Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-11-2024 05:15

Static task: static1

Behavioral task: behavioral1
Sample: f444b84179baffadd0c1d1fe6be692838611deca88e30cfb600c76e2eff61823.exe
Resource: win7-20241010-en

Behavioral task: behavioral2
Sample: f444b84179baffadd0c1d1fe6be692838611deca88e30cfb600c76e2eff61823.exe
Resource: win10v2004-20241007-en
General
Target: f444b84179baffadd0c1d1fe6be692838611deca88e30cfb600c76e2eff61823.exe
Size: 105KB
MD5: c3fe93674631768a8ae5803fc5276b3f
SHA1: ef81a2654283b9efddcce834acc9d8edb29b4585
SHA256: f444b84179baffadd0c1d1fe6be692838611deca88e30cfb600c76e2eff61823
SHA512: 67e2928be111ce2e9549a36e7d229df2f8c9aba2daaa8c8009289c2ee891c08e25f41c22862fa98f3fbef744aac9bc1e88ea88fffe930a458fb3efa1685981a7
SSDEEP: 3072:xtNoFLCeplAarVsRxPcxkdeGZl2NkzwH5GJks8WYlOWeE:CdpuiaxEbY9zwZ9s8Sm
Malware Config
Extracted family: berbew
URLs:
http://viruslist.com/wcmd.txt
http://viruslist.com/ppslog.php
http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Berbew family
Executes dropped EXE (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)
pid: 13060, pid_target: 11660, procid_target: 1363
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory 64 IoCs
Processes: f444b84179baffadd0c1d1fe6be692838611deca88e30cfb600c76e2eff61823.exe, Nphhmj32.exe, Ncfdie32.exe, Nnlhfn32.exe, Npjebj32.exe, Ncianepl.exe, Nfgmjqop.exe, Nlaegk32.exe, Nckndeni.exe, Nnqbanmo.exe, Ocnjidkf.exe, Oncofm32.exe, Opakbi32.exe, Ojjolnaq.exe, Olhlhjpd.exe, Ognpebpj.exe, Olkhmi32.exe, Ogpmjb32.exe, Olmeci32.exe, Oddmdf32.exe, Ojaelm32.exe, Pqknig32.exe
description | pid | Process | procid_target
PID 4480 wrote to memory of 1080 | 4480 | f444b84179baffadd0c1d1fe6be692838611deca88e30cfb600c76e2eff61823.exe | 83
PID 1080 wrote to memory of 3112 | 1080 | Nphhmj32.exe | 84
PID 3112 wrote to memory of 3584 | 3112 | Ncfdie32.exe | 85
PID 3584 wrote to memory of 228 | 3584 | Nnlhfn32.exe | 86
PID 228 wrote to memory of 3832 | 228 | Npjebj32.exe | 87
PID 3832 wrote to memory of 4572 | 3832 | Ncianepl.exe | 88
PID 4572 wrote to memory of 764 | 4572 | Nfgmjqop.exe | 89
PID 764 wrote to memory of 1208 | 764 | Nlaegk32.exe | 90
PID 1208 wrote to memory of 3316 | 1208 | Nckndeni.exe | 91
PID 3316 wrote to memory of 1564 | 3316 | Nnqbanmo.exe | 92
PID 1564 wrote to memory of 1940 | 1564 | Ocnjidkf.exe | 93
PID 1940 wrote to memory of 3992 | 1940 | Oncofm32.exe | 94
PID 3992 wrote to memory of 2660 | 3992 | Opakbi32.exe | 95
PID 2660 wrote to memory of 1132 | 2660 | Ojjolnaq.exe | 96
PID 1132 wrote to memory of 4804 | 1132 | Olhlhjpd.exe | 97
PID 4804 wrote to memory of 4384 | 4804 | Ognpebpj.exe | 98
PID 4384 wrote to memory of 4696 | 4384 | Olkhmi32.exe | 99
PID 4696 wrote to memory of 2644 | 4696 | Ogpmjb32.exe | 100
PID 2644 wrote to memory of 4476 | 2644 | Olmeci32.exe | 101
PID 4476 wrote to memory of 4060 | 4476 | Oddmdf32.exe | 102
PID 4060 wrote to memory of 2128 | 4060 | Ojaelm32.exe | 103
PID 2128 wrote to memory of 4588 | 2128 | Pqknig32.exe | 104
Processes
(image path | PID | tree depth | command line; signature hits are listed under each entry)
C:\Users\Admin\AppData\Local\Temp\f444b84179baffadd0c1d1fe6be692838611deca88e30cfb600c76e2eff61823.exe | PID:4480 | depth 1 | cmdline: "C:\Users\Admin\AppData\Local\Temp\f444b84179baffadd0c1d1fe6be692838611deca88e30cfb600c76e2eff61823.exe"
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Nphhmj32.exe | PID:1080 | depth 2 | cmdline: C:\Windows\system32\Nphhmj32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Ncfdie32.exe | PID:3112 | depth 3 | cmdline: C:\Windows\system32\Ncfdie32.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Nnlhfn32.exe | PID:3584 | depth 4 | cmdline: C:\Windows\system32\Nnlhfn32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Npjebj32.exe | PID:228 | depth 5 | cmdline: C:\Windows\system32\Npjebj32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Ncianepl.exe | PID:3832 | depth 6 | cmdline: C:\Windows\system32\Ncianepl.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Nfgmjqop.exe | PID:4572 | depth 7 | cmdline: C:\Windows\system32\Nfgmjqop.