Analysis
-
max time kernel
120s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
25-12-2024 01:21
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
a64603b7b949aff3725e3b7ce4d536476e71e5ffb40690ee2d6e5d3434bb2bbe.exe
Resource
win7-20240729-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral2
Sample
a64603b7b949aff3725e3b7ce4d536476e71e5ffb40690ee2d6e5d3434bb2bbe.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
a64603b7b949aff3725e3b7ce4d536476e71e5ffb40690ee2d6e5d3434bb2bbe.exe
-
Size
98KB
-
MD5
ad8237dd474909d95a1916ce47148d1a
-
SHA1
0bbde220ff0b1be886cc2de4bb843054a5e8059e
-
SHA256
a64603b7b949aff3725e3b7ce4d536476e71e5ffb40690ee2d6e5d3434bb2bbe
-
SHA512
150e44c89d4787ebbdf18f054f9a22b7dbab7e3e5665340b333f0fcb8ad2b76f0084d1b9cfc087ce7174fde744ae998f02439feff04d1f9df2f9be4e92f84340
-
SSDEEP
3072:Dc4zrCI4BEPrh81kLrcWsEmH3ArE9eFKPD375lHzpa1Py:Lz14B0fcW9mkE9eYr75lHzpaFy
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jihdnk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iaaekl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dmmbge32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojndpqpq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lckflc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kapohbfp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofdeeb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmabqf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipkema32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmhqokcq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cofofolh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Inepgn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgfiocfl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmelpa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nqpdcc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdnncfoe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fapgblob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lidilk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogmkne32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkhdnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cofofolh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dklepmal.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnbjpqoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pmecbkgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jmlobg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kglfcd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojpomh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qpcjeaad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aohgfm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpdankjg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcichb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ikapdqoc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbmnea32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjiljf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fdfmpc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfjhbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ngbpehpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cppobaeb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Palpneop.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkmljcdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aeokba32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbmlkl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhhominh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fbipdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kkilgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lkgifd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhbmip32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qanolm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlhaaogd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gdfiofhn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Halcmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pjbjjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nmmjjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Njeelc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eikimeff.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glnkcc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ieeqpi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Keoabo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Alofnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aicfgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Docopbaf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Joppeeif.