Analysis
-
max time kernel
33s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
13/11/2024, 08:25
Static task
static1
Behavioral task
behavioral1
Sample
7794032876dec3ce9c1f7f71642b74a172f7cb18d21d17c677e3efc3c95b2db2N.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
7794032876dec3ce9c1f7f71642b74a172f7cb18d21d17c677e3efc3c95b2db2N.exe
Resource
win10v2004-20241007-en
General
-
Target
7794032876dec3ce9c1f7f71642b74a172f7cb18d21d17c677e3efc3c95b2db2N.exe
-
Size
95KB
-
MD5
9ebc2688d3c39848b00e5b0bddd058c0
-
SHA1
3117a3ba2b86c4848e174edde9972a2d659fe2a6
-
SHA256
7794032876dec3ce9c1f7f71642b74a172f7cb18d21d17c677e3efc3c95b2db2
-
SHA512
f0a76e5934f2dc8828f13679f257d48be6d12b98151e240774db80fc04114f2fa75c2e39ef7aaea17f96fde14fd5aa7c5da532648420143aa5e2611bb33f2600
-
SSDEEP
1536:30r7Cp93QnF50BBP6LDw4kNU2xj3qfGnRLQg2YkY98DC2ylSOM6bOLXi8PmCofGV:h3KCnP6LRkNdj3veg2gFxlSDrLXfzoeV
Malware Config
Extracted
berbew
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmabmf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lckbkfbb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pddinn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dlifcqfl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gicpnhbb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kejahn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cbnhfhoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mccaodgj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afffgjma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bjdqfajl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmifiahi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olgboogb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gccjpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gdjpcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jdjioh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdooij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Peapmhnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bhljlnma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Febmfcjj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmhlnngi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkkeeikj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndnplk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oaiglnih.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pppnia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pedmbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gielchpp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdhnnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Njaoeq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcaghm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfflfp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qdhcinme.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icponb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nglmifca.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibjikk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dndoof32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbdpjgjf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jinghn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kokppd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdnihiad.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fgnfpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cgjjdijo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nplkhh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bapejd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfnnpbnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nlefjpid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aokfpjai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bnemlf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mbhnpplb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnipgp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfmbfkhf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmmiaknb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcnhcdkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lmfjcajl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idepdhia.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohhcokmp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jffakm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Effidg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnnbqeib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Obgmjh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmcibdad.