Analysis
-
max time kernel
119s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
20/11/2024, 02:37
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
aad19c02dc9799c615765807f9cf01842129b556383287b156134922e5dacc64.exe
Resource
win7-20240903-en
windows7-x64
10 signatures
120 seconds
Behavioral task
behavioral2
Sample
aad19c02dc9799c615765807f9cf01842129b556383287b156134922e5dacc64.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
120 seconds
General
-
Target
aad19c02dc9799c615765807f9cf01842129b556383287b156134922e5dacc64.exe
-
Size
411KB
-
MD5
77c6725121e5b030671fb7e905575e0c
-
SHA1
56de6155acd1e0ff4105b6991fa676e8b26b3cbf
-
SHA256
aad19c02dc9799c615765807f9cf01842129b556383287b156134922e5dacc64
-
SHA512
d24eb55b5034459c90710e6df064fdaeb7896039591c144ab4b61ae8fd2276c42bb9ea4c7e537fc59e228c0050b7784c3f79455cc4b17596a4d8836d149b5910
-
SSDEEP
6144:PO1GWoBu7oHbD5W3glbGFIasUDsIjost0A25evOloWgRLereLVmhgoBlaNxUnLqp:PdWTaH5W3ybwwUb6ls2oWdeVoo8ukp4
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkfddc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmhkmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iedfqeka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ihdpbq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opqoge32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcphnm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oecmogln.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkbojpna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Liqoflfh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Deenjpcd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcmdnfad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cjhabndo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gqnbhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nfghdcfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gncldi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bdcifi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hghillnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gecpnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kfkpknkq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hboddk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmjoqo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obgnhkkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bgghac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ehnfpifm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lmmfnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ehjqgjmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Edaalk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fkefbcmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ieponofk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ielclkhe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akiobk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hjacjifm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plmbkd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lklgbadb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cgaaah32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imlhebfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kbpbmkan.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohdfqbio.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aclpaali.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ljkaeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Achjibcl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlgjldnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dahkok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gaojnq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmmfnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hhcmhdke.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khlili32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oeckfndj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Injndk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihdpbq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iphgln32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbmfgk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ageompfe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbllnlfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ieigfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aknlofim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Doecog32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akfkbd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkdnhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ponklpcg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fefqdl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjhgbd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qobbofgn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbifnj32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2380 