Analysis
-
max time kernel
27s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
08-12-2024 03:30
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
d584cff4f75e3659772928c6a507f6a1fab566576faba9edfef2a6b78a3acbf9.exe
Resource
win7-20240729-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral2
Sample
d584cff4f75e3659772928c6a507f6a1fab566576faba9edfef2a6b78a3acbf9.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
d584cff4f75e3659772928c6a507f6a1fab566576faba9edfef2a6b78a3acbf9.exe
-
Size
96KB
-
MD5
f0909008d05d5bcbf06a0047a7a13e2f
-
SHA1
2516e5af7c0b7c3206ad84d0143f7f1efcd0a97a
-
SHA256
d584cff4f75e3659772928c6a507f6a1fab566576faba9edfef2a6b78a3acbf9
-
SHA512
a6165fbcb6e4ffdc4aad8ef343b728256f9ef029d986d1e1418d6a5f98534505d66303e70243be8a3aba51c11d1e36220a587d2465d2bc99bad0da1055640f71
-
SSDEEP
1536:J0sBzJKWgXmhTd5KWTVJ5UlQAnJs3LtO1cR2cW13S8h/BOmTyCMy0QiLiizHNQNM:WsjK/mhTdYWTzoQKJs3LtOORE1Nh5OmU
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npkaei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bgpnjkgi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ifiilp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcqdidim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hkndiabh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kommediq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pmlngdhk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cifdmbib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Deajlf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Indnqb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qkcbpn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgodjico.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ophanl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aglhph32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gjahfkfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mpeebhhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lcpbpk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egfglocf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdcncg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kejahn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Npkaei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aaeiqf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfqaph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nfcdfiob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ljbmbpkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aglhph32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fgnfpm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Faonqiod.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hqpahkmj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iigehk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ahoamplo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnqcaffa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dfnjqifb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kikpgk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkcfak32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Infjfblm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdpjcaij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gemfghek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ggbljogc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpeebhhf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgjpcf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gohnpcmd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knbjgq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldokhn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfjfpkji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kpnbcfkc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jklnggjm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fhdlbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ghkbccdn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnfbmgcj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbdmljln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ehlmnfeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Njcibgcf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jalmcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hjieapck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pikohg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjhdgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jbdokceo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kneflplf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ccileljk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nqgngk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mmkcoq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmljnfll.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbmlal32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 1832 Jhkeelml.exe 2820 Joenaf32.exe 2708 Jklnggjm.exe 2836 Jaffca32.exe 2784 Kknklg32.exe 2768 Kpkcdn32.exe 604 Kkqhbf32.exe 2372 Kpmpjm32.exe 1820 Knaqcabh.exe 2908 Kgjelg32.exe 2312 Klfndn32.exe 340 Kbcfme32.exe 272 Kccbgh32.exe 1580 Llkgpmck.exe 2240 Lbhphdab.exe 1940 Lgehpk32.exe 308 Lqmliqfj.exe 488 Lggdfk32.exe 2432 Lqpiopdh.exe 1748 Lgiakjld.exe 1784 Lmfjcajl.exe 1916 Lcpbpk32.exe 2580 Mmifiahi.exe 1996 Mogcelgm.exe 2288 Mmkcoq32.exe 2760 Mcekkkmc.exe 2944 Mkpppmko.exe 2740 Mffdmfjd.exe 2668 Meidib32.exe 2224 Mpnifkae.exe 2576 Mpqekkob.exe 2520 Memncbmj.exe 2584 Nnfbmgcj.exe 988 Ncbkenba.exe 1020 Nljcflbd.exe 2964 Nnhobgag.exe 2036 Nafknbqk.exe 2176 Ndehjnpo.exe 2092 Nfcdfiob.exe 2216 Nnjlhg32.exe 948 Naihdb32.exe 2112 Nhbqqlfe.exe 2408 Njammhei.exe 2424 Nidmhd32.exe 1224 Nakeib32.exe 1656 Nblaajbd.exe 3068 Njcibgcf.exe 1600 Nmbenc32.exe 1388 Oppbjn32.exe 2960 Obonfj32.exe 2884 Oiifcdhn.exe 2652 Olgboogb.exe 2724 Ooeolkff.exe 2212 Ofmgmhgh.exe 2272 Ohncdp32.exe 1992 Opekenmh.exe 2876 Obcgaill.exe 2920 Oebdndlp.exe 2248 Ollljo32.exe 2024 Okolfkjg.exe 2956 Oahdce32.exe 344 Odgqoa32.exe 1012 Okailkhd.exe 1672 Omoehf32.exe -
Loads dropped DLL 64 IoCs
pid Process 2544 d584cff4f75e3659772928c6a507f6a1fab566576faba9edfef2a6b78a3acbf9.exe 2544 d584cff4f75e3659772928c6a507f6a1fab566576faba9edfef2a6b78a3acbf9.exe 1832 Jhkeelml.exe 1832 Jhkeelml.exe 2820 Joenaf32.exe 2820 Joenaf32.exe 2708 Jklnggjm.exe 2708 Jklnggjm.exe 2836 Jaffca32.exe 2836 Jaffca32.exe 2784 Kknklg32.exe 2784 Kknklg32.exe 2768 Kpkcdn32.exe 2768 Kpkcdn32.exe 604 Kkqhbf32.exe 604 Kkqhbf32.exe 2372 Kpmpjm32.exe 2372 Kpmpjm32.exe 1820 Knaqcabh.exe 1820 Knaqcabh.exe 2908 Kgjelg32.exe 2908 Kgjelg32.exe 2312 Klfndn32.exe 2312 Klfndn32.exe 340 Kbcfme32.exe 340 Kbcfme32.exe 272 Kccbgh32.exe 272 Kccbgh32.exe 1580 Llkgpmck.exe 1580 Llkgpmck.exe 2240 Lbhphdab.exe 2240 Lbhphdab.exe 1940 Lgehpk32.exe 1940 Lgehpk32.exe 308 Lqmliqfj.exe 308 Lqmliqfj.exe 488 Lggdfk32.exe 488 Lggdfk32.exe 2432 Lqpiopdh.exe 2432 Lqpiopdh.exe 1748 Lgiakjld.exe 1748 Lgiakjld.exe 1784 Lmfjcajl.exe 1784 Lmfjcajl.exe 1916 Lcpbpk32.exe 1916 Lcpbpk32.exe 2580 Mmifiahi.exe 2580 Mmifiahi.exe 1996 Mogcelgm.exe 1996 Mogcelgm.exe 2288 Mmkcoq32.exe 2288 Mmkcoq32.exe 2760 Mcekkkmc.exe 2760 Mcekkkmc.exe 2944 Mkpppmko.exe 2944 Mkpppmko.exe 2740 Mffdmfjd.exe 2740 Mffdmfjd.exe 2668 Meidib32.exe 2668 Meidib32.exe 2224 Mpnifkae.exe 2224 Mpnifkae.exe 2576 Mpqekkob.exe 2576 Mpqekkob.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Pdhpfchb.dll Gndebkii.exe File opened for modification C:\Windows\SysWOW64\Gkchpcoc.exe Gghloe32.exe File opened for modification C:\Windows\SysWOW64\Lllpclnk.exe Ljndga32.exe File created C:\Windows\SysWOW64\Npkaei32.exe Niaihojk.exe File created C:\Windows\SysWOW64\Olmpij32.dll Ajlabc32.exe File created C:\Windows\SysWOW64\Acjfpokk.exe Aqljdclg.exe File created C:\Windows\SysWOW64\Difcao32.dll Cikdbhhi.exe File opened for modification C:\Windows\SysWOW64\Ccaipaho.exe Cabldeik.exe File created C:\Windows\SysWOW64\Glpdbfek.exe Gjahfkfg.exe File created C:\Windows\SysWOW64\Ibnoen32.dll Bmhmgbif.exe File opened for modification C:\Windows\SysWOW64\Ckbccnji.exe Cicggcke.exe File created C:\Windows\SysWOW64\Dijjgegh.exe Deonff32.exe File created C:\Windows\SysWOW64\Dodlfmlb.exe Dhjdjc32.exe File created C:\Windows\SysWOW64\Emncci32.exe Ekofgnna.exe File created C:\Windows\SysWOW64\Fdldjnpc.dll Ldlghhde.exe File created C:\Windows\SysWOW64\Jhbeejlb.dll Pkcfak32.exe File opened for modification C:\Windows\SysWOW64\Cifdmbib.exe Cejhld32.exe File created C:\Windows\SysWOW64\Cpbiolnl.exe Cgkanomj.exe File created C:\Windows\SysWOW64\Fkbqmqbj.dll Eipjmk32.exe File created C:\Windows\SysWOW64\Gddpndhp.exe Gqidme32.exe File created C:\Windows\SysWOW64\Kpiihgoh.exe Jafilj32.exe File opened for modification C:\Windows\SysWOW64\Nmpkal32.exe Njaoeq32.exe File created C:\Windows\SysWOW64\Fagnmkjm.exe Fohbqpki.exe File created C:\Windows\SysWOW64\Hiblmldn.exe Hfdpaqej.exe File created C:\Windows\SysWOW64\Pmkkpm32.dll Klimcf32.exe File opened for modification C:\Windows\SysWOW64\Kkigfdjo.exe Kgmkef32.exe