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mqgahh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mekanbol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mqgahh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qdlialfb.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 1832 Jemiiqmh.exe 2188 Jkjaaglp.exe 2708 Jeofnpke.exe 2836 Jklnggjm.exe 2716 Jpigonhd.exe 2724 Jhpopk32.exe 3048 Kahciaog.exe 1776 Kdgoelnk.exe 2060 Kjchmclb.exe 1556 Kdilkllh.exe 988 Kfjibdbf.exe 956 Kldaon32.exe 1272 Kgjelg32.exe 272 Khkadoog.exe 2556 Kcqfahom.exe 2192 Kjjnnbfj.exe 948 Kkljfj32.exe 1964 Lbfcbdce.exe 684 Llkgpmck.exe 2400 Lnmcge32.exe 648 Lbhphdab.exe 1744 Lkqdajhc.exe 1988 Ldihjo32.exe 3060 Lggdfk32.exe 1240 Lqpiopdh.exe 2288 Lcneklck.exe 2728 Lmfjcajl.exe 2800 Lqbfdp32.exe 2660 Mmifiahi.exe 3032 Mcbofk32.exe 3044 Mfakbf32.exe 2576 Mqfooonp.exe 1624 Mcekkkmc.exe 2664 Mibdcakk.exe 792 Mkpppmko.exe 1484 Mffdmfjd.exe 1352 Mbmebgpi.exe 2000 Mekanbol.exe 880 Mifmoa32.exe 2208 Mbobgfnf.exe 2152 Memncbmj.exe 2568 Nbaomf32.exe 2056 Nnhobgag.exe 2952 Nafknbqk.exe 1740 Nebgoa32.exe 2552 Ndehjnpo.exe 1288 Njopgh32.exe 2852 Nmmlccfp.exe 2868 Naihdb32.exe 2860 Ndgdpn32.exe 2776 Nhbqqlfe.exe 1040 Njammhei.exe 2372 Nidmhd32.exe 1728 Nakeib32.exe 2028 Npneeocq.exe 1612 Nblaajbd.exe 1332 Nfhmai32.exe 2036 Nifjnd32.exe 2380 Nlefjpid.exe 904 Oppbjn32.exe 1808 Odlnkmjg.exe 2376 Oemjbe32.exe 1224 Oiifcdhn.exe 1800 Olgboogb.exe -
Loads dropped DLL 64 IoCs
pid Process 2544 7794032876dec3ce9c1f7f71642b74a172f7cb18d21d17c677e3efc3c95b2db2N.exe 2544 7794032876dec3ce9c1f7f71642b74a172f7cb18d21d17c677e3efc3c95b2db2N.exe 1832 Jemiiqmh.exe 1832 Jemiiqmh.exe 2188 Jkjaaglp.exe 2188 Jkjaaglp.exe 2708 Jeofnpke.exe 2708 Jeofnpke.exe 2836 Jklnggjm.exe 2836 Jklnggjm.exe 2716 Jpigonhd.exe 2716 Jpigonhd.exe 2724 Jhpopk32.exe 2724 Jhpopk32.exe 3048 Kahciaog.exe 3048 Kahciaog.exe 1776 Kdgoelnk.exe 1776 Kdgoelnk.exe 2060 Kjchmclb.exe 2060 Kjchmclb.exe 1556 Kdilkllh.exe 1556 Kdilkllh.exe 988 Kfjibdbf.exe 988 Kfjibdbf.exe 956 Kldaon32.exe 956 Kldaon32.exe 1272 Kgjelg32.exe 1272 Kgjelg32.exe 272 Khkadoog.exe 272 Khkadoog.exe 2556 Kcqfahom.exe 2556 Kcqfahom.exe 2192 Kjjnnbfj.exe 2192 Kjjnnbfj.exe 948 Kkljfj32.exe 948 Kkljfj32.exe 1964 Lbfcbdce.exe 1964 Lbfcbdce.exe 684 Llkgpmck.exe 684 Llkgpmck.exe 2400 Lnmcge32.exe 2400 Lnmcge32.exe 648 Lbhphdab.exe 648 Lbhphdab.exe 1744 Lkqdajhc.exe 1744 Lkqdajhc.exe 1988 Ldihjo32.exe 1988 Ldihjo32.exe 3060 Lggdfk32.exe 3060 Lggdfk32.exe 1240 Lqpiopdh.exe 1240 Lqpiopdh.exe 2288 Lcneklck.exe 2288 Lcneklck.exe 2728 Lmfjcajl.exe 2728 Lmfjcajl.exe 2800 Lqbfdp32.exe 2800 Lqbfdp32.exe 2660 Mmifiahi.exe 2660 Mmifiahi.exe 3032 Mcbofk32.exe 3032 Mcbofk32.exe 3044 Mfakbf32.exe 3044 Mfakbf32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Olbpmelm.dll Fdbgia32.exe File created C:\Windows\SysWOW64\Fbjpjphf.dll Gnhkkjbf.exe File created C:\Windows\SysWOW64\Amhigkdj.dll Onhnjclg.exe File created C:\Windows\SysWOW64\Bdieho32.dll Ccakij32.exe File opened for modification C:\Windows\SysWOW64\Hcfenn32.exe Hqhiab32.exe File opened for modification C:\Windows\SysWOW64\Peapmhnk.exe Pgopak32.exe File opened for modification C:\Windows\SysWOW64\Agebam32.exe Aonjpp32.exe File opened for modification C:\Windows\SysWOW64\Epjbienl.exe Eagbnh32.exe File created C:\Windows\SysWOW64\Qfcnmmom.dll Mnlilb32.exe File opened for modification C:\Windows\SysWOW64\Mdhnnl32.exe Mmafmo32.exe File created C:\Windows\SysWOW64\Aghalcja.dll Oegflcbj.exe File created C:\Windows\SysWOW64\Gplknnnh.dll Fgcpkldh.exe File created C:\Windows\SysWOW64\Fhfihd32.exe Fehmlh32.exe File created C:\Windows\SysWOW64\Npldppbn.dll Ankabh32.exe File created C:\Windows\SysWOW64\Bqabknfl.dll Ccceeqfl.exe File opened for modification C:\Windows\SysWOW64\Lcieef32.exe Lpjiik32.exe File opened for modification C:\Windows\SysWOW64\Lcnhcdkp.exe Ldlghhde.exe File created C:\Windows\SysWOW64\Gofhgafa.dll Gcdmikma.exe File created C:\Windows\SysWOW64\Nfbgen32.dll Gphmbolk.exe File created C:\Windows\SysWOW64\Mljgmiaq.dll Ibhieo32.exe File created C:\Windows\SysWOW64\Aqkohg32.dll Jpnfdbig.exe File opened for modification C:\Windows\SysWOW64\Kmpfgklo.exe Kkajkoml.exe File created C:\Windows\SysWOW64\Fdbgia32.exe Flkohc32.exe File created C:\Windows\SysWOW64\Onhnjclg.exe Oljanhmc.exe File created C:\Windows\SysWOW64\Eponmmaj.exe Elcbmn32.exe File opened for modification C:\Windows\SysWOW64\Faljqcmk.exe Fomndhng.exe File