Analysis
-
max time kernel
122s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
25-12-2024 03:24
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
dc26a6e1c3ecb8b1b242d9eb0dbc9a23f62ec686e98dab06955c121d0cff12e8.exe
Resource
win7-20240903-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral2
Sample
dc26a6e1c3ecb8b1b242d9eb0dbc9a23f62ec686e98dab06955c121d0cff12e8.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
dc26a6e1c3ecb8b1b242d9eb0dbc9a23f62ec686e98dab06955c121d0cff12e8.exe
-
Size
74KB
-
MD5
9d56e3019eb1b242a8f49944d2c7dace
-
SHA1
0de6d9532da1fdb6656710fe39788e723c9fe04b
-
SHA256
dc26a6e1c3ecb8b1b242d9eb0dbc9a23f62ec686e98dab06955c121d0cff12e8
-
SHA512
9a9295ad8515b2869e205a98e897d54b6da017cd26ab2edd4eace25ad7f2f9346d1c18ba4042bed74fef853657bcf96393a45a100f7b202d5360d750833756ac
-
SSDEEP
1536:oi4z7bbnbAh4ZEvzy5NuiCgQx/VaxuV1X:q7vbC4qrOuiCfVzJ
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cnmehnan.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgagfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cdlgpgef.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icjhagdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Labkdack.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbidgeci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bjlqhoba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Biicik32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmjojo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fpcqaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kiqpop32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpmapm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aidnohbk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enakbp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejhlgaeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dfffnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ejmebq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Efcfga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jabbhcfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Meijhc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abjebn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbhela32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Chpmpg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgalqkbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gmdadnkh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkjfah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jdehon32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jqlhdo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qcbllb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckccgane.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fnfamcoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Abhimnma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Joaeeklp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Maedhd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eqgnokip.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fekpnn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfobbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hgmalg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Idnaoohk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jdgdempa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdcpdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mkmhaj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emkaol32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmbdnn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdniqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kkaiqk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nmnace32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ckccgane.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejkima32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kilfcpqm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hmdmcanc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbjbaa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekelld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ebodiofk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bblogakg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekhhadmk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnbbbffj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Laegiq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fidoim32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipllekdl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knpemf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfhladfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lfbpag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qcbllb32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2692 