Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
24-12-2024 20:40
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
29ee0a6f23e4babc91b4ae2efa38264401718c5efc07c504b13af44379c9aef8.exe
Resource
win7-20240903-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral2
Sample
29ee0a6f23e4babc91b4ae2efa38264401718c5efc07c504b13af44379c9aef8.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
29ee0a6f23e4babc91b4ae2efa38264401718c5efc07c504b13af44379c9aef8.exe
-
Size
104KB
-
MD5
eb6a9fd24891236cf24fa8a0783564e3
-
SHA1
e533cb7912de5a765c7a0cb21b35e4d7611c3b87
-
SHA256
29ee0a6f23e4babc91b4ae2efa38264401718c5efc07c504b13af44379c9aef8
-
SHA512
1c259be494d1095d94a88ab9404739d882778cd6342b3765afc2e2826a5b8b71028a389f656202175e99f5fa14d8f7b287de2160e8439f75fcb37e25bd81814b
-
SSDEEP
3072:ZSZDepa60xToiI4X49e58x7cEGrhkngpDvchkqbAIQ:wXTo/E58x4brq2Ah
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://viruslist.com/wcmd.txt
http://viruslist.com/ppslog.php
http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qbnphngk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckeqga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hjcaha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jimdcqom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jibnop32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgngbmjp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbpghl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pdppqbkn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmohco32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fliook32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnagmc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qhkipdeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Anjnnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dafoikjb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mbchni32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Difqji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Imggplgm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbhebfck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jlqjkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qmhahkdj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anadojlo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bdkhjgeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qkielpdf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhbdleol.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elgfkhpi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iamfdo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgingm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pbgjgomc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Peefcjlg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ajhddk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fimoiopk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kekkiq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmflee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pnchhllf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plbkfdba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bpbmqe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfhdnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gpggei32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnchhllf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ppfafcpb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aognbnkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jabponba.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Keioca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ldgnklmi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Coicfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fglfgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fliook32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cfoaho32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dihmpinj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmmpolof.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnhgha32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obbdml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pbigmn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bknjfb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dppigchi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jjjdhc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llpfjomf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Khldkllj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Oaogognm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bknjfb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hklhae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gaagcpdl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijaaae32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnofgg32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2772 Kcginj32.exe 2548 Keeeje32.exe 3040 Lhcafa32.exe 2552 Lkbmbl32.exe 2816 Lgingm32.exe 1732 Lgkkmm32.exe 2908 Ljigih32.exe 2160 Lgngbmjp.exe 2032 Lngpog32.exe 2764 Lcdhgn32.exe 572 Lfbdci32.exe 1464 Llmmpcfe.exe 1852 Mgbaml32.exe 2180 Mfeaiime.exe 2416 Mloiec32.exe 2152 Mjcjog32.exe 944 Mhfjjdjf.exe 1456 Mfjkdh32.exe 1636 Mdmkoepk.exe 2280 Mflgih32.exe 1980 Mhjcec32.exe 2428 Mgmdapml.exe 2956 Mbchni32.exe 1944 Njnmbk32.exe 2748 Nbeedh32.exe 1516 Nqhepeai.exe 2936 Nknimnap.exe 2804 Nqjaeeog.exe 2812 Ncinap32.exe 1412 Nppofado.exe 1440 Nckkgp32.exe 2884 Nmcopebh.exe 2636 Npbklabl.exe 1432 Nbpghl32.exe 2272 Nmflee32.exe 1232 Obbdml32.exe 2832 Ofnpnkgf.exe 1260 Oeaqig32.exe 1548 Opfegp32.exe 2436 Oioipf32.exe 2352 Olmela32.exe 1780 Oefjdgjk.exe 2848 Oiafee32.exe 1236 Onnnml32.exe 1268 Oalkih32.exe 2236 Ojeobm32.exe 1960 Onqkclni.exe 1420 Oaogognm.exe 2632 Odmckcmq.exe 1520 Oflpgnld.exe 2776 Ojglhm32.exe 1604 Pnchhllf.exe 2616 Ppddpd32.exe 2588 Pdppqbkn.exe 2728 Pfnmmn32.exe 2984 Pjihmmbk.exe 2108 Pmhejhao.exe 1644 Ppfafcpb.exe 836 Pbemboof.exe 2396 Pfpibn32.exe 2116 Pioeoi32.exe 1084 Pmjaohol.exe 984 Pddjlb32.exe 1460 Pbgjgomc.exe -
Loads dropped DLL 64 IoCs
pid Process 2644 29ee0a6f23e4babc91b4ae2efa38264401718c5efc07c504b13af44379c9aef8.exe 2644 29ee0a6f23e4babc91b4ae2efa38264401718c5efc07c504b13af44379c9aef8.exe 2772 Kcginj32.exe 2772 Kcginj32.exe 2548 Keeeje32.exe 2548 Keeeje32.exe 3040 Lhcafa32.exe 3040 Lhcafa32.exe 2552 Lkbmbl32.exe 2552 Lkbmbl32.exe 2816 Lgingm32.exe 2816 Lgingm32.exe 1732 Lgkkmm32.exe 1732 Lgkkmm32.exe 2908 Ljigih32.exe 2908 Ljigih32.exe 2160 Lgngbmjp.exe 2160 Lgngbmjp.exe 2032 Lngpog32.exe 2032 Lngpog32.exe 2764 Lcdhgn32.exe 2764 Lcdhgn32.exe 572 Lfbdci32.exe 572 Lfbdci32.exe 1464 Llmmpcfe.exe 1464 Llmmpcfe.exe 1852 Mgbaml32.exe 1852 Mgbaml32.exe 2180 Mfeaiime.exe 2180 Mfeaiime.exe 2416 Mloiec32.exe 2416 Mloiec32.exe 2152 Mjcjog32.exe 2152 Mjcjog32.exe 944 Mhfjjdjf.exe 944 Mhfjjdjf.exe 1456 Mfjkdh32.exe 1456 Mfjkdh32.exe 1636 Mdmkoepk.exe 1636 Mdmkoepk.exe 2280 Mflgih32.exe 2280 Mflgih32.exe 1980 Mhjcec32.exe 1980 Mhjcec32.exe 2428 Mgmdapml.exe 2428 Mgmdapml.exe 2956 Mbchni32.exe 2956 Mbchni32.exe 1944 Njnmbk32.exe 1944 Njnmbk32.exe 2748 Nbeedh32.exe 2748 Nbeedh32.exe 1516 Nqhepeai.exe 1516 Nqhepeai.exe 2936 Nknimnap.exe 2936 Nknimnap.exe 2804 Nqjaeeog.exe 2804 Nqjaeeog.exe 2812 Ncinap32.exe 2812 Ncinap32.exe 1412 Nppofado.exe 1412 Nppofado.exe 1440 Nckkgp32.exe 1440 Nckkgp32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Pioeoi32.exe Pfpibn32.exe File opened for modification C:\Windows\SysWOW64\Giolnomh.exe Ggapbcne.exe File created C:\Windows\SysWOW64\Kjpndcho.dll Kmfpmc32.exe File opened for modification C:\Windows\SysWOW64\Koflgf32.exe Kkjpggkn.exe File opened for modification C:\Windows\SysWOW64\Ejcmmp32.exe Efhqmadd.exe File created C:\Windows\SysWOW64\Fmfocnjg.exe Fkhbgbkc.exe File opened for modification C:\Windows\SysWOW64\Bbjpil32.exe Bnochnpm.exe File opened for modification C:\Windows\SysWOW64\Cnejim32.exe Cfoaho32.exe File created C:\Windows\SysWOW64\Hqhepmkh.dll Gonale32.exe File created C:\Windows\SysWOW64\Iddpheep.dll Jbfilffm.exe File created C:\Windows\SysWOW64\Pkkkap32.dll Mfeaiime.exe File created C:\Windows\SysWOW64\Dcoaml32.dll Aclpaali.exe File created C:\Windows\SysWOW64\Gonale32.exe Gkcekfad.exe File created C:\Windows\SysWOW64\Khldkllj.exe Kdphjm32.exe File created C:\Windows\SysWOW64\Dijdkh32.dll Emoldlmc.exe File created C:\Windows\SysWOW64\Hellqgnm.dll Goqnae32.exe File opened for modification C:\Windows\SysWOW64\Jnmiag32.exe Jlnmel32.exe File created C:\Windows\SysWOW64\Mgbaml32.exe Llmmpcfe.exe File created C:\Windows\SysWOW64\Mfeaiime.exe Mgbaml32.exe File created C:\Windows\SysWOW64\Plpopddd.exe Peefcjlg.exe File created C:\Windows\SysWOW64\Qdfmchqk.dll Bnochnpm.exe File created C:\Windows\SysWOW64\Clgmpqdg.dll Dnqlmq32.exe File created C:\Windows\SysWOW64\Fglfgd32.exe Fdnjkh32.exe File created C:\Windows\SysWOW64\Cmpppdfa.dll Kcginj32.exe File created C:\Windows\SysWOW64\Jcdaaanl.dll Ccgklc32.exe File created C:\Windows\SysWOW64\Dboeco32.exe Dppigchi.exe File opened for modification C:\Windows\SysWOW64\Qejpoi32.exe Pblcbn32.exe File opened for modification C:\Windows\SysWOW64\Jpbcek32.exe Japciodd.exe File created C:\Windows\SysWOW64\Hailie32.dll Qemldifo.exe File created C:\Windows\SysWOW64\Hnnikfij.dll