Analysis
-
max time kernel
84s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
09-12-2024 01:55
Behavioral task
behavioral1
Sample
a8c1a5d63b9b97d8658acd0b0687610899ede06c0849c0220a0853cbe7b9de9d.exe
Resource
win7-20240729-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral2
Sample
a8c1a5d63b9b97d8658acd0b0687610899ede06c0849c0220a0853cbe7b9de9d.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
a8c1a5d63b9b97d8658acd0b0687610899ede06c0849c0220a0853cbe7b9de9d.exe
-
Size
386KB
-
MD5
dfcf74891aaf54af31c3ebd229e5a2fd
-
SHA1
65d5aebab22e0d3292635d348c14c98ada120e74
-
SHA256
a8c1a5d63b9b97d8658acd0b0687610899ede06c0849c0220a0853cbe7b9de9d
-
SHA512
c4848760608b78d7fdc443de003faeee8243e5c41e059a841548120bc3837e39d73ac95a6906d30c12a089fdd136978e5553f034c8b5f0ccd2b21bfe80d4dfa1
-
SSDEEP
6144:BvBAAQFNLs7wQIc72nxvG7rbxmPVvRqlfJg9i4s7wQIc72nxvG7rbxmPV9:DAgwQZ7287xmPFRkfJg9qwQZ7287xmP7
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mnlilb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bcdbjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kekkkm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oikeal32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnimeg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odaqikaa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhlgnd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blejgm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggphji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nbaafocg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccjehkek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ccdnipal.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Joepjokm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbokda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ldikbhfh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhdcbjal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Obffpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cincaq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Emailhfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hefibg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijmdql32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jafilj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kdincdcl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekeiel32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcojbm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlpmndba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Blejgm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efifjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hdloab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mgfjjh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odfjdk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alncgn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbpolb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aknnil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Egljjmkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Effidg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ifceemdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jpnfdbig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cbfhjfdk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Klamohhj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkepdbkb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdqfnhpa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfknjfbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pahjgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fbbcdh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Boncej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kifgllbc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qakppa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bofbih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Happkf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdpjcaij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gafcahil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ohkpdj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ceoagcld.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbepplkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ojdlkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aniffaim.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjnaehgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aodqok32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnlolhoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lafekm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Agonig32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdmcbojl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njmejaqb.