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccqhdmbc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klfmijae.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2228 Jpepkk32.exe 3060 Jpgmpk32.exe 2444 Jbfilffm.exe 2720 Jmkmjoec.exe 2600 Jlnmel32.exe 1776 Jlqjkk32.exe 1844 Kbjbge32.exe 3056 Khgkpl32.exe 1260 Kbmome32.exe 2816 Kapohbfp.exe 2476 Kmfpmc32.exe 2344 Kenhopmf.exe 572 Kfodfh32.exe 884 Kpgionie.exe 2144 Kkmmlgik.exe 2092 Kmkihbho.exe 1016 Kpieengb.exe 2912 Libjncnc.exe 2540 Lmmfnb32.exe 1852 Lplbjm32.exe 2284 Llbconkd.exe 380 Llepen32.exe 1720 Lcohahpn.exe 748 Lofifi32.exe 2384 Lcadghnk.exe 2732 Ladebd32.exe 2876 Lohelidp.exe 1540 Lnkege32.exe 2972 Mkofaj32.exe 3020 Mojbaham.exe 2892 Mgegfk32.exe 2416 Mjdcbf32.exe 3068 Makkcc32.exe 1868 Mcodqkbi.exe 292 Mjilmejf.exe 2680 Mndhnd32.exe 1104 Mfpmbf32.exe 2844 Mjkibehc.exe 1532 Mlieoqgg.exe 2192 Nohaklfk.exe 1752 Nojnql32.exe 832 Ncfjajma.exe 764 Nhbciaki.exe 1292 Nmnojp32.exe 1600 Nomkfk32.exe 2252 Nbkgbg32.exe 976 Ndicnb32.exe 2388 Nkclkl32.exe 2108 Nbmdhfog.exe 2728 Nigldq32.exe 2736 Nndemg32.exe 2608 Nqbaic32.exe 2056 Ogliemkk.exe 2348 Onfabgch.exe 2632 Oqennbbl.exe 1680 Ogofkm32.exe 2840 Ofafgipc.exe 2124 Omlncc32.exe 1300 Oqgjdbpi.exe 1528 Ogabql32.exe 1164 Ojpomh32.exe 2120 Oaigib32.exe 1432 Ochcem32.exe 828 Obkcajde.exe -
Loads dropped DLL 64 IoCs
pid Process 2188 a64603b7b949aff3725e3b7ce4d536476e71e5ffb40690ee2d6e5d3434bb2bbe.exe 2188 a64603b7b949aff3725e3b7ce4d536476e71e5ffb40690ee2d6e5d3434bb2bbe.exe 2228 Jpepkk32.exe 2228 Jpepkk32.exe 3060 Jpgmpk32.exe 3060 Jpgmpk32.exe 2444 Jbfilffm.exe 2444 Jbfilffm.exe 2720 Jmkmjoec.exe 2720 Jmkmjoec.exe 2600 Jlnmel32.exe 2600 Jlnmel32.exe 1776 Jlqjkk32.exe 1776 Jlqjkk32.exe 1844 Kbjbge32.exe 1844 Kbjbge32.exe 3056 Khgkpl32.exe 3056 Khgkpl32.exe 1260 Kbmome32.exe 1260 Kbmome32.exe 2816 Kapohbfp.exe 2816 Kapohbfp.exe 2476 Kmfpmc32.exe 2476 Kmfpmc32.exe 2344 Kenhopmf.exe 2344 Kenhopmf.exe 572 Kfodfh32.exe 572 Kfodfh32.exe 884 Kpgionie.exe 884 Kpgionie.exe 2144 Kkmmlgik.exe 2144 Kkmmlgik.exe 2092 Kmkihbho.exe 2092 Kmkihbho.exe 1016 Kpieengb.exe 1016 Kpieengb.exe 2912 Libjncnc.exe 2912 Libjncnc.exe 2540 Lmmfnb32.exe 2540 Lmmfnb32.exe 1852 Lplbjm32.exe 1852 Lplbjm32.exe 2284 Llbconkd.exe 2284 Llbconkd.exe 380 Llepen32.exe 380 Llepen32.exe 1720 Lcohahpn.exe 1720 Lcohahpn.exe 748 Lofifi32.exe 748 Lofifi32.exe 2384 Lcadghnk.exe 2384 Lcadghnk.exe 2732 Ladebd32.exe 2732 Ladebd32.exe 2876 Lohelidp.exe 2876 Lohelidp.exe 1540 Lnkege32.exe 1540 Lnkege32.exe 2972 Mkofaj32.exe 2972 Mkofaj32.exe 3020 Mojbaham.exe 3020 Mojbaham.exe 2892 Mgegfk32.exe 2892 Mgegfk32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Beadgdli.exe Bogljj32.exe File created C:\Windows\SysWOW64\Mhalngad.exe Mebpakbq.exe File opened for modification C:\Windows\SysWOW64\Kcimhpma.exe Kqkalenn.exe File opened for modification C:\Windows\SysWOW64\Kpgionie.exe Kfodfh32.exe File opened for modification C:\Windows\SysWOW64\Aahimb32.exe Aiaqle32.exe File created C:\Windows\SysWOW64\Apnfno32.exe Albjnplq.exe File opened for modification C:\Windows\SysWOW64\Objmgd32.exe Ojceef32.exe File created C:\Windows\SysWOW64\Cjjpag32.exe Ckhpejbf.exe File opened for modification C:\Windows\SysWOW64\Mdlfngcc.exe Mmbnam32.exe File opened for modification C:\Windows\SysWOW64\Pajeanhf.exe Pbgefa32.exe File created C:\Windows\SysWOW64\Cpmknp32.dll Aljmbknm.exe File created C:\Windows\SysWOW64\Goddjc32.exe Glfgnh32.exe File created C:\Windows\SysWOW64\Fnjfjc32.dll Mkgeehnl.exe File created C:\Windows\SysWOW64\Bfdbgnmd.dll Njchfc32.exe File opened for modification C:\Windows\SysWOW64\Ihpgce32.exe Ifbkgj32.exe File created C:\Windows\SysWOW64\Gjnkgi32.dll Lohelidp.exe File opened for modification C:\Windows\SysWOW64\Afcdpi32.exe Addhcn32.exe File opened for modification C:\Windows\SysWOW64\Cjjpag32.exe Ckhpejbf.exe File created C:\Windows\SysWOW64\Lehdhn32.exe Lmalgq32.exe File created C:\Windows\SysWOW64\Pcnfdl32.exe Oqojhp32.exe File opened for modification C:\Windows\SysWOW64\Gefolhja.exe Golgon32.exe File opened for modification C:\Windows\SysWOW64\Pofldf32.exe Pildgl32.exe File opened for modification C:\Windows\SysWOW64\Dpaqmnap.exe Dleelp32.exe File created C:\Windows\SysWOW64\Dkmljcdh.exe Dmjlof32.exe File created C:\Windows\SysWOW64\Lmjqcd32.dll Dkmljcdh.exe File created