File opened for modification C:\Windows\SysWOW64\Iapfmg32.exe Inajql32.exe File created C:\Windows\SysWOW64\Bgqeea32.exe Bineidcj.exe File created C:\Windows\SysWOW64\Pemjdi32.dll Ehjqif32.exe File created C:\Windows\SysWOW64\Jpcfih32.exe Jlhjijpe.exe File created C:\Windows\SysWOW64\Bdmhcp32.exe Bbolge32.exe File created C:\Windows\SysWOW64\Hqkmahpp.exe Hnlqemal.exe File created C:\Windows\SysWOW64\Dhkjod32.dll Jmmmbg32.exe File created C:\Windows\SysWOW64\Ldikbhfh.exe Lpnobi32.exe File created C:\Windows\SysWOW64\Cpcpjbah.exe Cnacbj32.exe File opened for modification C:\Windows\SysWOW64\Jkdalb32.exe Jhfepfme.exe File opened for modification C:\Windows\SysWOW64\Kciifc32.exe Kommediq.exe File opened for modification C:\Windows\SysWOW64\Jinghn32.exe Jeblgodb.exe File created C:\Windows\SysWOW64\Ldchdjom.exe Lllpclnk.exe File created C:\Windows\SysWOW64\Imkqmh32.exe Ijmdql32.exe File opened for modification C:\Windows\SysWOW64\Pddinn32.exe Peaibajp.exe File opened for modification C:\Windows\SysWOW64\Dihmae32.exe Djemfibq.exe File created C:\Windows\SysWOW64\Plodbd32.dll Dlifcqfl.exe File created C:\Windows\SysWOW64\Iefeaj32.exe Ifceemdj.exe File created C:\Windows\SysWOW64\Njammhei.exe Nhbqqlfe.exe File created C:\Windows\SysWOW64\Nqollm32.dll Cnacbj32.exe File created C:\Windows\SysWOW64\Kloqiijm.exe Kiqdmm32.exe File opened for modification C:\Windows\SysWOW64\Dlqgob32.exe Dibjcg32.exe File created C:\Windows\SysWOW64\Goekpm32.exe Ghkbccdn.exe File created C:\Windows\SysWOW64\Ifloeo32.exe Icnbic32.exe File created C:\Windows\SysWOW64\Icjmpd32.exe Ilceog32.exe File opened for modification C:\Windows\SysWOW64\Nlabjj32.exe Nhffikob.exe File created C:\Windows\SysWOW64\Deoipl32.dll Fcjqpm32.exe File created C:\Windows\SysWOW64\Fdmjmenh.exe Faonqiod.exe File opened for modification C:\Windows\SysWOW64\Khpaidpk.exe Kpiihgoh.exe File opened for modification C:\Windows\SysWOW64\Eplood32.exe Emncci32.exe File created C:\Windows\SysWOW64\Pmghcf32.dll Gccjpb32.exe File opened for modification C:\Windows\SysWOW64\Mhopcl32.exe Mqhhbn32.exe File opened for modification C:\Windows\SysWOW64\Bgihjl32.exe Bblpae32.exe File created C:\Windows\SysWOW64\Mcekkkmc.exe Mmkcoq32.exe File created C:\Windows\SysWOW64\Bfkobj32.exe Boqgep32.exe File created C:\Windows\SysWOW64\Fkneka32.dll Gdgcnj32.exe File created C:\Windows\SysWOW64\Mplmipff.dll Eoqeekme.exe File created C:\Windows\SysWOW64\Iapfmg32.exe Inajql32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 7536 7508 WerFault.exe 747 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cifdmbib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language d584cff4f75e3659772928c6a507f6a1fab566576faba9edfef2a6b78a3acbf9.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Peapmhnk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epjbienl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ecmhqp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kneflplf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbkgegad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pieobaiq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifceemdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkajkoml.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omonmpcm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inajql32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdffcn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ceanmc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eajhgg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aaeiqf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlfina32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjcekj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmbenc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjanfl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jocceo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kekkkm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbhphdab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Niaihojk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qpmgho32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlifcqfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpfkhbon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggbljogc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfalaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mffdmfjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kphpdhdh