Cohkpj32.exe 2944 Cdgpnqpo.exe 2868 Cffljlpc.exe 3044 Dlgnmb32.exe 1448 Dgmbkk32.exe 2892 Dpgcip32.exe 2780 Diphbfdi.exe 836 Eeielfhk.exe 2964 Ednbncmb.exe 2844 Ejkkfjkj.exe 812 Elldgehk.exe 2140 Fjbafi32.exe 532 Fkejcq32.exe 2084 Fnfcel32.exe 2060 Fnipkkdl.exe 3068 Gqiimfam.exe 1956 Gjbmelgm.exe 292 Gnpflj32.exe 1588 Gqnbhf32.exe 1724 Gmecmg32.exe 2456 Gcokiaji.exe 2452 Gjicfk32.exe 1628 Hmjlhfof.exe 1740 Hllmcc32.exe 2288 Hfbaql32.exe 1312 Hhcmhdke.exe 2800 Hegnahjo.exe 2880 Hhhgcc32.exe 2908 Hjfcpo32.exe 2772 Ipehmebh.exe 2636 Ifoqjo32.exe 2628 Ifampo32.exe 2656 Iipiljgf.exe 2848 Imnbbi32.exe 2980 Iplnnd32.exe 1864 Ibkkjp32.exe 2976 Ieigfk32.exe 2160 Ioakoq32.exe 480 Ielclkhe.exe 972 Jkkija32.exe 1772 Jaeafklf.exe 1920 Jnkakl32.exe 1720 Jpjngh32.exe 1812 Jhafhe32.exe 1184 Jnnnalph.exe 2448 Jdhgnf32.exe 900 Jkbojpna.exe 1980 Jnpkflne.exe 1632 Jpogbgmi.exe 1576 Kfkpknkq.exe 2420 Kpadhg32.exe 1908 Kcopdb32.exe 2704 Khlili32.exe 3004 Kpcqnf32.exe 2808 Kbdmeoob.exe 2156 Khoebi32.exe 2948 Kohnoc32.exe 3008 Kbgjkn32.exe 1760 Kllnhg32.exe 1612 Kokjdb32.exe 308 Kdhcli32.exe 1064 Lkakicam.exe 2324 Lqncaj32.exe 268 Lghlndfa.exe -
Loads dropped DLL 64 IoCs
pid Process 2408 aad19c02dc9799c615765807f9cf01842129b556383287b156134922e5dacc64.exe 2408 aad19c02dc9799c615765807f9cf01842129b556383287b156134922e5dacc64.exe 2380 Cohkpj32.exe 2380 Cohkpj32.exe 2944 Cdgpnqpo.exe 2944 Cdgpnqpo.exe 2868 Cffljlpc.exe 2868 Cffljlpc.exe 3044 Dlgnmb32.exe 3044 Dlgnmb32.exe 1448 Dgmbkk32.exe 1448 Dgmbkk32.exe 2892 Dpgcip32.exe 2892 Dpgcip32.exe 2780 Diphbfdi.exe 2780 Diphbfdi.exe 836 Eeielfhk.exe 836 Eeielfhk.exe 2964 Ednbncmb.exe 2964 Ednbncmb.exe 2844 Ejkkfjkj.exe 2844 Ejkkfjkj.exe 812 Elldgehk.exe 812 Elldgehk.exe 2140 Fjbafi32.exe 2140 Fjbafi32.exe 532 Fkejcq32.exe 532 Fkejcq32.exe 2084 Fnfcel32.exe 2084 Fnfcel32.exe 2060 Fnipkkdl.exe 2060 Fnipkkdl.exe 3068 Gqiimfam.exe 3068 Gqiimfam.exe 1956 Gjbmelgm.exe 1956 Gjbmelgm.exe 292 Gnpflj32.exe 292 Gnpflj32.exe 1588 Gqnbhf32.exe 1588 Gqnbhf32.exe 1724 Gmecmg32.exe 1724 Gmecmg32.exe 2456 Gcokiaji.exe 2456 Gcokiaji.exe 2452 Gjicfk32.exe 2452 Gjicfk32.exe 1628 Hmjlhfof.exe 1628 Hmjlhfof.exe 1740 Hllmcc32.exe 1740 Hllmcc32.exe 2288 Hfbaql32.exe 2288 Hfbaql32.exe 1312 Hhcmhdke.exe 1312 Hhcmhdke.exe 2800 Hegnahjo.exe 2800 Hegnahjo.exe 2880 Hhhgcc32.exe 2880 Hhhgcc32.exe 2908 Hjfcpo32.exe 2908 Hjfcpo32.exe 2772 Ipehmebh.exe 2772 Ipehmebh.exe 2636 Ifoqjo32.exe 2636 Ifoqjo32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Mihdgkpp.exe Mbnljqic.exe File created C:\Windows\SysWOW64\Fphoebme.dll Cmmagpef.exe File created C:\Windows\SysWOW64\Igcphbih.dll Bpbmqe32.exe File created C:\Windows\SysWOW64\Pdjiflem.dll Dgnjqe32.exe File created C:\Windows\SysWOW64\Qffhlolm.dll Eddeladm.exe File opened for modification C:\Windows\SysWOW64\Kklkcn32.exe Kdbbgdjj.exe File created C:\Windows\SysWOW64\Djdgic32.exe Ccjoli32.exe File created C:\Windows\SysWOW64\Mhcmedli.exe Mgbaml32.exe File created C:\Windows\SysWOW64\Oecmogln.exe Opfegp32.exe File created C:\Windows\SysWOW64\Gdkjdl32.exe Gonale32.exe File created C:\Windows\SysWOW64\Aaogad32.dll Nbniid32.exe File created C:\Windows\SysWOW64\Hjjpmh32.dll Olkfmi32.exe File created C:\Windows\SysWOW64\Lonibk32.exe Ldheebad.exe File created C:\Windows\SysWOW64\Pmmneg32.exe Pbgjgomc.exe File created C:\Windows\SysWOW64\Fppaej32.exe Fkcilc32.exe File created C:\Windows\SysWOW64\Gonale32.exe Ghdiokbq.exe File opened for modification C:\Windows\SysWOW64\Fnipkkdl.exe Fnfcel32.exe File opened for modification C:\Windows\SysWOW64\Omnipjni.exe Ojomdoof.exe File opened for modification C:\Windows\SysWOW64\Dahkok32.exe Djocbqpb.exe File opened for modification C:\Windows\SysWOW64\Kjahej32.exe Kddomchg.exe File opened for modification C:\Windows\SysWOW64\Aohdmdoh.exe Alihaioe.exe File created C:\Windows\SysWOW64\Imafcg32.dll Alihaioe.exe File created C:\Windows\SysWOW64\Gkalhgfd.exe Gdhdkn32.exe File created C:\Windows\SysWOW64\Iinkmi32.dll Njbfnjeg.exe File created C:\Windows\SysWOW64\Madnjdee.dll Cmfmojcb.exe File created C:\Windows\SysWOW64\Nenakoho.exe Ndmecgba.exe File opened for modification C:\Windows\SysWOW64\Oijjka32.exe Ohhmcinf.exe File