windows\SysWOW64\Lnbbbffj.exeC:\Windows\system32\Lnbbbffj.exe45⤵
- Executes dropped EXE
PID:1656 -
C:\Windows\SysWOW64\Leljop32.exeC:\Windows\system32\Leljop32.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:1976 -
C:\Windows\SysWOW64\Lfmffhde.exeC:\Windows\system32\Lfmffhde.exe47⤵
- Executes dropped EXE
PID:1476 -
C:\Windows\SysWOW64\Lmgocb32.exeC:\Windows\system32\Lmgocb32.exe48⤵
- Executes dropped EXE
PID:2576 -
C:\Windows\SysWOW64\Lgmcqkkh.exeC:\Windows\system32\Lgmcqkkh.exe49⤵
- Executes dropped EXE
PID:2292 -
C:\Windows\SysWOW64\Linphc32.exeC:\Windows\system32\Linphc32.exe50⤵
- Executes dropped EXE
PID:892 -
C:\Windows\SysWOW64\Laegiq32.exeC:\Windows\system32\Laegiq32.exe51⤵
- Executes dropped EXE
PID:1536 -
C:\Windows\SysWOW64\Lfbpag32.exeC:\Windows\system32\Lfbpag32.exe52⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2880 -
C:\Windows\SysWOW64\Liplnc32.exeC:\Windows\system32\Liplnc32.exe53⤵
- Executes dropped EXE
PID:2776 -
C:\Windows\SysWOW64\Lcfqkl32.exeC:\Windows\system32\Lcfqkl32.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:2664 -
C:\Windows\SysWOW64\Lfdmggnm.exeC:\Windows\system32\Lfdmggnm.exe55⤵
- Executes dropped EXE
PID:1428 -
C:\Windows\SysWOW64\Mlaeonld.exeC:\Windows\system32\Mlaeonld.exe56⤵
- Executes dropped EXE
PID:2196 -
C:\Windows\SysWOW64\Meijhc32.exeC:\Windows\system32\Meijhc32.exe57⤵
- Executes dropped EXE
PID:2876 -
C:\Windows\SysWOW64\Mlcbenjb.exeC:\Windows\system32\Mlcbenjb.exe58⤵
- Executes dropped EXE
PID:1724 -
C:\Windows\SysWOW64\Mapjmehi.exeC:\Windows\system32\Mapjmehi.exe59⤵
- Executes dropped EXE
PID:1920 -
C:\Windows\SysWOW64\Migbnb32.exeC:\Windows\system32\Migbnb32.exe60⤵
- Executes dropped EXE
PID:1780 -
C:\Windows\SysWOW64\Mkhofjoj.exeC:\Windows\system32\Mkhofjoj.exe61⤵
- Executes dropped EXE
PID:2200 -
C:\Windows\SysWOW64\Mdacop32.exeC:\Windows\system32\Mdacop32.exe62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2568 -
C:\Windows\SysWOW64\Mkklljmg.exeC:\Windows\system32\Mkklljmg.exe63⤵
- Executes dropped EXE
PID:1416 -
C:\Windows\SysWOW64\Meppiblm.exeC:\Windows\system32\Meppiblm.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:1280 -
C:\Windows\SysWOW64\Mmldme32.exeC:\Windows\system32\Mmldme32.exe65⤵
- Executes dropped EXE
- Modifies registry class
PID:684 -
C:\Windows\SysWOW64\Ndemjoae.exeC:\Windows\system32\Ndemjoae.exe66⤵
- Executes dropped EXE
PID:2012 -
C:\Windows\SysWOW64\Nibebfpl.exeC:\Windows\system32\Nibebfpl.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1616 -