Pgioaa32.exe 2964 Qmfgjh32.exe 2624 Qjjgclai.exe 2756 Qcbllb32.exe 2660 Aipddi32.exe 3056 Abhimnma.exe 3064 Ahdaee32.exe 532 Abjebn32.exe 2648 Aidnohbk.exe 2764 Albjlcao.exe 2028 Aaobdjof.exe 2004 Ahikqd32.exe 1260 Anccmo32.exe 2980 Aemkjiem.exe 2492 Afohaa32.exe 1232 Amhpnkch.exe 752 Bdbhke32.exe 1820 Bjlqhoba.exe 328 Bmkmdk32.exe 1304 Bpiipf32.exe 1388 Bbhela32.exe 2532 Biamilfj.exe 2464 Bdgafdfp.exe 336 Bbjbaa32.exe 2116 Bpnbkeld.exe 1572 Bblogakg.exe 2812 Bghjhp32.exe 2796 Bldcpf32.exe 2840 Biicik32.exe 2604 Blgpef32.exe 2632 Ceodnl32.exe 1876 Clilkfnb.exe 3060 Cafecmlj.exe 768 Chpmpg32.exe 2388 Cojema32.exe 756 Cnmehnan.exe 2576 Cgejac32.exe 1724 Cjdfmo32.exe 1684 Cdikkg32.exe 1448 Ckccgane.exe 2256 Cldooj32.exe 1660 Cdlgpgef.exe 664 Djhphncm.exe 1152 Dlgldibq.exe 1396 Dpeekh32.exe 1628 Dbfabp32.exe 2112 Dknekeef.exe 1976 Dbhnhp32.exe 872 Dfdjhndl.exe 1588 Dhbfdjdp.exe 2864 Dkqbaecc.exe 2780 Dolnad32.exe 2584 Dfffnn32.exe 2036 Dhdcji32.exe 2684 Dkcofe32.exe 2336 Enakbp32.exe 652 Eqpgol32.exe 2900 Ehgppi32.exe 1288 Egjpkffe.exe 1644 Ekelld32.exe 2268 Ejhlgaeh.exe 1048 Ebodiofk.exe 900 Eqbddk32.exe 940 Ecqqpgli.exe -
Loads dropped DLL 64 IoCs
pid Process 2468 dc26a6e1c3ecb8b1b242d9eb0dbc9a23f62ec686e98dab06955c121d0cff12e8.exe 2468 dc26a6e1c3ecb8b1b242d9eb0dbc9a23f62ec686e98dab06955c121d0cff12e8.exe 2692 Pgioaa32.exe 2692 Pgioaa32.exe 2964 Qmfgjh32.exe 2964 Qmfgjh32.exe 2624 Qjjgclai.exe 2624 Qjjgclai.exe 2756 Qcbllb32.exe 2756 Qcbllb32.exe 2660 Aipddi32.exe 2660 Aipddi32.exe 3056 Abhimnma.exe 3056 Abhimnma.exe 3064 Ahdaee32.exe 3064 Ahdaee32.exe 532 Abjebn32.exe 532 Abjebn32.exe 2648 Aidnohbk.exe 2648 Aidnohbk.exe 2764 Albjlcao.exe 2764 Albjlcao.exe 2028 Aaobdjof.exe 2028 Aaobdjof.exe 2004 Ahikqd32.exe 2004 Ahikqd32.exe 1260 Anccmo32.exe 1260 Anccmo32.exe 2980 Aemkjiem.exe 2980 Aemkjiem.exe 2492 Afohaa32.exe 2492 Afohaa32.exe 1232 Amhpnkch.exe 1232 Amhpnkch.exe 752 Bdbhke32.exe 752 Bdbhke32.exe 1820 Bjlqhoba.exe 1820 Bjlqhoba.exe 328 Bmkmdk32.exe 328 Bmkmdk32.exe 1304 Bpiipf32.exe 1304 Bpiipf32.exe 1388 Bbhela32.exe 1388 Bbhela32.exe 2532 Biamilfj.exe 2532 Biamilfj.exe 2464 Bdgafdfp.exe 2464 Bdgafdfp.exe 336 Bbjbaa32.exe 336 Bbjbaa32.exe 2116 Bpnbkeld.exe 2116 Bpnbkeld.exe 1572 Bblogakg.exe 1572 Bblogakg.exe 2812 Bghjhp32.exe 2812 Bghjhp32.exe 2796 Bldcpf32.exe 2796 Bldcpf32.exe 2840 Biicik32.exe 2840 Biicik32.exe 2604 Blgpef32.exe 2604 Blgpef32.exe 2632 Ceodnl32.exe 2632 Ceodnl32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Dljnnb32.dll Idcokkak.exe File created C:\Windows\SysWOW64\Magqncba.exe Mmldme32.exe File opened for modification C:\Windows\SysWOW64\Lpjdjmfp.exe Lmlhnagm.exe File created C:\Windows\SysWOW64\Mahqjm32.dll Nlekia32.exe File opened for modification C:\Windows\SysWOW64\Ipgbjl32.exe Inifnq32.exe File opened for modification C:\Windows\SysWOW64\Jkjfah32.exe Jgojpjem.exe File created C:\Windows\SysWOW64\Mgalqkbk.exe Mdcpdp32.exe File opened for modification C:\Windows\SysWOW64\Ebjglbml.exe Eplkpgnh.exe File created C:\Windows\SysWOW64\Jbhnql32.dll Hpefdl32.exe File created C:\Windows\SysWOW64\Gmbdnn32.exe Gjdhbc32.exe File created C:\Windows\SysWOW64\Hfjiem32.dll Ljffag32.exe File created C:\Windows\SysWOW64\Keefji32.dll Bbjbaa32.exe File created C:\Windows\SysWOW64\Ppnidgoj.dll Fncdgcqm.exe File created C:\Windows\SysWOW64\Poceplpj.dll Lpjdjmfp.exe File created C:\Windows\SysWOW64\Ldhnfd32.dll Qmfgjh32.exe File created C:\Windows\SysWOW64\Ghcoqh32.exe Gedbdlbb.exe File created C:\Windows\SysWOW64\Jgojpjem.exe Jfnnha32.exe File opened for modification C:\Windows\SysWOW64\Kincipnk.exe Kfpgmdog.exe File created C:\Windows\SysWOW64\Mapjmehi.exe Moanaiie.exe File created C:\Windows\SysWOW64\Dkcinege.dll Hmdmcanc.exe File created C:\Windows\SysWOW64\Habfipdj.exe Hgmalg32.exe File created C:\Windows\SysWOW64\Nmmhnm32.dll Hoopae32.exe File created C:\Windows\SysWOW64\Knklagmb.exe Kohkfj32.exe File created C:\Windows\SysWOW64\Cldooj32.exe Ckccgane.exe File created C:\Windows\SysWOW64\Eqijej32.exe Ejobhppq.exe File created C:\Windows\SysWOW64\Dhffckeo.dll Mdcpdp32.exe File created C:\Windows\SysWOW64\Nmnace32.exe Nkpegi32.exe File created C:\Windows\SysWOW64\Dbfabp32.exe Dpeekh32.exe File created C:\Windows\SysWOW64\Hoopae32.exe Hdildlie.exe File created C:\Windows\SysWOW64\Jaqddb32.dll Emkaol32.exe File created C:\Windows\SysWOW64\Hdildlie.exe Hakphqja.exe File created C:\Windows\SysWOW64\Mpjmjp32.dll Igakgfpn.exe File created C:\Windows\SysWOW64\Nplmop32.exe Nmnace32.exe File