created C:\Windows\SysWOW64\Pfplmh32.dll Hhjhgpcn.exe File created C:\Windows\SysWOW64\Gdnlhg32.dll Fkapkq32.exe File created C:\Windows\SysWOW64\Kaillp32.exe Kokppd32.exe File created C:\Windows\SysWOW64\Flkohc32.exe Fmholgpj.exe File created C:\Windows\SysWOW64\Cjqigm32.dll Ncejcg32.exe File created C:\Windows\SysWOW64\Mfakbf32.exe Mcbofk32.exe File created C:\Windows\SysWOW64\Cdmfml32.dll Eipjmk32.exe File opened for modification C:\Windows\SysWOW64\Nijcgp32.exe Mflgkd32.exe File created C:\Windows\SysWOW64\Dlnjjc32.exe Ccceeqfl.exe File created C:\Windows\SysWOW64\Gmabknal.dll Flphccbp.exe File created C:\Windows\SysWOW64\Eelgce32.dll Jemkai32.exe File created C:\Windows\SysWOW64\Jbapjpfp.dll Ggmldj32.exe File created C:\Windows\SysWOW64\Abfcdgde.dll Hdailaib.exe File created C:\Windows\SysWOW64\Pmabmf32.exe Pooaaink.exe File created C:\Windows\SysWOW64\Qchmll32.exe Ppiapp32.exe File created C:\Windows\SysWOW64\Chapbi32.dll Afkccffq.exe File created C:\Windows\SysWOW64\Eehfdldj.dll Jkfnaa32.exe File created C:\Windows\SysWOW64\Nbgakd32.exe Nnkekfkd.exe File created C:\Windows\SysWOW64\Epljpl32.dll Ikbndqnc.exe File opened for modification C:\Windows\SysWOW64\Eefdgeig.exe Ebghkjjc.exe File created C:\Windows\SysWOW64\Cdjabn32.exe Cmbiap32.exe File created C:\Windows\SysWOW64\Hbjbmonp.dll Cjfjjd32.exe File created C:\Windows\SysWOW64\Fdneoh32.dll Elcbmn32.exe File opened for modification C:\Windows\SysWOW64\Efifjg32.exe Eponmmaj.exe File opened for modification C:\Windows\SysWOW64\Aklefm32.exe Agaifnhi.exe File created C:\Windows\SysWOW64\Cnjbfhqa.exe Clkfjman.exe File created C:\Windows\SysWOW64\Jjhfan32.dll Dbqajk32.exe File created C:\Windows\SysWOW64\Nmjicn32.exe Niombolm.exe File opened for modification C:\Windows\SysWOW64\Jidngh32.exe Jffakm32.exe File created C:\Windows\SysWOW64\Bplmhi32.dll Ldndng32.exe File created C:\Windows\SysWOW64\Opqjjalh.dll Oafjfokk.exe File opened for modification C:\Windows\SysWOW64\Aekelo32.exe Amdmkb32.exe File created C:\Windows\SysWOW64\Pinnoafp.dll Khkadoog.exe File created C:\Windows\SysWOW64\Npneeocq.exe Nakeib32.exe File created C:\Windows\SysWOW64\Ihlbih32.exe Ienfml32.exe File opened for modification C:\Windows\SysWOW64\Bbdoec32.exe Bnicddki.exe File created C:\Windows\SysWOW64\Bjmgmelp.dll Dlcfnk32.exe File opened for modification C:\Windows\SysWOW64\Dfpcdh32.exe Dhmchljg.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 9680 9652 WerFault.exe 1042 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgcgebhd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jalmcl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inajql32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncggifep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phckglbq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldihjo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfakbf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fofekp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkidclbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgigpgkd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qlqdmj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ephhmn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llkgpmck.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgjmfa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jinghn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahioobed.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dghjmlnm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpccgppq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcekkkmc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omoehf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfflfp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bineidcj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jekoljgo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aoamoefh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bapejd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nakeib32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nifjnd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agebam32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckdpinhf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akjham32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhfihd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhlogo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khkadoog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbhphdab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ollljo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fomndhng.