Analysis
-
max time kernel
63s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
22-12-2024 08:02
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
b3666b0c2f1c3f5cae540b43e5727ec1a5c78ffa64341b69a8bc3c4e3065d765.exe
Resource
win7-20240729-en
windows7-x64
10 signatures
120 seconds
Behavioral task
behavioral2
Sample
b3666b0c2f1c3f5cae540b43e5727ec1a5c78ffa64341b69a8bc3c4e3065d765.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
120 seconds
General
-
Target
b3666b0c2f1c3f5cae540b43e5727ec1a5c78ffa64341b69a8bc3c4e3065d765.exe
-
Size
265KB
-
MD5
e11f558f1239bf7d4ccaa9ca3529e1d4
-
SHA1
fe1ae36c7cb2fe73022d22cdf66a813e5d4e0cc8
-
SHA256
b3666b0c2f1c3f5cae540b43e5727ec1a5c78ffa64341b69a8bc3c4e3065d765
-
SHA512
61e6ca62fd76a79a4c5817abc6951fa38d16222b25424b6d531e0fa0edf11745cebd03ce5bdb65e3288b88a96890a78d61ddc3007a694921f0dec232033dae7f
-
SSDEEP
6144:FTnENoTLp103ETiZ0moGP/2dga1mcyw7Iq:RndpScXwuR1mK7v
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mcbmmbhb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Meffjjln.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhogaamj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hiockd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iciaim32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkgbcofn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjnlikic.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egihcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kqmnadlk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Keappgmg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fejifdab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fmaqgaae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mfqiingf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nacmpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nldcagaq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Maocekoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Capdpcge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ccpqjfnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hhdqma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Inebpgbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kjcedj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kobkbaac.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kodghqop.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcbmmbhb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpohhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Haleefoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jdadadkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kfgjdlme.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kqmnadlk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Maocekoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dlhaaogd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fmlglb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hdkaabnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nklaipbj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncjbba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lpiacp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpkjgckc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Moqgiopk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpafgp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hhogaamj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igpdnlgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jobocn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jknicnpf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Capdpcge.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmaqgaae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Limhpihl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nggkipci.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekbhnkhf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egmbnkie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hlhfmqge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hkejnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kopnma32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgbfcjag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fjqhef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ipfkabpg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jobocn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ohkdfhge.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpmgao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Heakefnf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ieeqpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jfjjkhhg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npiiafpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bodhjdcc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fblljhbo.