Analysis
-
max time kernel
95s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
02-10-2024 01:40
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
99807b5c6cb3c8bef27c03f67dd5b8716f84735e6202526374f01513889682a5N.exe
Resource
win7-20240903-en
windows7-x64
9 signatures
120 seconds
Behavioral task
behavioral2
Sample
99807b5c6cb3c8bef27c03f67dd5b8716f84735e6202526374f01513889682a5N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
8 signatures
120 seconds
General
-
Target
99807b5c6cb3c8bef27c03f67dd5b8716f84735e6202526374f01513889682a5N.exe
-
Size
128KB
-
MD5
ff7ded352ac10e21d83c2b37a3ced8a0
-
SHA1
d21fd9517e7c95fe937e1b2af7e8622087450c3c
-
SHA256
99807b5c6cb3c8bef27c03f67dd5b8716f84735e6202526374f01513889682a5
-
SHA512
12c8938d794e147da24d55522ef365c1c327767b564c35b5897fa980301bf9d555d945165e411b0a717f3c04f469982ecaf9924aee21660de00ac23fb9c93df9
-
SSDEEP
3072:VXPWZjw2H3fcOQBeilj9pui6yYPaI7DehizrVtN:VXPWZc2H3fxQUepui6yYPaIGc
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://viruslist.com/wcmd.txt
http://viruslist.com/ppslog.php
http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfpdcm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mogqlgbi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hqmmja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qhadob32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnjlcgnp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdejpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Laacmc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkjbcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gnfoao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ijmfiefj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Efkfbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mgnfgh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ockiklha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ngiikmmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Omeged32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmcfeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mncdhc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahjahk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gcifdj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nhalag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nbnmhe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aeedhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gpdide32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gljfeimi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbdiabcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hfkkmaol.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpohplpf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bklpglom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gljdlq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ephihbnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kpmkjlbi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnlhibff.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chkbjc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohofimje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qkolil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Phlaqc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iolojejd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qolmip32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oqdioaqf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pnebgcqb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kkiiom32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gknhlj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlofejig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mooppe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Oeobfgak.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbadcdgp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jflfbdqe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfhpkbbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Eaclgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ecibjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lhlgaedj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Poapbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Afmack32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkbhfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Iolojejd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amcfpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gndedhdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pgionbbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mdjppnkk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adkaib32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikeldenf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ijpjik32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlgodgnk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpabgb32.exe -