created C:\Windows\SysWOW64\Iddlde32.dll Ldheebad.exe File opened for modification C:\Windows\SysWOW64\Pbigmn32.exe Ponklpcg.exe File created C:\Windows\SysWOW64\Fliook32.exe Fkhbgbkc.exe File created C:\Windows\SysWOW64\Omppei32.dll Lkakicam.exe File created C:\Windows\SysWOW64\Jpjngh32.exe Jnkakl32.exe File created C:\Windows\SysWOW64\Ladpkl32.dll Mpebmc32.exe File opened for modification C:\Windows\SysWOW64\Eodicd32.exe Ehjqgjmp.exe File created C:\Windows\SysWOW64\Hahnac32.exe Hnjbeh32.exe File created C:\Windows\SysWOW64\Kdnild32.exe Koaqcn32.exe File created C:\Windows\SysWOW64\Lbhnia32.dll Bfioia32.exe File created C:\Windows\SysWOW64\Dllnnkld.dll Iichjc32.exe File created C:\Windows\SysWOW64\Cmpgpond.exe Cgcnghpl.exe File created C:\Windows\SysWOW64\Hmdkjmip.exe Hbofmcij.exe File created C:\Windows\SysWOW64\Ohceeg32.dll Ecbhdi32.exe File created C:\Windows\SysWOW64\Mqdkghnj.dll Qcogbdkg.exe File created C:\Windows\SysWOW64\Mcknhm32.exe Mhfjjdjf.exe File created C:\Windows\SysWOW64\Kbhbai32.exe Kipmhc32.exe File opened for modification C:\Windows\SysWOW64\Akfkbd32.exe Ahgofi32.exe File created C:\Windows\SysWOW64\Fbonbipa.dll Dpeiligo.exe File created C:\Windows\SysWOW64\Koaclfgl.exe Keioca32.exe File created C:\Windows\SysWOW64\Echjfecq.dll Dfbnoc32.exe File opened for modification C:\Windows\SysWOW64\Aclpaali.exe Ajckilei.exe File created C:\Windows\SysWOW64\Pnmjop32.dll Cfehhn32.exe File created C:\Windows\SysWOW64\Epnhpglg.exe Eicpcm32.exe File opened for modification C:\Windows\SysWOW64\Gdkjdl32.exe Gonale32.exe File created C:\Windows\SysWOW64\Npneccok.dll Inmmbc32.exe File created C:\Windows\SysWOW64\Kmnfciac.dll Jbhebfck.exe File opened for modification C:\Windows\SysWOW64\Bdqlajbb.exe Bnfddp32.exe File created C:\Windows\SysWOW64\Bkjdndjo.exe Bdqlajbb.exe File created C:\Windows\SysWOW64\Debadpeg.exe Dbdehdfc.exe File opened for modification C:\Windows\SysWOW64\Npmphinm.exe Najpll32.exe File opened for modification C:\Windows\SysWOW64\Ijqoilii.exe Iedfqeka.exe File created C:\Windows\SysWOW64\Mpebmc32.exe Mfmndn32.exe File opened for modification C:\Windows\SysWOW64\Gqdgom32.exe Gockgdeh.exe File opened for modification C:\Windows\SysWOW64\Ndmecgba.exe Nigafnck.exe File created C:\Windows\SysWOW64\Feglhlfm.dll Elajgpmj.exe File created C:\Windows\SysWOW64\Qpceaipi.dll Ljfapjbi.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 7124 7088 WerFault.exe 670 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkakicam.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbohehoj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkgngb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nijpdfhm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qemldifo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idkpganf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfjann32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojomdoof.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pblcbn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eimcjl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qdojgmfe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iikifegp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afffenbp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdogedmh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Einjdb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggkibhjf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gqnbhf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnpkflne.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qhmcmk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgchgb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpgobc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Koaclfgl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njfjnpgp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edaalk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmehdh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkpglbaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkhbgbkc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kohnoc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpamde32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mngjeamd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Domccejd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdhleh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khlili32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nenakoho.