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 3032 Hpmdjf32.exe 2808 Hbkpfa32.exe 2784 Ipameehe.exe 2692 Ipcjje32.exe 2704 Iecohl32.exe 2732 Ijphqbpo.exe 1656 Jhfepfme.exe 908 Jmbnhm32.exe 2756 Jpajdi32.exe 1556 Jgmofbpk.exe 2980 Khcdijac.exe 1500 Kegebn32.exe 1168 Klamohhj.exe 2484 Knbjgq32.exe 2068 Kdlbckee.exe 2272 Kkfjpemb.exe 2012 Kapbmo32.exe 1636 Kdooij32.exe 1516 Kjlgaa32.exe 1532 Kpeonkig.exe 2036 Lgphke32.exe 1988 Lllpclnk.exe 280 Lcfhpf32.exe 336 Lnlmmo32.exe 1700 Lomidgkl.exe 1576 Lgdafeln.exe 2204 Ljbmbpkb.exe 2860 Loofjg32.exe 2188 Ljejgp32.exe 2976 Lkffohon.exe 2844 Lbpolb32.exe 2672 Lhjghlng.exe 564 Lngpac32.exe 2332 Mhlcnl32.exe 2520 Moflkfca.exe 2028 Mqhhbn32.exe 2904 Mgaqohql.exe 2060 Mnlilb32.exe 1748 Mqjehngm.exe 2488 Mgdmeh32.exe 1436 Mnneabff.exe 1520 Mdhnnl32.exe 1292 Mgfjjh32.exe 1032 Mnpbgbdd.exe 888 Mqoocmcg.exe 2260 Mflgkd32.exe 2792 Nmeohnil.exe 2652 Npdkdjhp.exe 2368 Nfncad32.exe 3056 Nmhlnngi.exe 2040 Npfhjifm.exe 2500 Nfppfcmj.exe 2292 Nmjicn32.exe 2908 Nnkekfkd.exe 844 Neemgp32.exe 1092 Nloedjin.exe 1172 Nbinad32.exe 536 Nicfnn32.exe 1124 Nlabjj32.exe 1028 Nbljfdoh.exe 1764 Ohhcokmp.exe 3048 Omekgakg.exe 2492 Ohkpdj32.exe 2720 Omhhma32.exe -
Loads dropped DLL 64 IoCs
pid Process 2320 a8c1a5d63b9b97d8658acd0b0687610899ede06c0849c0220a0853cbe7b9de9d.exe 2320 a8c1a5d63b9b97d8658acd0b0687610899ede06c0849c0220a0853cbe7b9de9d.exe 3032 Hpmdjf32.exe 3032 Hpmdjf32.exe 2808 Hbkpfa32.exe 2808 Hbkpfa32.exe 2784 Ipameehe.exe 2784 Ipameehe.exe 2692 Ipcjje32.exe 2692 Ipcjje32.exe 2704 Iecohl32.exe 2704 Iecohl32.exe 2732 Ijphqbpo.exe 2732 Ijphqbpo.exe 1656 Jhfepfme.exe 1656 Jhfepfme.exe 908 Jmbnhm32.exe 908 Jmbnhm32.exe 2756 Jpajdi32.exe 2756 Jpajdi32.exe 1556 Jgmofbpk.exe 1556 Jgmofbpk.exe 2980 Khcdijac.exe 2980 Khcdijac.exe 1500 Kegebn32.exe 1500 Kegebn32.exe 1168 Klamohhj.exe 1168 Klamohhj.exe 2484 Knbjgq32.exe 2484 Knbjgq32.exe 2068 Kdlbckee.exe 2068 Kdlbckee.exe 2272 Kkfjpemb.exe 2272 Kkfjpemb.exe 2012 Kapbmo32.exe 2012 Kapbmo32.exe 1636 Kdooij32.exe 1636 Kdooij32.exe 1516 Kjlgaa32.exe 1516 Kjlgaa32.exe 1532 Kpeonkig.exe 1532 Kpeonkig.exe 2036 Lgphke32.exe 2036 Lgphke32.exe 1988 Lllpclnk.exe 1988 Lllpclnk.exe 280 Lcfhpf32.exe 280 Lcfhpf32.exe 336 Lnlmmo32.exe 336 Lnlmmo32.exe 1700 Lomidgkl.exe 1700 Lomidgkl.exe 1576 Lgdafeln.exe 1576 Lgdafeln.exe 2204 Ljbmbpkb.exe 2204 Ljbmbpkb.exe 2860 Loofjg32.exe 2860 Loofjg32.exe 2188 Ljejgp32.exe 2188 Ljejgp32.exe 2976 Lkffohon.exe 2976 Lkffohon.exe 2844 Lbpolb32.exe 2844 Lbpolb32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Bkddjkej.exe Bqopmbed.exe File created C:\Windows\SysWOW64\Iqmcmaja.exe Iiekkdjo.exe File opened for modification C:\Windows\SysWOW64\Qdlialfb.exe Qeihfp32.exe File opened for modification C:\Windows\SysWOW64\Lnlmmo32.exe Lcfhpf32.exe File created C:\Windows\SysWOW64\Canbdfch.dll Nnkekfkd.exe File created C:\Windows\SysWOW64\Popkeh32.exe Omonmpcm.exe File created C:\Windows\SysWOW64\Bmnqaanm.dll Aglhph32.exe File opened for modification C:\Windows\SysWOW64\Hcnfjpib.exe Hmdnme32.exe File created C:\Windows\SysWOW64\Ipimic32.exe Ilnqhddd.exe File created C:\Windows\SysWOW64\Hdfjnimm.dll Onfadc32.exe File created C:\Windows\SysWOW64\Aniffaim.exe Agonig32.exe File created C:\Windows\SysWOW64\Cbfhjfdk.exe Cklpml32.exe File created C:\Windows\SysWOW64\Djqdgfho.dll Hnimeg32.exe File created C:\Windows\SysWOW64\Ofmiea32.exe Onfadc32.exe File created C:\Windows\SysWOW64\Oebffm32.exe Obdjjb32.exe File created C:\Windows\SysWOW64\Ecmmbajg.dll Pfaopc32.exe File created C:\Windows\SysWOW64\Ejfagnkj.dll Cbdkdffm.exe File created C:\Windows\SysWOW64\Lcfhpf32.exe Lllpclnk.exe File created C:\Windows\SysWOW64\Hbepplkh.exe Hklhca32.exe File opened for modification C:\Windows\SysWOW64\Hbepplkh.exe Hklhca32.exe File opened for modification C:\Windows\SysWOW64\Kppohf32.exe Kifgllbc.exe File opened for modification C:\Windows\SysWOW64\Moahdd32.exe Mgjpcf32.exe File opened for modification C:\Windows\SysWOW64\Cmgblphf.exe Cjifpdib.exe File created C:\Windows\SysWOW64\Giikkehc.exe Gdmcbojl.exe File created C:\Windows\SysWOW64\Deljfqmf.exe Dbmnjenb.exe File created C:\Windows\SysWOW64\Flingf32.dll Lkffohon.exe File created C:\Windows\SysWOW64\Lclijeeg.dll Mhlcnl32.exe File created C:\Windows\SysWOW64\Qommgk32.dll Dhdddnep.exe File created C:\Windows\SysWOW64\Epgoio32.exe Dfnjqifb.exe File opened for modification