Analysis
-
max time kernel
120s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
09/12/2024, 04:19
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ed60be6127748aac4fa2fea100d0d4de9471eb99d924252c230748a5042277b8.exe
Resource
win7-20240903-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral2
Sample
ed60be6127748aac4fa2fea100d0d4de9471eb99d924252c230748a5042277b8.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
ed60be6127748aac4fa2fea100d0d4de9471eb99d924252c230748a5042277b8.exe
-
Size
93KB
-
MD5
f36444fc6282219af08364a90ad34ec2
-
SHA1
4670a73ce33f6e2567127dd7b49072bea2d61eb3
-
SHA256
ed60be6127748aac4fa2fea100d0d4de9471eb99d924252c230748a5042277b8
-
SHA512
ab320924280703db69712ade9113550a6a11ac0bc175cfcfbf693a282c31260df200010daec8bec121e8ceab7a8c948f8a1ac324ec312add6699f45d5c50163f
-
SSDEEP
1536:FQsoMqo/6wM4Z9Bjs/P2U1hezQYEG6ePXbpAt5h3saMiwihtIbbpkp:SsoICwLBj8PH1hezQYEKX9a5ZdMiwaIu
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mbcoio32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbagipfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Apedah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cjgoje32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcckcbgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Afffenbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jbcjnnpl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcecbq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lnjcomcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mpgobc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmjqpdje.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnpciaef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dhkkbmnp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dafmqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mdiefffn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aaimopli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dhmhhmlm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Klpdaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fnacpffh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fgldnkkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Khghgchk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nenkqi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pljlbf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hahnac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hjacjifm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpbalb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lbafdlod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dbifnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jondnnbk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhnkffeo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pleofj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ackmih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ifjlcmmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kdpfadlm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qgjccb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epbpbnan.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lohccp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pghfnc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahbekjcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eddeladm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nnoiio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bckjhl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Danpemej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hmalldcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qppkfhlc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qjklenpa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cenljmgq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acfdnihk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kgnbnpkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Loefnpnn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgcnghpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ahbekjcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Caifjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pbagipfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cmedlk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cileqlmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cbdiia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bimoloog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Chfbgn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gepafc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hakkgc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Paiaplin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bceibfgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iedfqeka.