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oehdan32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Objaha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jndjmifj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnpflj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmfbpk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdjqamme.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckbpqe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdnmma32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdflqo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mimpkcdn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohbikbkb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmjdaqgi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bqlfaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebqngb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aoojnc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnnhngjf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnjicjbf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjfcpo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpcqnf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbicoamh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjcppidk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Injndk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eppefg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jaeafklf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajgbkbjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccdmnj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnhgim32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhfnkqgk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Liqoflfh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnmlcp32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cmmagpef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ckjamgmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oiimgf32.dll" Eoblnd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ecfnmh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fmohco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iipejmko.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ajcipc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Anbkipok.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dhbdleol.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fdgdji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Olkfmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bqlfaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmkoadgf.dll" Ieponofk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qjeeidhg.dll" Objaha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gncakm32.dll" Paiaplin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fgfdie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbkboega.dll" Keioca32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kokjdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkmggbfb.dll" Hmjoqo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hnhgha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hhhgcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Heapkela.dll" Lqejbiim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dejbqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gkalhgfd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oaogognm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obgneo32.dll" Imnbbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inajahoe.dll" Ageompfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kbgjkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lqqpgj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Liqoflfh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epgfma32.dll" Fhomkcoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nenkqi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cenljmgq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lkakicam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhkfeeek.dll" Bgghac32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Khjgel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mfglep32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Edaalk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcepfhka.dll" Hcgmfgfd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ibcnojnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbhnia32.dll" Bfioia32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fennoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ndcapd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Keioca32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Flhmfbim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dcohghbk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jeqopcld.