opened for modification C:\Windows\SysWOW64\Qcbllb32.exe Qjjgclai.exe File created C:\Windows\SysWOW64\Clilkfnb.exe Ceodnl32.exe File created C:\Windows\SysWOW64\Iefmgahq.dll Bldcpf32.exe File created C:\Windows\SysWOW64\Fnkjhb32.exe Fjongcbl.exe File created C:\Windows\SysWOW64\Gjfdhbld.exe Gdllkhdg.exe File opened for modification C:\Windows\SysWOW64\Jdehon32.exe Jqilooij.exe File created C:\Windows\SysWOW64\Nelkpj32.dll Jdehon32.exe File opened for modification C:\Windows\SysWOW64\Ngibaj32.exe Ncmfqkdj.exe File opened for modification C:\Windows\SysWOW64\Bbjbaa32.exe Bdgafdfp.exe File created C:\Windows\SysWOW64\Okphjd32.dll Bghjhp32.exe File opened for modification C:\Windows\SysWOW64\Nplmop32.exe Nmnace32.exe File created C:\Windows\SysWOW64\Apbfblll.dll Lgjfkk32.exe File created C:\Windows\SysWOW64\Lndohedg.exe Ljibgg32.exe File created C:\Windows\SysWOW64\Bghjhp32.exe Bblogakg.exe File created C:\Windows\SysWOW64\Hanlnp32.exe Hoopae32.exe File opened for modification C:\Windows\SysWOW64\Hdnepk32.exe Hapicp32.exe File opened for modification C:\Windows\SysWOW64\Ileiplhn.exe Idnaoohk.exe File opened for modification C:\Windows\SysWOW64\Kiijnq32.exe Kjfjbdle.exe File created C:\Windows\SysWOW64\Almjnp32.dll Mpmapm32.exe File opened for modification C:\Windows\SysWOW64\Pgioaa32.exe dc26a6e1c3ecb8b1b242d9eb0dbc9a23f62ec686e98dab06955c121d0cff12e8.exe File created C:\Windows\SysWOW64\Phccmbca.dll Amhpnkch.exe File opened for modification C:\Windows\SysWOW64\Dkqbaecc.exe Dhbfdjdp.exe File created C:\Windows\SysWOW64\Dfffnn32.exe Dolnad32.exe File created C:\Windows\SysWOW64\Eqpgol32.exe Enakbp32.exe File created C:\Windows\SysWOW64\Abkphdmd.dll Ehgppi32.exe File created C:\Windows\SysWOW64\Pefgcifd.dll Gedbdlbb.exe File created C:\Windows\SysWOW64\Higeofeq.dll Ghcoqh32.exe File opened for modification C:\Windows\SysWOW64\Bmkmdk32.exe Bjlqhoba.exe File opened for modification C:\Windows\SysWOW64\Blgpef32.exe Biicik32.exe File created C:\Windows\SysWOW64\Lhpbmi32.dll Hgmalg32.exe File created C:\Windows\SysWOW64\Eiiddiab.dll Jnicmdli.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3208 3112 WerFault.exe 294 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ieidmbcc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ileiplhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Joaeeklp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Migbnb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjdhbc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amhpnkch.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cojema32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgmalg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdgdempa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmjojo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Labkdack.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdcpdp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahikqd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdlgpgef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enakbp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbfdaigg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cafecmlj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgjefg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knklagmb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Albjlcao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fglipi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgojpjem.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdbkjn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdbhke32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npagjpcd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iipgcaob.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdnepk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qcbllb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbfabp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hoopae32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hapicp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aemkjiem.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghcoqh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iamimc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhqbkhch.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iapebchh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkolkk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbdjbaea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbidgeci.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejhlgaeh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlcbenjb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lapnnafn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpcqaf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdjpeifj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iefhhbef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kilfcpqm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nenobfak.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aaobdjof.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnfamcoj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fagjnn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdacop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afohaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dolnad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eccmffjf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fncdgcqm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnkjhb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipgbjl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idcokkak.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnmehnan.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhbfdjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgejac32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Figlolbf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnbbbffj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfpclh32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cldooj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idnmhkin.dll" Hapicp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgalgjnb.dll" Jdbkjn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jfiale32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcacch32.dll" Kilfcpqm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kfpgmdog.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ljmlbfhi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bdgafdfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llcohjcg.dll" Modkfi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gmpgio32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kocbkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfkdmglc.dll" Magqncba.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fbdjbaea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njmggi32.dll" Ejhlgaeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ichllgfb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jnicmdli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ljibgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bpnbkeld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jnmlhchd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kfmjgeaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elonamqm.dll" Mmldme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gakcimgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfacfkje.dll" Djhphncm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gmdadnkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Maedhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bmkmdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ilncom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lafcif32.dll" Ihgainbg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jdgdempa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lnbbbffj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lpjdjmfp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mabgcd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Npagjpcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdilpjih.dll" Eojnkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oegjkb32.dll" Bdbhke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Emkaol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpfhnffp.dll" Fbmcbbki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehdqecfo.dll" Gfmemc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnhqpo32.dll" Ieidmbcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiemmk32.dll" Jfnnha32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kiqpop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qjjgclai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aadlcdpk.dll" Linphc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lnbbbffj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjhhpp32.dll" Cafecmlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khknah32.dll" Ebjglbml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fglipi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gdllkhdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bipikqbi.dll" Joaeeklp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deeieqod.dll" Kgemplap.