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2344 Ppkhhjei.exe 2136 Pciddedl.exe 2664 Pjcmap32.exe 2164 Pckajebj.exe 2860 Pdmnam32.exe 2264 Pldebkhj.exe 2604 Qnebjc32.exe 2576 Qhjfgl32.exe 2632 Qododfek.exe 1256 Qackpado.exe 1640 Qhmcmk32.exe 1796 Ajnpecbj.exe 1652 Abegfa32.exe 1852 Acfdnihk.exe 2648 Agbpnh32.exe 2200 Amohfo32.exe 916 Adfqgl32.exe 576 Afgmodel.exe 684 Ajcipc32.exe 1148 Aqmamm32.exe 1608 Ackmih32.exe 1504 Amcbankf.exe 2404 Aobnniji.exe 2240 Ajgbkbjp.exe 2944 Aijbfo32.exe 2088 Akiobk32.exe 1996 Bbbgod32.exe 2672 Bimoloog.exe 2856 Bofgii32.exe 2796 Becpap32.exe 2668 Bgblmk32.exe 2656 Boidnh32.exe 2652 Bajqfq32.exe 2420 Biaign32.exe 1492 Bnnaoe32.exe 1464 Bammlq32.exe 1936 Bckjhl32.exe 2032 Bgffhkoj.exe 2188 Bjebdfnn.exe 2676 Bmcnqama.exe 1100 Baojapfj.exe 1960 Bflbigdb.exe 1528 Cjgoje32.exe 2352 Cnckjddd.exe 908 Ccpcckck.exe 2512 Cacclpae.exe 2288 Ccbphk32.exe 1756 Cbepdhgc.exe 2524 Cjlheehe.exe 2012 Cmjdaqgi.exe 2212 Clmdmm32.exe 2824 Ccdmnj32.exe 2580 Cbgmigeq.exe 3028 Ceeieced.exe 1708 Ciaefa32.exe 1636 Cmmagpef.exe 2124 Cpkmcldj.exe 2756 Cbiiog32.exe 2060 Cicalakk.exe 872 Chfbgn32.exe 1892 Cpmjhk32.exe 1284 Copjdhib.exe 2276 Dejbqb32.exe 1396 Difnaqih.exe -
Loads dropped DLL 64 IoCs
pid Process 2496 ed60be6127748aac4fa2fea100d0d4de9471eb99d924252c230748a5042277b8.exe 2496 ed60be6127748aac4fa2fea100d0d4de9471eb99d924252c230748a5042277b8.exe 2344 Ppkhhjei.exe 2344 Ppkhhjei.exe 2136 Pciddedl.exe 2136 Pciddedl.exe 2664 Pjcmap32.exe 2664 Pjcmap32.exe 2164 Pckajebj.exe 2164 Pckajebj.exe 2860 Pdmnam32.exe 2860 Pdmnam32.exe 2264 Pldebkhj.exe 2264 Pldebkhj.exe 2604 Qnebjc32.exe 2604 Qnebjc32.exe 2576 Qhjfgl32.exe 2576 Qhjfgl32.exe 2632 Qododfek.exe 2632 Qododfek.exe 1256 Qackpado.exe 1256 Qackpado.exe 1640 Qhmcmk32.exe 1640 Qhmcmk32.exe 1796 Ajnpecbj.exe 1796 Ajnpecbj.exe 1652 Abegfa32.exe 1652 Abegfa32.exe 1852 Acfdnihk.exe 1852 Acfdnihk.exe 2648 Agbpnh32.exe 2648 Agbpnh32.exe 2200 Amohfo32.exe 2200 Amohfo32.exe 916 Adfqgl32.exe 916 Adfqgl32.exe 576 Afgmodel.exe 576 Afgmodel.exe 684 Ajcipc32.exe 684 Ajcipc32.exe 1148 Aqmamm32.exe 1148 Aqmamm32.exe 1608 Ackmih32.exe 1608 Ackmih32.exe 1504 Amcbankf.exe 1504 Amcbankf.exe 2404 Aobnniji.exe 2404 Aobnniji.exe 2240 Ajgbkbjp.exe 2240 Ajgbkbjp.exe 2944 Aijbfo32.exe 2944 Aijbfo32.exe 2088 Akiobk32.exe 2088 Akiobk32.exe 1996 Bbbgod32.exe 1996 Bbbgod32.exe 2672 Bimoloog.exe 2672 Bimoloog.exe 2856 Bofgii32.exe 2856 Bofgii32.exe 2796 Becpap32.exe 2796 Becpap32.exe 2668 Bgblmk32.exe 2668 Bgblmk32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Mcnbhb32.exe Mobfgdcl.exe File created C:\Windows\SysWOW64\Alppmhnm.dll Anbkipok.exe File created C:\Windows\SysWOW64\Efeckm32.dll Cgcnghpl.exe File opened for modification C:\Windows\SysWOW64\Cbgmigeq.exe Ccdmnj32.exe File opened for modification C:\Windows\SysWOW64\Chfbgn32.exe Cicalakk.exe File created C:\Windows\SysWOW64\Jeecim32.dll Gdhkfd32.exe File opened for modification C:\Windows\SysWOW64\Hahnac32.exe Hmmbqegc.exe File opened for modification C:\Windows\SysWOW64\Ieajkfmd.exe Ibcnojnp.exe File created C:\Windows\SysWOW64\Jgabdlfb.exe Jbefcm32.exe File created C:\Windows\SysWOW64\Apqcdckf.dll Pohhna32.exe File opened for modification C:\Windows\SysWOW64\Cenljmgq.exe Cfkloq32.exe File opened for modification C:\Windows\SysWOW64\Cpkmcldj.exe Cmmagpef.exe File opened for modification C:\Windows\SysWOW64\Cinafkkd.exe Cagienkb.exe File created C:\Windows\SysWOW64\Qjdaldla.dll Mqklqhpg.exe File opened for modification C:\Windows\SysWOW64\Eihgfd32.exe Eelkeeah.exe File opened for modification C:\Windows\SysWOW64\Emagacdm.exe Eiekpd32.exe File opened for modification C:\Windows\SysWOW64\Jbcjnnpl.exe Jdpjba32.exe File created C:\Windows\SysWOW64\Klcdfdcb.dll Mjfnomde.exe File created C:\Windows\SysWOW64\Bgllgedi.exe Bhjlli32.exe File opened for modification C:\Windows\SysWOW64\Ceebklai.exe Caifjn32.exe File created C:\Windows\SysWOW64\Qnebjc32.exe Pldebkhj.exe File created C:\Windows\SysWOW64\Fhbnbpjc.exe Eecafd32.exe File created C:\Windows\SysWOW64\Cefhdnca.dll Knmdeioh.exe File opened for modification C:\Windows\SysWOW64\Mfokinhf.exe Mbcoio32.exe File created C:\Windows\SysWOW64\Nplimbka.exe Ngealejo.exe File created C:\Windows\SysWOW64\Ndqkleln.exe Nenkqi32.exe File created C:\Windows\SysWOW64\Ahebaiac.exe Afffenbp.exe File created C:\Windows\SysWOW64\Lbhnia32.dll Bigkel32.exe File