Kablnadm.exe File created C:\Windows\SysWOW64\Kdbepm32.exe Kadica32.exe File created C:\Windows\SysWOW64\Jdilhpcp.dll Pfebnmcj.exe File opened for modification C:\Windows\SysWOW64\Dnefhpma.exe Dlgjldnm.exe File created C:\Windows\SysWOW64\Dokggo32.dll Epeoaffo.exe File created C:\Windows\SysWOW64\Gacdld32.dll Fdnjkh32.exe File opened for modification C:\Windows\SysWOW64\Ikqnlh32.exe Icifjk32.exe File opened for modification C:\Windows\SysWOW64\Mfjkdh32.exe Mhfjjdjf.exe File created C:\Windows\SysWOW64\Iebldo32.exe Ifolhann.exe File created C:\Windows\SysWOW64\Imggplgm.exe Ieponofk.exe File created C:\Windows\SysWOW64\Phoogg32.dll Anadojlo.exe File opened for modification C:\Windows\SysWOW64\Bnochnpm.exe Bkpglbaj.exe File opened for modification C:\Windows\SysWOW64\Mgmdapml.exe Mhjcec32.exe File opened for modification C:\Windows\SysWOW64\Bhdhefpc.exe Bbjpil32.exe File opened for modification C:\Windows\SysWOW64\Eihjolae.exe Efjmbaba.exe File opened for modification C:\Windows\SysWOW64\Gdnfjl32.exe Gekfnoog.exe File created C:\Windows\SysWOW64\Hhkopj32.exe Hdpcokdo.exe File created C:\Windows\SysWOW64\Ggegqe32.dll Hddmjk32.exe File opened for modification C:\Windows\SysWOW64\Jbhebfck.exe Jnmiag32.exe File opened for modification C:\Windows\SysWOW64\Lmmfnb32.exe Kkojbf32.exe File opened for modification C:\Windows\SysWOW64\Lcdhgn32.exe Lngpog32.exe File opened for modification C:\Windows\SysWOW64\Qhkipdeb.exe Qemldifo.exe File created C:\Windows\SysWOW64\Cfanmogq.exe Cqdfehii.exe File created C:\Windows\SysWOW64\Dfcllk32.dll Hmdkjmip.exe File opened for modification C:\Windows\SysWOW64\Peefcjlg.exe Pbgjgomc.exe File created C:\Windows\SysWOW64\Aehngihn.dll Qbnphngk.exe File created C:\Windows\SysWOW64\Oieqmphd.dll Cncmcm32.exe File opened for modification C:\Windows\SysWOW64\Dafoikjb.exe Dnhbmpkn.exe File created C:\Windows\SysWOW64\Imldmnjj.dll Ebnabb32.exe File created C:\Windows\SysWOW64\Ocfqdk32.dll Fdiqpigl.exe File created C:\Windows\SysWOW64\Koflgf32.exe Kkjpggkn.exe File created C:\Windows\SysWOW64\Njnmbk32.exe Mbchni32.exe File created C:\Windows\SysWOW64\Opfegp32.exe Oeaqig32.exe File created C:\Windows\SysWOW64\Fmaeho32.exe Fkcilc32.exe File opened for modification C:\Windows\SysWOW64\Iclbpj32.exe Iamfdo32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4724 4700 WerFault.exe 372 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elgfkhpi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggapbcne.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgqlafap.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hklhae32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnagmc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fccglehn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpbcek32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdnkdmec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfanmogq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eoebgcol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcepqh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hqiqjlga.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjhcag32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdmkoepk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onqkclni.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ponklpcg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agihgp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmaeho32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iinhdmma.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kipmhc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfpibn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plpopddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Coicfd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpggei32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gefmcp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkgoff32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgciff32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opfegp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghgfekpn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnkdnqhm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkojbf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofnpnkgf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qiflohqk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aklabp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdkmeiei.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjfnnajl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbclgf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdeaelok.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qmhahkdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdkhjgeh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcedad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgeelf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmfmojcb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fggmldfp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcgqgd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbofmcij.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Popgboae.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aphjjf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfhdnn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edidqf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fahhnn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hqgddm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjcaha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikjhki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iebldo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igceej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikqnlh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llmmpcfe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Picojhcm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qldhkc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anadojlo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dafoikjb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fihfnp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Koaclfgl.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fieacp32.dll" Opfegp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhigkm32.dll" Olmela32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgljaj32.dll" Aiaoclgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dnhbmpkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hkjkle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lndglp32.dll" Obbdml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjmkeb32.dll" Hqiqjlga.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Difqji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gdnfjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Apppkekc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Onqkclni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keppajog.dll" Iclbpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ldgnklmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qkddnqcm.dll" Onnnml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnlnhm32.dll" Gehiioaj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mjcjog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Biklma32.dll" Jibnop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbfchlee.dll" Ifolhann.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kcginj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gehiioaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nehhoand.dll" Oiafee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oehiknbl.dll" Agihgp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cncmcm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Famaimfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqgpml32.dll" Hiioin32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Imbjcpnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iqjcnfeg.dll" Mbchni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oieqmphd.dll" Cncmcm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Goqnae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kbmome32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Apkgpf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bdkhjgeh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mfjkdh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ponklpcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjpqkajf.dll" Dboeco32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dgnjqe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmpppdfa.dll" Kcginj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ajckilei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Feachqgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fniamd32.dll" Mloiec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Caefjg32.dll" Kekkiq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dafoikjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bgghac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dijdkh32.dll" Emoldlmc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fefqdl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Icncgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Anogijnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hgnokgcc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jnmiag32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Klcgpkhh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bbjpil32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ojeobm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egnpaigk.dll" Peefcjlg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcoaml32.dll" Aclpaali.