C:\Windows\SysWOW64\Nplmop32.exeC:\Windows\system32\Nplmop32.exe68⤵
- Drops file in System32 directory
PID:2004 -
C:\Windows\SysWOW64\Ndhipoob.exeC:\Windows\system32\Ndhipoob.exe69⤵
- Modifies registry class
PID:3048 -
C:\Windows\SysWOW64\Nkbalifo.exeC:\Windows\system32\Nkbalifo.exe70⤵PID:2744
-
C:\Windows\SysWOW64\Ndjfeo32.exeC:\Windows\system32\Ndjfeo32.exe71⤵PID:2612
-
C:\Windows\SysWOW64\Nekbmgcn.exeC:\Windows\system32\Nekbmgcn.exe72⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2732 -
C:\Windows\SysWOW64\Npagjpcd.exeC:\Windows\system32\Npagjpcd.exe73⤵PID:484
-
C:\Windows\SysWOW64\Ngkogj32.exeC:\Windows\system32\Ngkogj32.exe74⤵PID:2096
-
C:\Windows\SysWOW64\Nhllob32.exeC:\Windows\system32\Nhllob32.exe75⤵PID:2952
-
C:\Windows\SysWOW64\Nofdklgl.exeC:\Windows\system32\Nofdklgl.exe76⤵PID:1848
-
C:\Windows\SysWOW64\Ncbplk32.exeC:\Windows\system32\Ncbplk32.exe77⤵PID:2248
-
C:\Windows\SysWOW64\Nhohda32.exeC:\Windows\system32\Nhohda32.exe78⤵PID:2092
-
C:\Windows\SysWOW64\Ocdmaj32.exeC:\Windows\system32\Ocdmaj32.exe79⤵
- Drops file in System32 directory
PID:2176 -
C:\Windows\SysWOW64\Odeiibdq.exeC:\Windows\system32\Odeiibdq.exe80⤵PID:2036
-
C:\Windows\SysWOW64\Ohaeia32.exeC:\Windows\system32\Ohaeia32.exe81⤵
- System Location Discovery: System Language Discovery
PID:1088 -
C:\Windows\SysWOW64\Ocfigjlp.exeC:\Windows\system32\Ocfigjlp.exe82⤵PID:1860
-
C:\Windows\SysWOW64\Odhfob32.exeC:\Windows\system32\Odhfob32.exe83⤵PID:2852
-
C:\Windows\SysWOW64\Okanklik.exeC:\Windows\system32\Okanklik.exe84⤵PID:1628
-
C:\Windows\SysWOW64\Odjbdb32.exeC:\Windows\system32\Odjbdb32.exe85⤵PID:2352
-
C:\Windows\SysWOW64\Okdkal32.exeC:\Windows\system32\Okdkal32.exe86⤵PID:1640
-
C:\Windows\SysWOW64\Oqacic32.exeC:\Windows\system32\Oqacic32.exe87⤵PID:2444
-
C:\Windows\SysWOW64\Ohhkjp32.exeC:\Windows\system32\Ohhkjp32.exe88⤵
- Modifies registry class
PID:3016 -
C:\Windows\SysWOW64\Okfgfl32.exeC:\Windows\system32\Okfgfl32.exe89⤵PID:536
-
C:\Windows\SysWOW64\Oqcpob32.exeC:\Windows\system32\Oqcpob32.exe90⤵
- Drops file in System32 directory
PID:2760 -
C:\Windows\SysWOW64\Ocalkn32.exeC:\Windows\system32\Ocalkn32.exe91⤵PID:1872
-
C:\Windows\SysWOW64\Pkidlk32.exeC:\Windows\system32\Pkidlk32.exe92⤵PID:2976
-
C:\Windows\SysWOW64\Pmjqcc32.exeC:\Windows\system32\Pmjqcc32.exe93⤵PID:2588
-
C:\Windows\SysWOW64\Pgpeal32.exeC:\Windows\system32\Pgpeal32.exe94⤵PID:2160
-
C:\Windows\SysWOW64\Pcfefmnk.exeC:\Windows\system32\Pcfefmnk.exe95⤵PID:2236
