Analysis
-
max time kernel
27s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
23-12-2024 23:51
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
9ba6588cc93c49945803b7b77c9b186c9bf613dc6afe5a425f2ce96f4ce7009a.exe
Resource
win7-20241010-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral2
Sample
9ba6588cc93c49945803b7b77c9b186c9bf613dc6afe5a425f2ce96f4ce7009a.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
9ba6588cc93c49945803b7b77c9b186c9bf613dc6afe5a425f2ce96f4ce7009a.exe
-
Size
88KB
-
MD5
54b94d06a83c5c52ce28b38d71022c7a
-
SHA1
b1dd1251bd744b9e1c14d668f7ae736bc36770c3
-
SHA256
9ba6588cc93c49945803b7b77c9b186c9bf613dc6afe5a425f2ce96f4ce7009a
-
SHA512
811de1e5a82674218e0574912d09c7306c58a85276729fa53a8840ec718ae30c7e35c6e09413ae08cc2ff9e24a6e8f6099b322869389305991b097e2fa5da9d8
-
SSDEEP
1536:rH0c9ochozxgA3xjgCa6ScY9S/ylgZ57oht8Enouy8h:rH0jxzSA3xI6SLS6ly1os0outh
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgihjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eaangfjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kkigfdjo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npfhjifm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohhcokmp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnkblm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jeblgodb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ncggifep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fofekp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bqopmbed.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hibebeqb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dajlhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hhhblgim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gkchpcoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mbbkabdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oicbma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ndbjgjqh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qicoleno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fiopah32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kldchgag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bdoeipjh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hkiknb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cpgieb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Janihlcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lhjghlng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mhdcbjal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ehonebqq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnlilb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Faonqiod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eabeal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Llainlje.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Neemgp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcljdpke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kmmiaknb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncggifep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kcahjqfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aqddcdbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mqjehngm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bqffna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bjdnmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mflgkd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hdapggln.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khhndi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfamko32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bqffna32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ieiegf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aqddcdbo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdamhocm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdoeipjh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnobfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mchjjc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdjenkgh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgfjjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cejhld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qdhcinme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Deonff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mnakjaoc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iilocklc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mgdmeh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbkgegad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dmcibdad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Goekpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kgjgepqm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lndlamke.