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 576 Aankkqfl.exe 2964 Beldao32.exe 2712 Bodhjdcc.exe 3068 Bfpmog32.exe 2820 Bphaglgo.exe 2828 Biqfpb32.exe 1904 Bbikig32.exe 2464 Biccfalm.exe 2212 Cpohhk32.exe 2204 Capdpcge.exe 2304 Ccpqjfnh.exe 264 Cdamao32.exe 2160 Cgbfcjag.exe 2116 Cagjqbam.exe 2108 Cjboeenh.exe 596 Dpmgao32.exe 1080 Dgildi32.exe 1408 Djghpd32.exe 2228 Dlhaaogd.exe 1916 Dofnnkfg.exe 1552 Dljngoea.exe 1968 Doijcjde.exe 1736 Ekpkhkji.exe 2440 Enngdgim.exe 1584 Ekbhnkhf.exe 2852 Enpdjfgj.exe 2240 Egihcl32.exe 1976 Ejgeogmn.exe 3012 Ebnmpemq.exe 2704 Egkehllh.exe 2172 Edofbpja.exe 2236 Egmbnkie.exe 1700 Fjnkpf32.exe 2288 Fmlglb32.exe 2120 Fjqhef32.exe 1860 Fmodaadg.exe 2232 Fblljhbo.exe 2888 Fejifdab.exe 1932 Fmaqgaae.exe 2328 Fbniohpl.exe 2336 Felekcop.exe 2504 Fpbihl32.exe 1928 Fbpfeh32.exe 864 Ghmnmo32.exe 2296 Gddobpbe.exe 1368 Glkgcmbg.exe 764 Gmlckehe.exe 2560 Gdflgo32.exe 1964 Ghbhhnhk.exe 2000 Gjpddigo.exe 2980 Gajlac32.exe 3016 Ghddnnfi.exe 2732 Gieaef32.exe 2748 Gamifcmi.exe 1032 Gfiaojkq.exe 2276 Gihnkejd.exe 2132 Gmcikd32.exe 1660 Gpafgp32.exe 844 Hflndjin.exe 2148 Hijjpeha.exe 2316 Hlhfmqge.exe 2544 Hbboiknb.exe 560 Heakefnf.exe 2308 Hhogaamj.exe -
Loads dropped DLL 64 IoCs
pid Process 1172 b3666b0c2f1c3f5cae540b43e5727ec1a5c78ffa64341b69a8bc3c4e3065d765.exe 1172 b3666b0c2f1c3f5cae540b43e5727ec1a5c78ffa64341b69a8bc3c4e3065d765.exe 576 Aankkqfl.exe 576 Aankkqfl.exe 2964 Beldao32.exe 2964 Beldao32.exe 2712 Bodhjdcc.exe 2712 Bodhjdcc.exe 3068 Bfpmog32.exe 3068 Bfpmog32.exe 2820 Bphaglgo.exe 2820 Bphaglgo.exe 2828 Biqfpb32.exe 2828 Biqfpb32.exe 1904 Bbikig32.exe 1904 Bbikig32.exe 2464 Biccfalm.exe 2464 Biccfalm.exe 2212 Cpohhk32.exe 2212 Cpohhk32.exe 2204 Capdpcge.exe 2204 Capdpcge.exe 2304 Ccpqjfnh.exe 2304 Ccpqjfnh.exe 264 Cdamao32.exe 264 Cdamao32.exe 2160 Cgbfcjag.exe 2160 Cgbfcjag.exe 2116 Cagjqbam.exe 2116 Cagjqbam.exe 2108 Cjboeenh.exe 2108 Cjboeenh.exe 596 Dpmgao32.exe 596 Dpmgao32.exe 1080 Dgildi32.exe 1080 Dgildi32.exe 1408 Djghpd32.exe 1408 Djghpd32.exe 2228 Dlhaaogd.exe 2228 Dlhaaogd.exe 1916 Dofnnkfg.exe 1916 Dofnnkfg.exe 1552 Dljngoea.exe 1552 Dljngoea.exe 1968 Doijcjde.exe 1968 Doijcjde.exe 1736 Ekpkhkji.exe 1736 Ekpkhkji.exe 2440 Enngdgim.exe 2440 Enngdgim.exe 1584 Ekbhnkhf.exe 1584 Ekbhnkhf.exe 2852 Enpdjfgj.exe 2852 Enpdjfgj.exe 2240 Egihcl32.exe 2240 Egihcl32.exe 1976 Ejgeogmn.exe 1976 Ejgeogmn.exe 3012 Ebnmpemq.exe 3012 Ebnmpemq.exe 2704 Egkehllh.exe 2704 Egkehllh.exe 2172 Edofbpja.exe 2172 Edofbpja.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Flhbop32.dll Bodhjdcc.exe File created C:\Windows\SysWOW64\Onmfnc32.dll Heedqe32.exe File created C:\Windows\SysWOW64\Pjpief32.dll Jfjjkhhg.exe File opened for modification C:\Windows\SysWOW64\Meffjjln.exe Mpimbcnf.exe File opened for modification C:\Windows\SysWOW64\Mlbkmdah.exe Mhfoleio.exe File created C:\Windows\SysWOW64\Fmlglb32.exe Fjnkpf32.exe File created C:\Windows\SysWOW64\Inpmijpp.dll Hoipnl32.exe File opened for modification C:\Windows\SysWOW64\Iecdji32.exe Igpdnlgd.exe File created C:\Windows\SysWOW64\Ghddnnfi.exe Gajlac32.exe File created C:\Windows\SysWOW64\Klnkbdan.dll Jjnlikic.exe File created C:\Windows\SysWOW64\Mdpnaccc.dll Kkkhmadd.exe File created C:\Windows\SysWOW64\Qgdecm32.dll Lcppgbjd.exe File opened for modification C:\Windows\SysWOW64\Nklaipbj.exe Ngqeha32.exe File created C:\Windows\SysWOW64\Ncloha32.exe Nlbgkgcc.exe File created C:\Windows\SysWOW64\Hjchkfnl.dll Jkllnn32.exe File created C:\Windows\SysWOW64\Lefikg32.exe Lajmkhai.exe File opened for modification C:\Windows\SysWOW64\Moqgiopk.exe Mlbkmdah.exe File opened for modification C:\Windows\SysWOW64\Fmodaadg.exe Fjqhef32.exe File created C:\Windows\SysWOW64\Dlecmb32.dll Fbpfeh32.exe File created C:\Windows\SysWOW64\Gmlckehe.exe Glkgcmbg.exe File created C:\Windows\SysWOW64\Oijehm32.dll Gmcikd32.exe File created C:\Windows\SysWOW64\Iloilcci.exe Ieeqpi32.exe File created C:\Windows\SysWOW64\Bphaglgo.exe Bfpmog32.exe File created C:\Windows\SysWOW64\Npdbjl32.dll Jhfjadim.exe File created C:\Windows\SysWOW64\Kjcedj32.exe Kfgjdlme.exe File created C:\Windows\SysWOW64\Nddeae32.exe Npiiafpa.exe File opened for modification C:\Windows\SysWOW64\Nmmjjk32.exe Nknnnoph.exe File created C:\Windows\SysWOW64\Doijcjde.exe Dljngoea.exe File opened for modification C:\Windows\SysWOW64\Lfnlcnih.exe Lcppgbjd.exe File created C:\Windows\SysWOW64\Nickoldp.exe Ncjbba32.exe File created C:\Windows\SysWOW64\Jdbmjldj.dll Nickoldp.exe File created C:\Windows\SysWOW64\Jqkelimm.dll Hhogaamj.exe File created C:\Windows\SysWOW64\Kpgdnp32.exe