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffdmihcc.dll" Inhdgdmk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ncinap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kgcnahoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hhkopj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Aognbnkm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bhdhefpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pofhpf32.dll" Cfehhn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jpepkk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kbjbge32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kdphjm32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2644 wrote to memory of 2772 2644 29ee0a6f23e4babc91b4ae2efa38264401718c5efc07c504b13af44379c9aef8.exe 30 PID 2644 wrote to memory of 2772 2644 29ee0a6f23e4babc91b4ae2efa38264401718c5efc07c504b13af44379c9aef8.exe 30 PID 2644 wrote to memory of 2772 2644 29ee0a6f23e4babc91b4ae2efa38264401718c5efc07c504b13af44379c9aef8.exe 30 PID 2644 wrote to memory of 2772 2644 29ee0a6f23e4babc91b4ae2efa38264401718c5efc07c504b13af44379c9aef8.exe 30 PID 2772 wrote to memory of 2548 2772 Kcginj32.exe 31 PID 2772 wrote to memory of 2548 2772 Kcginj32.exe 31 PID 2772 wrote to memory of 2548 2772 Kcginj32.exe 31 PID 2772 wrote to memory of 2548 2772 Kcginj32.exe 31 PID 2548 wrote to memory of 3040 2548 Keeeje32.exe 32 PID 2548 wrote to memory of 3040 2548 Keeeje32.exe 32 PID 2548 wrote to memory of 3040 2548 Keeeje32.exe 32 PID 2548 wrote to memory of 3040 2548 Keeeje32.exe 32 PID 3040 wrote to memory of 2552 3040 Lhcafa32.exe 33 PID 3040 wrote to memory of 2552 3040 Lhcafa32.exe 33 PID 3040 wrote to memory of 2552 3040 Lhcafa32.exe 33 PID 3040 wrote to memory of 2552 3040 Lhcafa32.exe 33 PID 2552 wrote to memory of 2816 2552 Lkbmbl32.exe 34 PID 2552 wrote to memory of 2816 2552 Lkbmbl32.exe 34 PID 2552 wrote to memory of 2816 2552 Lkbmbl32.exe 34 PID 2552 wrote to memory of 2816 2552 Lkbmbl32.exe 34 PID 2816 wrote to memory of 1732 2816 Lgingm32.exe 35 PID 2816 wrote to memory of 1732 2816 Lgingm32.exe 35 PID 2816 wrote to memory of 1732 2816 Lgingm32.exe 35 PID 2816 wrote to memory of 1732 2816 Lgingm32.exe 35 PID 1732 wrote to memory of 2908 1732 Lgkkmm32.exe 36 PID 1732 wrote to memory of 2908 1732 Lgkkmm32.exe 36 PID 1732 wrote to memory of 2908 1732 Lgkkmm32.exe 36 PID 1732 wrote to memory of 2908 1732 Lgkkmm32.exe 36 PID 2908 wrote to memory of 2160 2908 Ljigih32.exe 37 PID 2908 wrote to memory of 2160 2908 Ljigih32.exe 37 PID 2908 wrote to memory of 2160 2908 Ljigih32.exe 37 PID 2908 wrote to memory of 2160 2908 Ljigih32.exe 37 PID 2160 wrote to memory of 2032 2160 Lgngbmjp.exe 38 PID 2160 wrote to memory of 2032 2160 Lgngbmjp.exe 38 PID 2160 wrote to memory of 2032 2160 Lgngbmjp.exe 38 PID 2160 wrote to memory of 2032 2160 Lgngbmjp.exe 38 PID 2032 wrote to memory of 2764 2032 Lngpog32.exe 39 PID 2032 wrote to memory of 2764 2032 Lngpog32.exe 39 PID 2032 wrote to memory of 2764 2032 Lngpog32.exe 39 PID 2032 wrote to memory of 2764 2032 Lngpog32.exe 39 PID 2764 wrote to memory of 572 2764 Lcdhgn32.exe 40 PID 2764 wrote to memory of 572 2764 Lcdhgn32.exe 40 PID 2764 wrote to memory of 572 2764 Lcdhgn32.exe 40 PID 2764 wrote to memory of 572 2764 Lcdhgn32.exe 40 PID 572 wrote to memory of 1464 572 Lfbdci32.exe 41 PID 572 wrote to memory of 1464 572 Lfbdci32.exe 41 PID 572 wrote to memory of 1464 572 Lfbdci32.exe 41 PID 572 wrote to memory of 1464 572 Lfbdci32.exe 41 PID 1464 wrote to memory of 1852 1464 Llmmpcfe.exe 42 PID 1464 wrote to memory of 1852 1464 Llmmpcfe.exe 42 PID 1464 wrote to memory of 1852 1464 Llmmpcfe.exe 42 PID 1464 wrote to memory of 1852 1464 Llmmpcfe.exe 42 PID 1852 wrote to memory of 2180 1852 Mgbaml32.exe 43 PID 1852 wrote to memory of 2180 1852 Mgbaml32.exe 43 PID 1852 wrote to memory of 2180 1852 Mgbaml32.exe 43 PID 1852 wrote to memory of 2180 1852 Mgbaml32.exe 43 PID 2180 wrote to memory of 2416 2180 Mfeaiime.exe 44 PID 2180 wrote to memory of 2416 2180 Mfeaiime.exe 44 PID 2180 wrote to memory of 2416 2180 Mfeaiime.exe 44 PID 2180 wrote to memory of 2416 2180 Mfeaiime.exe 44 PID 2416 wrote to memory of 2152 2416 Mloiec32.exe 45 PID 2416 wrote to memory of 2152 2416 Mloiec32.exe 45 PID 2416 wrote to memory of 2152 2416 Mloiec32.exe 45 PID 2416 wrote to memory of 2152 2416 Mloiec32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\29ee0a6f23e4babc91b4ae2efa38264401718c5efc07c504b13af44379c9aef8.exe"C:\Users\Admin\AppData\Local\Temp\29ee0a6f23e4babc91b4ae2efa38264401718c5efc07c504b13af44379c9aef8.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2644 -