opened for modification C:\Windows\SysWOW64\Aobnniji.exe Amcbankf.exe File created C:\Windows\SysWOW64\Gfdkid32.dll Ngealejo.exe File created C:\Windows\SysWOW64\Kmdlca32.dll Odgamdef.exe File opened for modification C:\Windows\SysWOW64\Phnpagdp.exe Pdbdqh32.exe File created C:\Windows\SysWOW64\Nlbjim32.dll Pkcbnanl.exe File opened for modification C:\Windows\SysWOW64\Khkbbc32.exe Kdpfadlm.exe File created C:\Windows\SysWOW64\Lkfalipj.dll Fgdnnl32.exe File created C:\Windows\SysWOW64\Famope32.exe Fnacpffh.exe File created C:\Windows\SysWOW64\Oljomn32.dll Golbnm32.exe File created C:\Windows\SysWOW64\Hmalldcn.exe Hjcppidk.exe File created C:\Windows\SysWOW64\Cjlheehe.exe Cbepdhgc.exe File created C:\Windows\SysWOW64\Qackpado.exe Qododfek.exe File created C:\Windows\SysWOW64\Moanlj32.dll Eaheeecg.exe File created C:\Windows\SysWOW64\Dejdjfjb.dll Iflmjihl.exe File opened for modification C:\Windows\SysWOW64\Pciddedl.exe Ppkhhjei.exe File created C:\Windows\SysWOW64\Jihcbj32.dll Epbpbnan.exe File opened for modification C:\Windows\SysWOW64\Kglehp32.exe Khielcfh.exe File opened for modification C:\Windows\SysWOW64\Amohfo32.exe Agbpnh32.exe File opened for modification C:\Windows\SysWOW64\Hldlga32.exe Hmalldcn.exe File created C:\Windows\SysWOW64\Jdnmma32.exe Jpbalb32.exe File opened for modification C:\Windows\SysWOW64\Nfoghakb.exe Ndqkleln.exe File created C:\Windows\SysWOW64\Gmmfaa32.exe Gjojef32.exe File opened for modification C:\Windows\SysWOW64\Epbpbnan.exe Elfcbo32.exe File opened for modification C:\Windows\SysWOW64\Hmmbqegc.exe Hjofdi32.exe File created C:\Windows\SysWOW64\Jbefcm32.exe Jpgjgboe.exe File opened for modification C:\Windows\SysWOW64\Jkchmo32.exe Jhdlad32.exe File opened for modification C:\Windows\SysWOW64\Kekiphge.exe Kncaojfb.exe File created C:\Windows\SysWOW64\Eifppipg.dll Nameek32.exe File created C:\Windows\SysWOW64\Blangfdh.dll Nbmaon32.exe File opened for modification C:\Windows\SysWOW64\Aqmamm32.exe Ajcipc32.exe File opened for modification C:\Windows\SysWOW64\Acfmcc32.exe Apgagg32.exe File created C:\Windows\SysWOW64\Maanne32.dll Ajpepm32.exe File created C:\Windows\SysWOW64\Pdjjag32.exe Ppnnai32.exe File opened for modification C:\Windows\SysWOW64\Knfndjdp.exe Kocmim32.exe File created C:\Windows\SysWOW64\Kadfkhkf.exe Kjmnjkjd.exe File opened for modification C:\Windows\SysWOW64\Nncbdomg.exe Njhfcp32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5968 5960 WerFault.exe 510 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbhbdi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjofdi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hidcef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Clojhf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knmdeioh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajcipc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ecploipa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkcbnanl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kffldlne.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohncbdbd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obmnna32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akfkbd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Diaaeepi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epmfgo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbcoio32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngealejo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipeaco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdpjba32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kddomchg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bccmmf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epbpbnan.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jliaac32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfmbek32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oeindm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iihiphln.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndqkleln.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aobnniji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehmdgp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jialfgcc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opihgfop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qlgkki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ieajkfmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pljlbf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajpepm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bchfhfeh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flhmfbim.