Kkkhmadd.exe File created C:\Windows\SysWOW64\Lpiacp32.exe Lgbibb32.exe File opened for modification C:\Windows\SysWOW64\Limhpihl.exe Lfnlcnih.exe File created C:\Windows\SysWOW64\Mioeeifi.exe Mfqiingf.exe File created C:\Windows\SysWOW64\Oifcqnkn.dll Ghbhhnhk.exe File opened for modification C:\Windows\SysWOW64\Inebpgbf.exe Igkjcm32.exe File created C:\Windows\SysWOW64\Hedkhm32.dll Inebpgbf.exe File created C:\Windows\SysWOW64\Mhikae32.exe Maocekoo.exe File created C:\Windows\SysWOW64\Beldao32.exe Aankkqfl.exe File created C:\Windows\SysWOW64\Hflndjin.exe Gpafgp32.exe File created C:\Windows\SysWOW64\Jpmiidmj.dll Imcfjg32.exe File created C:\Windows\SysWOW64\Kggfnoch.exe Kopnma32.exe File created C:\Windows\SysWOW64\Kbeqjl32.exe Kpgdnp32.exe File opened for modification C:\Windows\SysWOW64\Cjboeenh.exe Cagjqbam.exe File created C:\Windows\SysWOW64\Qbegfg32.dll Cjboeenh.exe File opened for modification C:\Windows\SysWOW64\Enngdgim.exe Ekpkhkji.exe File created C:\Windows\SysWOW64\Mhfoleio.exe Mfebdm32.exe File created C:\Windows\SysWOW64\Hilgcb32.dll Ekpkhkji.exe File created C:\Windows\SysWOW64\Gajlac32.exe Gjpddigo.exe File created C:\Windows\SysWOW64\Blajkq32.dll Hflndjin.exe File created C:\Windows\SysWOW64\Limhpihl.exe Limhpihl.exe File created C:\Windows\SysWOW64\Kfopdk32.exe Kodghqop.exe File opened for modification C:\Windows\SysWOW64\Lncgollm.exe Lgiobadq.exe File created C:\Windows\SysWOW64\Pgcacc32.dll Mpkjgckc.exe File opened for modification C:\Windows\SysWOW64\Dpmgao32.exe Cjboeenh.exe File opened for modification C:\Windows\SysWOW64\Doijcjde.exe Dljngoea.exe File created C:\Windows\SysWOW64\Ipfkabpg.exe Iilceh32.exe File created C:\Windows\SysWOW64\Mpenafkn.dll Kecmfg32.exe File created C:\Windows\SysWOW64\Mlbkmdah.exe Mhfoleio.exe File created C:\Windows\SysWOW64\Hkejnl32.exe Hdkaabnh.exe File created C:\Windows\SysWOW64\Nklaipbj.exe Ngqeha32.exe File created C:\Windows\SysWOW64\Befddlni.dll Cdamao32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3404 3380 WerFault.exe 217 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjnkpf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hiockd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkllnn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfgjdlme.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfqiingf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpimbcnf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfebdm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlbgkgcc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language b3666b0c2f1c3f5cae540b43e5727ec1a5c78ffa64341b69a8bc3c4e3065d765.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djghpd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egihcl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmcikd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbeqjl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbjjekhl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogjhnp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aankkqfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghmnmo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdfmlc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kqmnadlk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkilgb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mioeeifi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngqeha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egkehllh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fblljhbo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkkhmadd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Beldao32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccpqjfnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekbhnkhf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmaqgaae.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Felekcop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghbhhnhk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdkaabnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipabfcdm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jqhdfe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bodhjdcc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmlglb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfhmehji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcgqbq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lajmkhai.