C:\Windows\SysWOW64\Kcginj32.exeC:\Windows\system32\Kcginj32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2772 -
C:\Windows\SysWOW64\Keeeje32.exeC:\Windows\system32\Keeeje32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2548 -
C:\Windows\SysWOW64\Lhcafa32.exeC:\Windows\system32\Lhcafa32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3040 -
C:\Windows\SysWOW64\Lkbmbl32.exeC:\Windows\system32\Lkbmbl32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2552 -
C:\Windows\SysWOW64\Lgingm32.exeC:\Windows\system32\Lgingm32.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2816 -
C:\Windows\SysWOW64\Lgkkmm32.exeC:\Windows\system32\Lgkkmm32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1732 -
C:\Windows\SysWOW64\Ljigih32.exeC:\Windows\system32\Ljigih32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2908 -
C:\Windows\SysWOW64\Lgngbmjp.exeC:\Windows\system32\Lgngbmjp.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2160 -
C:\Windows\SysWOW64\Lngpog32.exeC:\Windows\system32\Lngpog32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2032 -
C:\Windows\SysWOW64\Lcdhgn32.exeC:\Windows\system32\Lcdhgn32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2764 -
C:\Windows\SysWOW64\Lfbdci32.exeC:\Windows\system32\Lfbdci32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:572 -
C:\Windows\SysWOW64\Llmmpcfe.exeC:\Windows\system32\Llmmpcfe.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1464 -
C:\Windows\SysWOW64\Mgbaml32.exeC:\Windows\system32\Mgbaml32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1852 -
C:\Windows\SysWOW64\Mfeaiime.exeC:\Windows\system32\Mfeaiime.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2180 -
C:\Windows\SysWOW64\Mloiec32.exeC:\Windows\system32\Mloiec32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2416 -
C:\Windows\SysWOW64\Mjcjog32.exeC:\Windows\system32\Mjcjog32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2152 -
C:\Windows\SysWOW64\Mhfjjdjf.exeC:\Windows\system32\Mhfjjdjf.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:944 -
C:\Windows\SysWOW64\Mfjkdh32.exeC:\Windows\system32\Mfjkdh32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1456 -
C:\Windows\SysWOW64\Mdmkoepk.exeC:\Windows\system32\Mdmkoepk.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1636 -
C:\Windows\SysWOW64\Mflgih32.exeC:\Windows\system32\Mflgih32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2280 -
C:\Windows\SysWOW64\Mhjcec32.exeC:\Windows\system32\Mhjcec32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1980 -
C:\Windows\SysWOW64\Mgmdapml.exeC:\Windows\system32\Mgmdapml.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2428 -
C:\Windows\SysWOW64\Mbchni32.exeC:\Windows\system32\Mbchni32.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2956 -
C:\Windows\SysWOW64\Njnmbk32.exeC:\Windows\system32\Njnmbk32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1944 -
C:\Windows\SysWOW64\Nbeedh32.exeC:\Windows\system32\Nbeedh32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2748 -
C:\Windows\SysWOW64\Nqhepeai.exeC:\Windows\system32\Nqhepeai.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1516 -
C:\Windows\SysWOW64\Nknimnap.exeC:\Windows\system32\Nknimnap.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2936 -
C:\Windows\SysWOW64\Nqjaeeog.exeC:\Windows\system32\Nqjaeeog.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2804 -
C:\Windows\SysWOW64\Ncinap32.exeC:\Windows\system32\Ncinap32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2812 -
C:\Windows\SysWOW64\Nppofado.exeC:\Windows\system32\Nppofado.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1412 -
C:\Windows\SysWOW64\Nckkgp32.exeC:\Windows\system32\Nckkgp32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1440 -
C:\Windows\SysWOW64\Nmcopebh.exeC:\Windows\system32\Nmcopebh.exe33⤵
- Executes dropped EXE
PID:2884 -
C:\Windows\SysWOW64\Npbklabl.exeC:\Windows\system32\Npbklabl.exe34⤵
- Executes dropped EXE
PID:2636 -
C:\Windows\SysWOW64\Nbpghl32.exeC:\Windows\system32\Nbpghl32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1432 -