Executes dropped EXE 64 IoCs
pid Process 2204 Mhpigk32.exe 2400 Mbhnpplb.exe 2828 Mffgfo32.exe 2744 Mhgpgjoj.exe 2656 Njjieace.exe 2676 Nkjeod32.exe 2692 Nfcfob32.exe 1028 Ncggifep.exe 1976 Ofklpa32.exe 2884 Obamebfc.exe 1704 Ohqbbi32.exe 2408 Pegpamoo.exe 1640 Pfjiod32.exe 2380 Pfmeddag.exe 2152 Pojgnf32.exe 1996 Qbhpddbf.exe 2496 Qdlialfb.exe 1036 Ahjahk32.exe 2388 Ahlnmjkf.exe 1352 Aimkeb32.exe 1772 Akmgoehg.exe 1464 Agchdfmk.exe 2372 Bjdqfajl.exe 1516 Bapejd32.exe 2596 Bhljlnma.exe 872 Bdbkaoce.exe 2220 Cjbpoeoj.exe 2976 Cghmni32.exe 960 Cjifpdib.exe 2232 Ccakij32.exe 2776 Dnpedghl.exe 2720 Djffihmp.exe 2792 Dabkla32.exe 2640 Eaegaaah.exe 3064 Ejpipf32.exe 1800 Elaego32.exe 2156 Eiefqc32.exe 2972 Ebmjihqn.exe 2188 Epakcm32.exe 1796 Fofhdidp.exe 2548 Fdemap32.exe 2316 Fdjfmolo.exe 3004 Gcocnk32.exe 996 Gljdlq32.exe 2112 Gcdmikma.exe 2248 Geeekf32.exe 1852 Gkancm32.exe 912 Gcifdj32.exe 2340 Hdloab32.exe 2332 Hdolga32.exe 1808 Hbblpf32.exe 2284 Hkkaik32.exe 2840 Hmojfcdk.exe 2768 Igdndl32.exe 2304 Iiekkdjo.exe 2620 Ibnodj32.exe 1588 Icmlnmgb.exe 2888 Imepgbnc.exe 1868 Iodlcnmf.exe 2864 Ikkmho32.exe 1828 Ibeeeijg.exe 432 Ijpjik32.exe 2268 Jgdkbo32.exe 2796 Jmqckf32.exe -
Loads dropped DLL 64 IoCs
pid Process 2352 99807b5c6cb3c8bef27c03f67dd5b8716f84735e6202526374f01513889682a5N.exe 2352 99807b5c6cb3c8bef27c03f67dd5b8716f84735e6202526374f01513889682a5N.exe 2204 Mhpigk32.exe 2204 Mhpigk32.exe 2400 Mbhnpplb.exe 2400 Mbhnpplb.exe 2828 Mffgfo32.exe 2828 Mffgfo32.exe 2744 Mhgpgjoj.exe 2744 Mhgpgjoj.exe 2656 Njjieace.exe 2656 Njjieace.exe 2676 Nkjeod32.exe 2676 Nkjeod32.exe 2692 Nfcfob32.exe 2692 Nfcfob32.exe 1028 Ncggifep.exe 1028 Ncggifep.exe 1976 Ofklpa32.exe 1976 Ofklpa32.exe 2884 Obamebfc.exe 2884 Obamebfc.exe 1704 Ohqbbi32.exe 1704 Ohqbbi32.exe 2408 Pegpamoo.exe 2408 Pegpamoo.exe 1640 Pfjiod32.exe 1640 Pfjiod32.exe 2380 Pfmeddag.exe 2380 Pfmeddag.exe 2152 Pojgnf32.exe 2152 Pojgnf32.exe 1996 Qbhpddbf.exe 1996 Qbhpddbf.exe 2496 Qdlialfb.exe 2496 Qdlialfb.exe 1036 Ahjahk32.exe 1036 Ahjahk32.exe 2388 Ahlnmjkf.exe 2388 Ahlnmjkf.exe 1352 Aimkeb32.exe 1352 Aimkeb32.exe 1772 Akmgoehg.exe 1772 Akmgoehg.exe 1464 Agchdfmk.exe 1464 Agchdfmk.exe 2372 Bjdqfajl.exe 2372 Bjdqfajl.exe 1516 Bapejd32.exe 1516 Bapejd32.exe 2596 Bhljlnma.exe 2596 Bhljlnma.exe 872 Bdbkaoce.exe 872 Bdbkaoce.exe 2220 Cjbpoeoj.exe 2220 Cjbpoeoj.exe 2976 Cghmni32.exe 2976 Cghmni32.exe 960 Cjifpdib.exe 960 Cjifpdib.exe 2232 Ccakij32.exe 2232 Ccakij32.exe 2776 Dnpedghl.exe 2776 Dnpedghl.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Licpki32.exe Lpkkbcle.exe File created C:\Windows\SysWOW64\Jfnchd32.exe Jflfbdqe.exe File opened for modification C:\Windows\SysWOW64\Nkkjpf32.exe Nlfmoidh.exe File opened for modification C:\Windows\SysWOW64\Dpldkf32.exe Debcjiod.exe File created C:\Windows\SysWOW64\Ahgipegh.dll Imepio32.exe File opened for modification C:\Windows\SysWOW64\Onejljep.exe Omcmda32.exe File opened for modification C:\Windows\SysWOW64\Fhkhoedh.exe Fppcjcfn.exe File created C:\Windows\SysWOW64\Acnhhp32.dll Bhfjgh32.exe File opened for modification C:\Windows\SysWOW64\Kbonmjph.exe Kbmahjbk.exe File created C:\Windows\SysWOW64\Ojlmgg32.exe Ognakk32.exe File created C:\Windows\SysWOW64\Opoonh32.dll Bbkmki32.exe File opened for modification C:\Windows\SysWOW64\Cfimnmoa.exe Ciemdiph.exe File opened for modification C:\Windows\SysWOW64\Oaecne32.exe Ongfai32.exe File created C:\Windows\SysWOW64\Eibdep32.dll Hfnhcami.exe File opened for modification C:\Windows\SysWOW64\Gohjnf32.exe Gepeep32.exe File opened for modification C:\Windows\SysWOW64\Aeljmq32.exe Aghidl32.exe File created C:\Windows\SysWOW64\Baecgdbj.exe Blhkon32.exe File created C:\Windows\SysWOW64\Jobompob.dll Ilianckh.exe File created C:\Windows\SysWOW64\Iilndc32.dll Jhchlcjj.exe File created C:\Windows\SysWOW64\Ncddjjgn.dll Egbcne32.exe File created C:\Windows\SysWOW64\Bjjmbe32.dll Gckmgi32.exe File opened for modification C:\Windows\SysWOW64\Ncpjnahm.exe Nncaejie.exe File created C:\Windows\SysWOW64\Gjpgaohl.dll Odjikh32.exe File opened for modification C:\Windows\SysWOW64\Opghmjfg.exe Oimpppoj.exe