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nldcagaq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bphaglgo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jknicnpf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgbibb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ladpagin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfpmog32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glkgcmbg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Honiikpa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfopdk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Meffjjln.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enpdjfgj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hechkfkc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imcfjg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Moqgiopk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmacej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbniohpl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipfkabpg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhfjadim.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpgdnp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcncbc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhfoleio.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfiaojkq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhdqma32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igkjcm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmdofebo.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gieaef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ljcbcngi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ljeoimeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mogllmge.dll" Hijjpeha.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kbeqjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aonkpi32.dll" Mldgbcoe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ncjbba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flefhg32.dll" Ekbhnkhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbnddjom.dll" Edofbpja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gamifcmi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fpbihl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iilceh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Meffjjln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fjqhef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gmcikd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghemo32.dll" Neohqicc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nklaipbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Heknhioh.dll" Ncjbba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcmodmbk.dll" Lgbibb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbabqihk.dll" Mpimbcnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kqmnadlk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Keappgmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kemqig32.dll" Lgiobadq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekbglc32.dll" Limhpihl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mpkjgckc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hflndjin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onmfnc32.dll" Heedqe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Igkjcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncdgaplj.dll" Mhfoleio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Koqdolib.dll" Mlgdhcmb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Enpdjfgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blajkq32.dll" Hflndjin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icijhlgk.dll" Ipabfcdm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Meffjjln.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mlbkmdah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blagna32.dll" Ogjhnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdgmbedh.dll" Biqfpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ghmnmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liakodpp.dll" Hbghdj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kkilgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lffojn32.dll" Lcncbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ncloha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmedeaio.dll" Djghpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hhogaamj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jfhmehji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eldplnan.dll" Kqmnadlk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjamcall.dll" Kobkbaac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lccmhojk.dll" Ljeoimeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fblljhbo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Igngim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgqofhkp.dll" Jdogldmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hkejnl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iecdji32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jfjjkhhg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kopnma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdfipdll.dll" Kfopdk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 b3666b0c2f1c3f5cae540b43e5727ec1a5c78ffa64341b69a8bc3c4e3065d765.