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkebgj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccceeqfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ieqbbl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckamihfm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qkbkfh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibjikk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjgmka32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Feppqc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cakfcfoc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qckcdj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cghmni32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkfkoi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eagbnh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hiblmldn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kphpdhdh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfdcbmbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnpbgbdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmjicn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgkeol32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnhkkjbf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onkjocjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfbfln32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imqdcjkd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ododdlcd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkapkq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdllci32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eiefqc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgjelg32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imhgkp32.dll" Jekoljgo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lhbjmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Onhnjclg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmeanaca.dll" Fokaoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifghji32.dll" Jkjaaglp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kagjap32.dll" Bmbkid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ekmjanpd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ecmhqp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oidldm32.dll" Epjdbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejdjke32.dll" Fhlogo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Faljqcmk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gljdlq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Olgboogb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipgnbg32.dll" Cafbmdbh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fhdlbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aboope32.dll" Iefeaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnllpnpo.dll" Lhbjmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfpnifnh.dll" Dabkla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dcaghm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gfbfln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpqlke32.dll" Cfekkgla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jljoia32.dll" Hcqcoo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqpbhhnh.dll" Ifahpnfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fanhpabf.dll" Dnbbjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Noddcolo.dll" Bfkobj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iniglajj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bcjhig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ckopch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cgpjin32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ijbjpg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hjcajn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hfdpaqej.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jhchjgoh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lkffohon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fmholgpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bbjoki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Omddmkhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agnbbk32.dll" Dkhpfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajghbjhl.dll" Ienfml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mgodjico.