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2828 Plneoace.exe 2268 Qlpadaac.exe 2984 Ahioobed.exe 2748 Aqddcdbo.exe 3052 Abdpngjb.exe 2820 Ajoebigm.exe 2720 Ampncd32.exe 2168 Bjdnmi32.exe 2924 Boqgep32.exe 1924 Bkghjq32.exe 2548 Bbapgknp.exe 2044 Boeppomj.exe 560 Bklaepbn.exe 2372 Bipaodah.exe 1768 Ckajqo32.exe 1968 Cnacbj32.exe 2708 Cmgpcg32.exe 2376 Cjkamk32.exe 2152 Cpgieb32.exe 1560 Dpjfjalp.exe 952 Dibjcg32.exe 1684 Deikhhhe.exe 1156 Dlcceboa.exe 840 Dekhnh32.exe 2180 Dmgmbj32.exe 884 Dhlapc32.exe 2600 Ehonebqq.exe 2836 Ekofgnna.exe 2476 Egfglocf.exe 2896 Eoalpaaa.exe 2860 Eabeal32.exe 2780 Fofekp32.exe 2788 Fnkblm32.exe 112 Fkocfa32.exe 1036 Fdjddf32.exe 1068 Fleihi32.exe 2148 Gofajcog.exe 1180 Gbfklolh.exe 1832 Gkoodd32.exe 956 Gbkdgn32.exe 2672 Gkchpcoc.exe 2136 Hgjieedg.exe 2416 Hfdpaqej.exe 600 Hiehbl32.exe 1948 Ipameehe.exe 2716 Iijbnkne.exe 772 Iilocklc.exe 936 Ijmkkc32.exe 1696 Idepdhia.exe 2240 Iokdaa32.exe 1520 Jdhlih32.exe 2572 Jfiekc32.exe 2244 Janihlcf.exe 2944 Jfkbqcam.exe 3016 Jpcfih32.exe 2744 Jmggcmgg.exe 2592 Joicje32.exe 2212 Jeblgodb.exe 1500 Kphpdhdh.exe 2396 Keehmobp.exe 2132 Kciifc32.exe 908 Kdjenkgh.exe 1324 Knbjgq32.exe 2388 Khhndi32.exe -
Loads dropped DLL 64 IoCs
pid Process 2348 9ba6588cc93c49945803b7b77c9b186c9bf613dc6afe5a425f2ce96f4ce7009a.exe 2348 9ba6588cc93c49945803b7b77c9b186c9bf613dc6afe5a425f2ce96f4ce7009a.exe 2828 Plneoace.exe 2828 Plneoace.exe 2268 Qlpadaac.exe 2268 Qlpadaac.exe 2984 Ahioobed.exe 2984 Ahioobed.exe 2748 Aqddcdbo.exe 2748 Aqddcdbo.exe 3052 Abdpngjb.exe 3052 Abdpngjb.exe 2820 Ajoebigm.exe 2820 Ajoebigm.exe 2720 Ampncd32.exe 2720 Ampncd32.exe 2168 Bjdnmi32.exe 2168 Bjdnmi32.exe 2924 Boqgep32.exe 2924 Boqgep32.exe 1924 Bkghjq32.exe 1924 Bkghjq32.exe 2548 Bbapgknp.exe 2548 Bbapgknp.exe 2044 Boeppomj.exe 2044 Boeppomj.exe 560 Bklaepbn.exe 560 Bklaepbn.exe 2372 Bipaodah.exe 2372 Bipaodah.exe 1768 Ckajqo32.exe 1768 Ckajqo32.exe 1968 Cnacbj32.exe 1968 Cnacbj32.exe 2708 Cmgpcg32.exe 2708 Cmgpcg32.exe 2376 Cjkamk32.exe 2376 Cjkamk32.exe 2152 Cpgieb32.exe 2152 Cpgieb32.exe 1560 Dpjfjalp.exe 1560 Dpjfjalp.exe 952 Dibjcg32.exe 952 Dibjcg32.exe 1684 Deikhhhe.exe 1684 Deikhhhe.exe 1156 Dlcceboa.exe 1156 Dlcceboa.exe 840 Dekhnh32.exe 840 Dekhnh32.exe 2180 Dmgmbj32.exe 2180 Dmgmbj32.exe 884 Dhlapc32.exe 884 Dhlapc32.exe 2600 Ehonebqq.exe 2600 Ehonebqq.exe 2836 Ekofgnna.exe 2836 Ekofgnna.exe 2476 Egfglocf.exe 2476 Egfglocf.exe 2896 Eoalpaaa.exe 2896 Eoalpaaa.exe 2860 Eabeal32.exe 2860 Eabeal32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Gbfklolh.exe Gofajcog.exe File opened for modification C:\Windows\SysWOW64\Jmggcmgg.exe Jpcfih32.exe File created C:\Windows\SysWOW64\Bkhppp32.dll Niombolm.exe File created C:\Windows\SysWOW64\Dimfmeef.exe Dogbolep.exe File opened for modification C:\Windows\SysWOW64\Abdpngjb.exe Aqddcdbo.exe File opened for modification C:\Windows\SysWOW64\Iilocklc.exe Iijbnkne.exe File created C:\Windows\SysWOW64\Ekgfkl32.exe Eoqeekme.exe File created C:\Windows\SysWOW64\Mfamko32.exe Mglpjc32.exe File created C:\Windows\SysWOW64\Depojmnb.dll Mkelcenm.exe File created C:\Windows\SysWOW64\Boqgep32.exe Bjdnmi32.exe File created C:\Windows\SysWOW64\Adhohapp.exe Abjcleqm.exe File created C:\Windows\SysWOW64\Fmlbgc32.dll Abjcleqm.exe File created C:\Windows\SysWOW64\Cfekkgla.exe Biakbc32.exe File created C:\Windows\SysWOW64\Ijhemglp.dll Ijenpn32.exe File created C:\Windows\SysWOW64\Gppoqa32.dll Nnnbqeib.exe File opened for modification C:\Windows\SysWOW64\Cpgieb32.exe Cjkamk32.exe File created C:\Windows\SysWOW64\Cneiki32.exe Cbnhfhoc.exe File created C:\Windows\SysWOW64\Epinic32.dll Lklmoccl.exe File opened for modification C:\Windows\SysWOW64\Cnacbj32.exe Ckajqo32.exe File created C:\Windows\SysWOW64\Oeanjk32.dll Kneflplf.exe File created C:\Windows\SysWOW64\Eabjhf32.dll Mflgkd32.exe File opened for modification C:\Windows\SysWOW64\Niombolm.exe Npfhjifm.exe File created C:\Windows\SysWOW64\Jcgmedpl.dll Bgkeol32.exe File created C:\Windows\SysWOW64\Gbkdgn32.exe Gkoodd32.exe File created C:\Windows\SysWOW64\Pmlhga32.dll Kcdljghj.exe File created C:\Windows\SysWOW64\Pladek32.dll Dhdddnep.exe File opened for modification C:\Windows\SysWOW64\Njjieace.exe Nbodpo32.exe File opened for modification C:\Windows\SysWOW64\Kneflplf.exe Khhndi32.exe File created C:\Windows\SysWOW64\Mcfied32.dll Fdjddf32.exe File created C:\Windows\SysWOW64\Agboqe32.dll Iijbnkne.exe File created C:\Windows\SysWOW64\Daonbn32.dll Pmlngdhk.exe File created C:\Windows\SysWOW64\Kldchgag.exe Kblooa32.exe File created C:\Windows\SysWOW64\Bklaepbn.exe Boeppomj.exe File created