C:\Windows\SysWOW64\Npngng32.exe Nidoamch.exe File created C:\Windows\SysWOW64\Agonig32.exe Adqbml32.exe File opened for modification C:\Windows\SysWOW64\Cklpml32.exe Cincaq32.exe File created C:\Windows\SysWOW64\Jidngh32.exe Jffakm32.exe File created C:\Windows\SysWOW64\Eelgce32.dll Jemkai32.exe File created C:\Windows\SysWOW64\Kihcakpa.exe Kbokda32.exe File created C:\Windows\SysWOW64\Ncmbldke.dll Lahaqm32.exe File created C:\Windows\SysWOW64\Ngnlaehe.dll Feeilbhg.exe File opened for modification C:\Windows\SysWOW64\Gllabp32.exe Ginefe32.exe File opened for modification C:\Windows\SysWOW64\Oaeacppk.exe Ojlife32.exe File created C:\Windows\SysWOW64\Bkddjkej.exe Bqopmbed.exe File created C:\Windows\SysWOW64\Mafibkqg.dll Flkohc32.exe File opened for modification C:\Windows\SysWOW64\Johlpoij.exe Jhndcd32.exe File created C:\Windows\SysWOW64\Feeilbhg.exe Fmnakege.exe File created C:\Windows\SysWOW64\Omekgakg.exe Ohhcokmp.exe File created C:\Windows\SysWOW64\Pdgnnfme.dll Plfhdlfb.exe File opened for modification C:\Windows\SysWOW64\Obffpa32.exe Ollncgjq.exe File created C:\Windows\SysWOW64\Pdqfnhpa.exe Pmgnan32.exe File opened for modification C:\Windows\SysWOW64\Denglpkc.exe Dmgokcja.exe File created C:\Windows\SysWOW64\Fkdoii32.exe Fhfbmn32.exe File opened for modification C:\Windows\SysWOW64\Hjnaehgj.exe Hcdihn32.exe File opened for modification C:\Windows\SysWOW64\Hchbcmlh.exe Hmojfcdk.exe File created C:\Windows\SysWOW64\Gfobjfcf.dll Fkeedo32.exe File created C:\Windows\SysWOW64\Cebplg32.dll Gpfggeai.exe File created C:\Windows\SysWOW64\Imfgahao.exe Ifloeo32.exe File created C:\Windows\SysWOW64\Ciomamim.dll Lnmfpnqn.exe File created C:\Windows\SysWOW64\Bfpkfb32.exe Bofbih32.exe File opened for modification C:\Windows\SysWOW64\Ejpipf32.exe Ebhani32.exe File opened for modification C:\Windows\SysWOW64\Mnpbgbdd.exe Mgfjjh32.exe File opened for modification C:\Windows\SysWOW64\Nbinad32.exe Nloedjin.exe File opened for modification C:\Windows\SysWOW64\Dbneekan.exe Djcpqidc.exe File created C:\Windows\SysWOW64\Gfhikl32.exe Gdfmccfm.exe File created C:\Windows\SysWOW64\Fmbkfd32.exe Fkdoii32.exe File opened for modification C:\Windows\SysWOW64\Jpajdi32.exe Jmbnhm32.exe File opened for modification C:\Windows\SysWOW64\Pejcab32.exe Popkeh32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5556 5460 WerFault.exe 520 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qpjchicb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfieec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccjehkek.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfknjfbl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Degqka32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdooij32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnoaliln.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jidngh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjgmka32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Babbpc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eaoaafli.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gqkqbe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lahaqm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lppkgi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obopobhe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omonmpcm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aglhph32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjqglf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbihpbpl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfcadq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbidof32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acdfki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdmhcp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ceoagcld.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnlolhoo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eajhgg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Effidg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmbnhm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlabjj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aodqok32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjhgdqef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klbfbg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mffgfo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cincaq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjlnaghp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbnhfhoc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipimic32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngoinfao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnodjb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccdnipal.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eehqme32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kihcakpa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebekej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eolljk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehdpcahk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpfggeai.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggbljogc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khcdijac.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Poddphee.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afqeaemk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmgokcja.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijmdql32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnafop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pegpamoo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phhhchlp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anfjpa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Conpdm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eiocbd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flkohc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Feeilbhg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aekelo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpmeij32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gokmnlcf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Johlpoij.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cbnhfhoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fdbgia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmbcq32.dll" Falakjag.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fkeedo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iapfmg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kbokda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbihec32.dll" Ohqbbi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dbidof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okmkebdg.dll" Efbpihoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjligacm.dll" Hkfgnldd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnfindfp.dll" Lllpclnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Poddphee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjkckf32.dll" Ahancp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fhdlbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cbdkdffm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dkaihkih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Effidg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afmhjhpn.dll" Eenckc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijinin32.dll" Hpmdjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Khcdijac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnomgnhj.dll" Phabdmgq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bbjoki32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Clkfjman.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fcegdnna.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fehmlh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gqkqbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bngnoa32.dll" Mhdcbjal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cnmlpd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ccjehkek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ahancp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oleiokho.dll" Fcgdjmlo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Alncgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dmllgo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mejojlab.dll" Eoanij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hibgakob.dll" Fgffck32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fangfcki.