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bnemlf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Edfqclni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lpmeojbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhabgpel.dll" Bjlnaghp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fhfihd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lojeda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Laeqgcbl.dll" Gkchpcoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fhfbmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnalga32.dll" Qamjmh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Adbmjbif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncpcapia.dll" Oaiglnih.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Alcqcjgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgiahe32.dll" Fpcghl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ibmmkaik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njnmiaib.dll" Jjbdfbnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnffkn32.dll" Kdooij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qdkpomkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnolpa32.dll" Annpaq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dmgmbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgdqaf32.dll" Hfflfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cncmei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnnpaali.dll" Clkfjman.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cqkiai32.dll" Kkajkoml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nagdqj32.dll" Olokighn.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2544 wrote to memory of 1832 2544 7794032876dec3ce9c1f7f71642b74a172f7cb18d21d17c677e3efc3c95b2db2N.exe 29 PID 2544 wrote to memory of 1832 2544 7794032876dec3ce9c1f7f71642b74a172f7cb18d21d17c677e3efc3c95b2db2N.exe 29 PID 2544 wrote to memory of 1832 2544 7794032876dec3ce9c1f7f71642b74a172f7cb18d21d17c677e3efc3c95b2db2N.exe 29 PID 2544 wrote to memory of 1832 2544 7794032876dec3ce9c1f7f71642b74a172f7cb18d21d17c677e3efc3c95b2db2N.exe 29 PID 1832 wrote to memory of 2188 1832 Jemiiqmh.exe 30 PID 1832 wrote to memory of 2188 1832 Jemiiqmh.exe 30 PID 1832 wrote to memory of 2188 1832 Jemiiqmh.exe 30 PID 1832 wrote to memory of 2188 1832 Jemiiqmh.exe 30 PID 2188 wrote to memory of 2708 2188 Jkjaaglp.exe 31 PID 2188 wrote to memory of 2708 2188 Jkjaaglp.exe 31 PID 2188 wrote to memory of 2708 2188 Jkjaaglp.exe 31 PID 2188 wrote to memory of 2708 2188 Jkjaaglp.exe 31 PID 2708 wrote to memory of 2836 2708 Jeofnpke.exe 32 PID 2708 wrote to memory of 2836 2708 Jeofnpke.exe 32 PID 2708 wrote to memory of 2836 2708 Jeofnpke.exe 32 PID 2708 wrote to memory of 2836 2708 Jeofnpke.exe 32 PID 2836 wrote to memory of 2716 2836 Jklnggjm.exe 33 PID 2836 wrote to memory of 2716 2836 Jklnggjm.exe 33 PID 2836 wrote to memory of 2716 2836 Jklnggjm.exe 33 PID 2836 wrote to memory of 2716 2836 Jklnggjm.exe 33 PID 2716 wrote to memory of 2724 2716 Jpigonhd.exe 34 PID 2716 wrote to memory of 2724 2716 Jpigonhd.exe 34 PID 2716 wrote to memory of 2724 2716 Jpigonhd.exe 34 PID 2716 wrote to memory of 2724 2716 Jpigonhd.exe 34 PID 2724 wrote to memory of 3048 2724 Jhpopk32.exe 35 PID 2724 wrote to memory of 3048 2724 Jhpopk32.exe 35 PID 2724 wrote to memory of 3048 2724 Jhpopk32.exe 35 PID 2724 wrote to memory of 3048 2724 Jhpopk32.exe 35 PID 3048 wrote to memory of 1776 3048 Kahciaog.exe 36 PID 3048 wrote to memory of 1776 3048 Kahciaog.exe 36 PID 3048 wrote to memory of 1776 3048 Kahciaog.exe 36 PID 3048 wrote to memory of 1776 3048 Kahciaog.exe 36 PID 1776 wrote to memory of 2060 1776 Kdgoelnk.exe 37 PID 1776 wrote to memory of 2060 1776 Kdgoelnk.exe 37 PID 1776 wrote to memory of 2060 1776 Kdgoelnk.exe 37 PID 1776 wrote to memory of 2060 1776 Kdgoelnk.exe 37 PID 2060 wrote to memory of 1556 2060 Kjchmclb.exe 38 PID 2060 wrote to memory of 1556 2060 Kjchmclb.exe 38 PID 2060 wrote to memory of 1556 2060 Kjchmclb.exe 38 PID 2060 wrote to memory of 1556 2060 Kjchmclb.exe 38 PID 1556 wrote to memory of 988 1556 Kdilkllh.exe 39 PID 1556 wrote to memory of 988 1556 Kdilkllh.exe 39 PID 1556 wrote to memory of 988 1556 Kdilkllh.exe 39 PID 1556 wrote to memory of 988 1556 Kdilkllh.exe 39 PID 988 wrote to memory of 956 988 Kfjibdbf.exe 40 PID 988 wrote to memory of 956 988 Kfjibdbf.exe 40 PID 988 wrote to memory of 956 988 Kfjibdbf.exe 40 PID 988 wrote to memory of 956 988 Kfjibdbf.exe 40 PID 956 wrote to memory of 1272 956 Kldaon32.exe 41 PID 956 wrote to