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnhgim32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eknmhk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gifclb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlcibc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oaghki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkoicb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qhmcmk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjlioj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acfmcc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Caifjn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmcnqama.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjgoje32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfkeokjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lohccp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opnbbe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oococb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnknoogp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dafmqb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eecafd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fncpef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gepafc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hahnac32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmpbdm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hihlqeib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mqbbagjo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhbnbpjc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjojef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmdjkhdh.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iihiphln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pkoicb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pdjjag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljamki32.dll" Qcachc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgpomb32.dll" Dphmloih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Diaaeepi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eknmhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lfhhjklc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Difnaqih.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eldglp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djbfplfp.dll" Lfoojj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mjfnomde.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pmpbdm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dfphcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ihbcmaje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dofhhgce.dll" Lbfook32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mdghaf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mfokinhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcchb32.dll" Nabopjmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaoplfhc.dll" Bmlael32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Niebgj32.dll" Clojhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipnlibhd.dll" ed60be6127748aac4fa2fea100d0d4de9471eb99d924252c230748a5042277b8.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlomqkmp.dll" Inhanl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eacljf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdmjki32.dll" Eecafd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hfhcoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kjokokha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oippjl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node ed60be6127748aac4fa2fea100d0d4de9471eb99d924252c230748a5042277b8.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dhkkbmnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cceell32.dll" Qeppdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aaimopli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmmgmc32.dll" Akabgebj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Akfkbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ipeaco32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mmdjkhdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qkdhopfa.dll" Jondnnbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olpecfkn.dll" Qdlggg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iliebpfc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jbefcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kccllg32.dll" Lhiakf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lqipkhbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mimgeigj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baepmlkg.dll" Ofcqcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmlkmc32.dll" Cjlheehe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iikifegp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bjmeiq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Godonkii.dll" Bnknoogp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dmojkc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Elfcbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fpmbfbgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fgldnkkf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nipdkieg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Becpap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjjokpjd.dll" Dhpemm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qkfocaki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghfcobil.dll" Oiffkkbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcnfobob.dll" Lnjcomcf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nfdddm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjmeignj.dll" Bhjlli32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eknmhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oepoia32.dll" Lgehno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Elfcbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgmamfed.dll" Fmkilb32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2496 wrote to memory of 2344 2496 ed60be6127748aac4fa2fea100d0d4de9471eb99d924252c230748a5042277b8.exe 30 PID 2496 wrote to memory of 2344 2496 ed60be6127748aac4fa2fea100d0d4de9471eb99d924252c230748a5042277b8.exe 30 PID 2496 wrote to memory of 2344 2496 ed60be6127748aac4fa2fea100d0d4de9471eb99d924252c230748a5042277b8.exe 30 PID 2496 wrote to memory of 2344 2496 ed60be6127748aac4fa2fea100d0d4de9471eb99d924252c230748a5042277b8.exe 30 PID 2344 wrote to memory of 2136 2344 Ppkhhjei.exe 31 PID 2344 wrote to memory of 2136 2344 Ppkhhjei.exe 31 PID 2344 wrote to memory of 2136 2344 Ppkhhjei.exe 31 PID 2344 wrote to memory of 2136 2344 Ppkhhjei.exe 31 PID 2136 wrote to memory of 2664 2136 Pciddedl.exe 32 PID 2136 wrote to memory of 2664 2136 Pciddedl.exe 32 PID 2136 wrote to memory of 2664 2136 Pciddedl.exe 32 PID 2136 wrote to memory of 2664 2136 Pciddedl.exe 32 PID 2664 wrote to memory of 2164 2664 Pjcmap32.exe 33 PID 2664 wrote to memory of 2164 2664 Pjcmap32.exe 33 PID 2664 wrote to memory of 2164 2664 Pjcmap32.exe 33 PID 2664 wrote to memory of 2164 2664 Pjcmap32.exe 33 PID 2164 wrote to memory of 2860 2164 Pckajebj.exe 34 PID 2164 wrote to memory of 2860 2164 Pckajebj.exe 34 PID 2164 wrote to memory of 2860 2164 Pckajebj.exe 34 PID 2164 wrote to memory of 2860 2164 Pckajebj.exe 34 PID 2860 wrote to memory of 2264 2860 Pdmnam32.exe 35 PID 2860 wrote to memory of 2264 2860 Pdmnam32.exe 35 PID 2860 wrote to memory of 2264 2860 Pdmnam32.exe 35 PID 2860 wrote to memory of 2264 2860 Pdmnam32.exe 35 PID 2264 wrote to memory of 2604 2264 Pldebkhj.exe 36 PID 2264 wrote to memory of 2604 2264 Pldebkhj.exe 36 PID 2264 wrote to memory of 2604 2264 Pldebkhj.exe 36 PID 2264 wrote to memory of 2604 2264 Pldebkhj.exe 36 PID 2604 wrote to memory of 2576 2604 Qnebjc32.exe 37 PID 2604 wrote to memory of 2576 2604 Qnebjc32.exe 37 PID 2604 wrote to memory of 2576 2604 Qnebjc32.exe 37 PID 2604 wrote to memory of 2576 2604 Qnebjc32.exe 37 PID 2576 wrote to memory of 2632 2576 Qhjfgl32.exe 38 PID 2576 wrote to memory of 2632 2576 Qhjfgl32.exe 38 PID 2576 wrote to memory of 2632 2576 Qhjfgl32.exe 38 PID 2576 wrote to memory of 2632 2576 Qhjfgl32.exe 38 PID 2632 wrote to memory of 1256 2632 Qododfek.exe 39 PID 2632 wrote to memory of 1256 2632 Qododfek.exe 39 PID 2632 wrote to memory of 1256 2632 Qododfek.exe 39 PID 2632 wrote to memory of 1256 2632 Qododfek.exe 39 PID 1256 wrote to memory of 1640 1256 Qackpado.exe 40 PID 1256 wrote to memory of 1640 1256 Qackpado.exe 40 PID 1256 wrote to memory of 1640 1256 Qackpado.exe 40 PID 1256 wrote to memory of 1640 1256 Qackpado.exe 40 PID 1640 wrote to memory of 1796 1640 Qhmcmk32.exe 41 PID 1640 wrote to memory of 1796 1640 Qhmcmk32.exe 41 PID 1640 wrote to memory of 1796 1640 Qhmcmk32.exe 41 PID 1640 wrote to memory of 1796 1640 Qhmcmk32.exe 41 PID 1796 wrote to memory of 1652 1796 Ajnpecbj.exe 42 PID 1796 wrote to memory of 1652 1796 Ajnpecbj.exe 42 PID 1796 wrote to memory of 1652 1796 Ajnpecbj.exe 42 PID 1796 wrote to memory of 1652 1796 Ajnpecbj.exe 42 PID 1652 wrote to memory of 1852 1652 