C:\Windows\SysWOW64\Ldepenep.dll Khhndi32.exe File opened for modification C:\Windows\SysWOW64\Mqjehngm.exe Mnlilb32.exe File opened for modification C:\Windows\SysWOW64\Mqlbnnej.exe Mgdmeh32.exe File opened for modification C:\Windows\SysWOW64\Dajlhc32.exe Dfegjknm.exe File created C:\Windows\SysWOW64\Jjhfan32.dll Dmcibdad.exe File created C:\Windows\SysWOW64\Cbijpj32.dll Bipaodah.exe File opened for modification C:\Windows\SysWOW64\Jadlgjjq.exe Jdplmflg.exe File created C:\Windows\SysWOW64\Ldikbhfh.exe Lnobfn32.exe File created C:\Windows\SysWOW64\Pbenfb32.dll Eabeal32.exe File created C:\Windows\SysWOW64\Fnkblm32.exe Fofekp32.exe File opened for modification C:\Windows\SysWOW64\Npfhjifm.exe Njipabhe.exe File opened for modification C:\Windows\SysWOW64\Pkihpi32.exe Pldknmhd.exe File created C:\Windows\SysWOW64\Peaibajp.exe Pmjaadjm.exe File created C:\Windows\SysWOW64\Kcadedfd.dll Copljmpo.exe File opened for modification C:\Windows\SysWOW64\Folhio32.exe Fiopah32.exe File opened for modification C:\Windows\SysWOW64\Hkiknb32.exe Hjhofj32.exe File opened for modification C:\Windows\SysWOW64\Bbapgknp.exe Bkghjq32.exe File created C:\Windows\SysWOW64\Qicoleno.exe Pdffcn32.exe File created C:\Windows\SysWOW64\Blfmgmin.dll Cejhld32.exe File created C:\Windows\SysWOW64\Dmcibdad.exe Dbneekan.exe File created C:\Windows\SysWOW64\Maaqhfpj.dll Hhhblgim.exe File created C:\Windows\SysWOW64\Kfenjq32.exe Kmmiaknb.exe File created C:\Windows\SysWOW64\Mchjjc32.exe Mlnbmikh.exe File created C:\Windows\SysWOW64\Cpgieb32.exe Cjkamk32.exe File created C:\Windows\SysWOW64\Ijocpfhd.dll Bbolge32.exe File opened for modification C:\Windows\SysWOW64\Bdoeipjh.exe Bnemlf32.exe File opened for modification C:\Windows\SysWOW64\Damhmc32.exe Dhdddnep.exe File opened for modification C:\Windows\SysWOW64\Ggeiooea.exe Glpdbfek.exe File opened for modification C:\Windows\SysWOW64\Gcljdpke.exe Ggeiooea.exe File created C:\Windows\SysWOW64\Fifjgemj.dll Opcaiggo.exe File opened for modification C:\Windows\SysWOW64\Dpjfjalp.exe Cpgieb32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3696 3676 WerFault.exe 254 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njjieace.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpgieb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkiknb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iglkoaad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fiopah32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijhkembk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iiodliep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mqjehngm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mqoocmcg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onbkle32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgihjl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbapgknp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npfhjifm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qdkpomkb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjhofj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfkbqcam.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fofekp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldlghhde.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkelcenm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjdnmi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lllpclnk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iekbmfdc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnpofe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nqkgbkdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpjfjalp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Deikhhhe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnlmmo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbnbfb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgodjico.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnnbqeib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjlnaghp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aagfffbo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dimfmeef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfdpaqej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Janihlcf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egfglocf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcdljghj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abjcleqm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hojqjp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgnaekil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bqffna32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Clkfjman.