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jggoqimd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afmjbf32.dll" Jpogbgmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Plolgk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lcdhgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iddpheep.dll" Jpgmpk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gknehn32.dll" Liqoflfh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cmjdaqgi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qaacem32.dll" Pacajg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kbhbai32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hllmcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eibgpnjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fliook32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kfkpknkq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nhakcfab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bbjmpcab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgloog32.dll" Cnkjnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pbemboof.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2408 wrote to memory of 2380 2408 aad19c02dc9799c615765807f9cf01842129b556383287b156134922e5dacc64.exe 30 PID 2408 wrote to memory of 2380 2408 aad19c02dc9799c615765807f9cf01842129b556383287b156134922e5dacc64.exe 30 PID 2408 wrote to memory of 2380 2408 aad19c02dc9799c615765807f9cf01842129b556383287b156134922e5dacc64.exe 30 PID 2408 wrote to memory of 2380 2408 aad19c02dc9799c615765807f9cf01842129b556383287b156134922e5dacc64.exe 30 PID 2380 wrote to memory of 2944 2380 Cohkpj32.exe 31 PID 2380 wrote to memory of 2944 2380 Cohkpj32.exe 31 PID 2380 wrote to memory of 2944 2380 Cohkpj32.exe 31 PID 2380 wrote to memory of 2944 2380 Cohkpj32.exe 31 PID 2944 wrote to memory of 2868 2944 Cdgpnqpo.exe 32 PID 2944 wrote to memory of 2868 2944 Cdgpnqpo.exe 32 PID 2944 wrote to memory of 2868 2944 Cdgpnqpo.exe 32 PID 2944 wrote to memory of 2868 2944 Cdgpnqpo.exe 32 PID 2868 wrote to memory of 3044 2868 Cffljlpc.exe 33 PID 2868 wrote to memory of 3044 2868 Cffljlpc.exe 33 PID 2868 wrote to memory of 3044 2868 Cffljlpc.exe 33 PID 2868 wrote to memory of 3044 2868 Cffljlpc.exe 33 PID 3044 wrote to memory of 1448 3044 Dlgnmb32.exe 34 PID 3044 wrote to memory of 1448 3044 Dlgnmb32.exe 34 PID 3044 wrote to memory of 1448 3044 Dlgnmb32.exe 34 PID 3044 wrote to memory of 1448 3044 Dlgnmb32.exe 34 PID 1448 wrote to memory of 2892 1448 Dgmbkk32.exe 35 PID 1448 wrote to memory of 2892 1448 Dgmbkk32.exe 35 PID 1448 wrote to memory of 2892 1448 Dgmbkk32.exe 35 PID 1448 wrote to memory of 2892 1448 Dgmbkk32.exe 35 PID 2892 wrote to memory of 2780 2892 Dpgcip32.exe 36 PID 2892 wrote to memory of 2780 2892 Dpgcip32.exe 36 PID 2892 wrote to memory of 2780 2892 Dpgcip32.exe 36 PID 2892 wrote to memory of 2780 2892 Dpgcip32.exe 36 PID 2780 wrote to memory of 836 2780 Diphbfdi.exe 37 PID 2780 wrote to memory of 836 2780 Diphbfdi.exe 37 PID 2780 wrote to memory of 836 2780 Diphbfdi.exe 37 PID 2780 wrote to memory of 836 2780 Diphbfdi.exe 37 PID 836 wrote to memory of 2964 836 Eeielfhk.exe 38 PID 836 wrote to memory of 2964 836 Eeielfhk.exe 38 PID 836 wrote to memory of 2964 836 Eeielfhk.exe 38 PID 836 wrote to memory of 2964 836 Eeielfhk.exe 38 PID 2964 wrote to memory of 2844 2964 Ednbncmb.exe 39 PID 2964 wrote to memory of 2844 2964 Ednbncmb.exe 39 PID 2964 wrote to memory of 2844 2964 Ednbncmb.exe 39 PID 2964 wrote to memory of 2844 2964 Ednbncmb.exe 39 PID 2844 wrote to memory of 812 2844 Ejkkfjkj.exe 40 PID 2844 wrote to memory of 812 2844 Ejkkfjkj.exe 40 PID 2844 wrote to memory of 812 2844 Ejkkfjkj.exe 40 PID 2844 wrote to memory of 812 2844 Ejkkfjkj.exe 40 PID 812 wrote to memory of 2140 812 Elldgehk.exe 41 PID 812 wrote to memory of 2140 812 Elldgehk.exe 41 PID 812 wrote to memory of 2140 812 Elldgehk.exe 41 PID 812 wrote to memory of 2140 812 Elldgehk.exe 41 PID 2140 wrote to memory of 532 2140 Fjbafi32.exe 42 PID 2140 wrote to memory of 532 2140 Fjbafi32.exe 42 PID 2140 wrote to memory of 532 2140 Fjbafi32.exe 42 PID 2140 wrote to memory of 532 2140 Fjbafi32.exe 42 PID 532 wrote to memory of 2084 532 Fkejcq32.exe 43 PID 532 wrote to memory of 2084 532 Fkejcq32.exe 43 PID 532 wrote to memory of 2084 532 Fkejcq32.exe 43 PID 532 wrote to memory of 2084 532 Fkejcq32.exe 43 PID 2084 wrote to memory of 2060 2084 Fnfcel32.exe 44 PID 2084 wrote to memory of 2060 2084 Fnfcel32.exe 44 PID 2084 wrote to memory of 2060 2084 Fnfcel32.exe 44 PID 2084 wrote to memory of 2060 2084 Fnfcel32.exe 44 PID 2060 wrote to memory of 3068 2060 Fnipkkdl.exe 45 PID 2060 wrote to memory of 3068 2060 Fnipkkdl.exe 45 PID 2060 wrote to memory of 3068 2060 Fnipkkdl.exe 45 PID 2060 wrote to memory of 3068 2060 Fnipkkdl.