Abegfa32.exe 43 PID 1652 wrote to memory of 1852 1652 Abegfa32.exe 43 PID 1652 wrote to memory of 1852 1652 Abegfa32.exe 43 PID 1652 wrote to memory of 1852 1652 Abegfa32.exe 43 PID 1852 wrote to memory of 2648 1852 Acfdnihk.exe 44 PID 1852 wrote to memory of 2648 1852 Acfdnihk.exe 44 PID 1852 wrote to memory of 2648 1852 Acfdnihk.exe 44 PID 1852 wrote to memory of 2648 1852 Acfdnihk.exe 44 PID 2648 wrote to memory of 2200 2648 Agbpnh32.exe 45 PID 2648 wrote to memory of 2200 2648 Agbpnh32.exe 45 PID 2648 wrote to memory of 2200 2648 Agbpnh32.exe 45 PID 2648 wrote to memory of 2200 2648 Agbpnh32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\ed60be6127748aac4fa2fea100d0d4de9471eb99d924252c230748a5042277b8.exe"C:\Users\Admin\AppData\Local\Temp\ed60be6127748aac4fa2fea100d0d4de9471eb99d924252c230748a5042277b8.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2496 -
C:\Windows\SysWOW64\Ppkhhjei.exeC:\Windows\system32\Ppkhhjei.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2344 -
C:\Windows\SysWOW64\Pciddedl.exeC:\Windows\system32\Pciddedl.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2136 -
C:\Windows\SysWOW64\Pjcmap32.exeC:\Windows\system32\Pjcmap32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Windows\SysWOW64\Pckajebj.exeC:\Windows\system32\Pckajebj.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2164 -
C:\Windows\SysWOW64\Pdmnam32.exeC:\Windows\system32\Pdmnam32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2860 -
C:\Windows\SysWOW64\Pldebkhj.exeC:\Windows\system32\Pldebkhj.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2264 -
C:\Windows\SysWOW64\Qnebjc32.exeC:\Windows\system32\Qnebjc32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2604 -
C:\Windows\SysWOW64\Qhjfgl32.exeC:\Windows\system32\Qhjfgl32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2576 -
C:\Windows\SysWOW64\Qododfek.exeC:\Windows\system32\Qododfek.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2632 -
C:\Windows\SysWOW64\Qackpado.exeC:\Windows\system32\Qackpado.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1256 -
C:\Windows\SysWOW64\Qhmcmk32.exeC:\Windows\system32\Qhmcmk32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1640 -
C:\Windows\SysWOW64\Ajnpecbj.exeC:\Windows\system32\Ajnpecbj.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1796 -
C:\Windows\SysWOW64\Abegfa32.exeC:\Windows\system32\Abegfa32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1652 -
C:\Windows\SysWOW64\Acfdnihk.exeC:\Windows\system32\Acfdnihk.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1852 -
C:\Windows\SysWOW64\Agbpnh32.exeC:\Windows\system32\Agbpnh32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2648 -
C:\Windows\SysWOW64\Amohfo32.exeC:\Windows\system32\Amohfo32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2200 -
C:\Windows\SysWOW64\Adfqgl32.exeC:\Windows\system32\Adfqgl32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:916 -
C:\Windows\SysWOW64\Afgmodel.exeC:\Windows\system32\Afgmodel.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:576 -
C:\Windows\SysWOW64\Ajcipc32.exeC:\Windows\system32\Ajcipc32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:684 -
C:\Windows\SysWOW64\Aqmamm32.exeC:\Windows\system32\Aqmamm32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1148 -
C:\Windows\SysWOW64\Ackmih32.exeC:\Windows\system32\Ackmih32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1608 -
C:\Windows\SysWOW64\Amcbankf.exeC:\Windows\system32\Amcbankf.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1504 -
C:\Windows\SysWOW64\Aobnniji.exeC:\Windows\system32\Aobnniji.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2404 -
C:\Windows\SysWOW64\Ajgbkbjp.exeC:\Windows\system32\Ajgbkbjp.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2240 -
C:\Windows\SysWOW64\Aijbfo32.exeC:\Windows\system32\Aijbfo32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2944 -
C:\Windows\SysWOW64\Akiobk32.exeC:\Windows\system32\Akiobk32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2088 -
C:\Windows\SysWOW64\Bbbgod32.exeC:\Windows\system32\Bbbgod32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1996 -
C:\Windows\SysWOW64\Bimoloog.exeC:\Windows\system32\Bimoloog.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2672 -
C:\Windows\SysWOW64\Bofgii32.exeC:\Windows\system32\Bofgii32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2856 -
C:\Windows\SysWOW64\Becpap32.exeC:\Windows\system32\Becpap32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2796 -
C:\Windows\SysWOW64\Bgblmk32.exeC:\Windows\system32\Bgblmk32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2668 -