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edkahbmo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgjieedg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Joicje32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qdhcinme.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akbgdkgm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdapggln.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbbkabdh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkihpi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmjaadjm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knbjgq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omhhma32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndbjgjqh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhjghlng.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Niombolm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flkohc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qlpadaac.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aqddcdbo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abdpngjb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bipaodah.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bqopmbed.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plneoace.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boqgep32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qbeemg32.dll" Fofekp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcfied32.dll" Fdjddf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bnemlf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Edkahbmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ncggifep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mglpjc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nbodpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmdcof32.dll" Ngoinfao.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ijmkkc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lbnbfb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nehjmppo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qdkpomkb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fiopah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlmoai32.dll" Njobpa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Falakjag.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dekhnh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fkocfa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fdjddf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kdjenkgh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Copljmpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnpkkdjl.dll" Bjlnaghp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cneiki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnemfipf.dll" Gkgbioee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Boqgep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Boeppomj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ekofgnna.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kneflplf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjkckf32.dll" Ahancp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hiehbl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jfiekc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bjlnaghp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ggbljogc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijhbkmbo.dll" Hbepplkh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Faonqiod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdlmhggb.dll" Goekpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nigbpkok.dll" Gbfklolh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lbnbfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgbbec32.dll" Phoeomjc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ccdnipal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eecgafkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbpccf32.dll" Hdapggln.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iekbmfdc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jpcfih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Daonbn32.dll" Pmlngdhk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjhfan32.dll" Dmcibdad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfobjfcf.dll" Falakjag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Goekpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhimgpgk.dll" Fnkblm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dohjfpmp.dll" Jdplmflg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oajojd32.dll" Lhbjmg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kdeehe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kldchgag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdnkcibn.dll" Oddmokoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddaman32.dll" Pdamhocm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qdhcinme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cejhld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Falakjag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hhhblgim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hdapggln.