memory of 1272 956 Kldaon32.exe 41 PID 956 wrote to memory of 1272 956 Kldaon32.exe 41 PID 956 wrote to memory of 1272 956 Kldaon32.exe 41 PID 1272 wrote to memory of 272 1272 Kgjelg32.exe 42 PID 1272 wrote to memory of 272 1272 Kgjelg32.exe 42 PID 1272 wrote to memory of 272 1272 Kgjelg32.exe 42 PID 1272 wrote to memory of 272 1272 Kgjelg32.exe 42 PID 272 wrote to memory of 2556 272 Khkadoog.exe 43 PID 272 wrote to memory of 2556 272 Khkadoog.exe 43 PID 272 wrote to memory of 2556 272 Khkadoog.exe 43 PID 272 wrote to memory of 2556 272 Khkadoog.exe 43 PID 2556 wrote to memory of 2192 2556 Kcqfahom.exe 44 PID 2556 wrote to memory of 2192 2556 Kcqfahom.exe 44 PID 2556 wrote to memory of 2192 2556 Kcqfahom.exe 44 PID 2556 wrote to memory of 2192 2556 Kcqfahom.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\7794032876dec3ce9c1f7f71642b74a172f7cb18d21d17c677e3efc3c95b2db2N.exe"C:\Users\Admin\AppData\Local\Temp\7794032876dec3ce9c1f7f71642b74a172f7cb18d21d17c677e3efc3c95b2db2N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2544 -
C:\Windows\SysWOW64\Jemiiqmh.exeC:\Windows\system32\Jemiiqmh.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1832 -
C:\Windows\SysWOW64\Jkjaaglp.exeC:\Windows\system32\Jkjaaglp.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2188 -
C:\Windows\SysWOW64\Jeofnpke.exeC:\Windows\system32\Jeofnpke.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2708 -
C:\Windows\SysWOW64\Jklnggjm.exeC:\Windows\system32\Jklnggjm.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2836 -
C:\Windows\SysWOW64\Jpigonhd.exeC:\Windows\system32\Jpigonhd.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2716 -
C:\Windows\SysWOW64\Jhpopk32.exeC:\Windows\system32\Jhpopk32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2724 -
C:\Windows\SysWOW64\Kahciaog.exeC:\Windows\system32\Kahciaog.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3048 -
C:\Windows\SysWOW64\Kdgoelnk.exeC:\Windows\system32\Kdgoelnk.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1776 -
C:\Windows\SysWOW64\Kjchmclb.exeC:\Windows\system32\Kjchmclb.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2060 -
C:\Windows\SysWOW64\Kdilkllh.exeC:\Windows\system32\Kdilkllh.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1556 -
C:\Windows\SysWOW64\Kfjibdbf.exeC:\Windows\system32\Kfjibdbf.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:988 -
C:\Windows\SysWOW64\Kldaon32.exeC:\Windows\system32\Kldaon32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:956 -
C:\Windows\SysWOW64\Kgjelg32.exeC:\Windows\system32\Kgjelg32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1272 -
C:\Windows\SysWOW64\Khkadoog.exeC:\Windows\system32\Khkadoog.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:272 -
C:\Windows\SysWOW64\Kcqfahom.exeC:\Windows\system32\Kcqfahom.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2556 -
C:\Windows\SysWOW64\Kjjnnbfj.exeC:\Windows\system32\Kjjnnbfj.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2192 -
C:\Windows\SysWOW64\Kkljfj32.exeC:\Windows\system32\Kkljfj32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:948 -
C:\Windows\SysWOW64\Lbfcbdce.exeC:\Windows\system32\Lbfcbdce.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1964 -
C:\Windows\SysWOW64\Llkgpmck.exeC:\Windows\system32\Llkgpmck.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:684 -
C:\Windows\SysWOW64\Lnmcge32.exeC:\Windows\system32\Lnmcge32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2400 -
C:\Windows\SysWOW64\Lbhphdab.exeC:\Windows\system32\Lbhphdab.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:648 -
C:\Windows\SysWOW64\Lkqdajhc.exeC:\Windows\system32\Lkqdajhc.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1744 -
C:\Windows\SysWOW64\Ldihjo32.exeC:\Windows\system32\Ldihjo32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1988 -
C:\Windows\SysWOW64\Lggdfk32.exeC:\Windows\system32\Lggdfk32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3060 -
C:\Windows\SysWOW64\Lqpiopdh.exeC:\Windows\system32\Lqpiopdh.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1240 -
C:\Windows\SysWOW64\Lcneklck.exeC:\Windows\system32\Lcneklck.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2288 -
C:\Windows\SysWOW64\Lmfjcajl.exeC:\Windows\system32\Lmfjcajl.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2728 -
C:\Windows\SysWOW64\Lqbfdp32.exeC:\Windows\system32\Lqbfdp32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2800 -