File opened for modification C:\Windows\SysWOW64\Jcaahofh.exe Jjimpj32.exe File opened for modification C:\Windows\SysWOW64\Jfnchd32.exe Jflfbdqe.exe File opened for modification C:\Windows\SysWOW64\Cpccnp32.exe Cbpbek32.exe File created C:\Windows\SysWOW64\Igcopdgo.dll Mlbokapi.exe File created C:\Windows\SysWOW64\Cjqigkfp.exe Coghfn32.exe File opened for modification C:\Windows\SysWOW64\Dljoac32.exe Depgeiag.exe File opened for modification C:\Windows\SysWOW64\Dbadcdgp.exe Dqpgll32.exe File created C:\Windows\SysWOW64\Ikfbai32.dll Pbaebh32.exe File opened for modification C:\Windows\SysWOW64\Fpgpjdnf.exe Fjkgampo.exe File created C:\Windows\SysWOW64\Oikhfd32.dll Dkggel32.exe File created C:\Windows\SysWOW64\Ehfkpkhl.dll Gmhibenb.exe File created C:\Windows\SysWOW64\Daelkakn.dll Anjqdd32.exe File created C:\Windows\SysWOW64\Kcflbpnn.exe Kjngjj32.exe File created C:\Windows\SysWOW64\Dalaeicf.exe Dpldkf32.exe File opened for modification C:\Windows\SysWOW64\Gcfiqgfp.exe Gqgmdkgm.exe File created C:\Windows\SysWOW64\Nqffoa32.exe Nngjbfpa.exe File created C:\Windows\SysWOW64\Ennlmb32.dll Ioibde32.exe File created C:\Windows\SysWOW64\Gepeep32.exe Goemhfco.exe File created C:\Windows\SysWOW64\Haadlh32.exe Hdmdcc32.exe File opened for modification C:\Windows\SysWOW64\Djffihmp.exe Dnpedghl.exe File opened for modification C:\Windows\SysWOW64\Hdloab32.exe Gcifdj32.exe File created C:\Windows\SysWOW64\Kgagfk32.dll Ikkmho32.exe File created C:\Windows\SysWOW64\Kecpipck.exe Jmhkdnfp.exe File created C:\Windows\SysWOW64\Mdhdigjp.dll Eklicjkf.exe File opened for modification C:\Windows\SysWOW64\Hbdihbbn.exe Hkjqkhkq.exe File created C:\Windows\SysWOW64\Gjjoob32.exe Gqajfmpb.exe File created C:\Windows\SysWOW64\Mbhnpplb.exe Mhpigk32.exe File opened for modification C:\Windows\SysWOW64\Lmpdoffo.exe Ldgpea32.exe File created C:\Windows\SysWOW64\Qnmfmoaa.exe Qipmdhcj.exe File created C:\Windows\SysWOW64\Egooijaa.dll Kamncagl.exe File opened for modification C:\Windows\SysWOW64\Hdlkpd32.exe Hfhjfp32.exe File created C:\Windows\SysWOW64\Kggomknp.dll Abkqle32.exe File created C:\Windows\SysWOW64\Anonqq32.exe Adgihkmf.exe File created C:\Windows\SysWOW64\Mdbido32.dll Pjemgibi.exe File created C:\Windows\SysWOW64\Libmghda.dll Abmkhmfe.exe File created C:\Windows\SysWOW64\Inqjbhhh.exe Ibjing32.exe File created C:\Windows\SysWOW64\Ehaleg32.exe Ehnpph32.exe File created C:\Windows\SysWOW64\Mljnoo32.exe Mjlbcd32.exe File opened for modification C:\Windows\SysWOW64\Nfafci32.exe Nllafq32.exe File created C:\Windows\SysWOW64\Opmpenbj.exe Oichhc32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 2096 1748 WerFault.exe 1047 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebmjihqn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhbgkn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikfffh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdfejn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjjoob32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhhbffkk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjdpcnfi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qnmfmoaa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dldndf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afbpph32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofdicodf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpnffoci.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imepio32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccamabgg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcflbpnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdfjekmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jppedg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnppei32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npecjdaf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jqjdon32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bimbbhgh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjhfkqdm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijnbpm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nelgkhdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjpdlj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eiefqc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Biiljjnk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfeegfkf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbeoggic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aipbidbj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