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nmhlnngi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Biakbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hfalaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ijjgkmqh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oiglfm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fgffck32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pgbejj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fdmjmenh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hmfkbeoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhbpfk32.dll" Joepjokm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Djffihmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiajmgka.dll" Epmahmcm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bjjakg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hojqjp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Koelibnh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mdkcgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qeglqpaj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ggphji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdnfhbgm.dll" Loofjg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nfncad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Omekgakg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gpfggeai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Koiohb32.dll" Igioiacg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qdlialfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ehopnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Boobcigh.dll" Ginefe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjeace32.dll" Kdooij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nfncad32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2320 wrote to memory of 3032 2320 a8c1a5d63b9b97d8658acd0b0687610899ede06c0849c0220a0853cbe7b9de9d.exe 29 PID 2320 wrote to memory of 3032 2320 a8c1a5d63b9b97d8658acd0b0687610899ede06c0849c0220a0853cbe7b9de9d.exe 29 PID 2320 wrote to memory of 3032 2320 a8c1a5d63b9b97d8658acd0b0687610899ede06c0849c0220a0853cbe7b9de9d.exe 29 PID 2320 wrote to memory of 3032 2320 a8c1a5d63b9b97d8658acd0b0687610899ede06c0849c0220a0853cbe7b9de9d.exe 29 PID 3032 wrote to memory of 2808 3032 Hpmdjf32.exe 30 PID 3032 wrote to memory of 2808 3032 Hpmdjf32.exe 30 PID 3032 wrote to memory of 2808 3032 Hpmdjf32.exe 30 PID 3032 wrote to memory of 2808 3032 Hpmdjf32.exe 30 PID 2808 wrote to memory of 2784 2808 Hbkpfa32.exe 31 PID 2808 wrote to memory of 2784 2808 Hbkpfa32.exe 31 PID 2808 wrote to memory of 2784 2808 Hbkpfa32.exe 31 PID 2808 wrote to memory of 2784 2808 Hbkpfa32.exe 31 PID 2784 wrote to memory of 2692 2784 Ipameehe.exe 32 PID 2784 wrote to memory of 2692 2784 Ipameehe.exe 32 PID 2784 wrote to memory of 2692 2784 Ipameehe.exe 32 PID 2784 wrote to memory of 2692 2784 Ipameehe.exe 32 PID 2692 wrote to memory of 2704 2692 Ipcjje32.exe 33 PID 2692 wrote to memory of 2704 2692 Ipcjje32.exe 33 PID 2692 wrote to memory of 2704 2692 Ipcjje32.exe 33 PID 2692 wrote to memory of 2704 2692 Ipcjje32.exe 33 PID 2704 wrote to memory of 2732 2704 Iecohl32.exe 34 PID 2704 wrote to memory of 2732 2704 Iecohl32.exe 34 PID 2704 wrote to memory of 2732 2704 Iecohl32.exe 34 PID 2704 wrote to memory of 2732 2704 Iecohl32.exe 34 PID 2732 wrote to memory of 1656 2732 Ijphqbpo.exe 35 PID 2732 wrote to memory of 1656 2732 Ijphqbpo.exe 35 PID 2732 wrote to memory of 1656 2732 Ijphqbpo.exe 35 PID 2732 wrote to memory of 1656 2732 Ijphqbpo.exe 35 PID 1656 wrote to memory of 908 1656 Jhfepfme.exe 36 PID 1656 wrote to memory of 908 1656 Jhfepfme.exe 36 PID 1656 wrote to memory of 908 1656 Jhfepfme.exe 36 PID 1656 wrote to memory of 908 1656 Jhfepfme.exe 36 PID 908 wrote to memory of 2756 908 Jmbnhm32.exe 37 PID 908 wrote to memory of 2756 908 Jmbnhm32.exe 37 PID 908 wrote to memory of 2756 908 Jmbnhm32.exe 37 PID 908 wrote to memory of 2756 908 Jmbnhm32.exe 37 PID 2756 wrote to memory of 1556 2756 Jpajdi32.exe 38 PID 2756 wrote to memory of 1556 2756 Jpajdi32.exe 38 PID 2756 wrote to memory of 1556 2756 Jpajdi32.exe 38 PID 2756 wrote to memory of 1556 2756 Jpajdi32.exe 38 PID 1556 wrote to memory of 2980 1556 Jgmofbpk.exe 39 PID 1556 wrote to memory of 2980 1556 Jgmofbpk.exe 39 PID 1556 wrote to memory of 2980 1556 Jgmofbpk.exe 39 PID 1556 wrote to memory of 2980 1556 Jgmofbpk.exe 39 PID 2980 wrote to memory of 1500 2980 Khcdijac.exe 40 PID 2980 wrote to memory of 1500 2980 Khcdijac.exe 40 PID 2980 wrote to memory of 1500 2980 Khcdijac.exe 40 PID 2980 wrote to memory of 1500 2980 Khcdijac.exe 40 PID 1500 wrote to memory of 1168 1500 Kegebn32.exe 41 PID 1500 wrote to memory of 1168 1500 Kegebn32.exe 41 PID 1500 wrote to memory of 1168 1500 Kegebn32.exe 41 PID 1500 wrote to memory of 1168 1500 Kegebn32.exe 41 PID 1168 wrote to memory of 2484 1168 Klamohhj.exe 42 PID 1168 wrote to memory of 2484 1168 Klamohhj.exe 42 PID 1168 wrote to memory of 2484 1168 Klamohhj.exe 42 PID 1168 wrote to memory of 2484 1168 Klamohhj.exe 42 PID 2484 wrote to memory of 2068 2484 Knbjgq32.exe 43 PID 2484 wrote to memory of 2068 2484 Knbjgq32.exe 43 PID 2484 wrote to memory of 2068 2484 Knbjgq32.exe 43 PID 2484 wrote to memory of 2068 2484 Knbjgq32.exe 43 PID 2068 wrote to memory of 2272 2068 Kdlbckee.exe 44 PID 2068 wrote to memory of 2272 2068 Kdlbckee.exe 44 PID 2068 wrote to memory of 2272 2068 Kdlbckee.exe 44 PID 2068 wrote to memory of 2272 2068 Kdlbckee.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\a8c1a5d63b9b97d8658acd0b0687610899ede06c0849c0220a0853cbe7b9de9d.exe"C:\Users\Admin\AppData\Local\Temp\a8c1a5d63b9b97d8658acd0b0687610899ede06c0849c0220a0853cbe7b9de9d.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2320 -