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\aad19c02dc9799c615765807f9cf01842129b556383287b156134922e5dacc64.exe"C:\Users\Admin\AppData\Local\Temp\aad19c02dc9799c615765807f9cf01842129b556383287b156134922e5dacc64.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2408 -
C:\Windows\SysWOW64\Cohkpj32.exeC:\Windows\system32\Cohkpj32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2380 -
C:\Windows\SysWOW64\Cdgpnqpo.exeC:\Windows\system32\Cdgpnqpo.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2944 -
C:\Windows\SysWOW64\Cffljlpc.exeC:\Windows\system32\Cffljlpc.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2868 -
C:\Windows\SysWOW64\Dlgnmb32.exeC:\Windows\system32\Dlgnmb32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3044 -
C:\Windows\SysWOW64\Dgmbkk32.exeC:\Windows\system32\Dgmbkk32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1448 -
C:\Windows\SysWOW64\Dpgcip32.exeC:\Windows\system32\Dpgcip32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2892 -
C:\Windows\SysWOW64\Diphbfdi.exeC:\Windows\system32\Diphbfdi.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2780 -
C:\Windows\SysWOW64\Eeielfhk.exeC:\Windows\system32\Eeielfhk.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:836 -
C:\Windows\SysWOW64\Ednbncmb.exeC:\Windows\system32\Ednbncmb.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2964 -
C:\Windows\SysWOW64\Ejkkfjkj.exeC:\Windows\system32\Ejkkfjkj.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2844 -
C:\Windows\SysWOW64\Elldgehk.exeC:\Windows\system32\Elldgehk.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:812 -
C:\Windows\SysWOW64\Fjbafi32.exeC:\Windows\system32\Fjbafi32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2140 -
C:\Windows\SysWOW64\Fkejcq32.exeC:\Windows\system32\Fkejcq32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:532 -
C:\Windows\SysWOW64\Fnfcel32.exeC:\Windows\system32\Fnfcel32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2084 -
C:\Windows\SysWOW64\Fnipkkdl.exeC:\Windows\system32\Fnipkkdl.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2060 -
C:\Windows\SysWOW64\Gqiimfam.exeC:\Windows\system32\Gqiimfam.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3068 -
C:\Windows\SysWOW64\Gjbmelgm.exeC:\Windows\system32\Gjbmelgm.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1956 -
C:\Windows\SysWOW64\Gnpflj32.exeC:\Windows\system32\Gnpflj32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:292 -
C:\Windows\SysWOW64\Gqnbhf32.exeC:\Windows\system32\Gqnbhf32.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1588 -
C:\Windows\SysWOW64\Gmecmg32.exeC:\Windows\system32\Gmecmg32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1724 -
C:\Windows\SysWOW64\Gcokiaji.exeC:\Windows\system32\Gcokiaji.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2456 -
C:\Windows\SysWOW64\Gjicfk32.exeC:\Windows\system32\Gjicfk32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2452 -
C:\Windows\SysWOW64\Hmjlhfof.exeC:\Windows\system32\Hmjlhfof.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1628 -
C:\Windows\SysWOW64\Hllmcc32.exeC:\Windows\system32\Hllmcc32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1740 -
C:\Windows\SysWOW64\Hfbaql32.exeC:\Windows\system32\Hfbaql32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2288 -
C:\Windows\SysWOW64\Hhcmhdke.exeC:\Windows\system32\Hhcmhdke.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1312 -
C:\Windows\SysWOW64\Hegnahjo.exeC:\Windows\system32\Hegnahjo.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2800 -
C:\Windows\SysWOW64\Hhhgcc32.exeC:\Windows\system32\Hhhgcc32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2880 -
C:\Windows\SysWOW64\Hjfcpo32.exeC:\Windows\system32\Hjfcpo32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2908 -
C:\Windows\SysWOW64\Ipehmebh.exeC:\Windows\system32\Ipehmebh.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2772 -
C:\Windows\SysWOW64\Ifoqjo32.exeC:\Windows\system32\Ifoqjo32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2636 -