kffblb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikbpof32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpplfm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eqjceidf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Debcjiod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kodhbe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jaiknk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aggbif32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcfcai32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Didbifoh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ioibde32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbmgapgc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfdlehlc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmfdfpih.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Finhinmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfpaqdnk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pinchq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kanhph32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmfhqmge.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Danblfmk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qeakmg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amcfpl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eqhfoj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iccqedfa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccehgb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfhficcn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ildhcd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ianmke32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ooianpif.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcgnmlkk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ognakk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpdhiaoi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnojpdfb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcjpcmjg.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Abmkhmfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpaggdbo.dll" Pncgjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klimjkaf.dll" Qpfmageg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cjebbkbk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jgeoda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Doflofbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ncggifep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Opicgenj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pidggp32.dll" Bjomoo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fecool32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onhokqml.dll" Cmcjldbf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Obhdpaqm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anokok32.dll" Iiekkdjo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Imepgbnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bqfcci32.dll" Jdfche32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hepffelp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmpjoi32.dll" Hbohblcg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kkbdib32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Egegnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Alemjfpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Chkbjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lgcooh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nlfmoidh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjdajc32.dll" Dhcanahm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbnfgk32.dll" Jjjaak32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kpohplpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nmlgcbei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldkglcdh.dll" Ancfbhdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nhmbfhfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnodmd32.dll" Jnadfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hecibc32.dll" Jebojh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ndofjq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnogai32.dll" Mmojcceo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmggfmjg.dll" Cnhjbjam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cdphbm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Anbcio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Capopb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cckhlhcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgpbilpm.dll" Pfabbmeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogphdb32.dll" Onqaonnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmjgnb32.dll" Ckgogfmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhidjd32.dll" Ncellpog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qnmfmoaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amieek32.dll" Capopb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dpldkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekecoocc.dll" Adkaib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmfpgbcf.dll" Dafchi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kcjcefbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmpcmb32.dll" Mooppe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ebmjihqn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbgdhlfc.dll" Pmgpjgph.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Apjbpemb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gpdfph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mikochhm.dll" Hkdmaenk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npcmhi32.dll" Fcipaien.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hffkhlof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Iibgmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Giemme32.dll" Gjjoob32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pmngef32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gmoghklh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cjbpoeoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgagfk32.dll" Ikkmho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Iccqedfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehpljpaj.dll" Blhkon32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2352 wrote to memory of 2204 2352 99807b5c6cb3c8bef27c03f67dd5b8716f84735e6202526374f01513889682a5N.exe 29 PID 2352 wrote to memory of 2204 2352 99807b5c6cb3c8bef27c03f67dd5b8716f84735e6202526374f01513889682a5N.exe 29 PID 2352 wrote to memory of 2204 2352 99807b5c6cb3c8bef27c03f67dd5b8716f84735e6202526374f01513889682a5N.exe 29 PID 2352 wrote to memory of 2204 2352 99807b5c6cb3c8bef27c03f67dd5b8716f84735e6202526374f01513889682a5N.exe 29 PID 2204 wrote to memory of 2400 2204 Mhpigk32.exe 30 PID 2204 wrote to memory of 2400 2204 Mhpigk32.exe 30 PID 2204 wrote to memory of 2400 2204 Mhpigk32.exe 30 PID 2204 wrote to memory of 2400 2204 Mhpigk32.exe 30 PID 2400 wrote to memory of 2828 2400 Mbhnpplb.exe 31 PID 2400 wrote to memory of 2828 2400 Mbhnpplb.exe 31 PID 2400 wrote to memory of 2828 2400 Mbhnpplb.exe 31 PID 2400 wrote to memory of 2828 2400 Mbhnpplb.exe 31 PID 2828 wrote to memory of 2744 2828 Mffgfo32.exe 32 PID 2828 wrote to memory of 2744 2828 Mffgfo32.exe 32 PID 2828 wrote to memory of 2744 2828 Mffgfo32.exe 32 PID 2828 wrote to memory of 2744 2828 Mffgfo32.exe 32 PID 2744 wrote to memory of 2656 2744 Mhgpgjoj.exe 33 PID 2744 wrote to memory of 2656 2744 Mhgpgjoj.exe 33 PID 2744 wrote to memory of 2656 2744 Mhgpgjoj.exe 33 PID 2744 wrote to memory of 2656 2744 Mhgpgjoj.exe 33 PID 2656 wrote to memory of 2676 2656 Njjieace.exe 34 PID 2656 wrote to memory of 2676 2656 Njjieace.exe 34 PID 2656 wrote to memory of 2676 2656 Njjieace.exe 34 PID 2656 wrote to memory of 2676 2656 Njjieace.exe 34 PID 2676 wrote to memory of 2692 2676 Nkjeod32.exe 35 PID 2676 wrote to memory of 2692 2676 Nkjeod32.exe 35 PID 2676 wrote to memory of 2692 2676 Nkjeod32.exe 35 PID 2676 wrote to memory of 2692 2676 Nkjeod32.exe 35 PID 2692 wrote to memory of 1028 2692 Nfcfob32.exe 36 PID 2692 wrote to memory of 1028 2692 Nfcfob32.exe 36 PID 2692 wrote to memory of 1028 2692 Nfcfob32.exe 36 PID 2692 wrote to memory of 1028 2692 Nfcfob32.exe 36 PID 1028 wrote to memory of 1976 1028 Ncggifep.exe 37 PID 1028 wrote to memory of 1976 1028 Ncggifep.exe 37 PID 1028 wrote to memory of 1976 1028 Ncggifep.exe 37 PID 1028 wrote to memory of 1976 1028 Ncggifep.exe 37 PID 1976 wrote to memory of 2884 1976 Ofklpa32.exe 38 PID 1976 wrote to memory of 2884 1976 Ofklpa32.exe 38 PID 1976 wrote to memory of 2884 1976 Ofklpa32.exe 38 PID 1976 wrote to memory of 2884 1976 Ofklpa32.exe 38 PID 2884 wrote to memory of 1704 2884 Obamebfc.exe 39 PID 2884 wrote to memory of 1704 2884 Obamebfc.exe 39 PID 2884 wrote to memory of 1704 2884 Obamebfc.exe 39 PID 2884 wrote to memory of 1704 2884 Obamebfc.exe 39 PID 1704 wrote to memory of 2408 1704 Ohqbbi32.exe 40 PID 1704 wrote to memory of 2408 1704 Ohqbbi32.exe 40 PID 1704 