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Njobpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcgdnd32.dll" Jdhlih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kkigfdjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bbolge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epochndp.dll" Dbneekan.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2348 wrote to memory of 2828 2348 9ba6588cc93c49945803b7b77c9b186c9bf613dc6afe5a425f2ce96f4ce7009a.exe 29 PID 2348 wrote to memory of 2828 2348 9ba6588cc93c49945803b7b77c9b186c9bf613dc6afe5a425f2ce96f4ce7009a.exe 29 PID 2348 wrote to memory of 2828 2348 9ba6588cc93c49945803b7b77c9b186c9bf613dc6afe5a425f2ce96f4ce7009a.exe 29 PID 2348 wrote to memory of 2828 2348 9ba6588cc93c49945803b7b77c9b186c9bf613dc6afe5a425f2ce96f4ce7009a.exe 29 PID 2828 wrote to memory of 2268 2828 Plneoace.exe 30 PID 2828 wrote to memory of 2268 2828 Plneoace.exe 30 PID 2828 wrote to memory of 2268 2828 Plneoace.exe 30 PID 2828 wrote to memory of 2268 2828 Plneoace.exe 30 PID 2268 wrote to memory of 2984 2268 Qlpadaac.exe 31 PID 2268 wrote to memory of 2984 2268 Qlpadaac.exe 31 PID 2268 wrote to memory of 2984 2268 Qlpadaac.exe 31 PID 2268 wrote to memory of 2984 2268 Qlpadaac.exe 31 PID 2984 wrote to memory of 2748 2984 Ahioobed.exe 32 PID 2984 wrote to memory of 2748 2984 Ahioobed.exe 32 PID 2984 wrote to memory of 2748 2984 Ahioobed.exe 32 PID 2984 wrote to memory of 2748 2984 Ahioobed.exe 32 PID 2748 wrote to memory of 3052 2748 Aqddcdbo.exe 33 PID 2748 wrote to memory of 3052 2748 Aqddcdbo.exe 33 PID 2748 wrote to memory of 3052 2748 Aqddcdbo.exe 33 PID 2748 wrote to memory of 3052 2748 Aqddcdbo.exe 33 PID 3052 wrote to memory of 2820 3052 Abdpngjb.exe 34 PID 3052 wrote to memory of 2820 3052 Abdpngjb.exe 34 PID 3052 wrote to memory of 2820 3052 Abdpngjb.exe 34 PID 3052 wrote to memory of 2820 3052 Abdpngjb.exe 34 PID 2820 wrote to memory of 2720 2820 Ajoebigm.exe 35 PID 2820 wrote to memory of 2720 2820 Ajoebigm.exe 35 PID 2820 wrote to memory of 2720 2820 Ajoebigm.exe 35 PID 2820 wrote to memory of 2720 2820 Ajoebigm.exe 35 PID 2720 wrote to memory of 2168 2720 Ampncd32.exe 36 PID 2720 wrote to memory of 2168 2720 Ampncd32.exe 36 PID 2720 wrote to memory of 2168 2720 Ampncd32.exe 36 PID 2720 wrote to memory of 2168 2720 Ampncd32.exe 36 PID 2168 wrote to memory of 2924 2168 Bjdnmi32.exe 37 PID 2168 wrote to memory of 2924 2168 Bjdnmi32.exe 37 PID 2168 wrote to memory of 2924 2168 Bjdnmi32.exe 37 PID 2168 wrote to memory of 2924 2168 Bjdnmi32.exe 37 PID 2924 wrote to memory of 1924 2924 Boqgep32.exe 38 PID 2924 wrote to memory of 1924 2924 Boqgep32.exe 38 PID 2924 wrote to memory of 1924 2924 Boqgep32.exe 38 PID 2924 wrote to memory of 1924 2924 Boqgep32.exe 38 PID 1924 wrote to memory of 2548 1924 Bkghjq32.exe 39 PID 1924 wrote to memory of 2548 1924 Bkghjq32.exe 39 PID 1924 wrote to memory of 2548 1924 Bkghjq32.exe 39 PID 1924 wrote to memory of 2548 1924 Bkghjq32.exe 39 PID 2548 wrote to memory of 2044 2548 Bbapgknp.exe 40 PID 2548 wrote to memory of 2044 2548 Bbapgknp.exe 40 PID 2548 wrote to memory of 2044 2548 Bbapgknp.exe 40 PID 2548 wrote to memory of 2044 2548 Bbapgknp.exe 40 PID 2044 wrote to memory of 560 2044 Boeppomj.exe 41 PID 2044 wrote to memory of 560 2044 Boeppomj.exe 41 PID 2044 wrote to memory of 560 2044 Boeppomj.exe 41 PID 2044 wrote to memory of 560 2044 Boeppomj.exe 41 PID 560 wrote to memory of 2372 560 Bklaepbn.exe 42 PID 560 wrote to memory of 2372 560 Bklaepbn.exe 42 PID 560 wrote to memory of 2372 560 Bklaepbn.exe 42 PID 560 wrote to memory of 2372 560 Bklaepbn.exe 42 PID 2372 wrote to memory of 1768 2372 Bipaodah.exe 43 PID 2372 wrote to memory of 1768 2372 Bipaodah.exe 43 PID 2372 wrote to memory of 1768 2372 Bipaodah.exe 43 PID 2372 wrote to memory of 1768 2372 Bipaodah.exe 43 PID 1768 wrote to memory of 1968 1768 Ckajqo32.exe 44 PID 1768 wrote to memory of 1968 1768 Ckajqo32.exe 44 PID 1768 wrote to memory of 1968 1768 Ckajqo32.exe 44 PID 1768 wrote to memory of 1968 1768 Ckajqo32.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\9ba6588cc93c49945803b7b77c9b186c9bf613dc6afe5a425f2ce96f4ce7009a.exe"C:\Users\Admin\AppData\Local\Temp\9ba6588cc93c49945803b7b77c9b186c9bf613dc6afe5a425f2ce96f4ce7009a.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2348 -