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Capdpcge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgkbnmhi.dll" Gajlac32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mpimbcnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ncjbba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgdekmcg.dll" Hechkfkc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cpohhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hilgcb32.dll" Ekpkhkji.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1172 wrote to memory of 576 1172 b3666b0c2f1c3f5cae540b43e5727ec1a5c78ffa64341b69a8bc3c4e3065d765.exe 30 PID 1172 wrote to memory of 576 1172 b3666b0c2f1c3f5cae540b43e5727ec1a5c78ffa64341b69a8bc3c4e3065d765.exe 30 PID 1172 wrote to memory of 576 1172 b3666b0c2f1c3f5cae540b43e5727ec1a5c78ffa64341b69a8bc3c4e3065d765.exe 30 PID 1172 wrote to memory of 576 1172 b3666b0c2f1c3f5cae540b43e5727ec1a5c78ffa64341b69a8bc3c4e3065d765.exe 30 PID 576 wrote to memory of 2964 576 Aankkqfl.exe 31 PID 576 wrote to memory of 2964 576 Aankkqfl.exe 31 PID 576 wrote to memory of 2964 576 Aankkqfl.exe 31 PID 576 wrote to memory of 2964 576 Aankkqfl.exe 31 PID 2964 wrote to memory of 2712 2964 Beldao32.exe 32 PID 2964 wrote to memory of 2712 2964 Beldao32.exe 32 PID 2964 wrote to memory of 2712 2964 Beldao32.exe 32 PID 2964 wrote to memory of 2712 2964 Beldao32.exe 32 PID 2712 wrote to memory of 3068 2712 Bodhjdcc.exe 33 PID 2712 wrote to memory of 3068 2712 Bodhjdcc.exe 33 PID 2712 wrote to memory of 3068 2712 Bodhjdcc.exe 33 PID 2712 wrote to memory of 3068 2712 Bodhjdcc.exe 33 PID 3068 wrote to memory of 2820 3068 Bfpmog32.exe 34 PID 3068 wrote to memory of 2820 3068 Bfpmog32.exe 34 PID 3068 wrote to memory of 2820 3068 Bfpmog32.exe 34 PID 3068 wrote to memory of 2820 3068 Bfpmog32.exe 34 PID 2820 wrote to memory of 2828 2820 Bphaglgo.exe 35 PID 2820 wrote to memory of 2828 2820 Bphaglgo.exe 35 PID 2820 wrote to memory of 2828 2820 Bphaglgo.exe 35 PID 2820 wrote to memory of 2828 2820 Bphaglgo.exe 35 PID 2828 wrote to memory of 1904 2828 Biqfpb32.exe 36 PID 2828 wrote to memory of 1904 2828 Biqfpb32.exe 36 PID 2828 wrote to memory of 1904 2828 Biqfpb32.exe 36 PID 2828 wrote to memory of 1904 2828 Biqfpb32.exe 36 PID 1904 wrote to memory of 2464 1904 Bbikig32.exe 37 PID 1904 wrote to memory of 2464 1904 Bbikig32.exe 37 PID 1904 wrote to memory of 2464 1904 Bbikig32.exe 37 PID 1904 wrote to memory of 2464 1904 Bbikig32.exe 37 PID 2464 wrote to memory of 2212 2464 Biccfalm.exe 38 PID 2464 wrote to memory of 2212 2464 Biccfalm.exe 38 PID 2464 wrote to memory of 2212 2464 Biccfalm.exe 38 PID 2464 wrote to memory of 2212 2464 Biccfalm.exe 38 PID 2212 wrote to memory of 2204 2212 Cpohhk32.exe 39 PID 2212 wrote to memory of 2204 2212 Cpohhk32.exe 39 PID 2212 wrote to memory of 2204 2212 Cpohhk32.exe 39 PID 2212 wrote to memory of 2204 2212 Cpohhk32.exe 39 PID 2204 wrote to memory of 2304 2204 Capdpcge.exe 40 PID 2204 wrote to memory of 2304 2204 Capdpcge.exe 40 PID 2204 wrote to memory of 2304 2204 Capdpcge.exe 40 PID 2204 wrote to memory of 2304 2204 Capdpcge.exe 40 PID 2304 wrote to memory of 264 2304 Ccpqjfnh.exe 41 PID 2304 wrote to memory of 264 2304 Ccpqjfnh.exe 41 PID 2304 wrote to memory of 264 2304 Ccpqjfnh.exe 41 PID 2304 wrote to memory of 264 2304 Ccpqjfnh.exe 41 PID 264 wrote to memory of 2160 264 Cdamao32.exe 42 PID 264 wrote to memory of 2160 264 Cdamao32.exe 42 PID 264 wrote to memory of 2160 264 Cdamao32.exe 42 PID 264 wrote to memory of 2160 264 Cdamao32.exe 42 PID 2160 wrote to memory of 2116 2160 Cgbfcjag.exe 43 PID 2160 wrote to memory of 2116 2160 Cgbfcjag.exe 43 PID 2160 wrote to memory of 2116 2160 Cgbfcjag.exe 43 PID 2160 wrote to memory of 2116 2160 Cgbfcjag.exe 43 PID 2116 wrote to memory of 2108 2116 Cagjqbam.exe 44 PID 2116 wrote to memory of 2108 2116 Cagjqbam.exe 44 PID 2116 wrote to memory of 2108 2116 Cagjqbam.exe 44 PID 2116 wrote to memory of 2108 2116 Cagjqbam.exe 44 PID 2108 wrote to memory of 596 2108 Cjboeenh.exe 45 PID 2108 wrote to memory of 596 2108 Cjboeenh.exe 45 PID 2108 wrote to memory of 596 2108 Cjboeenh.exe 45 PID 2108 wrote to memory of 596 2108 Cjboeenh.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\b3666b0c2f1c3f5cae540b43e5727ec1a5c78ffa64341b69a8bc3c4e3065d765.exe"C:\Users\Admin\AppData\Local\Temp\b3666b0c2f1c3f5cae540b43e5727ec1a5c78ffa64341b69a8bc3c4e3065d765.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1172 -