wrote to memory of 2408 1704 Ohqbbi32.exe 40 PID 1704 wrote to memory of 2408 1704 Ohqbbi32.exe 40 PID 2408 wrote to memory of 1640 2408 Pegpamoo.exe 41 PID 2408 wrote to memory of 1640 2408 Pegpamoo.exe 41 PID 2408 wrote to memory of 1640 2408 Pegpamoo.exe 41 PID 2408 wrote to memory of 1640 2408 Pegpamoo.exe 41 PID 1640 wrote to memory of 2380 1640 Pfjiod32.exe 42 PID 1640 wrote to memory of 2380 1640 Pfjiod32.exe 42 PID 1640 wrote to memory of 2380 1640 Pfjiod32.exe 42 PID 1640 wrote to memory of 2380 1640 Pfjiod32.exe 42 PID 2380 wrote to memory of 2152 2380 Pfmeddag.exe 43 PID 2380 wrote to memory of 2152 2380 Pfmeddag.exe 43 PID 2380 wrote to memory of 2152 2380 Pfmeddag.exe 43 PID 2380 wrote to memory of 2152 2380 Pfmeddag.exe 43 PID 2152 wrote to memory of 1996 2152 Pojgnf32.exe 44 PID 2152 wrote to memory of 1996 2152 Pojgnf32.exe 44 PID 2152 wrote to memory of 1996 2152 Pojgnf32.exe 44 PID 2152 wrote to memory of 1996 2152 Pojgnf32.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\99807b5c6cb3c8bef27c03f67dd5b8716f84735e6202526374f01513889682a5N.exe"C:\Users\Admin\AppData\Local\Temp\99807b5c6cb3c8bef27c03f67dd5b8716f84735e6202526374f01513889682a5N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2352 -
C:\Windows\SysWOW64\Mhpigk32.exeC:\Windows\system32\Mhpigk32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2204 -
C:\Windows\SysWOW64\Mbhnpplb.exeC:\Windows\system32\Mbhnpplb.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2400 -
C:\Windows\SysWOW64\Mffgfo32.exeC:\Windows\system32\Mffgfo32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2828 -
C:\Windows\SysWOW64\Mhgpgjoj.exeC:\Windows\system32\Mhgpgjoj.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2744 -
C:\Windows\SysWOW64\Njjieace.exeC:\Windows\system32\Njjieace.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2656 -
C:\Windows\SysWOW64\Nkjeod32.exeC:\Windows\system32\Nkjeod32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2676 -
C:\Windows\SysWOW64\Nfcfob32.exeC:\Windows\system32\Nfcfob32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\Windows\SysWOW64\Ncggifep.exeC:\Windows\system32\Ncggifep.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1028 -
C:\Windows\SysWOW64\Ofklpa32.exeC:\Windows\system32\Ofklpa32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1976 -
C:\Windows\SysWOW64\Obamebfc.exeC:\Windows\system32\Obamebfc.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2884 -
C:\Windows\SysWOW64\Ohqbbi32.exeC:\Windows\system32\Ohqbbi32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1704 -
C:\Windows\SysWOW64\Pegpamoo.exeC:\Windows\system32\Pegpamoo.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2408 -
C:\Windows\SysWOW64\Pfjiod32.exeC:\Windows\system32\Pfjiod32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1640 -
C:\Windows\SysWOW64\Pfmeddag.exeC:\Windows\system32\Pfmeddag.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2380 -
C:\Windows\SysWOW64\Pojgnf32.exeC:\Windows\system32\Pojgnf32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2152 -
C:\Windows\SysWOW64\Qbhpddbf.exeC:\Windows\system32\Qbhpddbf.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1996 -
C:\Windows\SysWOW64\Qdlialfb.exeC:\Windows\system32\Qdlialfb.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2496 -
C:\Windows\SysWOW64\Ahjahk32.exeC:\Windows\system32\Ahjahk32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1036 -
C:\Windows\SysWOW64\Ahlnmjkf.exeC:\Windows\system32\Ahlnmjkf.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2388 -
C:\Windows\SysWOW64\Aimkeb32.exeC:\Windows\system32\Aimkeb32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1352 -
C:\Windows\SysWOW64\Akmgoehg.exeC:\Windows\system32\Akmgoehg.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1772 -
C:\Windows\SysWOW64\Agchdfmk.exeC:\Windows\system32\Agchdfmk.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1464 -
C:\Windows\SysWOW64\Bjdqfajl.exeC:\Windows\system32\Bjdqfajl.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2372 -
C:\Windows\SysWOW64\Bapejd32.exeC:\Windows\system32\Bapejd32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1516 -
C:\Windows\SysWOW64\Bhljlnma.exeC:\Windows\system32\Bhljlnma.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2596 -
C:\Windows\SysWOW64\Bdbkaoce.exeC:\Windows\system32\Bdbkaoce.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:872 -
C:\Windows\SysWOW64\Cjbpoeoj.exeC:\Windows\system32\Cjbpoeoj.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2220 -