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Magqncba.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Clilkfnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Chpmpg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cdlgpgef.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dkcofe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odmfgh32.dll" Hdlhjl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Joaeeklp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mpjqiq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmbckb32.dll" Ncmfqkdj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qcbllb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bdgafdfp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ffklhqao.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gjakmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhhbld32.dll" Gpejeihi.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2468 wrote to memory of 2692 2468 dc26a6e1c3ecb8b1b242d9eb0dbc9a23f62ec686e98dab06955c121d0cff12e8.exe 30 PID 2468 wrote to memory of 2692 2468 dc26a6e1c3ecb8b1b242d9eb0dbc9a23f62ec686e98dab06955c121d0cff12e8.exe 30 PID 2468 wrote to memory of 2692 2468 dc26a6e1c3ecb8b1b242d9eb0dbc9a23f62ec686e98dab06955c121d0cff12e8.exe 30 PID 2468 wrote to memory of 2692 2468 dc26a6e1c3ecb8b1b242d9eb0dbc9a23f62ec686e98dab06955c121d0cff12e8.exe 30 PID 2692 wrote to memory of 2964 2692 Pgioaa32.exe 31 PID 2692 wrote to memory of 2964 2692 Pgioaa32.exe 31 PID 2692 wrote to memory of 2964 2692 Pgioaa32.exe 31 PID 2692 wrote to memory of 2964 2692 Pgioaa32.exe 31 PID 2964 wrote to memory of 2624 2964 Qmfgjh32.exe 32 PID 2964 wrote to memory of 2624 2964 Qmfgjh32.exe 32 PID 2964 wrote to memory of 2624 2964 Qmfgjh32.exe 32 PID 2964 wrote to memory of 2624 2964 Qmfgjh32.exe 32 PID 2624 wrote to memory of 2756 2624 Qjjgclai.exe 33 PID 2624 wrote to memory of 2756 2624 Qjjgclai.exe 33 PID 2624 wrote to memory of 2756 2624 Qjjgclai.exe 33 PID 2624 wrote to memory of 2756 2624 Qjjgclai.exe 33 PID 2756 wrote to memory of 2660 2756 Qcbllb32.exe 34 PID 2756 wrote to memory of 2660 2756 Qcbllb32.exe 34 PID 2756 wrote to memory of 2660 2756 Qcbllb32.exe 34 PID 2756 wrote to memory of 2660 2756 Qcbllb32.exe 34 PID 2660 wrote to memory of 3056 2660 Aipddi32.exe 35 PID 2660 wrote to memory of 3056 2660 Aipddi32.exe 35 PID 2660 wrote to memory of 3056 2660 Aipddi32.exe 35 PID 2660 wrote to memory of 3056 2660 Aipddi32.exe 35 PID 3056 wrote to memory of 3064 3056 Abhimnma.exe 36 PID 3056 wrote to memory of 3064 3056 Abhimnma.exe 36 PID 3056 wrote to memory of 3064 3056 Abhimnma.exe 36 PID 3056 wrote to memory of 3064 3056 Abhimnma.exe 36 PID 3064 wrote to memory of 532 3064 Ahdaee32.exe 37 PID 3064 wrote to memory of 532 3064 Ahdaee32.exe 37 PID 3064 wrote to memory of 532 3064 Ahdaee32.exe 37 PID 3064 wrote to memory of 532 3064 Ahdaee32.exe 37 PID 532 wrote to memory of 2648 532 Abjebn32.exe 38 PID 532 wrote to memory of 2648 532 Abjebn32.exe 38 PID 532 wrote to memory of 2648 532 Abjebn32.exe 38 PID 532 wrote to memory of 2648 532 Abjebn32.exe 38 PID 2648 wrote to memory of 2764 2648 Aidnohbk.exe 39 PID 2648 wrote to memory of 2764 2648 Aidnohbk.exe 39 PID 2648 wrote to memory of 2764 2648 Aidnohbk.exe 39 PID 2648 wrote to memory of 2764 2648 Aidnohbk.exe 39 PID 2764 wrote to memory of 2028 2764 Albjlcao.exe 40 PID 2764 wrote to memory of 2028 2764 Albjlcao.exe 40 PID 2764 wrote to memory of 2028 2764 Albjlcao.exe 40 PID 2764 wrote to memory of 2028 2764 Albjlcao.exe 40 PID 2028 wrote to memory of 2004 2028 Aaobdjof.exe 41 PID 2028 wrote to memory of 2004 2028 Aaobdjof.exe 41 PID 2028 wrote to memory of 2004 2028 Aaobdjof.exe 41 PID 2028 wrote to memory of 2004 2028 Aaobdjof.exe 41 PID 2004 wrote to memory of 1260 2004 Ahikqd32.exe 42 PID 2004 wrote to memory of 1260 2004 Ahikqd32.exe 42 PID 2004 wrote to memory of 1260 2004 Ahikqd32.exe 42 PID 2004 wrote to memory of 1260 2004 Ahikqd32.exe 42 PID 1260 wrote to memory of 2980 1260 Anccmo32.exe 43 PID 1260 wrote to memory of 2980 1260 Anccmo32.exe 43 PID 1260 wrote to memory of 2980 1260 Anccmo32.exe 43 PID 1260 wrote to memory of 2980 1260 Anccmo32.exe 43 PID 2980 wrote to memory of 2492 2980 Aemkjiem.exe 44 PID 2980 wrote to memory of 2492 2980 Aemkjiem.exe 44 PID 2980 wrote to memory of 2492 2980 Aemkjiem.exe 44 PID 2980 wrote to memory of 2492 2980 Aemkjiem.exe 44 PID 2492 wrote to memory of 1232 2492 Afohaa32.exe 45 PID 2492 wrote to memory of 1232 2492 Afohaa32.exe 45 PID 2492 wrote to memory of 1232 2492 Afohaa32.exe 45 PID 2492 wrote to memory of 1232 2492 Afohaa32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\dc26a6e1c3ecb8b1b242d9eb0dbc9a23f62ec686e98dab06955c121d0cff12e8.exe"C:\Users\Admin\AppData\Local\Temp\dc26a6e1c3ecb8b1b242d9eb0dbc9a23f62ec686e98dab06955c121d0cff12e8.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2468 -