C:\Windows\SysWOW64\Hpmdjf32.exeC:\Windows\system32\Hpmdjf32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3032 -
C:\Windows\SysWOW64\Hbkpfa32.exeC:\Windows\system32\Hbkpfa32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2808 -
C:\Windows\SysWOW64\Ipameehe.exeC:\Windows\system32\Ipameehe.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2784 -
C:\Windows\SysWOW64\Ipcjje32.exeC:\Windows\system32\Ipcjje32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\Windows\SysWOW64\Iecohl32.exeC:\Windows\system32\Iecohl32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2704 -
C:\Windows\SysWOW64\Ijphqbpo.exeC:\Windows\system32\Ijphqbpo.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\SysWOW64\Jhfepfme.exeC:\Windows\system32\Jhfepfme.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1656 -
C:\Windows\SysWOW64\Jmbnhm32.exeC:\Windows\system32\Jmbnhm32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:908 -
C:\Windows\SysWOW64\Jpajdi32.exeC:\Windows\system32\Jpajdi32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2756 -
C:\Windows\SysWOW64\Jgmofbpk.exeC:\Windows\system32\Jgmofbpk.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1556 -
C:\Windows\SysWOW64\Khcdijac.exeC:\Windows\system32\Khcdijac.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2980 -
C:\Windows\SysWOW64\Kegebn32.exeC:\Windows\system32\Kegebn32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1500 -
C:\Windows\SysWOW64\Klamohhj.exeC:\Windows\system32\Klamohhj.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1168 -
C:\Windows\SysWOW64\Knbjgq32.exeC:\Windows\system32\Knbjgq32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2484 -
C:\Windows\SysWOW64\Kdlbckee.exeC:\Windows\system32\Kdlbckee.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2068 -
C:\Windows\SysWOW64\Kkfjpemb.exeC:\Windows\system32\Kkfjpemb.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2272 -
C:\Windows\SysWOW64\Kapbmo32.exeC:\Windows\system32\Kapbmo32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2012 -
C:\Windows\SysWOW64\Kdooij32.exeC:\Windows\system32\Kdooij32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1636 -
C:\Windows\SysWOW64\Kjlgaa32.exeC:\Windows\system32\Kjlgaa32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1516 -
C:\Windows\SysWOW64\Kpeonkig.exeC:\Windows\system32\Kpeonkig.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1532 -
C:\Windows\SysWOW64\Lgphke32.exeC:\Windows\system32\Lgphke32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2036 -
C:\Windows\SysWOW64\Lllpclnk.exeC:\Windows\system32\Lllpclnk.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1988 -
C:\Windows\SysWOW64\Lcfhpf32.exeC:\Windows\system32\Lcfhpf32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:280 -
C:\Windows\SysWOW64\Lnlmmo32.exeC:\Windows\system32\Lnlmmo32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:336 -
C:\Windows\SysWOW64\Lomidgkl.exeC:\Windows\system32\Lomidgkl.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1700 -
C:\Windows\SysWOW64\Lgdafeln.exeC:\Windows\system32\Lgdafeln.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1576 -
C:\Windows\SysWOW64\Ljbmbpkb.exeC:\Windows\system32\Ljbmbpkb.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2204 -
C:\Windows\SysWOW64\Loofjg32.exeC:\Windows\system32\Loofjg32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2860 -
C:\Windows\SysWOW64\Ljejgp32.exeC:\Windows\system32\Ljejgp32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2188 -
C:\Windows\SysWOW64\Lkffohon.exeC:\Windows\system32\Lkffohon.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2976 -
C:\Windows\SysWOW64\Lbpolb32.exeC:\Windows\system32\Lbpolb32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2844 -
C:\Windows\SysWOW64\Lhjghlng.exeC:\Windows\system32\Lhjghlng.exe33⤵
- Executes dropped EXE
PID:2672 -
C:\Windows\SysWOW64\Lngpac32.exeC:\Windows\system32\Lngpac32.exe34⤵