C:\Windows\SysWOW64\Joppeeif.exe Imacijjb.exe File created C:\Windows\SysWOW64\Gecklbih.exe Gmlckehe.exe File created C:\Windows\SysWOW64\Ljjhdm32.exe Lfnlcnih.exe File opened for modification C:\Windows\SysWOW64\Jjpgfbom.exe Jgbjjf32.exe File created C:\Windows\SysWOW64\Mghomh32.dll Klmbjh32.exe File created C:\Windows\SysWOW64\Nnodgbed.exe Njchfc32.exe File created C:\Windows\SysWOW64\Knaeeo32.exe Kghmhegc.exe File opened for modification C:\Windows\SysWOW64\Pjpmdd32.exe Pioamlkk.exe File created C:\Windows\SysWOW64\Oqennbbl.exe Onfabgch.exe File created C:\Windows\SysWOW64\Cdedde32.exe Cbghhj32.exe File opened for modification C:\Windows\SysWOW64\Dkjpdcfj.exe Dilchhgg.exe File created C:\Windows\SysWOW64\Ogliemkk.exe Nqbaic32.exe File created C:\Windows\SysWOW64\Piadma32.exe Pfchqf32.exe File created C:\Windows\SysWOW64\Nacgfd32.dll Beadgdli.exe File opened for modification C:\Windows\SysWOW64\Ckecpjdh.exe Chggdoee.exe File created C:\Windows\SysWOW64\Fakmpf32.dll Enhaeldn.exe File created C:\Windows\SysWOW64\Jmnpoagb.dll Mbdcepcm.exe File opened for modification C:\Windows\SysWOW64\Dofnnkfg.exe Dlhaaogd.exe File opened for modification C:\Windows\SysWOW64\Kfopdk32.exe Kkilgb32.exe File created C:\Windows\SysWOW64\Lohelidp.exe Ladebd32.exe File created C:\Windows\SysWOW64\Bfgdmjlp.exe Bchhqo32.exe File opened for modification C:\Windows\SysWOW64\Eejjnhgc.exe Ebknblho.exe File created C:\Windows\SysWOW64\Npkfff32.exe Nmmjjk32.exe File created C:\Windows\SysWOW64\Ccoemihm.dll Knohpo32.exe File created C:\Windows\SysWOW64\Dggekf32.dll Aeenapck.exe File created C:\Windows\SysWOW64\Dgkiih32.exe Dpaqmnap.exe File created C:\Windows\SysWOW64\Nojnql32.exe Nohaklfk.exe File opened for modification C:\Windows\SysWOW64\Ofafgipc.exe Ogofkm32.exe File created C:\Windows\SysWOW64\Bkcojhgk.dll Pcnfdl32.exe File created C:\Windows\SysWOW64\Fheoiqgi.exe Fcichb32.exe File created C:\Windows\SysWOW64\Fjhdpk32.exe Fhjhdp32.exe File created C:\Windows\SysWOW64\Kmfjlmef.dll Lfdpjp32.exe File created C:\Windows\SysWOW64\Hmecge32.dll Aalofa32.exe File created C:\Windows\SysWOW64\Gbbbjg32.exe Gjljij32.exe File opened for modification C:\Windows\SysWOW64\Nhbciaki.exe Ncfjajma.exe File created C:\Windows\SysWOW64\Bccoeo32.exe Bpebidam.exe File created C:\Windows\SysWOW64\Klfmijae.exe Kihpmnbb.exe File created C:\Windows\SysWOW64\Plbbmj32.dll Maapjjml.exe File opened for modification C:\Windows\SysWOW64\Aalofa32.exe Abinjdad.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 832 8228 WerFault.exe 1017 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofafgipc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpmjcg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kaholp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgnfji32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojceef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emdhhdqb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkmefaan.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehaolpke.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jngkdj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhfkihon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Keango32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Leegbnan.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnjklb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Famcbf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmqffonj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjnkpf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nejkdm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdhbci32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Joppeeif.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojpaeq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcdifa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qekbgbpf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccpqjfnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifgklp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qcmkhi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nickoldp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mghfdcdi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcofid32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojkhjabc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djgfgkbo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qpniokan.