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kabobo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgphke32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajlabc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpnbcfkc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfcfob32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmimif32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kheaoj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbppqf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ciknhb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iefeaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdigakic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opqdcgib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjfkbhae.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehlmnfeo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iigehk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flbehbqm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjkmfn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkcfak32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcankb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfkbqcam.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bcgoolln.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eaoaafli.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpnobi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgiakjld.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajmhljip.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgoakpjn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ecodfogg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iaegbmlq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljbmbpkb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdkcgk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Peaibajp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alhaho32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afeold32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eipjmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mgomoboc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ceahlg32.dll" Niilmi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Neemgp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Niilmi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cgjhkpbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iokdaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mogcelgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ppgdjqna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ddcadd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kkomepon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mceodfan.dll" Mgjpcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mlnbmikh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ankomldp.dll" Ollljo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gbigao32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Necqbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efaglp32.dll" Ohmljj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdldjnpc.dll" Ldlghhde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maaqhfpj.dll" Hbafel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Olgboogb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gfgpgmql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgofgcik.dll" Icjmpd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iilocklc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nffhad32.dll" Paemac32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cbfeam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jgmofbpk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Akpkok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmjlnacb.dll" Hkpaoape.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjllgppm.dll" Mkpppmko.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iggbdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiihgc32.dll" Kpblne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egghdk32.dll" Cbfeam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbmjdo32.dll" Fqqdigko.