- Executes dropped EXE
PID:564 -
C:\Windows\SysWOW64\Mhlcnl32.exeC:\Windows\system32\Mhlcnl32.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2332 -
C:\Windows\SysWOW64\Moflkfca.exeC:\Windows\system32\Moflkfca.exe36⤵
- Executes dropped EXE
PID:2520 -
C:\Windows\SysWOW64\Mqhhbn32.exeC:\Windows\system32\Mqhhbn32.exe37⤵
- Executes dropped EXE
PID:2028 -
C:\Windows\SysWOW64\Mgaqohql.exeC:\Windows\system32\Mgaqohql.exe38⤵
- Executes dropped EXE
PID:2904 -
C:\Windows\SysWOW64\Mnlilb32.exeC:\Windows\system32\Mnlilb32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2060 -
C:\Windows\SysWOW64\Mqjehngm.exeC:\Windows\system32\Mqjehngm.exe40⤵
- Executes dropped EXE
PID:1748 -
C:\Windows\SysWOW64\Mgdmeh32.exeC:\Windows\system32\Mgdmeh32.exe41⤵
- Executes dropped EXE
PID:2488 -
C:\Windows\SysWOW64\Mnneabff.exeC:\Windows\system32\Mnneabff.exe42⤵
- Executes dropped EXE
PID:1436 -
C:\Windows\SysWOW64\Mdhnnl32.exeC:\Windows\system32\Mdhnnl32.exe43⤵
- Executes dropped EXE
PID:1520 -
C:\Windows\SysWOW64\Mgfjjh32.exeC:\Windows\system32\Mgfjjh32.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1292 -
C:\Windows\SysWOW64\Mnpbgbdd.exeC:\Windows\system32\Mnpbgbdd.exe45⤵
- Executes dropped EXE
PID:1032 -
C:\Windows\SysWOW64\Mqoocmcg.exeC:\Windows\system32\Mqoocmcg.exe46⤵
- Executes dropped EXE
PID:888 -
C:\Windows\SysWOW64\Mflgkd32.exeC:\Windows\system32\Mflgkd32.exe47⤵
- Executes dropped EXE
PID:2260 -
C:\Windows\SysWOW64\Nmeohnil.exeC:\Windows\system32\Nmeohnil.exe48⤵
- Executes dropped EXE
PID:2792 -
C:\Windows\SysWOW64\Npdkdjhp.exeC:\Windows\system32\Npdkdjhp.exe49⤵
- Executes dropped EXE
PID:2652 -
C:\Windows\SysWOW64\Nfncad32.exeC:\Windows\system32\Nfncad32.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:2368 -
C:\Windows\SysWOW64\Nmhlnngi.exeC:\Windows\system32\Nmhlnngi.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:3056 -
C:\Windows\SysWOW64\Npfhjifm.exeC:\Windows\system32\Npfhjifm.exe52⤵
- Executes dropped EXE
PID:2040 -
C:\Windows\SysWOW64\Nfppfcmj.exeC:\Windows\system32\Nfppfcmj.exe53⤵
- Executes dropped EXE
PID:2500 -
C:\Windows\SysWOW64\Nmjicn32.exeC:\Windows\system32\Nmjicn32.exe54⤵
- Executes dropped EXE
PID:2292 -
C:\Windows\SysWOW64\Nnkekfkd.exeC:\Windows\system32\Nnkekfkd.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2908 -
C:\Windows\SysWOW64\Neemgp32.exeC:\Windows\system32\Neemgp32.exe56⤵
- Executes dropped EXE
PID:844 -
C:\Windows\SysWOW64\Nloedjin.exeC:\Windows\system32\Nloedjin.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1092 -
C:\Windows\SysWOW64\Nbinad32.exeC:\Windows\system32\Nbinad32.exe58⤵
- Executes dropped EXE
PID:1172 -
C:\Windows\SysWOW64\Nicfnn32.exeC:\Windows\system32\Nicfnn32.exe59⤵
- Executes dropped EXE
PID:536 -
C:\Windows\SysWOW64\Nlabjj32.exeC:\Windows\system32\Nlabjj32.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1124 -
C:\Windows\SysWOW64\Nbljfdoh.exeC:\Windows\system32\Nbljfdoh.exe61⤵
- Executes dropped EXE
PID:1028 -
C:\Windows\SysWOW64\Ohhcokmp.exeC:\Windows\system32\Ohhcokmp.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1764 -
C:\Windows\SysWOW64\Omekgakg.exeC:\Windows\system32\Omekgakg.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:3048 -
C:\Windows\SysWOW64\Ohkpdj32.exeC:\Windows\system32\Ohkpdj32.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2492 -
C:\Windows\SysWOW64\Omhhma32.exeC:\Windows\system32\Omhhma32.exe65⤵
- Executes dropped EXE
PID:2720 -
C:\Windows\SysWOW64\Odaqikaa.exeC:\Windows\system32\Odaqikaa.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2688 -
C:\Windows\SysWOW64\Ojlife32.exeC:\Windows\system32\Ojlife32.exe67⤵
- Drops file in System32 directory
PID:2540 -
C:\Windows\SysWOW64\Oaeacppk.exeC:\Windows\system32\Oaeacppk.exe68⤵PID:2920
-
C:\Windows\SysWOW64\Oddmokoo.exeC:\Windows\system32\Oddmokoo.exe69⤵PID:852
-
C:\Windows\SysWOW64\Ojnelefl.exeC:\Windows\system32\Ojnelefl.exe70⤵PID:2748
-
C:\Windows\SysWOW64\Omlahqeo.exeC:\Windows\system32\Omlahqeo.exe71⤵PID:1048
-
C:\Windows\SysWOW64\Odfjdk32.exeC:\Windows\system32\Odfjdk32.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2300 -
C:\Windows\SysWOW64\Oegflcbj.exeC:\Windows\system32\Oegflcbj.exe73⤵PID:580
-
C:\Windows\SysWOW64\Omonmpcm.exeC:\Windows\system32\Omonmpcm.exe74⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2128 -
C:\Windows\SysWOW64\Popkeh32.exeC:\Windows\system32\Popkeh32.exe75⤵
- Drops file in System32 directory
PID:2124 -
C:\Windows\SysWOW64\Pejcab32.exeC:\Windows\system32\Pejcab32.exe76⤵PID:2476
-
C:\Windows\SysWOW64\Pldknmhd.exeC:\Windows\system32\Pldknmhd.exe77⤵PID:692
-