C:\Windows\SysWOW64\Boidnh32.exeC:\Windows\system32\Boidnh32.exe33⤵
- Executes dropped EXE
PID:2656 -
C:\Windows\SysWOW64\Bajqfq32.exeC:\Windows\system32\Bajqfq32.exe34⤵
- Executes dropped EXE
PID:2652 -
C:\Windows\SysWOW64\Biaign32.exeC:\Windows\system32\Biaign32.exe35⤵
- Executes dropped EXE
PID:2420 -
C:\Windows\SysWOW64\Bnnaoe32.exeC:\Windows\system32\Bnnaoe32.exe36⤵
- Executes dropped EXE
PID:1492 -
C:\Windows\SysWOW64\Bammlq32.exeC:\Windows\system32\Bammlq32.exe37⤵
- Executes dropped EXE
PID:1464 -
C:\Windows\SysWOW64\Bckjhl32.exeC:\Windows\system32\Bckjhl32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1936 -
C:\Windows\SysWOW64\Bgffhkoj.exeC:\Windows\system32\Bgffhkoj.exe39⤵
- Executes dropped EXE
PID:2032 -
C:\Windows\SysWOW64\Bjebdfnn.exeC:\Windows\system32\Bjebdfnn.exe40⤵
- Executes dropped EXE
PID:2188 -
C:\Windows\SysWOW64\Bmcnqama.exeC:\Windows\system32\Bmcnqama.exe41⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2676 -
C:\Windows\SysWOW64\Baojapfj.exeC:\Windows\system32\Baojapfj.exe42⤵
- Executes dropped EXE
PID:1100 -
C:\Windows\SysWOW64\Bflbigdb.exeC:\Windows\system32\Bflbigdb.exe43⤵
- Executes dropped EXE
PID:1960 -
C:\Windows\SysWOW64\Cjgoje32.exeC:\Windows\system32\Cjgoje32.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1528 -
C:\Windows\SysWOW64\Cnckjddd.exeC:\Windows\system32\Cnckjddd.exe45⤵
- Executes dropped EXE
PID:2352 -
C:\Windows\SysWOW64\Ccpcckck.exeC:\Windows\system32\Ccpcckck.exe46⤵
- Executes dropped EXE
PID:908 -
C:\Windows\SysWOW64\Cacclpae.exeC:\Windows\system32\Cacclpae.exe47⤵
- Executes dropped EXE
PID:2512 -
C:\Windows\SysWOW64\Ccbphk32.exeC:\Windows\system32\Ccbphk32.exe48⤵
- Executes dropped EXE
PID:2288 -
C:\Windows\SysWOW64\Cbepdhgc.exeC:\Windows\system32\Cbepdhgc.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1756 -
C:\Windows\SysWOW64\Cjlheehe.exeC:\Windows\system32\Cjlheehe.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:2524 -
C:\Windows\SysWOW64\Cmjdaqgi.exeC:\Windows\system32\Cmjdaqgi.exe51⤵
- Executes dropped EXE
PID:2012 -
C:\Windows\SysWOW64\Clmdmm32.exeC:\Windows\system32\Clmdmm32.exe52⤵
- Executes dropped EXE
PID:2212 -
C:\Windows\SysWOW64\Ccdmnj32.exeC:\Windows\system32\Ccdmnj32.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2824 -
C:\Windows\SysWOW64\Cbgmigeq.exeC:\Windows\system32\Cbgmigeq.exe54⤵
- Executes dropped EXE
PID:2580 -
C:\Windows\SysWOW64\Ceeieced.exeC:\Windows\system32\Ceeieced.exe55⤵
- Executes dropped EXE
PID:3028 -
C:\Windows\SysWOW64\Ciaefa32.exeC:\Windows\system32\Ciaefa32.exe56⤵
- Executes dropped EXE
PID:1708 -
C:\Windows\SysWOW64\Cmmagpef.exeC:\Windows\system32\Cmmagpef.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1636 -
C:\Windows\SysWOW64\Cpkmcldj.exeC:\Windows\system32\Cpkmcldj.exe58⤵
- Executes dropped EXE
PID:2124 -
C:\Windows\SysWOW64\Cbiiog32.exeC:\Windows\system32\Cbiiog32.exe59⤵
- Executes dropped EXE
PID:2756 -
C:\Windows\SysWOW64\Cicalakk.exeC:\Windows\system32\Cicalakk.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2060 -
C:\Windows\SysWOW64\Chfbgn32.exeC:\Windows\system32\Chfbgn32.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:872 -
C:\Windows\SysWOW64\Cpmjhk32.exeC:\Windows\system32\Cpmjhk32.exe62⤵
- Executes dropped EXE
PID:1892 -
C:\Windows\SysWOW64\Copjdhib.exeC:\Windows\system32\Copjdhib.exe63⤵
- Executes dropped EXE
PID:1284 -
C:\Windows\SysWOW64\Dejbqb32.exeC:\Windows\system32\Dejbqb32.exe64⤵
- Executes dropped EXE
PID:2276 -
C:\Windows\SysWOW64\Difnaqih.exeC:\Windows\system32\Difnaqih.exe65⤵
- Executes dropped EXE
- Modifies registry class
PID:1396 -
C:\Windows\SysWOW64\Djgkii32.exeC:\Windows\system32\Djgkii32.exe66⤵PID:2248
-
C:\Windows\SysWOW64\Dbncjf32.exeC:\Windows\system32\Dbncjf32.exe67⤵PID:2068
-
C:\Windows\SysWOW64\Demofaol.exeC:\Windows\system32\Demofaol.exe68⤵PID:2864
-
C:\Windows\SysWOW64\Dhkkbmnp.exeC:\Windows\system32\Dhkkbmnp.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2708 -
C:\Windows\SysWOW64\Dlfgcl32.exeC:\Windows\system32\Dlfgcl32.exe70⤵PID:2744
-
C:\Windows\SysWOW64\Doecog32.exeC:\Windows\system32\Doecog32.exe71⤵PID:2772
-
C:\Windows\SysWOW64\Dacpkc32.exeC:\Windows\system32\Dacpkc32.exe72⤵PID:2488
-
C:\Windows\SysWOW64\Dhmhhmlm.exeC:\Windows\system32\Dhmhhmlm.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2748 -
C:\Windows\SysWOW64\Dfphcj32.exeC:\Windows\system32\Dfphcj32.exe74⤵
- Modifies registry class
PID:336 -
C:\Windows\SysWOW64\Dklddhka.exeC:\Windows\system32\Dklddhka.exe75⤵PID:2620
-