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mpeebhhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkgloq32.dll" Bkjdpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nnhakp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mpqekkob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qamjmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fpfkhbon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ioccpggm.dll" Fpihnbmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Inajql32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cgjhkpbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpalpp32.dll" Oejgbonl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfhofj32.dll" Jjhgdqef.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Joepjokm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbkicgjf.dll" Mbmgkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lakfgi32.dll" Oebdndlp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqkaef32.dll" Oelcho32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Feccqime.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chapbi32.dll" Adncoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fadagl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpdhjg32.dll" Lllpclnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aodqok32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Alhaho32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fdcncg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mnlilb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cbqekhmp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iimhfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Limhol32.dll" Mdigakic.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Edmnnakm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Benhai32.dll" Hnlqemal.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dibjcg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dadehh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kghbmiik.dll" Haggijgb.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2544 wrote to memory of 1832 2544 d584cff4f75e3659772928c6a507f6a1fab566576faba9edfef2a6b78a3acbf9.exe 29 PID 2544 wrote to memory of 1832 2544 d584cff4f75e3659772928c6a507f6a1fab566576faba9edfef2a6b78a3acbf9.exe 29 PID 2544 wrote to memory of 1832 2544 d584cff4f75e3659772928c6a507f6a1fab566576faba9edfef2a6b78a3acbf9.exe 29 PID 2544 wrote to memory of 1832 2544 d584cff4f75e3659772928c6a507f6a1fab566576faba9edfef2a6b78a3acbf9.exe 29 PID 1832 wrote to memory of 2820 1832 Jhkeelml.exe 30 PID 1832 wrote to memory of 2820 1832 Jhkeelml.exe 30 PID 1832 wrote to memory of 2820 1832 Jhkeelml.exe 30 PID 1832 wrote to memory of 2820 1832 Jhkeelml.exe 30 PID 2820 wrote to memory of 2708 2820 Joenaf32.exe 31 PID 2820 wrote to memory of 2708 2820 Joenaf32.exe 31 PID 2820 wrote to memory of 2708 2820 Joenaf32.exe 31 PID 2820 wrote to memory of 2708 2820 Joenaf32.exe 31 PID 2708 wrote to memory of 2836 2708 Jklnggjm.exe 32 PID 2708 wrote to memory of 2836 2708 Jklnggjm.exe 32 PID 2708 wrote to memory of 2836 2708 Jklnggjm.exe 32 PID 2708 wrote to memory of 2836 2708 Jklnggjm.exe 32 PID 2836 wrote to memory of 2784 2836 Jaffca32.exe 33 PID 2836 wrote to memory of 2784 2836 Jaffca32.exe 33 PID 2836 wrote to memory of 2784 2836 Jaffca32.exe 33 PID 2836 wrote to memory of 2784 2836 Jaffca32.exe 33 PID 2784 wrote to memory of 2768 2784 Kknklg32.exe 34 PID 2784 wrote to memory of 2768 2784 Kknklg32.exe 34 PID 2784 wrote to memory of 2768 2784 Kknklg32.exe 34 PID 2784 wrote to memory of 2768 2784 Kknklg32.exe 34 PID 2768 wrote to memory of 604 2768 Kpkcdn32.exe 35 PID 2768 wrote to memory of 604 2768 Kpkcdn32.exe 35 PID 2768 wrote to memory of 604 2768 Kpkcdn32.exe 35 PID 2768 wrote to memory of 604 2768 Kpkcdn32.exe 35 PID 604 wrote to memory of 2372 604 Kkqhbf32.exe 36 PID 604 wrote to memory of 2372 604 Kkqhbf32.exe 36 PID 604 wrote to memory of 2372 604 Kkqhbf32.exe 36 PID 604 wrote to memory of 2372 604 Kkqhbf32.exe 36 PID 2372 wrote to memory of 1820 2372 Kpmpjm32.exe 37 PID 2372 wrote to memory of 1820 2372 Kpmpjm32.exe 37 PID 2372 wrote to memory of 1820 2372 Kpmpjm32.exe 37 PID 2372 wrote to memory of 1820 2372 Kpmpjm32.exe 37 PID 1820 wrote to memory of 2908 1820 Knaqcabh.exe 38 PID 1820 wrote to memory of 2908 1820 Knaqcabh.exe 38 PID 1820 wrote to memory of 2908 1820 Knaqcabh.exe 38 PID 1820 wrote to memory of 2908 1820 Knaqcabh.exe 38 PID 2908 wrote to memory of 2312 2908 Kgjelg32.exe 39 PID 2908 wrote to memory of 2312 2908 Kgjelg32.exe 39 PID 2908 wrote to memory of 2312 2908 Kgjelg32.exe 39 PID 2908 wrote to memory of 2312 2908 Kgjelg32.exe 39 PID 2312 wrote to memory of 340 2312 Klfndn32.exe 40 PID 2312 wrote to memory of 340 2312 Klfndn32.exe 40 PID 2312 wrote to memory of 