C:\Windows\SysWOW64\Pgioaa32.exeC:\Windows\system32\Pgioaa32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\Windows\SysWOW64\Qmfgjh32.exeC:\Windows\system32\Qmfgjh32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2964 -
C:\Windows\SysWOW64\Qjjgclai.exeC:\Windows\system32\Qjjgclai.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2624 -
C:\Windows\SysWOW64\Qcbllb32.exeC:\Windows\system32\Qcbllb32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2756 -
C:\Windows\SysWOW64\Aipddi32.exeC:\Windows\system32\Aipddi32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2660 -
C:\Windows\SysWOW64\Abhimnma.exeC:\Windows\system32\Abhimnma.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3056 -
C:\Windows\SysWOW64\Ahdaee32.exeC:\Windows\system32\Ahdaee32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3064 -
C:\Windows\SysWOW64\Abjebn32.exeC:\Windows\system32\Abjebn32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:532 -
C:\Windows\SysWOW64\Aidnohbk.exeC:\Windows\system32\Aidnohbk.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2648 -
C:\Windows\SysWOW64\Albjlcao.exeC:\Windows\system32\Albjlcao.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2764 -
C:\Windows\SysWOW64\Aaobdjof.exeC:\Windows\system32\Aaobdjof.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2028 -
C:\Windows\SysWOW64\Ahikqd32.exeC:\Windows\system32\Ahikqd32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2004 -
C:\Windows\SysWOW64\Anccmo32.exeC:\Windows\system32\Anccmo32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1260 -
C:\Windows\SysWOW64\Aemkjiem.exeC:\Windows\system32\Aemkjiem.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2980 -
C:\Windows\SysWOW64\Afohaa32.exeC:\Windows\system32\Afohaa32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2492 -
C:\Windows\SysWOW64\Amhpnkch.exeC:\Windows\system32\Amhpnkch.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1232 -
C:\Windows\SysWOW64\Bdbhke32.exeC:\Windows\system32\Bdbhke32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:752 -
C:\Windows\SysWOW64\Bjlqhoba.exeC:\Windows\system32\Bjlqhoba.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1820 -
C:\Windows\SysWOW64\Bmkmdk32.exeC:\Windows\system32\Bmkmdk32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:328 -
C:\Windows\SysWOW64\Bpiipf32.exeC:\Windows\system32\Bpiipf32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1304 -
C:\Windows\SysWOW64\Bbhela32.exeC:\Windows\system32\Bbhela32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1388 -
C:\Windows\SysWOW64\Biamilfj.exeC:\Windows\system32\Biamilfj.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2532 -
C:\Windows\SysWOW64\Bdgafdfp.exeC:\Windows\system32\Bdgafdfp.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2464 -
C:\Windows\SysWOW64\Bbjbaa32.exeC:\Windows\system32\Bbjbaa32.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:336 -
C:\Windows\SysWOW64\Bpnbkeld.exeC:\Windows\system32\Bpnbkeld.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2116 -
C:\Windows\SysWOW64\Bblogakg.exeC:\Windows\system32\Bblogakg.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1572 -
C:\Windows\SysWOW64\Bghjhp32.exeC:\Windows\system32\Bghjhp32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2812 -
C:\Windows\SysWOW64\Bldcpf32.exeC:\Windows\system32\Bldcpf32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2796 -
C:\Windows\SysWOW64\Biicik32.exeC:\Windows\system32\Biicik32.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2840 -
C:\Windows\SysWOW64\Blgpef32.exeC:\Windows\system32\Blgpef32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2604 -
C:\Windows\SysWOW64\Ceodnl32.exeC:\Windows\system32\Ceodnl32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2632 -
C:\Windows\SysWOW64\Clilkfnb.exeC:\Windows\system32\Clilkfnb.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:1876 -
C:\Windows\SysWOW64\Cafecmlj.exeC:\Windows\system32\Cafecmlj.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3060 -
C:\Windows\SysWOW64\Chpmpg32.exeC:\Windows\system32\Chpmpg32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:768 -
C:\Windows\SysWOW64\Cojema32.exeC:\Windows\system32\Cojema32.exe36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2388 -
C:\Windows\SysWOW64\Cnmehnan.exeC:\Windows\system32\Cnmehnan.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:756 -