C:\Windows\SysWOW64\Nmflee32.exeC:\Windows\system32\Nmflee32.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2272 -
C:\Windows\SysWOW64\Obbdml32.exeC:\Windows\system32\Obbdml32.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1232 -
C:\Windows\SysWOW64\Ofnpnkgf.exeC:\Windows\system32\Ofnpnkgf.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2832 -
C:\Windows\SysWOW64\Oeaqig32.exeC:\Windows\system32\Oeaqig32.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1260 -
C:\Windows\SysWOW64\Opfegp32.exeC:\Windows\system32\Opfegp32.exe40⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1548 -
C:\Windows\SysWOW64\Oioipf32.exeC:\Windows\system32\Oioipf32.exe41⤵
- Executes dropped EXE
PID:2436 -
C:\Windows\SysWOW64\Olmela32.exeC:\Windows\system32\Olmela32.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:2352 -
C:\Windows\SysWOW64\Oefjdgjk.exeC:\Windows\system32\Oefjdgjk.exe43⤵
- Executes dropped EXE
PID:1780 -
C:\Windows\SysWOW64\Oiafee32.exeC:\Windows\system32\Oiafee32.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:2848 -
C:\Windows\SysWOW64\Onnnml32.exeC:\Windows\system32\Onnnml32.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:1236 -
C:\Windows\SysWOW64\Oalkih32.exeC:\Windows\system32\Oalkih32.exe46⤵
- Executes dropped EXE
PID:1268 -
C:\Windows\SysWOW64\Ojeobm32.exeC:\Windows\system32\Ojeobm32.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:2236 -
C:\Windows\SysWOW64\Onqkclni.exeC:\Windows\system32\Onqkclni.exe48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1960 -
C:\Windows\SysWOW64\Oaogognm.exeC:\Windows\system32\Oaogognm.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1420 -
C:\Windows\SysWOW64\Odmckcmq.exeC:\Windows\system32\Odmckcmq.exe50⤵
- Executes dropped EXE
PID:2632 -
C:\Windows\SysWOW64\Oflpgnld.exeC:\Windows\system32\Oflpgnld.exe51⤵
- Executes dropped EXE
PID:1520 -
C:\Windows\SysWOW64\Ojglhm32.exeC:\Windows\system32\Ojglhm32.exe52⤵
- Executes dropped EXE
PID:2776 -
C:\Windows\SysWOW64\Pnchhllf.exeC:\Windows\system32\Pnchhllf.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1604 -
C:\Windows\SysWOW64\Ppddpd32.exeC:\Windows\system32\Ppddpd32.exe54⤵
- Executes dropped EXE
PID:2616 -
C:\Windows\SysWOW64\Pdppqbkn.exeC:\Windows\system32\Pdppqbkn.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2588 -
C:\Windows\SysWOW64\Pfnmmn32.exeC:\Windows\system32\Pfnmmn32.exe56⤵
- Executes dropped EXE
PID:2728 -
C:\Windows\SysWOW64\Pjihmmbk.exeC:\Windows\system32\Pjihmmbk.exe57⤵
- Executes dropped EXE
PID:2984 -
C:\Windows\SysWOW64\Pmhejhao.exeC:\Windows\system32\Pmhejhao.exe58⤵
- Executes dropped EXE
PID:2108 -
C:\Windows\SysWOW64\Ppfafcpb.exeC:\Windows\system32\Ppfafcpb.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1644 -
C:\Windows\SysWOW64\Pbemboof.exeC:\Windows\system32\Pbemboof.exe60⤵
- Executes dropped EXE
PID:836 -
C:\Windows\SysWOW64\Pfpibn32.exeC:\Windows\system32\Pfpibn32.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2396 -
C:\Windows\SysWOW64\Pioeoi32.exeC:\Windows\system32\Pioeoi32.exe62⤵
- Executes dropped EXE
PID:2116 -
C:\Windows\SysWOW64\Pmjaohol.exeC:\Windows\system32\Pmjaohol.exe63⤵
- Executes dropped EXE
PID:1084 -
C:\Windows\SysWOW64\Pddjlb32.exeC:\Windows\system32\Pddjlb32.exe64⤵
- Executes dropped EXE
PID:984 -
C:\Windows\SysWOW64\Pbgjgomc.exeC:\Windows\system32\Pbgjgomc.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1460 -
C:\Windows\SysWOW64\Peefcjlg.exeC:\Windows\system32\Peefcjlg.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2460 -
C:\Windows\SysWOW64\Plpopddd.exeC:\Windows\system32\Plpopddd.exe67⤵
- System Location Discovery: System Language Discovery
PID:1156 -
C:\Windows\SysWOW64\Ponklpcg.exeC:\Windows\system32\Ponklpcg.exe68⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1900 -
C:\Windows\SysWOW64\Pbigmn32.exeC:\Windows\system32\Pbigmn32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2792 -
C:\Windows\SysWOW64\Pfebnmcj.exeC:\Windows\system32\Pfebnmcj.exe70⤵
- Drops file in System32 directory
PID:2860 -
C:\Windows\SysWOW64\Picojhcm.exeC:\Windows\system32\Picojhcm.exe71⤵
- System Location Discovery: System Language Discovery
PID:2536 -
C:\Windows\SysWOW64\Plbkfdba.exeC:\Windows\system32\Plbkfdba.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3008 -
C:\Windows\SysWOW64\Popgboae.exeC:\Windows\system32\Popgboae.exe73⤵
- System Location Discovery: System Language Discovery
PID:1020 -
C:\Windows\SysWOW64\Pblcbn32.exeC:\Windows\system32\Pblcbn32.exe74⤵
- Drops file in System32 directory
PID:1628 -
C:\Windows\SysWOW64\Qejpoi32.exeC:\Windows\system32\Qejpoi32.exe75⤵PID:1356
-