C:\Windows\SysWOW64\Ifampo32.exeC:\Windows\system32\Ifampo32.exe33⤵
- Executes dropped EXE
PID:2628 -
C:\Windows\SysWOW64\Iipiljgf.exeC:\Windows\system32\Iipiljgf.exe34⤵
- Executes dropped EXE
PID:2656 -
C:\Windows\SysWOW64\Imnbbi32.exeC:\Windows\system32\Imnbbi32.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:2848 -
C:\Windows\SysWOW64\Iplnnd32.exeC:\Windows\system32\Iplnnd32.exe36⤵
- Executes dropped EXE
PID:2980 -
C:\Windows\SysWOW64\Ibkkjp32.exeC:\Windows\system32\Ibkkjp32.exe37⤵
- Executes dropped EXE
PID:1864 -
C:\Windows\SysWOW64\Ieigfk32.exeC:\Windows\system32\Ieigfk32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2976 -
C:\Windows\SysWOW64\Ioakoq32.exeC:\Windows\system32\Ioakoq32.exe39⤵
- Executes dropped EXE
PID:2160 -
C:\Windows\SysWOW64\Ielclkhe.exeC:\Windows\system32\Ielclkhe.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:480 -
C:\Windows\SysWOW64\Jkkija32.exeC:\Windows\system32\Jkkija32.exe41⤵
- Executes dropped EXE
PID:972 -
C:\Windows\SysWOW64\Jaeafklf.exeC:\Windows\system32\Jaeafklf.exe42⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1772 -
C:\Windows\SysWOW64\Jnkakl32.exeC:\Windows\system32\Jnkakl32.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1920 -
C:\Windows\SysWOW64\Jpjngh32.exeC:\Windows\system32\Jpjngh32.exe44⤵
- Executes dropped EXE
PID:1720 -
C:\Windows\SysWOW64\Jhafhe32.exeC:\Windows\system32\Jhafhe32.exe45⤵
- Executes dropped EXE
PID:1812 -
C:\Windows\SysWOW64\Jnnnalph.exeC:\Windows\system32\Jnnnalph.exe46⤵
- Executes dropped EXE
PID:1184 -
C:\Windows\SysWOW64\Jdhgnf32.exeC:\Windows\system32\Jdhgnf32.exe47⤵
- Executes dropped EXE
PID:2448 -
C:\Windows\SysWOW64\Jkbojpna.exeC:\Windows\system32\Jkbojpna.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:900 -
C:\Windows\SysWOW64\Jnpkflne.exeC:\Windows\system32\Jnpkflne.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1980 -
C:\Windows\SysWOW64\Jpogbgmi.exeC:\Windows\system32\Jpogbgmi.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:1632 -
C:\Windows\SysWOW64\Kfkpknkq.exeC:\Windows\system32\Kfkpknkq.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1576 -
C:\Windows\SysWOW64\Kpadhg32.exeC:\Windows\system32\Kpadhg32.exe52⤵
- Executes dropped EXE
PID:2420 -
C:\Windows\SysWOW64\Kcopdb32.exeC:\Windows\system32\Kcopdb32.exe53⤵
- Executes dropped EXE
PID:1908 -
C:\Windows\SysWOW64\Khlili32.exeC:\Windows\system32\Khlili32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2704 -
C:\Windows\SysWOW64\Kpcqnf32.exeC:\Windows\system32\Kpcqnf32.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3004 -
C:\Windows\SysWOW64\Kbdmeoob.exeC:\Windows\system32\Kbdmeoob.exe56⤵
- Executes dropped EXE
PID:2808 -
C:\Windows\SysWOW64\Khoebi32.exeC:\Windows\system32\Khoebi32.exe57⤵
- Executes dropped EXE
PID:2156 -
C:\Windows\SysWOW64\Kohnoc32.exeC:\Windows\system32\Kohnoc32.exe58⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2948 -
C:\Windows\SysWOW64\Kbgjkn32.exeC:\Windows\system32\Kbgjkn32.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:3008 -
C:\Windows\SysWOW64\Kllnhg32.exeC:\Windows\system32\Kllnhg32.exe60⤵
- Executes dropped EXE
PID:1760 -
C:\Windows\SysWOW64\Kokjdb32.exeC:\Windows\system32\Kokjdb32.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:1612 -
C:\Windows\SysWOW64\Kdhcli32.exeC:\Windows\system32\Kdhcli32.exe62⤵
- Executes dropped EXE
PID:308 -
C:\Windows\SysWOW64\Lkakicam.exeC:\Windows\system32\Lkakicam.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1064 -
C:\Windows\SysWOW64\Lqncaj32.exeC:\Windows\system32\Lqncaj32.exe64⤵
- Executes dropped EXE
PID:2324 -
C:\Windows\SysWOW64\Lghlndfa.exeC:\Windows\system32\Lghlndfa.exe65⤵
- Executes dropped EXE
PID:268 -
C:\Windows\SysWOW64\Lnbdko32.exeC:\Windows\system32\Lnbdko32.exe66⤵PID:1716
-
C:\Windows\SysWOW64\Lqqpgj32.exeC:\Windows\system32\Lqqpgj32.exe67⤵
- Modifies registry class
PID:1784 -
C:\Windows\SysWOW64\Lkfddc32.exeC:\Windows\system32\Lkfddc32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1984 -
C:\Windows\SysWOW64\Lmgalkcf.exeC:\Windows\system32\Lmgalkcf.exe69⤵PID:2280
-
C:\Windows\SysWOW64\Ldoimh32.exeC:\Windows\system32\Ldoimh32.exe70⤵PID:1776
-
C:\Windows\SysWOW64\Ljkaeo32.exeC:\Windows\system32\Ljkaeo32.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2936 -
C:\Windows\SysWOW64\Lqejbiim.exeC:\Windows\system32\Lqejbiim.exe72⤵
- Modifies registry class
PID:2900 -
C:\Windows\SysWOW64\Lcdfnehp.exeC:\Windows\system32\Lcdfnehp.exe73⤵PID:2836
-
C:\Windows\SysWOW64\Lfbbjpgd.exeC:\Windows\system32\Lfbbjpgd.exe74⤵PID:1928