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cabaec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hiockd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfnlcnih.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncjbba32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lplbjm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ombddbah.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaeqmk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibillk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhklha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dqddmd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Geilah32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipabfcdm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppipdl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmmqmpdm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djafaf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fiebnjbg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iijfoh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nndemg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkkhpadq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpgecq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obmpgjbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfinam32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flabdecn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbfkeo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jecnnk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djghpd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajldkhjh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ecjgio32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pegnglnm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emhnqbjo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kimjhnnl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlmoilni.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gedbfimc.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fbhfajia.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gibkmgcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opdnpmio.dll" Ojbnkp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nlbgkgcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ambcgi32.dll" Nohaklfk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Geqlnjcf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hhmhcigh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Halcmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dilmaf32.dll" Bhbmip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elpbhe32.dll" Opaqpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbjemo32.dll" Alodeacc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dnkhfnck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjdnoa32.dll" Jacibm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nklopg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cfcmlg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fnadkjlc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cikipfim.dll" Jojloc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aokckm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpfecckm.dll" Afndjdpe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpmodqio.dll" Mghfdcdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Flcojeak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jkimpfmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nphmpc32.dll" Lehdhn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edeppfdk.dll" Qpniokan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fhbbcail.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nldeka32.dll" Fjaoplho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fbhfajia.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fdfmpc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hajhpgag.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bfgdmjlp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmcmif32.dll" Lbbnjgik.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Onamle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ienjoljk.dll" Cdpdnpif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hchoop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akkiob32.dll" Ikjjda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lfkfkopk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcadppco.dll" Kapohbfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kimlqfeq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iagiph32.dll" Odnobj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qlggjlep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcoljb32.dll" Mlgkbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjpief32.dll" Jopbnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gleaik32.dll" Kobkbaac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plbbmj32.dll" Maapjjml.