C:\Windows\SysWOW64\Dmjqpdje.exeC:\Windows\system32\Dmjqpdje.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2408 -
C:\Windows\SysWOW64\Dafmqb32.exeC:\Windows\system32\Dafmqb32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:660 -
C:\Windows\SysWOW64\Dphmloih.exeC:\Windows\system32\Dphmloih.exe78⤵
- Modifies registry class
PID:1564 -
C:\Windows\SysWOW64\Dhpemm32.exeC:\Windows\system32\Dhpemm32.exe79⤵
- Modifies registry class
PID:856 -
C:\Windows\SysWOW64\Dknajh32.exeC:\Windows\system32\Dknajh32.exe80⤵PID:2452
-
C:\Windows\SysWOW64\Diaaeepi.exeC:\Windows\system32\Diaaeepi.exe81⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2960 -
C:\Windows\SysWOW64\Dahifbpk.exeC:\Windows\system32\Dahifbpk.exe82⤵PID:2260
-
C:\Windows\SysWOW64\Dpkibo32.exeC:\Windows\system32\Dpkibo32.exe83⤵PID:2880
-
C:\Windows\SysWOW64\Ddfebnoo.exeC:\Windows\system32\Ddfebnoo.exe84⤵PID:2876
-
C:\Windows\SysWOW64\Dbifnj32.exeC:\Windows\system32\Dbifnj32.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2376 -
C:\Windows\SysWOW64\Dicnkdnf.exeC:\Windows\system32\Dicnkdnf.exe86⤵PID:768
-
C:\Windows\SysWOW64\Dmojkc32.exeC:\Windows\system32\Dmojkc32.exe87⤵
- Modifies registry class
PID:648 -
C:\Windows\SysWOW64\Dmojkc32.exeC:\Windows\system32\Dmojkc32.exe88⤵PID:1860
-
C:\Windows\SysWOW64\Epmfgo32.exeC:\Windows\system32\Epmfgo32.exe89⤵
- System Location Discovery: System Language Discovery
PID:1712 -
C:\Windows\SysWOW64\Edibhmml.exeC:\Windows\system32\Edibhmml.exe90⤵PID:2784
-
C:\Windows\SysWOW64\Eclbcj32.exeC:\Windows\system32\Eclbcj32.exe91⤵PID:2640
-
C:\Windows\SysWOW64\Eiekpd32.exeC:\Windows\system32\Eiekpd32.exe92⤵
- Drops file in System32 directory
PID:1968 -
C:\Windows\SysWOW64\Emagacdm.exeC:\Windows\system32\Emagacdm.exe93⤵PID:2372
-
C:\Windows\SysWOW64\Eldglp32.exeC:\Windows\system32\Eldglp32.exe94⤵
- Modifies registry class
PID:2120 -
C:\Windows\SysWOW64\Eppcmncq.exeC:\Windows\system32\Eppcmncq.exe95⤵PID:2100
-
C:\Windows\SysWOW64\Ecnoijbd.exeC:\Windows\system32\Ecnoijbd.exe96⤵PID:1480
-
C:\Windows\SysWOW64\Egikjh32.exeC:\Windows\system32\Egikjh32.exe97⤵PID:2616
-
C:\Windows\SysWOW64\Eelkeeah.exeC:\Windows\system32\Eelkeeah.exe98⤵
- Drops file in System32 directory
PID:2692 -
C:\Windows\SysWOW64\Eihgfd32.exeC:\Windows\system32\Eihgfd32.exe99⤵PID:1880
-
C:\Windows\SysWOW64\Elfcbo32.exeC:\Windows\system32\Elfcbo32.exe100⤵
- Drops file in System32 directory
- Modifies registry class
PID:1432 -
C:\Windows\SysWOW64\Epbpbnan.exeC:\Windows\system32\Epbpbnan.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2432 -
C:\Windows\SysWOW64\Ecploipa.exeC:\Windows\system32\Ecploipa.exe102⤵
- System Location Discovery: System Language Discovery
PID:2040 -
C:\Windows\SysWOW64\Eacljf32.exeC:\Windows\system32\Eacljf32.exe103⤵
- Modifies registry class
PID:1704 -
C:\Windows\SysWOW64\Eijdkcgn.exeC:\Windows\system32\Eijdkcgn.exe104⤵PID:952
-
C:\Windows\SysWOW64\Ehmdgp32.exeC:\Windows\system32\Ehmdgp32.exe105⤵
- System Location Discovery: System Language Discovery
PID:2680 -
C:\Windows\SysWOW64\Eogmcjef.exeC:\Windows\system32\Eogmcjef.exe106⤵PID:1516
-
C:\Windows\SysWOW64\Eogmcjef.exeC:\Windows\system32\Eogmcjef.exe107⤵PID:3008
-
C:\Windows\SysWOW64\Eeaepd32.exeC:\Windows\system32\Eeaepd32.exe108⤵PID:2712
-
C:\Windows\SysWOW64\Eddeladm.exeC:\Windows\system32\Eddeladm.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2600 -
C:\Windows\SysWOW64\Elkmmodo.exeC:\Windows\system32\Elkmmodo.exe110⤵PID:1452
-
C:\Windows\SysWOW64\Eknmhk32.exeC:\Windows\system32\Eknmhk32.exe111⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1940 -
C:\Windows\SysWOW64\Enlidg32.exeC:\Windows\system32\Enlidg32.exe112⤵PID:1632
-
C:\Windows\SysWOW64\Eaheeecg.exeC:\Windows\system32\Eaheeecg.exe113⤵
- Drops file in System32 directory
PID:1572 -
C:\Windows\SysWOW64\Eecafd32.exeC:\Windows\system32\Eecafd32.exe114⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1768 -
C:\Windows\SysWOW64\Fhbnbpjc.exeC:\Windows\system32\Fhbnbpjc.exe115⤵
- System Location Discovery: System Language Discovery
PID:564 -
C:\Windows\SysWOW64\Fgdnnl32.exeC:\Windows\system32\Fgdnnl32.exe116⤵
- Drops file in System32 directory
PID:2828 -
C:\Windows\SysWOW64\Folfoj32.exeC:\Windows\system32\Folfoj32.exe117⤵PID:2312
-
C:\Windows\SysWOW64\Fajbke32.exeC:\Windows\system32\Fajbke32.exe118⤵PID:2220
-
C:\Windows\SysWOW64\Fpmbfbgo.exeC:\Windows\system32\Fpmbfbgo.exe119⤵
- Modifies registry class
PID:3020 -
C:\Windows\SysWOW64\Fhdjgoha.exeC:\Windows\system32\Fhdjgoha.exe120⤵PID:1544
-
C:\Windows\SysWOW64\Fkbgckgd.exeC:\Windows\system32\Fkbgckgd.exe121⤵PID:604
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-