C:\Windows\SysWOW64\Plneoace.exeC:\Windows\system32\Plneoace.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2828 -
C:\Windows\SysWOW64\Qlpadaac.exeC:\Windows\system32\Qlpadaac.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2268 -
C:\Windows\SysWOW64\Ahioobed.exeC:\Windows\system32\Ahioobed.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2984 -
C:\Windows\SysWOW64\Aqddcdbo.exeC:\Windows\system32\Aqddcdbo.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\Windows\SysWOW64\Abdpngjb.exeC:\Windows\system32\Abdpngjb.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3052 -
C:\Windows\SysWOW64\Ajoebigm.exeC:\Windows\system32\Ajoebigm.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2820 -
C:\Windows\SysWOW64\Ampncd32.exeC:\Windows\system32\Ampncd32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2720 -
C:\Windows\SysWOW64\Bjdnmi32.exeC:\Windows\system32\Bjdnmi32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2168 -
C:\Windows\SysWOW64\Boqgep32.exeC:\Windows\system32\Boqgep32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2924 -
C:\Windows\SysWOW64\Bkghjq32.exeC:\Windows\system32\Bkghjq32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1924 -
C:\Windows\SysWOW64\Bbapgknp.exeC:\Windows\system32\Bbapgknp.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2548 -
C:\Windows\SysWOW64\Boeppomj.exeC:\Windows\system32\Boeppomj.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2044 -
C:\Windows\SysWOW64\Bklaepbn.exeC:\Windows\system32\Bklaepbn.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:560 -
C:\Windows\SysWOW64\Bipaodah.exeC:\Windows\system32\Bipaodah.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2372 -
C:\Windows\SysWOW64\Ckajqo32.exeC:\Windows\system32\Ckajqo32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1768 -
C:\Windows\SysWOW64\Cnacbj32.exeC:\Windows\system32\Cnacbj32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1968 -
C:\Windows\SysWOW64\Cmgpcg32.exeC:\Windows\system32\Cmgpcg32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2708 -
C:\Windows\SysWOW64\Cjkamk32.exeC:\Windows\system32\Cjkamk32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2376 -
C:\Windows\SysWOW64\Cpgieb32.exeC:\Windows\system32\Cpgieb32.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2152 -
C:\Windows\SysWOW64\Dpjfjalp.exeC:\Windows\system32\Dpjfjalp.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1560 -
C:\Windows\SysWOW64\Dibjcg32.exeC:\Windows\system32\Dibjcg32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:952 -
C:\Windows\SysWOW64\Deikhhhe.exeC:\Windows\system32\Deikhhhe.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1684 -
C:\Windows\SysWOW64\Dlcceboa.exeC:\Windows\system32\Dlcceboa.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1156 -
C:\Windows\SysWOW64\Dekhnh32.exeC:\Windows\system32\Dekhnh32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:840 -
C:\Windows\SysWOW64\Dmgmbj32.exeC:\Windows\system32\Dmgmbj32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2180 -
C:\Windows\SysWOW64\Dhlapc32.exeC:\Windows\system32\Dhlapc32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:884 -
C:\Windows\SysWOW64\Ehonebqq.exeC:\Windows\system32\Ehonebqq.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2600 -
C:\Windows\SysWOW64\Ekofgnna.exeC:\Windows\system32\Ekofgnna.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2836 -
C:\Windows\SysWOW64\Egfglocf.exeC:\Windows\system32\Egfglocf.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2476 -
C:\Windows\SysWOW64\Eoalpaaa.exeC:\Windows\system32\Eoalpaaa.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2896 -
C:\Windows\SysWOW64\Eabeal32.exeC:\Windows\system32\Eabeal32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2860 -
C:\Windows\SysWOW64\Fofekp32.exeC:\Windows\system32\Fofekp32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2780 -
C:\Windows\SysWOW64\Fnkblm32.exeC:\Windows\system32\Fnkblm32.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2788 -
C:\Windows\SysWOW64\Fkocfa32.exeC:\Windows\system32\Fkocfa32.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:112 -
C:\Windows\SysWOW64\Fdjddf32.exeC:\Windows\system32\Fdjddf32.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1036 -
C:\Windows\SysWOW64\Fleihi32.exeC:\Windows\system32\Fleihi32.exe37⤵
- Executes dropped EXE
PID:1068 -
C:\Windows\SysWOW64\Gofajcog.exeC:\Windows\system32\Gofajcog.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2148 -
C:\Windows\SysWOW64\Gbfklolh.exeC:\Windows\system32\Gbfklolh.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:1180 -