C:\Windows\SysWOW64\Aankkqfl.exeC:\Windows\system32\Aankkqfl.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:576 -
C:\Windows\SysWOW64\Beldao32.exeC:\Windows\system32\Beldao32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2964 -
C:\Windows\SysWOW64\Bodhjdcc.exeC:\Windows\system32\Bodhjdcc.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Windows\SysWOW64\Bfpmog32.exeC:\Windows\system32\Bfpmog32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3068 -
C:\Windows\SysWOW64\Bphaglgo.exeC:\Windows\system32\Bphaglgo.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2820 -
C:\Windows\SysWOW64\Biqfpb32.exeC:\Windows\system32\Biqfpb32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2828 -
C:\Windows\SysWOW64\Bbikig32.exeC:\Windows\system32\Bbikig32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1904 -
C:\Windows\SysWOW64\Biccfalm.exeC:\Windows\system32\Biccfalm.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2464 -
C:\Windows\SysWOW64\Cpohhk32.exeC:\Windows\system32\Cpohhk32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2212 -
C:\Windows\SysWOW64\Capdpcge.exeC:\Windows\system32\Capdpcge.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2204 -
C:\Windows\SysWOW64\Ccpqjfnh.exeC:\Windows\system32\Ccpqjfnh.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2304 -
C:\Windows\SysWOW64\Cdamao32.exeC:\Windows\system32\Cdamao32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:264 -
C:\Windows\SysWOW64\Cgbfcjag.exeC:\Windows\system32\Cgbfcjag.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2160 -
C:\Windows\SysWOW64\Cagjqbam.exeC:\Windows\system32\Cagjqbam.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2116 -
C:\Windows\SysWOW64\Cjboeenh.exeC:\Windows\system32\Cjboeenh.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2108 -
C:\Windows\SysWOW64\Dpmgao32.exeC:\Windows\system32\Dpmgao32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:596 -
C:\Windows\SysWOW64\Dgildi32.exeC:\Windows\system32\Dgildi32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1080 -
C:\Windows\SysWOW64\Djghpd32.exeC:\Windows\system32\Djghpd32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1408 -
C:\Windows\SysWOW64\Dlhaaogd.exeC:\Windows\system32\Dlhaaogd.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2228 -
C:\Windows\SysWOW64\Dofnnkfg.exeC:\Windows\system32\Dofnnkfg.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1916 -
C:\Windows\SysWOW64\Dljngoea.exeC:\Windows\system32\Dljngoea.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1552 -
C:\Windows\SysWOW64\Doijcjde.exeC:\Windows\system32\Doijcjde.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1968 -
C:\Windows\SysWOW64\Ekpkhkji.exeC:\Windows\system32\Ekpkhkji.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1736 -
C:\Windows\SysWOW64\Enngdgim.exeC:\Windows\system32\Enngdgim.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2440 -
C:\Windows\SysWOW64\Ekbhnkhf.exeC:\Windows\system32\Ekbhnkhf.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1584 -
C:\Windows\SysWOW64\Enpdjfgj.exeC:\Windows\system32\Enpdjfgj.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2852 -
C:\Windows\SysWOW64\Egihcl32.exeC:\Windows\system32\Egihcl32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2240 -
C:\Windows\SysWOW64\Ejgeogmn.exeC:\Windows\system32\Ejgeogmn.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1976 -
C:\Windows\SysWOW64\Ebnmpemq.exeC:\Windows\system32\Ebnmpemq.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3012 -
C:\Windows\SysWOW64\Egkehllh.exeC:\Windows\system32\Egkehllh.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2704 -
C:\Windows\SysWOW64\Edofbpja.exeC:\Windows\system32\Edofbpja.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2172 -
C:\Windows\SysWOW64\Egmbnkie.exeC:\Windows\system32\Egmbnkie.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2236 -
C:\Windows\SysWOW64\Fjnkpf32.exeC:\Windows\system32\Fjnkpf32.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1700 -
C:\Windows\SysWOW64\Fmlglb32.exeC:\Windows\system32\Fmlglb32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2288 -
C:\Windows\SysWOW64\Fjqhef32.exeC:\Windows\system32\Fjqhef32.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2120 -
C:\Windows\SysWOW64\Fmodaadg.exeC:\Windows\system32\Fmodaadg.exe37⤵
- Executes dropped EXE
PID:1860 -
C:\Windows\SysWOW64\Fblljhbo.exeC:\Windows\system32\Fblljhbo.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2232 -
C:\Windows\SysWOW64\Fejifdab.exeC:\Windows\system32\Fejifdab.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2888 -