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Amgjnepn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fopnpaba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbihoo32.dll" Gdfiofhn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iianmlfn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ofiopaap.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mgegfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nqpdcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hclhjpjc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khljoh32.dll" Jpepkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmbfnakd.dll" Ahedjb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnngcook.dll" Ckhfpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpophbkc.dll" Gjemoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Adjhicpo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iomcpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ifgklp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jbcelp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Padccpal.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cpdhna32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jfojpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ihijhpdo.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2188 wrote to memory of 2228 2188 a64603b7b949aff3725e3b7ce4d536476e71e5ffb40690ee2d6e5d3434bb2bbe.exe 30 PID 2188 wrote to memory of 2228 2188 a64603b7b949aff3725e3b7ce4d536476e71e5ffb40690ee2d6e5d3434bb2bbe.exe 30 PID 2188 wrote to memory of 2228 2188 a64603b7b949aff3725e3b7ce4d536476e71e5ffb40690ee2d6e5d3434bb2bbe.exe 30 PID 2188 wrote to memory of 2228 2188 a64603b7b949aff3725e3b7ce4d536476e71e5ffb40690ee2d6e5d3434bb2bbe.exe 30 PID 2228 wrote to memory of 3060 2228 Jpepkk32.exe 31 PID 2228 wrote to memory of 3060 2228 Jpepkk32.exe 31 PID 2228 wrote to memory of 3060 2228 Jpepkk32.exe 31 PID 2228 wrote to memory of 3060 2228 Jpepkk32.exe 31 PID 3060 wrote to memory of 2444 3060 Jpgmpk32.exe 32 PID 3060 wrote to memory of 2444 3060 Jpgmpk32.exe 32 PID 3060 wrote to memory of 2444 3060 Jpgmpk32.exe 32 PID 3060 wrote to memory of 2444 3060 Jpgmpk32.exe 32 PID 2444 wrote to memory of 2720 2444 Jbfilffm.exe 33 PID 2444 wrote to memory of 2720 2444 Jbfilffm.exe 33 PID 2444 wrote to memory of 2720 2444 Jbfilffm.exe 33 PID 2444 wrote to memory of 2720 2444 Jbfilffm.exe 33 PID 2720 wrote to memory of 2600 2720 Jmkmjoec.exe 34 PID 2720 wrote to memory of 2600 2720 Jmkmjoec.exe 34 PID 2720 wrote to memory of 2600 2720 Jmkmjoec.exe 34 PID 2720 wrote to memory of 2600 2720 Jmkmjoec.exe 34 PID 2600 wrote to memory of 1776 2600 Jlnmel32.exe 35 PID 2600 wrote to memory of 1776 2600 Jlnmel32.exe 35 PID 2600 wrote to memory of 1776 2600 Jlnmel32.exe 35 PID 2600 wrote to memory of 1776 2600 Jlnmel32.exe 35 PID 1776 wrote to memory of 1844 1776 Jlqjkk32.exe 36 PID 1776 wrote to memory of 1844 1776 Jlqjkk32.exe 36 PID 1776 wrote to memory of 1844 1776 Jlqjkk32.exe 36 PID 1776 wrote to memory of 1844 1776 Jlqjkk32.exe 36 PID 1844 wrote to memory of 3056 1844 Kbjbge32.exe 37 PID 1844 wrote to memory of 3056 1844 Kbjbge32.exe 37 PID 1844 wrote to memory of 3056 1844 Kbjbge32.exe 37 PID 1844 wrote to memory of 3056 1844 Kbjbge32.exe 37 PID 3056 wrote to memory of 1260 3056 Khgkpl32.exe 38 PID 3056 wrote to memory of 1260 3056 Khgkpl32.exe 38 PID 3056 wrote to memory of 1260 3056 Khgkpl32.exe 38 PID 3056 wrote to memory of 1260 3056 Khgkpl32.exe 38 PID 1260 wrote to memory of 2816 1260 Kbmome32.exe 39 PID 1260 wrote to memory of 2816 1260 Kbmome32.exe 39 PID 1260 wrote to memory of 2816 1260 Kbmome32.exe 39 PID 1260 wrote to memory of 2816 1260 Kbmome32.exe 39 PID 2816 wrote to memory of 2476 2816 Kapohbfp.exe 40 PID 2816 wrote to memory of 2476 2816 Kapohbfp.exe 40 PID 2816 wrote to memory of 2476 2816 Kapohbfp.exe 40 PID 2816 wrote to memory of 2476 2816 Kapohbfp.exe 40 PID 2476 wrote to memory of 2344 2476 Kmfpmc32.exe 41 PID 2476 wrote to memory of 2344 2476 Kmfpmc32.exe 41 PID 2476 wrote to memory of 2344 2476 