C:\Windows\SysWOW64\Mmifiahi.exeC:\Windows\system32\Mmifiahi.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2660 -
C:\Windows\SysWOW64\Mcbofk32.exeC:\Windows\system32\Mcbofk32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:3032 -
C:\Windows\SysWOW64\Mfakbf32.exeC:\Windows\system32\Mfakbf32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3044 -
C:\Windows\SysWOW64\Mqfooonp.exeC:\Windows\system32\Mqfooonp.exe33⤵
- Executes dropped EXE
PID:2576 -
C:\Windows\SysWOW64\Mcekkkmc.exeC:\Windows\system32\Mcekkkmc.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1624 -
C:\Windows\SysWOW64\Mibdcakk.exeC:\Windows\system32\Mibdcakk.exe35⤵
- Executes dropped EXE
PID:2664 -
C:\Windows\SysWOW64\Mkpppmko.exeC:\Windows\system32\Mkpppmko.exe36⤵
- Executes dropped EXE
PID:792 -
C:\Windows\SysWOW64\Mffdmfjd.exeC:\Windows\system32\Mffdmfjd.exe37⤵
- Executes dropped EXE
PID:1484 -
C:\Windows\SysWOW64\Mbmebgpi.exeC:\Windows\system32\Mbmebgpi.exe38⤵
- Executes dropped EXE
PID:1352 -
C:\Windows\SysWOW64\Mekanbol.exeC:\Windows\system32\Mekanbol.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2000 -
C:\Windows\SysWOW64\Mifmoa32.exeC:\Windows\system32\Mifmoa32.exe40⤵
- Executes dropped EXE
PID:880 -
C:\Windows\SysWOW64\Mbobgfnf.exeC:\Windows\system32\Mbobgfnf.exe41⤵
- Executes dropped EXE
PID:2208 -
C:\Windows\SysWOW64\Memncbmj.exeC:\Windows\system32\Memncbmj.exe42⤵
- Executes dropped EXE
PID:2152 -
C:\Windows\SysWOW64\Nbaomf32.exeC:\Windows\system32\Nbaomf32.exe43⤵
- Executes dropped EXE
PID:2568 -
C:\Windows\SysWOW64\Nnhobgag.exeC:\Windows\system32\Nnhobgag.exe44⤵
- Executes dropped EXE
PID:2056 -
C:\Windows\SysWOW64\Nafknbqk.exeC:\Windows\system32\Nafknbqk.exe45⤵
- Executes dropped EXE
PID:2952 -
C:\Windows\SysWOW64\Nebgoa32.exeC:\Windows\system32\Nebgoa32.exe46⤵
- Executes dropped EXE
PID:1740 -
C:\Windows\SysWOW64\Ndehjnpo.exeC:\Windows\system32\Ndehjnpo.exe47⤵
- Executes dropped EXE
PID:2552 -
C:\Windows\SysWOW64\Njopgh32.exeC:\Windows\system32\Njopgh32.exe48⤵
- Executes dropped EXE
PID:1288 -
C:\Windows\SysWOW64\Nmmlccfp.exeC:\Windows\system32\Nmmlccfp.exe49⤵
- Executes dropped EXE
PID:2852 -
C:\Windows\SysWOW64\Naihdb32.exeC:\Windows\system32\Naihdb32.exe50⤵
- Executes dropped EXE
PID:2868 -
C:\Windows\SysWOW64\Ndgdpn32.exeC:\Windows\system32\Ndgdpn32.exe51⤵
- Executes dropped EXE
PID:2860 -
C:\Windows\SysWOW64\Nhbqqlfe.exeC:\Windows\system32\Nhbqqlfe.exe52⤵
- Executes dropped EXE
PID:2776 -
C:\Windows\SysWOW64\Njammhei.exeC:\Windows\system32\Njammhei.exe53⤵
- Executes dropped EXE
PID:1040 -
C:\Windows\SysWOW64\Nidmhd32.exeC:\Windows\system32\Nidmhd32.exe54⤵
- Executes dropped EXE
PID:2372 -
C:\Windows\SysWOW64\Nakeib32.exeC:\Windows\system32\Nakeib32.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1728 -
C:\Windows\SysWOW64\Npneeocq.exeC:\Windows\system32\Npneeocq.exe56⤵
- Executes dropped EXE
PID:2028 -
C:\Windows\SysWOW64\Nblaajbd.exeC:\Windows\system32\Nblaajbd.exe57⤵
- Executes dropped EXE
PID:1612 -
C:\Windows\SysWOW64\Nfhmai32.exeC:\Windows\system32\Nfhmai32.exe58⤵
- Executes dropped EXE
PID:1332 -
C:\Windows\SysWOW64\Nifjnd32.exeC:\Windows\system32\Nifjnd32.exe59⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2036 -
C:\Windows\SysWOW64\Nlefjpid.exeC:\Windows\system32\Nlefjpid.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2380 -
C:\Windows\SysWOW64\Oppbjn32.exeC:\Windows\system32\Oppbjn32.exe61⤵
- Executes dropped EXE
PID:904 -
C:\Windows\SysWOW64\Odlnkmjg.exeC:\Windows\system32\Odlnkmjg.exe62⤵
- Executes dropped EXE
PID:1808 -
C:\Windows\SysWOW64\Oemjbe32.exeC:\Windows\system32\Oemjbe32.exe63⤵
- Executes dropped EXE
PID:2376 -
C:\Windows\SysWOW64\Oiifcdhn.exeC:\Windows\system32\Oiifcdhn.exe64⤵
- Executes dropped EXE
PID:1224 -
C:\Windows\SysWOW64\Olgboogb.exeC:\Windows\system32\Olgboogb.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1800 -
C:\Windows\SysWOW64\Ooeolkff.exeC:\Windows\system32\Ooeolkff.exe66⤵PID:1256
-
C:\Windows\SysWOW64\Ofmgmhgh.exeC:\Windows\system32\Ofmgmhgh.exe67⤵PID:2880
-
C:\Windows\SysWOW64\Oikcicfl.exeC:\Windows\system32\Oikcicfl.exe68⤵PID:2916
-
C:\Windows\SysWOW64\Olioeoeo.exeC:\Windows\system32\Olioeoeo.exe69⤵PID:1680
-
C:\Windows\SysWOW64\Oohlaj32.exeC:\Windows\system32\Oohlaj32.exe70⤵PID:3024
-
C:\Windows\SysWOW64\Oafhmf32.exeC:\Windows\system32\Oafhmf32.exe71⤵PID:2872
-
C:\Windows\SysWOW64\Oebdndlp.exeC:\Windows\system32\Oebdndlp.exe72⤵PID:2308
-
C:\Windows\SysWOW64\Oimpnc32.exeC:\Windows\system32\Oimpnc32.exe73⤵PID:2592
-
C:\Windows\SysWOW64\Ollljo32.exeC:\Windows\system32\Ollljo32.exe74⤵