340 2312 Klfndn32.exe 40 PID 2312 wrote to memory of 340 2312 Klfndn32.exe 40 PID 340 wrote to memory of 272 340 Kbcfme32.exe 41 PID 340 wrote to memory of 272 340 Kbcfme32.exe 41 PID 340 wrote to memory of 272 340 Kbcfme32.exe 41 PID 340 wrote to memory of 272 340 Kbcfme32.exe 41 PID 272 wrote to memory of 1580 272 Kccbgh32.exe 42 PID 272 wrote to memory of 1580 272 Kccbgh32.exe 42 PID 272 wrote to memory of 1580 272 Kccbgh32.exe 42 PID 272 wrote to memory of 1580 272 Kccbgh32.exe 42 PID 1580 wrote to memory of 2240 1580 Llkgpmck.exe 43 PID 1580 wrote to memory of 2240 1580 Llkgpmck.exe 43 PID 1580 wrote to memory of 2240 1580 Llkgpmck.exe 43 PID 1580 wrote to memory of 2240 1580 Llkgpmck.exe 43 PID 2240 wrote to memory of 1940 2240 Lbhphdab.exe 44 PID 2240 wrote to memory of 1940 2240 Lbhphdab.exe 44 PID 2240 wrote to memory of 1940 2240 Lbhphdab.exe 44 PID 2240 wrote to memory of 1940 2240 Lbhphdab.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\d584cff4f75e3659772928c6a507f6a1fab566576faba9edfef2a6b78a3acbf9.exe"C:\Users\Admin\AppData\Local\Temp\d584cff4f75e3659772928c6a507f6a1fab566576faba9edfef2a6b78a3acbf9.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2544 -
C:\Windows\SysWOW64\Jhkeelml.exeC:\Windows\system32\Jhkeelml.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1832 -
C:\Windows\SysWOW64\Joenaf32.exeC:\Windows\system32\Joenaf32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2820 -
C:\Windows\SysWOW64\Jklnggjm.exeC:\Windows\system32\Jklnggjm.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2708 -
C:\Windows\SysWOW64\Jaffca32.exeC:\Windows\system32\Jaffca32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2836 -
C:\Windows\SysWOW64\Kknklg32.exeC:\Windows\system32\Kknklg32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2784 -
C:\Windows\SysWOW64\Kpkcdn32.exeC:\Windows\system32\Kpkcdn32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2768 -
C:\Windows\SysWOW64\Kkqhbf32.exeC:\Windows\system32\Kkqhbf32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:604 -
C:\Windows\SysWOW64\Kpmpjm32.exeC:\Windows\system32\Kpmpjm32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2372 -
C:\Windows\SysWOW64\Knaqcabh.exeC:\Windows\system32\Knaqcabh.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1820 -
C:\Windows\SysWOW64\Kgjelg32.exeC:\Windows\system32\Kgjelg32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2908 -
C:\Windows\SysWOW64\Klfndn32.exeC:\Windows\system32\Klfndn32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2312 -
C:\Windows\SysWOW64\Kbcfme32.exeC:\Windows\system32\Kbcfme32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:340 -
C:\Windows\SysWOW64\Kccbgh32.exeC:\Windows\system32\Kccbgh32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:272 -
C:\Windows\SysWOW64\Llkgpmck.exeC:\Windows\system32\Llkgpmck.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1580 -
C:\Windows\SysWOW64\Lbhphdab.exeC:\Windows\system32\Lbhphdab.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2240 -
C:\Windows\SysWOW64\Lgehpk32.exeC:\Windows\system32\Lgehpk32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1940 -
C:\Windows\SysWOW64\Lqmliqfj.exeC:\Windows\system32\Lqmliqfj.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:308 -
C:\Windows\SysWOW64\Lggdfk32.exeC:\Windows\system32\Lggdfk32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:488 -
C:\Windows\SysWOW64\Lqpiopdh.exeC:\Windows\system32\Lqpiopdh.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2432 -
C:\Windows\SysWOW64\Lgiakjld.exeC:\Windows\system32\Lgiakjld.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1748 -
C:\Windows\SysWOW64\Lmfjcajl.exeC:\Windows\system32\Lmfjcajl.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1784 -
C:\Windows\SysWOW64\Lcpbpk32.exeC:\Windows\system32\Lcpbpk32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1916 -
C:\Windows\SysWOW64\Mmifiahi.exeC:\Windows\system32\Mmifiahi.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2580 -
C:\Windows\SysWOW64\Mogcelgm.exeC:\Windows\system32\Mogcelgm.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1996 -
C:\Windows\SysWOW64\Mmkcoq32.exeC:\Windows\system32\Mmkcoq32.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2288 -
C:\Windows\SysWOW64\Mcekkkmc.exeC:\Windows\system32\Mcekkkmc.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2760 -
C:\Windows\SysWOW64\Mkpppmko.exeC:\Windows\system32\Mkpppmko.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2944 -