C:\Windows\SysWOW64\Cghmni32.exeC:\Windows\system32\Cghmni32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2976 -
C:\Windows\SysWOW64\Cjifpdib.exeC:\Windows\system32\Cjifpdib.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:960 -
C:\Windows\SysWOW64\Ccakij32.exeC:\Windows\system32\Ccakij32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2232 -
C:\Windows\SysWOW64\Dnpedghl.exeC:\Windows\system32\Dnpedghl.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2776 -
C:\Windows\SysWOW64\Djffihmp.exeC:\Windows\system32\Djffihmp.exe33⤵
- Executes dropped EXE
PID:2720 -
C:\Windows\SysWOW64\Dabkla32.exeC:\Windows\system32\Dabkla32.exe34⤵
- Executes dropped EXE
PID:2792 -
C:\Windows\SysWOW64\Eaegaaah.exeC:\Windows\system32\Eaegaaah.exe35⤵
- Executes dropped EXE
PID:2640 -
C:\Windows\SysWOW64\Ejpipf32.exeC:\Windows\system32\Ejpipf32.exe36⤵
- Executes dropped EXE
PID:3064 -
C:\Windows\SysWOW64\Elaego32.exeC:\Windows\system32\Elaego32.exe37⤵
- Executes dropped EXE
PID:1800 -
C:\Windows\SysWOW64\Eiefqc32.exeC:\Windows\system32\Eiefqc32.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2156 -
C:\Windows\SysWOW64\Ebmjihqn.exeC:\Windows\system32\Ebmjihqn.exe39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2972 -
C:\Windows\SysWOW64\Epakcm32.exeC:\Windows\system32\Epakcm32.exe40⤵
- Executes dropped EXE
PID:2188 -
C:\Windows\SysWOW64\Fofhdidp.exeC:\Windows\system32\Fofhdidp.exe41⤵
- Executes dropped EXE
PID:1796 -
C:\Windows\SysWOW64\Fdemap32.exeC:\Windows\system32\Fdemap32.exe42⤵
- Executes dropped EXE
PID:2548 -
C:\Windows\SysWOW64\Fdjfmolo.exeC:\Windows\system32\Fdjfmolo.exe43⤵
- Executes dropped EXE
PID:2316 -
C:\Windows\SysWOW64\Gcocnk32.exeC:\Windows\system32\Gcocnk32.exe44⤵
- Executes dropped EXE
PID:3004 -
C:\Windows\SysWOW64\Gljdlq32.exeC:\Windows\system32\Gljdlq32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:996 -
C:\Windows\SysWOW64\Gcdmikma.exeC:\Windows\system32\Gcdmikma.exe46⤵
- Executes dropped EXE
PID:2112 -
C:\Windows\SysWOW64\Geeekf32.exeC:\Windows\system32\Geeekf32.exe47⤵
- Executes dropped EXE
PID:2248 -
C:\Windows\SysWOW64\Gkancm32.exeC:\Windows\system32\Gkancm32.exe48⤵
- Executes dropped EXE
PID:1852 -
C:\Windows\SysWOW64\Gcifdj32.exeC:\Windows\system32\Gcifdj32.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:912 -
C:\Windows\SysWOW64\Hdloab32.exeC:\Windows\system32\Hdloab32.exe50⤵
- Executes dropped EXE
PID:2340 -
C:\Windows\SysWOW64\Hdolga32.exeC:\Windows\system32\Hdolga32.exe51⤵
- Executes dropped EXE
PID:2332 -
C:\Windows\SysWOW64\Hbblpf32.exeC:\Windows\system32\Hbblpf32.exe52⤵
- Executes dropped EXE
PID:1808 -
C:\Windows\SysWOW64\Hkkaik32.exeC:\Windows\system32\Hkkaik32.exe53⤵
- Executes dropped EXE
PID:2284 -
C:\Windows\SysWOW64\Hmojfcdk.exeC:\Windows\system32\Hmojfcdk.exe54⤵
- Executes dropped EXE
PID:2840 -
C:\Windows\SysWOW64\Igdndl32.exeC:\Windows\system32\Igdndl32.exe55⤵
- Executes dropped EXE
PID:2768 -
C:\Windows\SysWOW64\Iiekkdjo.exeC:\Windows\system32\Iiekkdjo.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:2304 -
C:\Windows\SysWOW64\Ibnodj32.exeC:\Windows\system32\Ibnodj32.exe57⤵
- Executes dropped EXE
PID:2620 -
C:\Windows\SysWOW64\Icmlnmgb.exeC:\Windows\system32\Icmlnmgb.exe58⤵
- Executes dropped EXE
PID:1588 -
C:\Windows\SysWOW64\Imepgbnc.exeC:\Windows\system32\Imepgbnc.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:2888 -
C:\Windows\SysWOW64\Iodlcnmf.exeC:\Windows\system32\Iodlcnmf.exe60⤵
- Executes dropped EXE
PID:1868 -
C:\Windows\SysWOW64\Ikkmho32.exeC:\Windows\system32\Ikkmho32.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2864 -
C:\Windows\SysWOW64\Ibeeeijg.exeC:\Windows\system32\Ibeeeijg.exe62⤵
- Executes dropped EXE
PID:1828 -
C:\Windows\SysWOW64\Ijpjik32.exeC:\Windows\system32\Ijpjik32.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:432 -
C:\Windows\SysWOW64\Jgdkbo32.exeC:\Windows\system32\Jgdkbo32.exe64⤵
- Executes dropped EXE
PID:2268 -
C:\Windows\SysWOW64\Jmqckf32.exeC:\Windows\system32\Jmqckf32.exe65⤵
- Executes dropped EXE
PID:2796 -
C:\Windows\SysWOW64\Jckkhplq.exeC:\Windows\system32\Jckkhplq.exe66⤵PID:864
-
C:\Windows\SysWOW64\Jnppei32.exeC:\Windows\system32\Jnppei32.exe67⤵
- System Location Discovery: System Language Discovery
PID:336 -
C:\Windows\SysWOW64\Jcmhmp32.exeC:\Windows\system32\Jcmhmp32.exe68⤵PID:2504
-
C:\Windows\SysWOW64\Jmelfeqn.exeC:\Windows\system32\Jmelfeqn.exe69⤵PID:2308
-
C:\Windows\SysWOW64\Jpdibapb.exeC:\Windows\system32\Jpdibapb.exe70⤵PID:368
-
C:\Windows\SysWOW64\Jjimpj32.exeC:\Windows\system32\Jjimpj32.exe71⤵