- System Location Discovery: System Language Discovery
PID:3004 -
C:\Windows\SysWOW64\Okolfkjg.exeC:\Windows\system32\Okolfkjg.exe75⤵PID:1020
-
C:\Windows\SysWOW64\Oojhfj32.exeC:\Windows\system32\Oojhfj32.exe76⤵PID:544
-
C:\Windows\SysWOW64\Obfdgiji.exeC:\Windows\system32\Obfdgiji.exe77⤵PID:2216
-
C:\Windows\SysWOW64\Oahdce32.exeC:\Windows\system32\Oahdce32.exe78⤵PID:992
-
C:\Windows\SysWOW64\Olnipn32.exeC:\Windows\system32\Olnipn32.exe79⤵PID:1940
-
C:\Windows\SysWOW64\Okailkhd.exeC:\Windows\system32\Okailkhd.exe80⤵PID:488
-
C:\Windows\SysWOW64\Omoehf32.exeC:\Windows\system32\Omoehf32.exe81⤵
- System Location Discovery: System Language Discovery
PID:1748 -
C:\Windows\SysWOW64\Oefmid32.exeC:\Windows\system32\Oefmid32.exe82⤵PID:932
-
C:\Windows\SysWOW64\Oheieo32.exeC:\Windows\system32\Oheieo32.exe83⤵PID:396
-
C:\Windows\SysWOW64\Pghjqlmi.exeC:\Windows\system32\Pghjqlmi.exe84⤵PID:2756
-
C:\Windows\SysWOW64\Pooaaink.exeC:\Windows\system32\Pooaaink.exe85⤵
- Drops file in System32 directory
PID:2788 -
C:\Windows\SysWOW64\Pmabmf32.exeC:\Windows\system32\Pmabmf32.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1092 -
C:\Windows\SysWOW64\Pppnia32.exeC:\Windows\system32\Pppnia32.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1984 -
C:\Windows\SysWOW64\Phgfko32.exeC:\Windows\system32\Phgfko32.exe88⤵PID:2920
-
C:\Windows\SysWOW64\Pkebgj32.exeC:\Windows\system32\Pkebgj32.exe89⤵
- System Location Discovery: System Language Discovery
PID:580 -
C:\Windows\SysWOW64\Pmdocf32.exeC:\Windows\system32\Pmdocf32.exe90⤵PID:1648
-
C:\Windows\SysWOW64\Ppbkoabf.exeC:\Windows\system32\Ppbkoabf.exe91⤵PID:2428
-
C:\Windows\SysWOW64\Pcagkmaj.exeC:\Windows\system32\Pcagkmaj.exe92⤵PID:1920
-
C:\Windows\SysWOW64\Pikohg32.exeC:\Windows\system32\Pikohg32.exe93⤵PID:1536
-
C:\Windows\SysWOW64\Pnfkheap.exeC:\Windows\system32\Pnfkheap.exe94⤵PID:1532
-
C:\Windows\SysWOW64\Plildb32.exeC:\Windows\system32\Plildb32.exe95⤵PID:2116
-
C:\Windows\SysWOW64\Pdpcep32.exeC:\Windows\system32\Pdpcep32.exe96⤵PID:1928
-
C:\Windows\SysWOW64\Pgopak32.exeC:\Windows\system32\Pgopak32.exe97⤵
- Drops file in System32 directory
PID:2804 -
C:\Windows\SysWOW64\Peapmhnk.exeC:\Windows\system32\Peapmhnk.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1976 -
C:\Windows\SysWOW64\Pllhib32.exeC:\Windows\system32\Pllhib32.exe99⤵PID:2692
-
C:\Windows\SysWOW64\Ppgdjqna.exeC:\Windows\system32\Ppgdjqna.exe100⤵PID:1108
-
C:\Windows\SysWOW64\Pceqfl32.exeC:\Windows\system32\Pceqfl32.exe101⤵PID:2968
-
C:\Windows\SysWOW64\Pedmbg32.exeC:\Windows\system32\Pedmbg32.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2972 -
C:\Windows\SysWOW64\Phbinc32.exeC:\Windows\system32\Phbinc32.exe103⤵PID:344
-
C:\Windows\SysWOW64\Ppiapp32.exeC:\Windows\system32\Ppiapp32.exe104⤵
- Drops file in System32 directory
PID:2504 -
C:\Windows\SysWOW64\Qchmll32.exeC:\Windows\system32\Qchmll32.exe105⤵PID:2424
-
C:\Windows\SysWOW64\Qakmghbm.exeC:\Windows\system32\Qakmghbm.exe106⤵PID:1004
-
C:\Windows\SysWOW64\Qhdfdb32.exeC:\Windows\system32\Qhdfdb32.exe107⤵PID:2816
-
C:\Windows\SysWOW64\Qlpadaac.exeC:\Windows\system32\Qlpadaac.exe108⤵PID:2628
-
C:\Windows\SysWOW64\Qoonqmqf.exeC:\Windows\system32\Qoonqmqf.exe109⤵PID:2636
-
C:\Windows\SysWOW64\Qamjmh32.exeC:\Windows\system32\Qamjmh32.exe110⤵
- Modifies registry class
PID:2272 -
C:\Windows\SysWOW64\Qfifmghc.exeC:\Windows\system32\Qfifmghc.exe111⤵PID:1692
-
C:\Windows\SysWOW64\Qhgbibgg.exeC:\Windows\system32\Qhgbibgg.exe112⤵PID:2256
-
C:\Windows\SysWOW64\Qkeofnfk.exeC:\Windows\system32\Qkeofnfk.exe113⤵PID:2440
-
C:\Windows\SysWOW64\Andkbien.exeC:\Windows\system32\Andkbien.exe114⤵PID:2500
-
C:\Windows\SysWOW64\Afkccffq.exeC:\Windows\system32\Afkccffq.exe115⤵
- Drops file in System32 directory
PID:1400 -
C:\Windows\SysWOW64\Ahioobed.exeC:\Windows\system32\Ahioobed.exe116⤵
- System Location Discovery: System Language Discovery
PID:2284 -
C:\Windows\SysWOW64\Akhkkmdh.exeC:\Windows\system32\Akhkkmdh.exe117⤵PID:2760
-
C:\Windows\SysWOW64\Aocgll32.exeC:\Windows\system32\Aocgll32.exe118⤵PID:1628
-
C:\Windows\SysWOW64\Abachg32.exeC:\Windows\system32\Abachg32.exe119⤵PID:1608
-
C:\Windows\SysWOW64\Ahllda32.exeC:\Windows\system32\Ahllda32.exe120⤵PID:2964
-
C:\Windows\SysWOW64\Akjham32.exeC:\Windows\system32\Akjham32.exe121⤵
- System Location Discovery: System Language Discovery
PID:2024 -
C:\Windows\SysWOW64\Anhdmh32.exeC:\Windows\system32\Anhdmh32.exe122⤵PID:780
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-