C:\Windows\SysWOW64\Cgejac32.exeC:\Windows\system32\Cgejac32.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2576 -
C:\Windows\SysWOW64\Cjdfmo32.exeC:\Windows\system32\Cjdfmo32.exe39⤵
- Executes dropped EXE
PID:1724 -
C:\Windows\SysWOW64\Cdikkg32.exeC:\Windows\system32\Cdikkg32.exe40⤵
- Executes dropped EXE
PID:1684 -
C:\Windows\SysWOW64\Ckccgane.exeC:\Windows\system32\Ckccgane.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1448 -
C:\Windows\SysWOW64\Cldooj32.exeC:\Windows\system32\Cldooj32.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:2256 -
C:\Windows\SysWOW64\Cdlgpgef.exeC:\Windows\system32\Cdlgpgef.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1660 -
C:\Windows\SysWOW64\Djhphncm.exeC:\Windows\system32\Djhphncm.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:664 -
C:\Windows\SysWOW64\Dlgldibq.exeC:\Windows\system32\Dlgldibq.exe45⤵
- Executes dropped EXE
PID:1152 -
C:\Windows\SysWOW64\Dpeekh32.exeC:\Windows\system32\Dpeekh32.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1396 -
C:\Windows\SysWOW64\Dbfabp32.exeC:\Windows\system32\Dbfabp32.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1628 -
C:\Windows\SysWOW64\Dknekeef.exeC:\Windows\system32\Dknekeef.exe48⤵
- Executes dropped EXE
PID:2112 -
C:\Windows\SysWOW64\Dbhnhp32.exeC:\Windows\system32\Dbhnhp32.exe49⤵
- Executes dropped EXE
PID:1976 -
C:\Windows\SysWOW64\Dfdjhndl.exeC:\Windows\system32\Dfdjhndl.exe50⤵
- Executes dropped EXE
PID:872 -
C:\Windows\SysWOW64\Dhbfdjdp.exeC:\Windows\system32\Dhbfdjdp.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1588 -
C:\Windows\SysWOW64\Dkqbaecc.exeC:\Windows\system32\Dkqbaecc.exe52⤵
- Executes dropped EXE
PID:2864 -
C:\Windows\SysWOW64\Dolnad32.exeC:\Windows\system32\Dolnad32.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2780 -
C:\Windows\SysWOW64\Dfffnn32.exeC:\Windows\system32\Dfffnn32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2584 -
C:\Windows\SysWOW64\Dhdcji32.exeC:\Windows\system32\Dhdcji32.exe55⤵
- Executes dropped EXE
PID:2036 -
C:\Windows\SysWOW64\Dkcofe32.exeC:\Windows\system32\Dkcofe32.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:2684 -
C:\Windows\SysWOW64\Enakbp32.exeC:\Windows\system32\Enakbp32.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2336 -
C:\Windows\SysWOW64\Eqpgol32.exeC:\Windows\system32\Eqpgol32.exe58⤵
- Executes dropped EXE
PID:652 -
C:\Windows\SysWOW64\Ehgppi32.exeC:\Windows\system32\Ehgppi32.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2900 -
C:\Windows\SysWOW64\Egjpkffe.exeC:\Windows\system32\Egjpkffe.exe60⤵
- Executes dropped EXE
PID:1288 -
C:\Windows\SysWOW64\Ekelld32.exeC:\Windows\system32\Ekelld32.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1644 -
C:\Windows\SysWOW64\Ejhlgaeh.exeC:\Windows\system32\Ejhlgaeh.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2268 -
C:\Windows\SysWOW64\Ebodiofk.exeC:\Windows\system32\Ebodiofk.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1048 -
C:\Windows\SysWOW64\Eqbddk32.exeC:\Windows\system32\Eqbddk32.exe64⤵
- Executes dropped EXE
PID:900 -
C:\Windows\SysWOW64\Ecqqpgli.exeC:\Windows\system32\Ecqqpgli.exe65⤵
- Executes dropped EXE
PID:940 -
C:\Windows\SysWOW64\Ekhhadmk.exeC:\Windows\system32\Ekhhadmk.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:552 -
C:\Windows\SysWOW64\Ejkima32.exeC:\Windows\system32\Ejkima32.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1372 -
C:\Windows\SysWOW64\Emieil32.exeC:\Windows\system32\Emieil32.exe68⤵PID:2052
-
C:\Windows\SysWOW64\Eccmffjf.exeC:\Windows\system32\Eccmffjf.exe69⤵
- System Location Discovery: System Language Discovery
PID:2996 -
C:\Windows\SysWOW64\Efaibbij.exeC:\Windows\system32\Efaibbij.exe70⤵PID:2696
-
C:\Windows\SysWOW64\Ejmebq32.exeC:\Windows\system32\Ejmebq32.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2868 -
C:\Windows\SysWOW64\Emkaol32.exeC:\Windows\system32\Emkaol32.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2724 -
C:\Windows\SysWOW64\Eqgnokip.exeC:\Windows\system32\Eqgnokip.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2760 -
C:\Windows\SysWOW64\Eojnkg32.exeC:\Windows\system32\Eojnkg32.exe74⤵
- Modifies registry class
PID:2232 -
C:\Windows\SysWOW64\Efcfga32.exeC:\Windows\system32\Efcfga32.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2180 -
C:\Windows\SysWOW64\Ejobhppq.exeC:\Windows\system32\Ejobhppq.exe76⤵
- Drops file in System32 directory
PID:1664 -
C:\Windows\SysWOW64\Eqijej32.exeC:\Windows\system32\Eqijej32.exe77⤵PID:2848
-
C:\Windows\SysWOW64\Eplkpgnh.exeC:\Windows\system32\Eplkpgnh.exe78⤵
- Drops file in System32 directory
PID:2912 -
C:\Windows\SysWOW64\Ebjglbml.exeC:\Windows\system32\Ebjglbml.exe79⤵