Kmfpmc32.exe 41 PID 2476 wrote to memory of 2344 2476 Kmfpmc32.exe 41 PID 2344 wrote to memory of 572 2344 Kenhopmf.exe 42 PID 2344 wrote to memory of 572 2344 Kenhopmf.exe 42 PID 2344 wrote to memory of 572 2344 Kenhopmf.exe 42 PID 2344 wrote to memory of 572 2344 Kenhopmf.exe 42 PID 572 wrote to memory of 884 572 Kfodfh32.exe 43 PID 572 wrote to memory of 884 572 Kfodfh32.exe 43 PID 572 wrote to memory of 884 572 Kfodfh32.exe 43 PID 572 wrote to memory of 884 572 Kfodfh32.exe 43 PID 884 wrote to memory of 2144 884 Kpgionie.exe 44 PID 884 wrote to memory of 2144 884 Kpgionie.exe 44 PID 884 wrote to memory of 2144 884 Kpgionie.exe 44 PID 884 wrote to memory of 2144 884 Kpgionie.exe 44 PID 2144 wrote to memory of 2092 2144 Kkmmlgik.exe 45 PID 2144 wrote to memory of 2092 2144 Kkmmlgik.exe 45 PID 2144 wrote to memory of 2092 2144 Kkmmlgik.exe 45 PID 2144 wrote to memory of 2092 2144 Kkmmlgik.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\a64603b7b949aff3725e3b7ce4d536476e71e5ffb40690ee2d6e5d3434bb2bbe.exe"C:\Users\Admin\AppData\Local\Temp\a64603b7b949aff3725e3b7ce4d536476e71e5ffb40690ee2d6e5d3434bb2bbe.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2188 -
C:\Windows\SysWOW64\Jpepkk32.exeC:\Windows\system32\Jpepkk32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2228 -
C:\Windows\SysWOW64\Jpgmpk32.exeC:\Windows\system32\Jpgmpk32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3060 -
C:\Windows\SysWOW64\Jbfilffm.exeC:\Windows\system32\Jbfilffm.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2444 -
C:\Windows\SysWOW64\Jmkmjoec.exeC:\Windows\system32\Jmkmjoec.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2720 -
C:\Windows\SysWOW64\Jlnmel32.exeC:\Windows\system32\Jlnmel32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2600 -
C:\Windows\SysWOW64\Jlqjkk32.exeC:\Windows\system32\Jlqjkk32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1776 -
C:\Windows\SysWOW64\Kbjbge32.exeC:\Windows\system32\Kbjbge32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1844 -
C:\Windows\SysWOW64\Khgkpl32.exeC:\Windows\system32\Khgkpl32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3056 -
C:\Windows\SysWOW64\Kbmome32.exeC:\Windows\system32\Kbmome32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1260 -
C:\Windows\SysWOW64\Kapohbfp.exeC:\Windows\system32\Kapohbfp.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2816 -
C:\Windows\SysWOW64\Kmfpmc32.exeC:\Windows\system32\Kmfpmc32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2476 -
C:\Windows\SysWOW64\Kenhopmf.exeC:\Windows\system32\Kenhopmf.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2344 -
C:\Windows\SysWOW64\Kfodfh32.exeC:\Windows\system32\Kfodfh32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:572 -
C:\Windows\SysWOW64\Kpgionie.exeC:\Windows\system32\Kpgionie.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:884 -
C:\Windows\SysWOW64\Kkmmlgik.exeC:\Windows\system32\Kkmmlgik.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2144 -
C:\Windows\SysWOW64\Kmkihbho.exeC:\Windows\system32\Kmkihbho.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2092 -
C:\Windows\SysWOW64\Kpieengb.exeC:\Windows\system32\Kpieengb.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1016 -
C:\Windows\SysWOW64\Libjncnc.exeC:\Windows\system32\Libjncnc.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2912 -
C:\Windows\SysWOW64\Lmmfnb32.exeC:\Windows\system32\Lmmfnb32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2540 -
C:\Windows\SysWOW64\Lplbjm32.exeC:\Windows\system32\Lplbjm32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1852 -
C:\Windows\SysWOW64\Llbconkd.exeC:\Windows\system32\Llbconkd.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2284 -
C:\Windows\SysWOW64\Llepen32.exeC:\Windows\system32\Llepen32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:380 -
C:\Windows\SysWOW64\Lcohahpn.exeC:\Windows\system32\Lcohahpn.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1720 -
C:\Windows\SysWOW64\Lofifi32.exeC:\Windows\system32\Lofifi32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:748 -
C:\Windows\SysWOW64\Lcadghnk.exeC:\Windows\system32\Lcadghnk.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2384 -
C:\Windows\SysWOW64\Ladebd32.exeC:\Windows\system32\Ladebd32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2732 -
C:\Windows\SysWOW64\Lohelidp.exeC:\Windows\system32\Lohelidp.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2876 -