C:\Windows\SysWOW64\Fmaqgaae.exeC:\Windows\system32\Fmaqgaae.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1932 -
C:\Windows\SysWOW64\Fbniohpl.exeC:\Windows\system32\Fbniohpl.exe41⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2328 -
C:\Windows\SysWOW64\Felekcop.exeC:\Windows\system32\Felekcop.exe42⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2336 -
C:\Windows\SysWOW64\Fpbihl32.exeC:\Windows\system32\Fpbihl32.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:2504 -
C:\Windows\SysWOW64\Fbpfeh32.exeC:\Windows\system32\Fbpfeh32.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1928 -
C:\Windows\SysWOW64\Ghmnmo32.exeC:\Windows\system32\Ghmnmo32.exe45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:864 -
C:\Windows\SysWOW64\Gddobpbe.exeC:\Windows\system32\Gddobpbe.exe46⤵
- Executes dropped EXE
PID:2296 -
C:\Windows\SysWOW64\Glkgcmbg.exeC:\Windows\system32\Glkgcmbg.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1368 -
C:\Windows\SysWOW64\Gmlckehe.exeC:\Windows\system32\Gmlckehe.exe48⤵
- Executes dropped EXE
PID:764 -
C:\Windows\SysWOW64\Gdflgo32.exeC:\Windows\system32\Gdflgo32.exe49⤵
- Executes dropped EXE
PID:2560 -
C:\Windows\SysWOW64\Ghbhhnhk.exeC:\Windows\system32\Ghbhhnhk.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1964 -
C:\Windows\SysWOW64\Gjpddigo.exeC:\Windows\system32\Gjpddigo.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2000 -
C:\Windows\SysWOW64\Gajlac32.exeC:\Windows\system32\Gajlac32.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2980 -
C:\Windows\SysWOW64\Ghddnnfi.exeC:\Windows\system32\Ghddnnfi.exe53⤵
- Executes dropped EXE
PID:3016 -
C:\Windows\SysWOW64\Gieaef32.exeC:\Windows\system32\Gieaef32.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:2732 -
C:\Windows\SysWOW64\Gamifcmi.exeC:\Windows\system32\Gamifcmi.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:2748 -
C:\Windows\SysWOW64\Gfiaojkq.exeC:\Windows\system32\Gfiaojkq.exe56⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1032 -
C:\Windows\SysWOW64\Gihnkejd.exeC:\Windows\system32\Gihnkejd.exe57⤵
- Executes dropped EXE
PID:2276 -
C:\Windows\SysWOW64\Gmcikd32.exeC:\Windows\system32\Gmcikd32.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2132 -
C:\Windows\SysWOW64\Gpafgp32.exeC:\Windows\system32\Gpafgp32.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1660 -
C:\Windows\SysWOW64\Hflndjin.exeC:\Windows\system32\Hflndjin.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:844 -
C:\Windows\SysWOW64\Hijjpeha.exeC:\Windows\system32\Hijjpeha.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:2148 -
C:\Windows\SysWOW64\Hlhfmqge.exeC:\Windows\system32\Hlhfmqge.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2316 -
C:\Windows\SysWOW64\Hbboiknb.exeC:\Windows\system32\Hbboiknb.exe63⤵
- Executes dropped EXE
PID:2544 -
C:\Windows\SysWOW64\Heakefnf.exeC:\Windows\system32\Heakefnf.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:560 -
C:\Windows\SysWOW64\Hhogaamj.exeC:\Windows\system32\Hhogaamj.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2308 -
C:\Windows\SysWOW64\Hoipnl32.exeC:\Windows\system32\Hoipnl32.exe66⤵
- Drops file in System32 directory
PID:2572 -
C:\Windows\SysWOW64\Hechkfkc.exeC:\Windows\system32\Hechkfkc.exe67⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2100 -
C:\Windows\SysWOW64\Hiockd32.exeC:\Windows\system32\Hiockd32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1216 -
C:\Windows\SysWOW64\Hkppcmjk.exeC:\Windows\system32\Hkppcmjk.exe69⤵PID:2500
-
C:\Windows\SysWOW64\Hbghdj32.exeC:\Windows\system32\Hbghdj32.exe70⤵
- Modifies registry class
PID:1104 -
C:\Windows\SysWOW64\Heedqe32.exeC:\Windows\system32\Heedqe32.exe71⤵
- Drops file in System32 directory
- Modifies registry class
PID:1576 -
C:\Windows\SysWOW64\Hhdqma32.exeC:\Windows\system32\Hhdqma32.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2096 -
C:\Windows\SysWOW64\Honiikpa.exeC:\Windows\system32\Honiikpa.exe73⤵
- System Location Discovery: System Language Discovery
PID:2848 -
C:\Windows\SysWOW64\Haleefoe.exeC:\Windows\system32\Haleefoe.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2720 -
C:\Windows\SysWOW64\Hdkaabnh.exeC:\Windows\system32\Hdkaabnh.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1668 -
C:\Windows\SysWOW64\Hkejnl32.exeC:\Windows\system32\Hkejnl32.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:444 -
C:\Windows\SysWOW64\Imcfjg32.exeC:\Windows\system32\Imcfjg32.exe77⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2420 -
C:\Windows\SysWOW64\Ipabfcdm.exeC:\Windows\system32\Ipabfcdm.exe78⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2916 -