C:\Windows\SysWOW64\Mffdmfjd.exeC:\Windows\system32\Mffdmfjd.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2740 -
C:\Windows\SysWOW64\Meidib32.exeC:\Windows\system32\Meidib32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2668 -
C:\Windows\SysWOW64\Mpnifkae.exeC:\Windows\system32\Mpnifkae.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2224 -
C:\Windows\SysWOW64\Mpqekkob.exeC:\Windows\system32\Mpqekkob.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2576 -
C:\Windows\SysWOW64\Memncbmj.exeC:\Windows\system32\Memncbmj.exe33⤵
- Executes dropped EXE
PID:2520 -
C:\Windows\SysWOW64\Nnfbmgcj.exeC:\Windows\system32\Nnfbmgcj.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2584 -
C:\Windows\SysWOW64\Ncbkenba.exeC:\Windows\system32\Ncbkenba.exe35⤵
- Executes dropped EXE
PID:988 -
C:\Windows\SysWOW64\Nljcflbd.exeC:\Windows\system32\Nljcflbd.exe36⤵
- Executes dropped EXE
PID:1020 -
C:\Windows\SysWOW64\Nnhobgag.exeC:\Windows\system32\Nnhobgag.exe37⤵
- Executes dropped EXE
PID:2964 -
C:\Windows\SysWOW64\Nafknbqk.exeC:\Windows\system32\Nafknbqk.exe38⤵
- Executes dropped EXE
PID:2036 -
C:\Windows\SysWOW64\Ndehjnpo.exeC:\Windows\system32\Ndehjnpo.exe39⤵
- Executes dropped EXE
PID:2176 -
C:\Windows\SysWOW64\Nfcdfiob.exeC:\Windows\system32\Nfcdfiob.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2092 -
C:\Windows\SysWOW64\Nnjlhg32.exeC:\Windows\system32\Nnjlhg32.exe41⤵
- Executes dropped EXE
PID:2216 -
C:\Windows\SysWOW64\Naihdb32.exeC:\Windows\system32\Naihdb32.exe42⤵
- Executes dropped EXE
PID:948 -
C:\Windows\SysWOW64\Nhbqqlfe.exeC:\Windows\system32\Nhbqqlfe.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2112 -
C:\Windows\SysWOW64\Njammhei.exeC:\Windows\system32\Njammhei.exe44⤵
- Executes dropped EXE
PID:2408 -
C:\Windows\SysWOW64\Nidmhd32.exeC:\Windows\system32\Nidmhd32.exe45⤵
- Executes dropped EXE
PID:2424 -
C:\Windows\SysWOW64\Nakeib32.exeC:\Windows\system32\Nakeib32.exe46⤵
- Executes dropped EXE
PID:1224 -
C:\Windows\SysWOW64\Nblaajbd.exeC:\Windows\system32\Nblaajbd.exe47⤵
- Executes dropped EXE
PID:1656 -
C:\Windows\SysWOW64\Njcibgcf.exeC:\Windows\system32\Njcibgcf.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3068 -
C:\Windows\SysWOW64\Nmbenc32.exeC:\Windows\system32\Nmbenc32.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1600 -
C:\Windows\SysWOW64\Oppbjn32.exeC:\Windows\system32\Oppbjn32.exe50⤵
- Executes dropped EXE
PID:1388 -
C:\Windows\SysWOW64\Obonfj32.exeC:\Windows\system32\Obonfj32.exe51⤵
- Executes dropped EXE
PID:2960 -
C:\Windows\SysWOW64\Oiifcdhn.exeC:\Windows\system32\Oiifcdhn.exe52⤵
- Executes dropped EXE
PID:2884 -
C:\Windows\SysWOW64\Olgboogb.exeC:\Windows\system32\Olgboogb.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:2652 -
C:\Windows\SysWOW64\Ooeolkff.exeC:\Windows\system32\Ooeolkff.exe54⤵
- Executes dropped EXE
PID:2724 -
C:\Windows\SysWOW64\Ofmgmhgh.exeC:\Windows\system32\Ofmgmhgh.exe55⤵
- Executes dropped EXE
PID:2212 -
C:\Windows\SysWOW64\Ohncdp32.exeC:\Windows\system32\Ohncdp32.exe56⤵
- Executes dropped EXE
PID:2272 -
C:\Windows\SysWOW64\Opekenmh.exeC:\Windows\system32\Opekenmh.exe57⤵
- Executes dropped EXE
PID:1992 -
C:\Windows\SysWOW64\Obcgaill.exeC:\Windows\system32\Obcgaill.exe58⤵
- Executes dropped EXE
PID:2876 -
C:\Windows\SysWOW64\Oebdndlp.exeC:\Windows\system32\Oebdndlp.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:2920 -
C:\Windows\SysWOW64\Ollljo32.exeC:\Windows\system32\Ollljo32.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:2248 -
C:\Windows\SysWOW64\Okolfkjg.exeC:\Windows\system32\Okolfkjg.exe61⤵
- Executes dropped EXE
PID:2024 -
C:\Windows\SysWOW64\Oahdce32.exeC:\Windows\system32\Oahdce32.exe62⤵
- Executes dropped EXE
PID:2956 -
C:\Windows\SysWOW64\Odgqoa32.exeC:\Windows\system32\Odgqoa32.exe63⤵
- Executes dropped EXE
PID:344 -
C:\Windows\SysWOW64\Okailkhd.exeC:\Windows\system32\Okailkhd.exe64⤵
- Executes dropped EXE
PID:1012 -
C:\Windows\SysWOW64\Omoehf32.exeC:\Windows\system32\Omoehf32.exe65⤵
- Executes dropped EXE
PID:1672 -
C:\Windows\SysWOW64\Oefmid32.exeC:\Windows\system32\Oefmid32.exe66⤵PID:2264
-
C:\Windows\SysWOW64\Oheieo32.exeC:\Windows\system32\Oheieo32.exe67⤵PID:1400
-
C:\Windows\SysWOW64\Pkcfak32.exeC:\Windows\system32\Pkcfak32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2284 -
C:\Windows\SysWOW64\Pmabmf32.exeC:\Windows\system32\Pmabmf32.exe69⤵PID:928
-
C:\Windows\SysWOW64\Pppnia32.exeC:\Windows\system32\Pppnia32.exe70⤵PID:704
-