C:\Windows\SysWOW64\Lnkege32.exeC:\Windows\system32\Lnkege32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1540 -
C:\Windows\SysWOW64\Mkofaj32.exeC:\Windows\system32\Mkofaj32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2972 -
C:\Windows\SysWOW64\Mojbaham.exeC:\Windows\system32\Mojbaham.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3020 -
C:\Windows\SysWOW64\Mgegfk32.exeC:\Windows\system32\Mgegfk32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2892 -
C:\Windows\SysWOW64\Mjdcbf32.exeC:\Windows\system32\Mjdcbf32.exe33⤵
- Executes dropped EXE
PID:2416 -
C:\Windows\SysWOW64\Makkcc32.exeC:\Windows\system32\Makkcc32.exe34⤵
- Executes dropped EXE
PID:3068 -
C:\Windows\SysWOW64\Mcodqkbi.exeC:\Windows\system32\Mcodqkbi.exe35⤵
- Executes dropped EXE
PID:1868 -
C:\Windows\SysWOW64\Mjilmejf.exeC:\Windows\system32\Mjilmejf.exe36⤵
- Executes dropped EXE
PID:292 -
C:\Windows\SysWOW64\Mndhnd32.exeC:\Windows\system32\Mndhnd32.exe37⤵
- Executes dropped EXE
PID:2680 -
C:\Windows\SysWOW64\Mfpmbf32.exeC:\Windows\system32\Mfpmbf32.exe38⤵
- Executes dropped EXE
PID:1104 -
C:\Windows\SysWOW64\Mjkibehc.exeC:\Windows\system32\Mjkibehc.exe39⤵
- Executes dropped EXE
PID:2844 -
C:\Windows\SysWOW64\Mlieoqgg.exeC:\Windows\system32\Mlieoqgg.exe40⤵
- Executes dropped EXE
PID:1532 -
C:\Windows\SysWOW64\Nohaklfk.exeC:\Windows\system32\Nohaklfk.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2192 -
C:\Windows\SysWOW64\Nojnql32.exeC:\Windows\system32\Nojnql32.exe42⤵
- Executes dropped EXE
PID:1752 -
C:\Windows\SysWOW64\Ncfjajma.exeC:\Windows\system32\Ncfjajma.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:832 -
C:\Windows\SysWOW64\Nhbciaki.exeC:\Windows\system32\Nhbciaki.exe44⤵
- Executes dropped EXE
PID:764 -
C:\Windows\SysWOW64\Nmnojp32.exeC:\Windows\system32\Nmnojp32.exe45⤵
- Executes dropped EXE
PID:1292 -
C:\Windows\SysWOW64\Nomkfk32.exeC:\Windows\system32\Nomkfk32.exe46⤵
- Executes dropped EXE
PID:1600 -
C:\Windows\SysWOW64\Nbkgbg32.exeC:\Windows\system32\Nbkgbg32.exe47⤵
- Executes dropped EXE
PID:2252 -
C:\Windows\SysWOW64\Ndicnb32.exeC:\Windows\system32\Ndicnb32.exe48⤵
- Executes dropped EXE
PID:976 -
C:\Windows\SysWOW64\Nkclkl32.exeC:\Windows\system32\Nkclkl32.exe49⤵
- Executes dropped EXE
PID:2388 -
C:\Windows\SysWOW64\Nbmdhfog.exeC:\Windows\system32\Nbmdhfog.exe50⤵
- Executes dropped EXE
PID:2108 -
C:\Windows\SysWOW64\Nqpdcc32.exeC:\Windows\system32\Nqpdcc32.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2068 -
C:\Windows\SysWOW64\Nigldq32.exeC:\Windows\system32\Nigldq32.exe52⤵
- Executes dropped EXE
PID:2728 -
C:\Windows\SysWOW64\Nndemg32.exeC:\Windows\system32\Nndemg32.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2736 -
C:\Windows\SysWOW64\Nqbaic32.exeC:\Windows\system32\Nqbaic32.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2608 -
C:\Windows\SysWOW64\Ogliemkk.exeC:\Windows\system32\Ogliemkk.exe55⤵
- Executes dropped EXE
PID:2056 -
C:\Windows\SysWOW64\Onfabgch.exeC:\Windows\system32\Onfabgch.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2348 -
C:\Windows\SysWOW64\Oqennbbl.exeC:\Windows\system32\Oqennbbl.exe57⤵
- Executes dropped EXE
PID:2632 -
C:\Windows\SysWOW64\Ogofkm32.exeC:\Windows\system32\Ogofkm32.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1680 -
C:\Windows\SysWOW64\Ofafgipc.exeC:\Windows\system32\Ofafgipc.exe59⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2840 -
C:\Windows\SysWOW64\Omlncc32.exeC:\Windows\system32\Omlncc32.exe60⤵
- Executes dropped EXE
PID:2124 -
C:\Windows\SysWOW64\Oqgjdbpi.exeC:\Windows\system32\Oqgjdbpi.exe61⤵
- Executes dropped EXE
PID:1300 -
C:\Windows\SysWOW64\Ogabql32.exeC:\Windows\system32\Ogabql32.exe62⤵
- Executes dropped EXE
PID:1528 -
C:\Windows\SysWOW64\Ojpomh32.exeC:\Windows\system32\Ojpomh32.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1164 -
C:\Windows\SysWOW64\Oaigib32.exeC:\Windows\system32\Oaigib32.exe64⤵
- Executes dropped EXE
PID:2120 -
C:\Windows\SysWOW64\Ochcem32.exeC:\Windows\system32\Ochcem32.exe65⤵
- Executes dropped EXE
PID:1432 -
C:\Windows\SysWOW64\Obkcajde.exeC:\Windows\system32\Obkcajde.exe66⤵
- Executes dropped EXE
PID:828 -
C:\Windows\SysWOW64\Ojblbgdg.exeC:\Windows\system32\Ojblbgdg.exe67⤵PID:1924
-
C:\Windows\SysWOW64\Olchjp32.exeC:\Windows\system32\Olchjp32.exe68⤵PID:776
-
C:\Windows\SysWOW64\Opodknco.exeC:\Windows\system32\Opodknco.exe69⤵PID:1488
-
C:\Windows\SysWOW64\Obmpgjbb.exeC:\Windows\system32\Obmpgjbb.exe70⤵
- System Location Discovery: System Language Discovery