C:\Windows\SysWOW64\Pobgjhgh.exeC:\Windows\system32\Pobgjhgh.exe78⤵PID:1484
-
C:\Windows\SysWOW64\Pelpgb32.exeC:\Windows\system32\Pelpgb32.exe79⤵PID:1572
-
C:\Windows\SysWOW64\Plfhdlfb.exeC:\Windows\system32\Plfhdlfb.exe80⤵
- Drops file in System32 directory
PID:1432 -
C:\Windows\SysWOW64\Poddphee.exeC:\Windows\system32\Poddphee.exe81⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2596 -
C:\Windows\SysWOW64\Peolmb32.exeC:\Windows\system32\Peolmb32.exe82⤵PID:2664
-
C:\Windows\SysWOW64\Plheil32.exeC:\Windows\system32\Plheil32.exe83⤵PID:2832
-
C:\Windows\SysWOW64\Pogaeg32.exeC:\Windows\system32\Pogaeg32.exe84⤵PID:2108
-
C:\Windows\SysWOW64\Paemac32.exeC:\Windows\system32\Paemac32.exe85⤵PID:2812
-
C:\Windows\SysWOW64\Pddinn32.exeC:\Windows\system32\Pddinn32.exe86⤵PID:2684
-
C:\Windows\SysWOW64\Pgbejj32.exeC:\Windows\system32\Pgbejj32.exe87⤵
- Modifies registry class
PID:1408 -
C:\Windows\SysWOW64\Pknakhig.exeC:\Windows\system32\Pknakhig.exe88⤵PID:1916
-
C:\Windows\SysWOW64\Pahjgb32.exeC:\Windows\system32\Pahjgb32.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2760 -
C:\Windows\SysWOW64\Phabdmgq.exeC:\Windows\system32\Phabdmgq.exe90⤵
- Modifies registry class
PID:2752 -
C:\Windows\SysWOW64\Aodqok32.exeC:\Windows\system32\Aodqok32.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2304 -
C:\Windows\SysWOW64\Aglhph32.exeC:\Windows\system32\Aglhph32.exe92⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1600 -
C:\Windows\SysWOW64\Ajjeld32.exeC:\Windows\system32\Ajjeld32.exe93⤵PID:2056
-
C:\Windows\SysWOW64\Aogmdk32.exeC:\Windows\system32\Aogmdk32.exe94⤵PID:2352
-
C:\Windows\SysWOW64\Afqeaemk.exeC:\Windows\system32\Afqeaemk.exe95⤵
- System Location Discovery: System Language Discovery
PID:2892 -
C:\Windows\SysWOW64\Aknnil32.exeC:\Windows\system32\Aknnil32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2872 -
C:\Windows\SysWOW64\Acdfki32.exeC:\Windows\system32\Acdfki32.exe97⤵
- System Location Discovery: System Language Discovery
PID:1080 -
C:\Windows\SysWOW64\Ahancp32.exeC:\Windows\system32\Ahancp32.exe98⤵
- Modifies registry class
PID:2512 -
C:\Windows\SysWOW64\Abjcleqm.exeC:\Windows\system32\Abjcleqm.exe99⤵PID:2256
-
C:\Windows\SysWOW64\Boncej32.exeC:\Windows\system32\Boncej32.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:648 -
C:\Windows\SysWOW64\Bqopmbed.exeC:\Windows\system32\Bqopmbed.exe101⤵
- Drops file in System32 directory
PID:1592 -
C:\Windows\SysWOW64\Bkddjkej.exeC:\Windows\system32\Bkddjkej.exe102⤵PID:2768
-
C:\Windows\SysWOW64\Bdmhcp32.exeC:\Windows\system32\Bdmhcp32.exe103⤵
- System Location Discovery: System Language Discovery
PID:2952 -
C:\Windows\SysWOW64\Bkgqpjch.exeC:\Windows\system32\Bkgqpjch.exe104⤵PID:2656
-
C:\Windows\SysWOW64\Bjjakg32.exeC:\Windows\system32\Bjjakg32.exe105⤵
- Modifies registry class
PID:2716 -
C:\Windows\SysWOW64\Bgnaekil.exeC:\Windows\system32\Bgnaekil.exe106⤵PID:2928
-
C:\Windows\SysWOW64\Bjlnaghp.exeC:\Windows\system32\Bjlnaghp.exe107⤵
- System Location Discovery: System Language Discovery
PID:2624 -
C:\Windows\SysWOW64\Bcdbjl32.exeC:\Windows\system32\Bcdbjl32.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:880 -
C:\Windows\SysWOW64\Biakbc32.exeC:\Windows\system32\Biakbc32.exe109⤵
- Modifies registry class
PID:2600 -
C:\Windows\SysWOW64\Bbjoki32.exeC:\Windows\system32\Bbjoki32.exe110⤵
- Modifies registry class
PID:2464 -
C:\Windows\SysWOW64\Cjqglf32.exeC:\Windows\system32\Cjqglf32.exe111⤵
- System Location Discovery: System Language Discovery
PID:2868 -
C:\Windows\SysWOW64\Conpdm32.exeC:\Windows\system32\Conpdm32.exe112⤵
- System Location Discovery: System Language Discovery
PID:2360 -
C:\Windows\SysWOW64\Ccileljk.exeC:\Windows\system32\Ccileljk.exe113⤵PID:2840
-
C:\Windows\SysWOW64\Cmapna32.exeC:\Windows\system32\Cmapna32.exe114⤵PID:3008
-
C:\Windows\SysWOW64\Ckdpinhf.exeC:\Windows\system32\Ckdpinhf.exe115⤵PID:2584
-
C:\Windows\SysWOW64\Cbnhfhoc.exeC:\Windows\system32\Cbnhfhoc.exe116⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3068 -
C:\Windows\SysWOW64\Cihqbb32.exeC:\Windows\system32\Cihqbb32.exe117⤵PID:900
-
C:\Windows\SysWOW64\Ceoagcld.exeC:\Windows\system32\Ceoagcld.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2824 -
C:\Windows\SysWOW64\Ckijdm32.exeC:\Windows\system32\Ckijdm32.exe119⤵PID:2968
-
C:\Windows\SysWOW64\Ccdnipal.exeC:\Windows\system32\Ccdnipal.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2436 -
C:\Windows\SysWOW64\Clkfjman.exeC:\Windows\system32\Clkfjman.exe121⤵
- Modifies registry class
PID:2472
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-