C:\Windows\SysWOW64\Gkoodd32.exeC:\Windows\system32\Gkoodd32.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1832 -
C:\Windows\SysWOW64\Gbkdgn32.exeC:\Windows\system32\Gbkdgn32.exe41⤵
- Executes dropped EXE
PID:956 -
C:\Windows\SysWOW64\Gkchpcoc.exeC:\Windows\system32\Gkchpcoc.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2672 -
C:\Windows\SysWOW64\Hgjieedg.exeC:\Windows\system32\Hgjieedg.exe43⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2136 -
C:\Windows\SysWOW64\Hfdpaqej.exeC:\Windows\system32\Hfdpaqej.exe44⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2416 -
C:\Windows\SysWOW64\Hiehbl32.exeC:\Windows\system32\Hiehbl32.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:600 -
C:\Windows\SysWOW64\Ipameehe.exeC:\Windows\system32\Ipameehe.exe46⤵
- Executes dropped EXE
PID:1948 -
C:\Windows\SysWOW64\Iijbnkne.exeC:\Windows\system32\Iijbnkne.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2716 -
C:\Windows\SysWOW64\Iilocklc.exeC:\Windows\system32\Iilocklc.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:772 -
C:\Windows\SysWOW64\Ijmkkc32.exeC:\Windows\system32\Ijmkkc32.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:936 -
C:\Windows\SysWOW64\Idepdhia.exeC:\Windows\system32\Idepdhia.exe50⤵
- Executes dropped EXE
PID:1696 -
C:\Windows\SysWOW64\Iokdaa32.exeC:\Windows\system32\Iokdaa32.exe51⤵
- Executes dropped EXE
PID:2240 -
C:\Windows\SysWOW64\Jdhlih32.exeC:\Windows\system32\Jdhlih32.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:1520 -
C:\Windows\SysWOW64\Jfiekc32.exeC:\Windows\system32\Jfiekc32.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:2572 -
C:\Windows\SysWOW64\Janihlcf.exeC:\Windows\system32\Janihlcf.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2244 -
C:\Windows\SysWOW64\Jfkbqcam.exeC:\Windows\system32\Jfkbqcam.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2944 -
C:\Windows\SysWOW64\Jpcfih32.exeC:\Windows\system32\Jpcfih32.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3016 -
C:\Windows\SysWOW64\Jmggcmgg.exeC:\Windows\system32\Jmggcmgg.exe57⤵
- Executes dropped EXE
PID:2744 -
C:\Windows\SysWOW64\Joicje32.exeC:\Windows\system32\Joicje32.exe58⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2592 -
C:\Windows\SysWOW64\Jeblgodb.exeC:\Windows\system32\Jeblgodb.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2212 -
C:\Windows\SysWOW64\Kphpdhdh.exeC:\Windows\system32\Kphpdhdh.exe60⤵
- Executes dropped EXE
PID:1500 -
C:\Windows\SysWOW64\Keehmobp.exeC:\Windows\system32\Keehmobp.exe61⤵
- Executes dropped EXE
PID:2396 -
C:\Windows\SysWOW64\Kciifc32.exeC:\Windows\system32\Kciifc32.exe62⤵
- Executes dropped EXE
PID:2132 -
C:\Windows\SysWOW64\Kdjenkgh.exeC:\Windows\system32\Kdjenkgh.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:908 -
C:\Windows\SysWOW64\Knbjgq32.exeC:\Windows\system32\Knbjgq32.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1324 -
C:\Windows\SysWOW64\Khhndi32.exeC:\Windows\system32\Khhndi32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2388 -
C:\Windows\SysWOW64\Kneflplf.exeC:\Windows\system32\Kneflplf.exe66⤵
- Drops file in System32 directory
- Modifies registry class
PID:712 -
C:\Windows\SysWOW64\Kdooij32.exeC:\Windows\system32\Kdooij32.exe67⤵PID:1008
-
C:\Windows\SysWOW64\Kkigfdjo.exeC:\Windows\system32\Kkigfdjo.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2688 -
C:\Windows\SysWOW64\Kcdljghj.exeC:\Windows\system32\Kcdljghj.exe69⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2500 -
C:\Windows\SysWOW64\Lllpclnk.exeC:\Windows\system32\Lllpclnk.exe70⤵
- System Location Discovery: System Language Discovery
PID:944 -
C:\Windows\SysWOW64\Lnlmmo32.exeC:\Windows\system32\Lnlmmo32.exe71⤵
- System Location Discovery: System Language Discovery
PID:2632 -
C:\Windows\SysWOW64\Lgdafeln.exeC:\Windows\system32\Lgdafeln.exe72⤵PID:1288
-
C:\Windows\SysWOW64\Llainlje.exeC:\Windows\system32\Llainlje.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2668 -
C:\Windows\SysWOW64\Lbnbfb32.exeC:\Windows\system32\Lbnbfb32.exe74⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1632 -
C:\Windows\SysWOW64\Lkffohon.exeC:\Windows\system32\Lkffohon.exe75⤵PID:2956
-
C:\Windows\SysWOW64\Lhjghlng.exeC:\Windows\system32\Lhjghlng.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2876 -
C:\Windows\SysWOW64\Mbbkabdh.exeC:\Windows\system32\Mbbkabdh.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2764 -
C:\Windows\SysWOW64\Mgodjico.exeC:\Windows\system32\Mgodjico.exe78⤵
- System Location Discovery: System Language Discovery
PID:2284 -
C:\Windows\SysWOW64\Mqhhbn32.exeC:\Windows\system32\Mqhhbn32.exe79⤵PID:2360
-
C:\Windows\SysWOW64\Mnlilb32.exeC:\Windows\system32\Mnlilb32.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2308 -