PID:2792 -
C:\Windows\SysWOW64\Oekmceaf.exeC:\Windows\system32\Oekmceaf.exe71⤵PID:2808
-
C:\Windows\SysWOW64\Ombddbah.exeC:\Windows\system32\Ombddbah.exe72⤵
- System Location Discovery: System Language Discovery
PID:2868 -
C:\Windows\SysWOW64\Opaqpn32.exeC:\Windows\system32\Opaqpn32.exe73⤵
- Modifies registry class
PID:2512 -
C:\Windows\SysWOW64\Pfkimhhi.exeC:\Windows\system32\Pfkimhhi.exe74⤵PID:1004
-
C:\Windows\SysWOW64\Phledp32.exeC:\Windows\system32\Phledp32.exe75⤵PID:1820
-
C:\Windows\SysWOW64\Ppcmfn32.exeC:\Windows\system32\Ppcmfn32.exe76⤵PID:1652
-
C:\Windows\SysWOW64\Pbajbi32.exeC:\Windows\system32\Pbajbi32.exe77⤵PID:2456
-
C:\Windows\SysWOW64\Padjmfdg.exeC:\Windows\system32\Padjmfdg.exe78⤵PID:2152
-
C:\Windows\SysWOW64\Pilbocej.exeC:\Windows\system32\Pilbocej.exe79⤵PID:2332
-
C:\Windows\SysWOW64\Pjmnfk32.exeC:\Windows\system32\Pjmnfk32.exe80⤵PID:2024
-
C:\Windows\SysWOW64\Pbdfgilj.exeC:\Windows\system32\Pbdfgilj.exe81⤵PID:2928
-
C:\Windows\SysWOW64\Pebbcdkn.exeC:\Windows\system32\Pebbcdkn.exe82⤵PID:2552
-
C:\Windows\SysWOW64\Phaoppja.exeC:\Windows\system32\Phaoppja.exe83⤵PID:1756
-
C:\Windows\SysWOW64\Pnkglj32.exeC:\Windows\system32\Pnkglj32.exe84⤵PID:2492
-
C:\Windows\SysWOW64\Paiche32.exeC:\Windows\system32\Paiche32.exe85⤵PID:1484
-
C:\Windows\SysWOW64\Phcleoho.exeC:\Windows\system32\Phcleoho.exe86⤵PID:2780
-
C:\Windows\SysWOW64\Pjahakgb.exeC:\Windows\system32\Pjahakgb.exe87⤵PID:2740
-
C:\Windows\SysWOW64\Palpneop.exeC:\Windows\system32\Palpneop.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2864 -
C:\Windows\SysWOW64\Pdjljpnc.exeC:\Windows\system32\Pdjljpnc.exe89⤵PID:2696
-
C:\Windows\SysWOW64\Qjddgj32.exeC:\Windows\system32\Qjddgj32.exe90⤵PID:1228
-
C:\Windows\SysWOW64\Qigebglj.exeC:\Windows\system32\Qigebglj.exe91⤵PID:2080
-
C:\Windows\SysWOW64\Qanmcdlm.exeC:\Windows\system32\Qanmcdlm.exe92⤵PID:540
-
C:\Windows\SysWOW64\Qboikm32.exeC:\Windows\system32\Qboikm32.exe93⤵PID:948
-
C:\Windows\SysWOW64\Qjfalj32.exeC:\Windows\system32\Qjfalj32.exe94⤵PID:1632
-
C:\Windows\SysWOW64\Qiiahgjh.exeC:\Windows\system32\Qiiahgjh.exe95⤵PID:1144
-
C:\Windows\SysWOW64\Qpcjeaad.exeC:\Windows\system32\Qpcjeaad.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1424 -
C:\Windows\SysWOW64\Qbafalph.exeC:\Windows\system32\Qbafalph.exe97⤵PID:2076
-
C:\Windows\SysWOW64\Aiknnf32.exeC:\Windows\system32\Aiknnf32.exe98⤵PID:1536
-
C:\Windows\SysWOW64\Amgjnepn.exeC:\Windows\system32\Amgjnepn.exe99⤵
- Modifies registry class
PID:1480 -
C:\Windows\SysWOW64\Aohgfm32.exeC:\Windows\system32\Aohgfm32.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2396 -
C:\Windows\SysWOW64\Afpogk32.exeC:\Windows\system32\Afpogk32.exe101⤵PID:2744
-
C:\Windows\SysWOW64\Ainkcf32.exeC:\Windows\system32\Ainkcf32.exe102⤵PID:2268
-
C:\Windows\SysWOW64\Ahqkocmm.exeC:\Windows\system32\Ahqkocmm.exe103⤵PID:2280
-
C:\Windows\SysWOW64\Aokckm32.exeC:\Windows\system32\Aokckm32.exe104⤵
- Modifies registry class
PID:1572 -
C:\Windows\SysWOW64\Aaipghcn.exeC:\Windows\system32\Aaipghcn.exe105⤵PID:328
-
C:\Windows\SysWOW64\Aipgifcp.exeC:\Windows\system32\Aipgifcp.exe106⤵PID:1524
-
C:\Windows\SysWOW64\Alodeacc.exeC:\Windows\system32\Alodeacc.exe107⤵
- Modifies registry class
PID:944 -
C:\Windows\SysWOW64\Abhlak32.exeC:\Windows\system32\Abhlak32.exe108⤵PID:1620
-
C:\Windows\SysWOW64\Adjhicpo.exeC:\Windows\system32\Adjhicpo.exe109⤵
- Modifies registry class
PID:1676 -
C:\Windows\SysWOW64\Ahedjb32.exeC:\Windows\system32\Ahedjb32.exe110⤵
- Modifies registry class
PID:1992 -
C:\Windows\SysWOW64\Aoomflpd.exeC:\Windows\system32\Aoomflpd.exe111⤵PID:2176
-
C:\Windows\SysWOW64\Anbmbi32.exeC:\Windows\system32\Anbmbi32.exe112⤵PID:2712
-
C:\Windows\SysWOW64\Ahhaobfe.exeC:\Windows\system32\Ahhaobfe.exe113⤵PID:2688
-
C:\Windows\SysWOW64\Aoaill32.exeC:\Windows\system32\Aoaill32.exe114⤵PID:2644
-
C:\Windows\SysWOW64\Bapfhg32.exeC:\Windows\system32\Bapfhg32.exe115⤵PID:2604
-
C:\Windows\SysWOW64\Bdobdc32.exeC:\Windows\system32\Bdobdc32.exe116⤵PID:1884
-
C:\Windows\SysWOW64\Bgmnpn32.exeC:\Windows\system32\Bgmnpn32.exe117⤵PID:1200
-
C:\Windows\SysWOW64\Bngfmhbj.exeC:\Windows\system32\Bngfmhbj.exe118⤵PID:2852
-
C:\Windows\SysWOW64\Bpebidam.exeC:\Windows\system32\Bpebidam.exe119⤵
- Drops file in System32 directory
PID:2136 -
C:\Windows\SysWOW64\Bccoeo32.exeC:\Windows\system32\Bccoeo32.exe120⤵PID:1748
-
C:\Windows\SysWOW64\Bgokfnij.exeC:\Windows\system32\Bgokfnij.exe121⤵PID:2548
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-