C:\Windows\SysWOW64\Igkjcm32.exeC:\Windows\system32\Igkjcm32.exe79⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:536 -
C:\Windows\SysWOW64\Inebpgbf.exeC:\Windows\system32\Inebpgbf.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2416 -
C:\Windows\SysWOW64\Ipdolbbj.exeC:\Windows\system32\Ipdolbbj.exe81⤵PID:2444
-
C:\Windows\SysWOW64\Idokma32.exeC:\Windows\system32\Idokma32.exe82⤵PID:1512
-
C:\Windows\SysWOW64\Igngim32.exeC:\Windows\system32\Igngim32.exe83⤵
- Modifies registry class
PID:1864 -
C:\Windows\SysWOW64\Iilceh32.exeC:\Windows\system32\Iilceh32.exe84⤵
- Drops file in System32 directory
- Modifies registry class
PID:1720 -
C:\Windows\SysWOW64\Ipfkabpg.exeC:\Windows\system32\Ipfkabpg.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2436 -
C:\Windows\SysWOW64\Igpdnlgd.exeC:\Windows\system32\Igpdnlgd.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1548 -
C:\Windows\SysWOW64\Iecdji32.exeC:\Windows\system32\Iecdji32.exe87⤵
- Modifies registry class
PID:2728 -
C:\Windows\SysWOW64\Ilmlfcel.exeC:\Windows\system32\Ilmlfcel.exe88⤵PID:2920
-
C:\Windows\SysWOW64\Iokhcodo.exeC:\Windows\system32\Iokhcodo.exe89⤵PID:2568
-
C:\Windows\SysWOW64\Ieeqpi32.exeC:\Windows\system32\Ieeqpi32.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1996 -
C:\Windows\SysWOW64\Iloilcci.exeC:\Windows\system32\Iloilcci.exe91⤵PID:2124
-
C:\Windows\SysWOW64\Iciaim32.exeC:\Windows\system32\Iciaim32.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1760 -
C:\Windows\SysWOW64\Jfhmehji.exeC:\Windows\system32\Jfhmehji.exe93⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1592 -
C:\Windows\SysWOW64\Jhfjadim.exeC:\Windows\system32\Jhfjadim.exe94⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2428 -
C:\Windows\SysWOW64\Jfjjkhhg.exeC:\Windows\system32\Jfjjkhhg.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2448 -
C:\Windows\SysWOW64\Jdmjfe32.exeC:\Windows\system32\Jdmjfe32.exe96⤵PID:2604
-
C:\Windows\SysWOW64\Jkgbcofn.exeC:\Windows\system32\Jkgbcofn.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1160 -
C:\Windows\SysWOW64\Jobocn32.exeC:\Windows\system32\Jobocn32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1676 -
C:\Windows\SysWOW64\Jflgph32.exeC:\Windows\system32\Jflgph32.exe99⤵PID:1868
-
C:\Windows\SysWOW64\Jdogldmo.exeC:\Windows\system32\Jdogldmo.exe100⤵
- Modifies registry class
PID:548 -
C:\Windows\SysWOW64\Jgnchplb.exeC:\Windows\system32\Jgnchplb.exe101⤵PID:1448
-
C:\Windows\SysWOW64\Jngkdj32.exeC:\Windows\system32\Jngkdj32.exe102⤵PID:1680
-
C:\Windows\SysWOW64\Jdadadkl.exeC:\Windows\system32\Jdadadkl.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2220 -
C:\Windows\SysWOW64\Jkllnn32.exeC:\Windows\system32\Jkllnn32.exe104⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2880 -
C:\Windows\SysWOW64\Jjnlikic.exeC:\Windows\system32\Jjnlikic.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2752 -
C:\Windows\SysWOW64\Jqhdfe32.exeC:\Windows\system32\Jqhdfe32.exe106⤵
- System Location Discovery: System Language Discovery
PID:2552 -
C:\Windows\SysWOW64\Jcgqbq32.exeC:\Windows\system32\Jcgqbq32.exe107⤵
- System Location Discovery: System Language Discovery
PID:2684 -
C:\Windows\SysWOW64\Jknicnpf.exeC:\Windows\system32\Jknicnpf.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2912 -
C:\Windows\SysWOW64\Jjqiok32.exeC:\Windows\system32\Jjqiok32.exe109⤵PID:2372
-
C:\Windows\SysWOW64\Kqkalenn.exeC:\Windows\system32\Kqkalenn.exe110⤵PID:2408
-
C:\Windows\SysWOW64\Kdfmlc32.exeC:\Windows\system32\Kdfmlc32.exe111⤵
- System Location Discovery: System Language Discovery
PID:2400 -
C:\Windows\SysWOW64\Kfgjdlme.exeC:\Windows\system32\Kfgjdlme.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:696 -
C:\Windows\SysWOW64\Kjcedj32.exeC:\Windows\system32\Kjcedj32.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1616 -
C:\Windows\SysWOW64\Kqmnadlk.exeC:\Windows\system32\Kqmnadlk.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1516 -
C:\Windows\SysWOW64\Kopnma32.exeC:\Windows\system32\Kopnma32.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1188 -
C:\Windows\SysWOW64\Kggfnoch.exeC:\Windows\system32\Kggfnoch.exe116⤵PID:1504
-
C:\Windows\SysWOW64\Kjebjjck.exeC:\Windows\system32\Kjebjjck.exe117⤵PID:1572
-
C:\Windows\SysWOW64\Kmdofebo.exeC:\Windows\system32\Kmdofebo.exe118⤵
- System Location Discovery: System Language Discovery
PID:2952 -
C:\Windows\SysWOW64\Kobkbaac.exeC:\Windows\system32\Kobkbaac.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2740 -
C:\Windows\SysWOW64\Kbqgolpf.exeC:\Windows\system32\Kbqgolpf.exe120⤵PID:2784
-
C:\Windows\SysWOW64\Kjhopjqi.exeC:\Windows\system32\Kjhopjqi.exe121⤵PID:1352
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-