- Drops file in System32 directory
PID:2252 -
C:\Windows\SysWOW64\Jcaahofh.exeC:\Windows\system32\Jcaahofh.exe72⤵PID:1328
-
C:\Windows\SysWOW64\Keekeg32.exeC:\Windows\system32\Keekeg32.exe73⤵PID:2256
-
C:\Windows\SysWOW64\Klocba32.exeC:\Windows\system32\Klocba32.exe74⤵PID:2760
-
C:\Windows\SysWOW64\Kehgkgha.exeC:\Windows\system32\Kehgkgha.exe75⤵PID:2904
-
C:\Windows\SysWOW64\Kjdpcnfi.exeC:\Windows\system32\Kjdpcnfi.exe76⤵
- System Location Discovery: System Language Discovery
PID:2644 -
C:\Windows\SysWOW64\Kanhph32.exeC:\Windows\system32\Kanhph32.exe77⤵
- System Location Discovery: System Language Discovery
PID:1236 -
C:\Windows\SysWOW64\Kaaeegkc.exeC:\Windows\system32\Kaaeegkc.exe78⤵PID:1240
-
C:\Windows\SysWOW64\Kkiiom32.exeC:\Windows\system32\Kkiiom32.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:888 -
C:\Windows\SysWOW64\Lhmjha32.exeC:\Windows\system32\Lhmjha32.exe80⤵PID:1128
-
C:\Windows\SysWOW64\Lkkfdmpq.exeC:\Windows\system32\Lkkfdmpq.exe81⤵PID:2492
-
C:\Windows\SysWOW64\Lgbfin32.exeC:\Windows\system32\Lgbfin32.exe82⤵PID:1644
-
C:\Windows\SysWOW64\Lpkkbcle.exeC:\Windows\system32\Lpkkbcle.exe83⤵
- Drops file in System32 directory
PID:2432 -
C:\Windows\SysWOW64\Licpki32.exeC:\Windows\system32\Licpki32.exe84⤵PID:2520
-
C:\Windows\SysWOW64\Mognco32.exeC:\Windows\system32\Mognco32.exe85⤵PID:572
-
C:\Windows\SysWOW64\Mgbcha32.exeC:\Windows\system32\Mgbcha32.exe86⤵PID:952
-
C:\Windows\SysWOW64\Mgdpnqfn.exeC:\Windows\system32\Mgdpnqfn.exe87⤵PID:2280
-
C:\Windows\SysWOW64\Mkbhco32.exeC:\Windows\system32\Mkbhco32.exe88⤵PID:2984
-
C:\Windows\SysWOW64\Mdkmld32.exeC:\Windows\system32\Mdkmld32.exe89⤵PID:2168
-
C:\Windows\SysWOW64\Ngiiip32.exeC:\Windows\system32\Ngiiip32.exe90⤵PID:2824
-
C:\Windows\SysWOW64\Nncaejie.exeC:\Windows\system32\Nncaejie.exe91⤵
- Drops file in System32 directory
PID:2852 -
C:\Windows\SysWOW64\Ncpjnahm.exeC:\Windows\system32\Ncpjnahm.exe92⤵PID:2956
-
C:\Windows\SysWOW64\Nhmbfhfd.exeC:\Windows\system32\Nhmbfhfd.exe93⤵
- Modifies registry class
PID:2600 -
C:\Windows\SysWOW64\Nogjbbma.exeC:\Windows\system32\Nogjbbma.exe94⤵PID:2952
-
C:\Windows\SysWOW64\Noighakn.exeC:\Windows\system32\Noighakn.exe95⤵PID:740
-
C:\Windows\SysWOW64\Nhalag32.exeC:\Windows\system32\Nhalag32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1748 -
C:\Windows\SysWOW64\Nfeljlqh.exeC:\Windows\system32\Nfeljlqh.exe97⤵PID:3016
-
C:\Windows\SysWOW64\Ngfhbd32.exeC:\Windows\system32\Ngfhbd32.exe98⤵PID:1572
-
C:\Windows\SysWOW64\Onqaonnc.exeC:\Windows\system32\Onqaonnc.exe99⤵
- Modifies registry class
PID:1268 -
C:\Windows\SysWOW64\Odjikh32.exeC:\Windows\system32\Odjikh32.exe100⤵
- Drops file in System32 directory
PID:1908 -
C:\Windows\SysWOW64\Ogiegc32.exeC:\Windows\system32\Ogiegc32.exe101⤵PID:1632
-
C:\Windows\SysWOW64\Oemfahcn.exeC:\Windows\system32\Oemfahcn.exe102⤵PID:1272
-
C:\Windows\SysWOW64\Ogkbmcba.exeC:\Windows\system32\Ogkbmcba.exe103⤵PID:2072
-
C:\Windows\SysWOW64\Omhjejai.exeC:\Windows\system32\Omhjejai.exe104⤵PID:2212
-
C:\Windows\SysWOW64\Oeobfgak.exeC:\Windows\system32\Oeobfgak.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2296 -
C:\Windows\SysWOW64\Ojlkonpb.exeC:\Windows\system32\Ojlkonpb.exe106⤵PID:2668
-
C:\Windows\SysWOW64\Oafclh32.exeC:\Windows\system32\Oafclh32.exe107⤵PID:2816
-
C:\Windows\SysWOW64\Opicgenj.exeC:\Windows\system32\Opicgenj.exe108⤵
- Modifies registry class
PID:3048 -
C:\Windows\SysWOW64\Ofcldoef.exeC:\Windows\system32\Ofcldoef.exe109⤵PID:2856
-
C:\Windows\SysWOW64\Ommdqi32.exeC:\Windows\system32\Ommdqi32.exe110⤵PID:1048
-
C:\Windows\SysWOW64\Ocglmcdp.exeC:\Windows\system32\Ocglmcdp.exe111⤵PID:2288
-
C:\Windows\SysWOW64\Ofehiocd.exeC:\Windows\system32\Ofehiocd.exe112⤵PID:2444
-
C:\Windows\SysWOW64\Plbaafak.exeC:\Windows\system32\Plbaafak.exe113⤵PID:1444
-
C:\Windows\SysWOW64\Pciiccbm.exeC:\Windows\system32\Pciiccbm.exe114⤵PID:1780
-
C:\Windows\SysWOW64\Pembpkfi.exeC:\Windows\system32\Pembpkfi.exe115⤵PID:1232
-
C:\Windows\SysWOW64\Ppbfmdfo.exeC:\Windows\system32\Ppbfmdfo.exe116⤵PID:2704
-
C:\Windows\SysWOW64\Phmkaf32.exeC:\Windows\system32\Phmkaf32.exe117⤵PID:2208
-
C:\Windows\SysWOW64\Pbcooo32.exeC:\Windows\system32\Pbcooo32.exe118⤵PID:2660
-
C:\Windows\SysWOW64\Phphgf32.exeC:\Windows\system32\Phphgf32.exe119⤵PID:956
-
C:\Windows\SysWOW64\Qahlpkhh.exeC:\Windows\system32\Qahlpkhh.exe120⤵PID:2968
-
C:\Windows\SysWOW64\Qolmip32.exeC:\Windows\system32\Qolmip32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2556
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-