-
C:\Windows\SysWOW64\Liqoflfh.exeC:\Windows\system32\Liqoflfh.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2024 -
C:\Windows\SysWOW64\Lbicoamh.exeC:\Windows\system32\Lbicoamh.exe76⤵
- System Location Discovery: System Language Discovery
PID:1824 -
C:\Windows\SysWOW64\Mmogmjmn.exeC:\Windows\system32\Mmogmjmn.exe77⤵PID:464
-
C:\Windows\SysWOW64\Mpmcielb.exeC:\Windows\system32\Mpmcielb.exe78⤵PID:1224
-
C:\Windows\SysWOW64\Mfglep32.exeC:\Windows\system32\Mfglep32.exe79⤵
- Modifies registry class
PID:1732 -
C:\Windows\SysWOW64\Miehak32.exeC:\Windows\system32\Miehak32.exe80⤵PID:352
-
C:\Windows\SysWOW64\Mkddnf32.exeC:\Windows\system32\Mkddnf32.exe81⤵PID:2176
-
C:\Windows\SysWOW64\Mbnljqic.exeC:\Windows\system32\Mbnljqic.exe82⤵
- Drops file in System32 directory
PID:1608 -
C:\Windows\SysWOW64\Mihdgkpp.exeC:\Windows\system32\Mihdgkpp.exe83⤵PID:612
-
C:\Windows\SysWOW64\Mpamde32.exeC:\Windows\system32\Mpamde32.exe84⤵
- System Location Discovery: System Language Discovery
PID:576 -
C:\Windows\SysWOW64\Macilmnk.exeC:\Windows\system32\Macilmnk.exe85⤵PID:908
-
C:\Windows\SysWOW64\Mlhnifmq.exeC:\Windows\system32\Mlhnifmq.exe86⤵PID:2284
-
C:\Windows\SysWOW64\Mngjeamd.exeC:\Windows\system32\Mngjeamd.exe87⤵
- System Location Discovery: System Language Discovery
PID:2340 -
C:\Windows\SysWOW64\Mccbmh32.exeC:\Windows\system32\Mccbmh32.exe88⤵PID:884
-
C:\Windows\SysWOW64\Mjnjjbbh.exeC:\Windows\system32\Mjnjjbbh.exe89⤵PID:2860
-
C:\Windows\SysWOW64\Nagbgl32.exeC:\Windows\system32\Nagbgl32.exe90⤵PID:2940
-
C:\Windows\SysWOW64\Nhakcfab.exeC:\Windows\system32\Nhakcfab.exe91⤵
- Modifies registry class
PID:1800 -
C:\Windows\SysWOW64\Najpll32.exeC:\Windows\system32\Najpll32.exe92⤵
- Drops file in System32 directory
PID:1808 -
C:\Windows\SysWOW64\Npmphinm.exeC:\Windows\system32\Npmphinm.exe93⤵PID:2824
-
C:\Windows\SysWOW64\Nfghdcfj.exeC:\Windows\system32\Nfghdcfj.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:264 -
C:\Windows\SysWOW64\Nmqpam32.exeC:\Windows\system32\Nmqpam32.exe95⤵PID:808
-
C:\Windows\SysWOW64\Nbniid32.exeC:\Windows\system32\Nbniid32.exe96⤵
- Drops file in System32 directory
PID:1492 -
C:\Windows\SysWOW64\Nigafnck.exeC:\Windows\system32\Nigafnck.exe97⤵
- Drops file in System32 directory
PID:2068 -
C:\Windows\SysWOW64\Ndmecgba.exeC:\Windows\system32\Ndmecgba.exe98⤵
- Drops file in System32 directory
PID:760 -
C:\Windows\SysWOW64\Nenakoho.exeC:\Windows\system32\Nenakoho.exe99⤵
- System Location Discovery: System Language Discovery
PID:1816 -
C:\Windows\SysWOW64\Nbbbdcgi.exeC:\Windows\system32\Nbbbdcgi.exe100⤵PID:2384
-
C:\Windows\SysWOW64\Olkfmi32.exeC:\Windows\system32\Olkfmi32.exe101⤵
- Drops file in System32 directory
- Modifies registry class
PID:2260 -
C:\Windows\SysWOW64\Oeckfndj.exeC:\Windows\system32\Oeckfndj.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2180 -
C:\Windows\SysWOW64\Ohagbj32.exeC:\Windows\system32\Ohagbj32.exe103⤵PID:2888
-
C:\Windows\SysWOW64\Oeehln32.exeC:\Windows\system32\Oeehln32.exe104⤵PID:2608
-
C:\Windows\SysWOW64\Olophhjd.exeC:\Windows\system32\Olophhjd.exe105⤵PID:3016
-
C:\Windows\SysWOW64\Oehdan32.exeC:\Windows\system32\Oehdan32.exe106⤵
- System Location Discovery: System Language Discovery
PID:1592 -
C:\Windows\SysWOW64\Ogiaif32.exeC:\Windows\system32\Ogiaif32.exe107⤵PID:1600
-
C:\Windows\SysWOW64\Oanefo32.exeC:\Windows\system32\Oanefo32.exe108⤵PID:2320
-
C:\Windows\SysWOW64\Ohhmcinf.exeC:\Windows\system32\Ohhmcinf.exe109⤵
- Drops file in System32 directory
PID:440 -
C:\Windows\SysWOW64\Oijjka32.exeC:\Windows\system32\Oijjka32.exe110⤵PID:1852
-
C:\Windows\SysWOW64\Pdonhj32.exeC:\Windows\system32\Pdonhj32.exe111⤵PID:1972
-
C:\Windows\SysWOW64\Pgnjde32.exeC:\Windows\system32\Pgnjde32.exe112⤵PID:2332
-
C:\Windows\SysWOW64\Pljcllqe.exeC:\Windows\system32\Pljcllqe.exe113⤵PID:3024
-
C:\Windows\SysWOW64\Pcdkif32.exeC:\Windows\system32\Pcdkif32.exe114⤵PID:2460
-
C:\Windows\SysWOW64\Pnjofo32.exeC:\Windows\system32\Pnjofo32.exe115⤵PID:2716
-
C:\Windows\SysWOW64\Poklngnf.exeC:\Windows\system32\Poklngnf.exe116⤵PID:2732
-
C:\Windows\SysWOW64\Piqpkpml.exeC:\Windows\system32\Piqpkpml.exe117⤵PID:1952
-
C:\Windows\SysWOW64\Plolgk32.exeC:\Windows\system32\Plolgk32.exe118⤵
- Modifies registry class
PID:1676 -
C:\Windows\SysWOW64\Pomhcg32.exeC:\Windows\system32\Pomhcg32.exe119⤵PID:1988
-
C:\Windows\SysWOW64\Pjcmap32.exeC:\Windows\system32\Pjcmap32.exe120⤵PID:2088
-
C:\Windows\SysWOW64\Plaimk32.exeC:\Windows\system32\Plaimk32.exe121⤵PID:1540
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-