-
C:\Windows\SysWOW64\Pjpnbg32.exeC:\Windows\system32\Pjpnbg32.exe96⤵PID:2188
-
C:\Windows\SysWOW64\Pqjfoa32.exeC:\Windows\system32\Pqjfoa32.exe97⤵PID:1812
-
C:\Windows\SysWOW64\Pfgngh32.exeC:\Windows\system32\Pfgngh32.exe98⤵PID:1236
-
C:\Windows\SysWOW64\Pkdgpo32.exeC:\Windows\system32\Pkdgpo32.exe99⤵
- Drops file in System32 directory
PID:2520 -
C:\Windows\SysWOW64\Pckoam32.exeC:\Windows\system32\Pckoam32.exe100⤵PID:2632
-
C:\Windows\SysWOW64\Pfikmh32.exeC:\Windows\system32\Pfikmh32.exe101⤵PID:2780
-
C:\Windows\SysWOW64\Pmccjbaf.exeC:\Windows\system32\Pmccjbaf.exe102⤵PID:352
-
C:\Windows\SysWOW64\Poapfn32.exeC:\Windows\system32\Poapfn32.exe103⤵PID:356
-
C:\Windows\SysWOW64\Qeohnd32.exeC:\Windows\system32\Qeohnd32.exe104⤵
- System Location Discovery: System Language Discovery
PID:1972 -
C:\Windows\SysWOW64\Qodlkm32.exeC:\Windows\system32\Qodlkm32.exe105⤵
- System Location Discovery: System Language Discovery
PID:1996 -
C:\Windows\SysWOW64\Qeaedd32.exeC:\Windows\system32\Qeaedd32.exe106⤵
- System Location Discovery: System Language Discovery
PID:2428 -
C:\Windows\SysWOW64\Qjnmlk32.exeC:\Windows\system32\Qjnmlk32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2500 -
C:\Windows\SysWOW64\Aaheie32.exeC:\Windows\system32\Aaheie32.exe108⤵
- Modifies registry class
PID:1388 -
C:\Windows\SysWOW64\Acfaeq32.exeC:\Windows\system32\Acfaeq32.exe109⤵PID:1036
-
C:\Windows\SysWOW64\Ajpjakhc.exeC:\Windows\system32\Ajpjakhc.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1912 -
C:\Windows\SysWOW64\Agdjkogm.exeC:\Windows\system32\Agdjkogm.exe111⤵PID:2056
-
C:\Windows\SysWOW64\Annbhi32.exeC:\Windows\system32\Annbhi32.exe112⤵PID:2644
-
C:\Windows\SysWOW64\Aaloddnn.exeC:\Windows\system32\Aaloddnn.exe113⤵
- Modifies registry class
PID:816 -
C:\Windows\SysWOW64\Agfgqo32.exeC:\Windows\system32\Agfgqo32.exe114⤵PID:596
-
C:\Windows\SysWOW64\Apalea32.exeC:\Windows\system32\Apalea32.exe115⤵PID:2080
-
C:\Windows\SysWOW64\Afkdakjb.exeC:\Windows\system32\Afkdakjb.exe116⤵PID:2940
-
C:\Windows\SysWOW64\Amelne32.exeC:\Windows\system32\Amelne32.exe117⤵PID:2424
-
C:\Windows\SysWOW64\Abbeflpf.exeC:\Windows\system32\Abbeflpf.exe118⤵
- Modifies registry class
PID:2356 -
C:\Windows\SysWOW64\Bmhideol.exeC:\Windows\system32\Bmhideol.exe119⤵PID:2072
-
C:\Windows\SysWOW64\Bbdallnd.exeC:\Windows\system32\Bbdallnd.exe120⤵PID:1796
-
C:\Windows\SysWOW64\Biojif32.exeC:\Windows\system32\Biojif32.exe121⤵PID:1520
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-