C:\Windows\SysWOW64\Phgfko32.exeC:\Windows\system32\Phgfko32.exe71⤵PID:2732
-
C:\Windows\SysWOW64\Pihbbgjj.exeC:\Windows\system32\Pihbbgjj.exe72⤵PID:2880
-
C:\Windows\SysWOW64\Pmdocf32.exeC:\Windows\system32\Pmdocf32.exe73⤵PID:2916
-
C:\Windows\SysWOW64\Pdngpp32.exeC:\Windows\system32\Pdngpp32.exe74⤵PID:2676
-
C:\Windows\SysWOW64\Pglclk32.exeC:\Windows\system32\Pglclk32.exe75⤵PID:2840
-
C:\Windows\SysWOW64\Pikohg32.exeC:\Windows\system32\Pikohg32.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2448 -
C:\Windows\SysWOW64\Plildb32.exeC:\Windows\system32\Plildb32.exe77⤵PID:1148
-
C:\Windows\SysWOW64\Pdpcep32.exeC:\Windows\system32\Pdpcep32.exe78⤵PID:1060
-
C:\Windows\SysWOW64\Peapmhnk.exeC:\Windows\system32\Peapmhnk.exe79⤵
- System Location Discovery: System Language Discovery
PID:500 -
C:\Windows\SysWOW64\Pnihneon.exeC:\Windows\system32\Pnihneon.exe80⤵PID:1160
-
C:\Windows\SysWOW64\Ppgdjqna.exeC:\Windows\system32\Ppgdjqna.exe81⤵
- Modifies registry class
PID:2096 -
C:\Windows\SysWOW64\Pceqfl32.exeC:\Windows\system32\Pceqfl32.exe82⤵PID:992
-
C:\Windows\SysWOW64\Pgamgken.exeC:\Windows\system32\Pgamgken.exe83⤵PID:2276
-
C:\Windows\SysWOW64\Phbinc32.exeC:\Windows\system32\Phbinc32.exe84⤵PID:2420
-
C:\Windows\SysWOW64\Ppiapp32.exeC:\Windows\system32\Ppiapp32.exe85⤵PID:1724
-
C:\Windows\SysWOW64\Qchmll32.exeC:\Windows\system32\Qchmll32.exe86⤵PID:2508
-
C:\Windows\SysWOW64\Qefihg32.exeC:\Windows\system32\Qefihg32.exe87⤵PID:1716
-
C:\Windows\SysWOW64\Qlpadaac.exeC:\Windows\system32\Qlpadaac.exe88⤵PID:2712
-
C:\Windows\SysWOW64\Qkcbpn32.exeC:\Windows\system32\Qkcbpn32.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2832 -
C:\Windows\SysWOW64\Qamjmh32.exeC:\Windows\system32\Qamjmh32.exe90⤵
- Modifies registry class
PID:2788 -
C:\Windows\SysWOW64\Qdkfic32.exeC:\Windows\system32\Qdkfic32.exe91⤵PID:2088
-
C:\Windows\SysWOW64\Qkeofnfk.exeC:\Windows\system32\Qkeofnfk.exe92⤵PID:1776
-
C:\Windows\SysWOW64\Andkbien.exeC:\Windows\system32\Andkbien.exe93⤵PID:2416
-
C:\Windows\SysWOW64\Aaogbh32.exeC:\Windows\system32\Aaogbh32.exe94⤵PID:844
-
C:\Windows\SysWOW64\Adncoc32.exeC:\Windows\system32\Adncoc32.exe95⤵
- Modifies registry class
PID:1272 -
C:\Windows\SysWOW64\Ahioobed.exeC:\Windows\system32\Ahioobed.exe96⤵PID:1780
-
C:\Windows\SysWOW64\Anfggicl.exeC:\Windows\system32\Anfggicl.exe97⤵PID:1696
-
C:\Windows\SysWOW64\Aqddcdbo.exeC:\Windows\system32\Aqddcdbo.exe98⤵PID:936
-
C:\Windows\SysWOW64\Ahllda32.exeC:\Windows\system32\Ahllda32.exe99⤵PID:2056
-
C:\Windows\SysWOW64\Agolpnjl.exeC:\Windows\system32\Agolpnjl.exe100⤵PID:1536
-
C:\Windows\SysWOW64\Ajmhljip.exeC:\Windows\system32\Ajmhljip.exe101⤵
- System Location Discovery: System Language Discovery
PID:1788 -
C:\Windows\SysWOW64\Adbmjbif.exeC:\Windows\system32\Adbmjbif.exe102⤵PID:2532
-
C:\Windows\SysWOW64\Agaifnhi.exeC:\Windows\system32\Agaifnhi.exe103⤵PID:2752
-
C:\Windows\SysWOW64\Ajoebigm.exeC:\Windows\system32\Ajoebigm.exe104⤵PID:2756
-
C:\Windows\SysWOW64\Amnanefa.exeC:\Windows\system32\Amnanefa.exe105⤵PID:2608
-
C:\Windows\SysWOW64\Adeiobgc.exeC:\Windows\system32\Adeiobgc.exe106⤵PID:1040
-
C:\Windows\SysWOW64\Agcekn32.exeC:\Windows\system32\Agcekn32.exe107⤵PID:2452
-
C:\Windows\SysWOW64\Anmnhhmd.exeC:\Windows\system32\Anmnhhmd.exe108⤵PID:2900
-
C:\Windows\SysWOW64\Aqljdclg.exeC:\Windows\system32\Aqljdclg.exe109⤵
- Drops file in System32 directory
PID:2236 -
C:\Windows\SysWOW64\Acjfpokk.exeC:\Windows\system32\Acjfpokk.exe110⤵PID:2440
-
C:\Windows\SysWOW64\Afhbljko.exeC:\Windows\system32\Afhbljko.exe111⤵PID:2428
-
C:\Windows\SysWOW64\Bmbkid32.exeC:\Windows\system32\Bmbkid32.exe112⤵PID:1964
-
C:\Windows\SysWOW64\Boqgep32.exeC:\Windows\system32\Boqgep32.exe113⤵
- Drops file in System32 directory
PID:684 -
C:\Windows\SysWOW64\Bfkobj32.exeC:\Windows\system32\Bfkobj32.exe114⤵PID:1512
-
C:\Windows\SysWOW64\Bjfkbhae.exeC:\Windows\system32\Bjfkbhae.exe115⤵
- System Location Discovery: System Language Discovery
PID:2336 -
C:\Windows\SysWOW64\Bkghjq32.exeC:\Windows\system32\Bkghjq32.exe116⤵PID:2744
-
C:\Windows\SysWOW64\Bocckoom.exeC:\Windows\system32\Bocckoom.exe117⤵PID:2800
-
C:\Windows\SysWOW64\Bbapgknp.exeC:\Windows\system32\Bbapgknp.exe118⤵PID:1680
-
C:\Windows\SysWOW64\Beplcfmd.exeC:\Windows\system32\Beplcfmd.exe119⤵PID:2072
-
C:\Windows\SysWOW64\Bkjdpp32.exeC:\Windows\system32\Bkjdpp32.exe120⤵
- Modifies registry class
PID:2704 -
C:\Windows\SysWOW64\Bnhqll32.exeC:\Windows\system32\Bnhqll32.exe121⤵PID:2256
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-