C:\Windows\SysWOW64\Qiflohqk.exeC:\Windows\system32\Qiflohqk.exe76⤵
- System Location Discovery: System Language Discovery
PID:536 -
C:\Windows\SysWOW64\Qldhkc32.exeC:\Windows\system32\Qldhkc32.exe77⤵
- System Location Discovery: System Language Discovery
PID:2852 -
C:\Windows\SysWOW64\Qobdgo32.exeC:\Windows\system32\Qobdgo32.exe78⤵PID:356
-
C:\Windows\SysWOW64\Qbnphngk.exeC:\Windows\system32\Qbnphngk.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2360 -
C:\Windows\SysWOW64\Qemldifo.exeC:\Windows\system32\Qemldifo.exe80⤵
- Drops file in System32 directory
PID:2388 -
C:\Windows\SysWOW64\Qhkipdeb.exeC:\Windows\system32\Qhkipdeb.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1736 -
C:\Windows\SysWOW64\Qkielpdf.exeC:\Windows\system32\Qkielpdf.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1956 -
C:\Windows\SysWOW64\Qmhahkdj.exeC:\Windows\system32\Qmhahkdj.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1992 -
C:\Windows\SysWOW64\Aeoijidl.exeC:\Windows\system32\Aeoijidl.exe84⤵PID:2968
-
C:\Windows\SysWOW64\Adaiee32.exeC:\Windows\system32\Adaiee32.exe85⤵PID:2496
-
C:\Windows\SysWOW64\Aklabp32.exeC:\Windows\system32\Aklabp32.exe86⤵
- System Location Discovery: System Language Discovery
PID:1064 -
C:\Windows\SysWOW64\Aognbnkm.exeC:\Windows\system32\Aognbnkm.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1492 -
C:\Windows\SysWOW64\Anjnnk32.exeC:\Windows\system32\Anjnnk32.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2700 -
C:\Windows\SysWOW64\Aphjjf32.exeC:\Windows\system32\Aphjjf32.exe89⤵
- System Location Discovery: System Language Discovery
PID:2564 -
C:\Windows\SysWOW64\Ahpbkd32.exeC:\Windows\system32\Ahpbkd32.exe90⤵PID:1408
-
C:\Windows\SysWOW64\Agbbgqhh.exeC:\Windows\system32\Agbbgqhh.exe91⤵PID:2196
-
C:\Windows\SysWOW64\Aiaoclgl.exeC:\Windows\system32\Aiaoclgl.exe92⤵
- Modifies registry class
PID:644 -
C:\Windows\SysWOW64\Apkgpf32.exeC:\Windows\system32\Apkgpf32.exe93⤵
- Modifies registry class
PID:2640 -
C:\Windows\SysWOW64\Adfbpega.exeC:\Windows\system32\Adfbpega.exe94⤵PID:2880
-
C:\Windows\SysWOW64\Ageompfe.exeC:\Windows\system32\Ageompfe.exe95⤵PID:1192
-
C:\Windows\SysWOW64\Ajckilei.exeC:\Windows\system32\Ajckilei.exe96⤵
- Modifies registry class
PID:2208 -
C:\Windows\SysWOW64\Anogijnb.exeC:\Windows\system32\Anogijnb.exe97⤵
- Modifies registry class
PID:1076 -
C:\Windows\SysWOW64\Apmcefmf.exeC:\Windows\system32\Apmcefmf.exe98⤵PID:1660
-
C:\Windows\SysWOW64\Aclpaali.exeC:\Windows\system32\Aclpaali.exe99⤵
- Drops file in System32 directory
- Modifies registry class
PID:2040 -
C:\Windows\SysWOW64\Aejlnmkm.exeC:\Windows\system32\Aejlnmkm.exe100⤵PID:2796
-
C:\Windows\SysWOW64\Anadojlo.exeC:\Windows\system32\Anadojlo.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2928 -
C:\Windows\SysWOW64\Apppkekc.exeC:\Windows\system32\Apppkekc.exe102⤵
- Modifies registry class
PID:2604 -
C:\Windows\SysWOW64\Aobpfb32.exeC:\Windows\system32\Aobpfb32.exe103⤵PID:2392
-
C:\Windows\SysWOW64\Agihgp32.exeC:\Windows\system32\Agihgp32.exe104⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:332 -
C:\Windows\SysWOW64\Ajhddk32.exeC:\Windows\system32\Ajhddk32.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2900 -
C:\Windows\SysWOW64\Bhkeohhn.exeC:\Windows\system32\Bhkeohhn.exe106⤵PID:2184
-
C:\Windows\SysWOW64\Bpbmqe32.exeC:\Windows\system32\Bpbmqe32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:448 -
C:\Windows\SysWOW64\Bcpimq32.exeC:\Windows\system32\Bcpimq32.exe108⤵PID:1772
-
C:\Windows\SysWOW64\Bacihmoo.exeC:\Windows\system32\Bacihmoo.exe109⤵PID:1360
-
C:\Windows\SysWOW64\Bjjaikoa.exeC:\Windows\system32\Bjjaikoa.exe110⤵PID:2036
-
C:\Windows\SysWOW64\Blinefnd.exeC:\Windows\system32\Blinefnd.exe111⤵PID:2668
-
C:\Windows\SysWOW64\Bkknac32.exeC:\Windows\system32\Bkknac32.exe112⤵PID:2696
-
C:\Windows\SysWOW64\Bcbfbp32.exeC:\Windows\system32\Bcbfbp32.exe113⤵PID:2544
-
C:\Windows\SysWOW64\Bfabnl32.exeC:\Windows\system32\Bfabnl32.exe114⤵PID:1104
-
C:\Windows\SysWOW64\Bhonjg32.exeC:\Windows\system32\Bhonjg32.exe115⤵PID:808
-
C:\Windows\SysWOW64\Bknjfb32.exeC:\Windows\system32\Bknjfb32.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2756 -
C:\Windows\SysWOW64\Boifga32.exeC:\Windows\system32\Boifga32.exe117⤵PID:2132
-
C:\Windows\SysWOW64\Bbhccm32.exeC:\Windows\system32\Bbhccm32.exe118⤵PID:2120
-
C:\Windows\SysWOW64\Bdfooh32.exeC:\Windows\system32\Bdfooh32.exe119⤵PID:900
-
C:\Windows\SysWOW64\Bgdkkc32.exeC:\Windows\system32\Bgdkkc32.exe120⤵PID:1968
-
C:\Windows\SysWOW64\Bkpglbaj.exeC:\Windows\system32\Bkpglbaj.exe121⤵
- Drops file in System32 directory
PID:2444
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-