- Modifies registry class
PID:1764 -
C:\Windows\SysWOW64\Fidoim32.exeC:\Windows\system32\Fidoim32.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2404 -
C:\Windows\SysWOW64\Fpngfgle.exeC:\Windows\system32\Fpngfgle.exe81⤵PID:1016
-
C:\Windows\SysWOW64\Fbmcbbki.exeC:\Windows\system32\Fbmcbbki.exe82⤵
- Modifies registry class
PID:836 -
C:\Windows\SysWOW64\Fekpnn32.exeC:\Windows\system32\Fekpnn32.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1156 -
C:\Windows\SysWOW64\Figlolbf.exeC:\Windows\system32\Figlolbf.exe84⤵
- System Location Discovery: System Language Discovery
PID:2672 -
C:\Windows\SysWOW64\Fncdgcqm.exeC:\Windows\system32\Fncdgcqm.exe85⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:884 -
C:\Windows\SysWOW64\Ffklhqao.exeC:\Windows\system32\Ffklhqao.exe86⤵
- Modifies registry class
PID:2856 -
C:\Windows\SysWOW64\Fiihdlpc.exeC:\Windows\system32\Fiihdlpc.exe87⤵PID:2872
-
C:\Windows\SysWOW64\Fglipi32.exeC:\Windows\system32\Fglipi32.exe88⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2652 -
C:\Windows\SysWOW64\Fpcqaf32.exeC:\Windows\system32\Fpcqaf32.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:3020 -
C:\Windows\SysWOW64\Fnfamcoj.exeC:\Windows\system32\Fnfamcoj.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1032 -
C:\Windows\SysWOW64\Fadminnn.exeC:\Windows\system32\Fadminnn.exe91⤵PID:2340
-
C:\Windows\SysWOW64\Fepiimfg.exeC:\Windows\system32\Fepiimfg.exe92⤵PID:1604
-
C:\Windows\SysWOW64\Fhneehek.exeC:\Windows\system32\Fhneehek.exe93⤵PID:1740
-
C:\Windows\SysWOW64\Fjmaaddo.exeC:\Windows\system32\Fjmaaddo.exe94⤵PID:1992
-
C:\Windows\SysWOW64\Fbdjbaea.exeC:\Windows\system32\Fbdjbaea.exe95⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2224 -
C:\Windows\SysWOW64\Fagjnn32.exeC:\Windows\system32\Fagjnn32.exe96⤵
- System Location Discovery: System Language Discovery
PID:444 -
C:\Windows\SysWOW64\Fhqbkhch.exeC:\Windows\system32\Fhqbkhch.exe97⤵
- System Location Discovery: System Language Discovery
PID:1540 -
C:\Windows\SysWOW64\Fjongcbl.exeC:\Windows\system32\Fjongcbl.exe98⤵
- Drops file in System32 directory
PID:904 -
C:\Windows\SysWOW64\Fnkjhb32.exeC:\Windows\system32\Fnkjhb32.exe99⤵
- System Location Discovery: System Language Discovery
PID:2560 -
C:\Windows\SysWOW64\Gedbdlbb.exeC:\Windows\system32\Gedbdlbb.exe100⤵
- Drops file in System32 directory
PID:1228 -
C:\Windows\SysWOW64\Ghcoqh32.exeC:\Windows\system32\Ghcoqh32.exe101⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2716 -
C:\Windows\SysWOW64\Gjakmc32.exeC:\Windows\system32\Gjakmc32.exe102⤵
- Modifies registry class
PID:2752 -
C:\Windows\SysWOW64\Gmpgio32.exeC:\Windows\system32\Gmpgio32.exe103⤵
- Modifies registry class
PID:2920 -
C:\Windows\SysWOW64\Gakcimgf.exeC:\Windows\system32\Gakcimgf.exe104⤵
- Modifies registry class
PID:1672 -
C:\Windows\SysWOW64\Gdjpeifj.exeC:\Windows\system32\Gdjpeifj.exe105⤵
- System Location Discovery: System Language Discovery
PID:1212 -
C:\Windows\SysWOW64\Gfhladfn.exeC:\Windows\system32\Gfhladfn.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1688 -
C:\Windows\SysWOW64\Gjdhbc32.exeC:\Windows\system32\Gjdhbc32.exe107⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2992 -
C:\Windows\SysWOW64\Gmbdnn32.exeC:\Windows\system32\Gmbdnn32.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1384 -
C:\Windows\SysWOW64\Gdllkhdg.exeC:\Windows\system32\Gdllkhdg.exe109⤵
- Drops file in System32 directory
- Modifies registry class
PID:1616 -
C:\Windows\SysWOW64\Gjfdhbld.exeC:\Windows\system32\Gjfdhbld.exe110⤵PID:2376
-
C:\Windows\SysWOW64\Gmdadnkh.exeC:\Windows\system32\Gmdadnkh.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3000 -
C:\Windows\SysWOW64\Glgaok32.exeC:\Windows\system32\Glgaok32.exe112⤵PID:2960
-
C:\Windows\SysWOW64\Gdniqh32.exeC:\Windows\system32\Gdniqh32.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1700 -
C:\Windows\SysWOW64\Gfmemc32.exeC:\Windows\system32\Gfmemc32.exe114⤵
- Modifies registry class
PID:2432 -
C:\Windows\SysWOW64\Gikaio32.exeC:\Windows\system32\Gikaio32.exe115⤵PID:2072
-
C:\Windows\SysWOW64\Gpejeihi.exeC:\Windows\system32\Gpejeihi.exe116⤵
- Modifies registry class
PID:1108 -
C:\Windows\SysWOW64\Gfobbc32.exeC:\Windows\system32\Gfobbc32.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2412 -
C:\Windows\SysWOW64\Ginnnooi.exeC:\Windows\system32\Ginnnooi.exe118⤵PID:2984
-
C:\Windows\SysWOW64\Ghqnjk32.exeC:\Windows\system32\Ghqnjk32.exe119⤵PID:876
-
C:\Windows\SysWOW64\Hpgfki32.exeC:\Windows\system32\Hpgfki32.exe120⤵PID:1340
-
C:\Windows\SysWOW64\Hojgfemq.exeC:\Windows\system32\Hojgfemq.exe121⤵PID:2728
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-