C:\Windows\SysWOW64\Mqjehngm.exeC:\Windows\system32\Mqjehngm.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2000 -
C:\Windows\SysWOW64\Mgdmeh32.exeC:\Windows\system32\Mgdmeh32.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1656 -
C:\Windows\SysWOW64\Mqlbnnej.exeC:\Windows\system32\Mqlbnnej.exe83⤵PID:2424
-
C:\Windows\SysWOW64\Mgfjjh32.exeC:\Windows\system32\Mgfjjh32.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2420 -
C:\Windows\SysWOW64\Mqoocmcg.exeC:\Windows\system32\Mqoocmcg.exe85⤵
- System Location Discovery: System Language Discovery
PID:2176 -
C:\Windows\SysWOW64\Mflgkd32.exeC:\Windows\system32\Mflgkd32.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1672 -
C:\Windows\SysWOW64\Nmeohnil.exeC:\Windows\system32\Nmeohnil.exe87⤵PID:1428
-
C:\Windows\SysWOW64\Njipabhe.exeC:\Windows\system32\Njipabhe.exe88⤵
- Drops file in System32 directory
PID:1888 -
C:\Windows\SysWOW64\Npfhjifm.exeC:\Windows\system32\Npfhjifm.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1108 -
C:\Windows\SysWOW64\Niombolm.exeC:\Windows\system32\Niombolm.exe90⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2384 -
C:\Windows\SysWOW64\Npieoi32.exeC:\Windows\system32\Npieoi32.exe91⤵PID:3028
-
C:\Windows\SysWOW64\Neemgp32.exeC:\Windows\system32\Neemgp32.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2884 -
C:\Windows\SysWOW64\Nnnbqeib.exeC:\Windows\system32\Nnnbqeib.exe93⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2412 -
C:\Windows\SysWOW64\Nehjmppo.exeC:\Windows\system32\Nehjmppo.exe94⤵
- Modifies registry class
PID:2704 -
C:\Windows\SysWOW64\Nnpofe32.exeC:\Windows\system32\Nnpofe32.exe95⤵
- System Location Discovery: System Language Discovery
PID:580 -
C:\Windows\SysWOW64\Ohhcokmp.exeC:\Windows\system32\Ohhcokmp.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2596 -
C:\Windows\SysWOW64\Onbkle32.exeC:\Windows\system32\Onbkle32.exe97⤵
- System Location Discovery: System Language Discovery
PID:1120 -
C:\Windows\SysWOW64\Ojilqf32.exeC:\Windows\system32\Ojilqf32.exe98⤵PID:1280
-
C:\Windows\SysWOW64\Omhhma32.exeC:\Windows\system32\Omhhma32.exe99⤵
- System Location Discovery: System Language Discovery
PID:1756 -
C:\Windows\SysWOW64\Ofpmegpe.exeC:\Windows\system32\Ofpmegpe.exe100⤵PID:1544
-
C:\Windows\SysWOW64\Oddmokoo.exeC:\Windows\system32\Oddmokoo.exe101⤵
- Modifies registry class
PID:1712 -
C:\Windows\SysWOW64\Ofefqf32.exeC:\Windows\system32\Ofefqf32.exe102⤵PID:1060
-
C:\Windows\SysWOW64\Oicbma32.exeC:\Windows\system32\Oicbma32.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1356 -
C:\Windows\SysWOW64\Pbkgegad.exeC:\Windows\system32\Pbkgegad.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2004 -
C:\Windows\SysWOW64\Pldknmhd.exeC:\Windows\system32\Pldknmhd.exe105⤵
- Drops file in System32 directory
PID:572 -
C:\Windows\SysWOW64\Pkihpi32.exeC:\Windows\system32\Pkihpi32.exe106⤵
- System Location Discovery: System Language Discovery
PID:2684 -
C:\Windows\SysWOW64\Pdamhocm.exeC:\Windows\system32\Pdamhocm.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:472 -
C:\Windows\SysWOW64\Pmjaadjm.exeC:\Windows\system32\Pmjaadjm.exe108⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2908 -
C:\Windows\SysWOW64\Peaibajp.exeC:\Windows\system32\Peaibajp.exe109⤵PID:3036
-
C:\Windows\SysWOW64\Phoeomjc.exeC:\Windows\system32\Phoeomjc.exe110⤵
- Modifies registry class
PID:1524 -
C:\Windows\SysWOW64\Pmlngdhk.exeC:\Windows\system32\Pmlngdhk.exe111⤵
- Drops file in System32 directory
- Modifies registry class
PID:1812 -
C:\Windows\SysWOW64\Pdffcn32.exeC:\Windows\system32\Pdffcn32.exe112⤵
- Drops file in System32 directory
PID:1692 -
C:\Windows\SysWOW64\Qicoleno.exeC:\Windows\system32\Qicoleno.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2404 -
C:\Windows\SysWOW64\Qdhcinme.exeC:\Windows\system32\Qdhcinme.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:852 -
C:\Windows\SysWOW64\Qkbkfh32.exeC:\Windows\system32\Qkbkfh32.exe115⤵PID:1340
-
C:\Windows\SysWOW64\Qdkpomkb.exeC:\Windows\system32\Qdkpomkb.exe116⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1328 -
C:\Windows\SysWOW64\Aaeiqf32.exeC:\Windows\system32\Aaeiqf32.exe117⤵PID:816
-
C:\Windows\SysWOW64\Aagfffbo.exeC:\Windows\system32\Aagfffbo.exe118⤵
- System Location Discovery: System Language Discovery
PID:2276 -
C:\Windows\SysWOW64\Ahancp32.exeC:\Windows\system32\Ahancp32.exe119⤵
- Modifies registry class
PID:2236 -
C:\Windows\SysWOW64\Abjcleqm.exeC:\Windows\system32\Abjcleqm.exe120⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2776 -
C:\Windows\SysWOW64\Adhohapp.exeC:\Windows\system32\Adhohapp.exe121⤵PID:940
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-