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Nlaegk32.exe | PID:764 | depth 8 | cmdline: C:\Windows\system32\Nlaegk32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Nckndeni.exe | PID:1208 | depth 9 | cmdline: C:\Windows\system32\Nckndeni.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Nnqbanmo.exe | PID:3316 | depth 10 | cmdline: C:\Windows\system32\Nnqbanmo.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Ocnjidkf.exe | PID:1564 | depth 11 | cmdline: C:\Windows\system32\Ocnjidkf.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Oncofm32.exe | PID:1940 | depth 12 | cmdline: C:\Windows\system32\Oncofm32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Opakbi32.exe | PID:3992 | depth 13 | cmdline: C:\Windows\system32\Opakbi32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Ojjolnaq.exe | PID:2660 | depth 14 | cmdline: C:\Windows\system32\Ojjolnaq.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Olhlhjpd.exe | PID:1132 | depth 15 | cmdline: C:\Windows\system32\Olhlhjpd.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Ognpebpj.exe | PID:4804 | depth 16 | cmdline: C:\Windows\system32\Ognpebpj.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Olkhmi32.exe | PID:4384 | depth 17 | cmdline: C:\Windows\system32\Olkhmi32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Ogpmjb32.exe | PID:4696 | depth 18 | cmdline: C:\Windows\system32\Ogpmjb32.exe
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Olmeci32.exe | PID:2644 | depth 19 | cmdline: C:\Windows\system32\Olmeci32.exe
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Oddmdf32.exe | PID:4476 | depth 20 | cmdline: C:\Windows\system32\Oddmdf32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Ojaelm32.exe | PID:4060 | depth 21 | cmdline: C:\Windows\system32\Ojaelm32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Pqknig32.exe | PID:2128 | depth 22 | cmdline: C:\Windows\system32\Pqknig32.exe
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Pgefeajb.exe | PID:4588 | depth 23 | cmdline: C:\Windows\system32\Pgefeajb.exe
- Executes dropped EXE
C:\Windows\SysWOW64\Pqmjog32.exe | PID:2736 | depth 24 | cmdline: C:\Windows\system32\Pqmjog32.exe
- Executes dropped EXE
C:\Windows\SysWOW64\Pmdkch32.exe | PID:2336 | depth 25 | cmdline: C:\Windows\system32\Pmdkch32.exe
- Executes dropped EXE
C:\Windows\SysWOW64\Pflplnlg.exe | PID:4012 | depth 26 | cmdline: C:\Windows\system32\Pflplnlg.exe
- Executes dropped EXE
C:\Windows\SysWOW64\Pmfhig32.exe | PID:1072 | depth 27 | cmdline: C:\Windows\system32\Pmfhig32.exe
- Executes dropped EXE
C:\Windows\SysWOW64\Pgllfp32.exe | PID:4916 | depth 28 | cmdline: C:\Windows\system32\Pgllfp32.exe
- Executes dropped EXE
C:\Windows\SysWOW64\Pfolbmje.exe | PID:1856 | depth 29 | cmdline: C:\Windows\system32\Pfolbmje.exe
- Executes dropped EXE
C:\Windows\SysWOW64\Pqdqof32.exe | PID:3952 | depth 30 | cmdline: C:\Windows\system32\Pqdqof32.exe
- Executes dropped EXE
C:\Windows\SysWOW64\Pcbmka32.exe | PID:1520 | depth 31 | cmdline: C:\Windows\system32\Pcbmka32.exe
- Executes dropped EXE
C:\Windows\SysWOW64\Pgnilpah.exe | PID:4388 | depth 32 | cmdline: C:\Windows\system32\Pgnilpah.exe
- Executes dropped EXE
C:\Windows\SysWOW64\Qnhahj32.exe | PID:3044 | depth 33 | cmdline: C:\Windows\system32\Qnhahj32.exe
- Executes dropped EXE
C:\Windows\SysWOW64\Qqfmde32.exe | PID:4380 | depth 34 | cmdline: C:\Windows\system32\Qqfmde32.exe
- Executes dropped EXE
C:\Windows\SysWOW64\Qqijje32.exe | PID:3940 | depth 35 | cmdline: C:\Windows\system32\Qqijje32.exe
- Executes dropped EXE
C:\Windows\SysWOW64\Qcgffqei.exe | PID:4452 | depth 36 | cmdline: C:\Windows\system32\Qcgffqei.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
C:\Windows\SysWOW64\Qffbbldm.exe | PID:3684 | depth 37 | cmdline: C:\Windows\system32\Qffbbldm.exe
- Executes dropped EXE
C:\Windows\SysWOW64\Ampkof32.exe | PID:1452 | depth 38 | cmdline: C:\Windows\system32\Ampkof32.exe
- Executes dropped EXE
C:\Windows\SysWOW64\Ageolo32.exe | PID:3244 | depth 39 | cmdline: C:\Windows\system32\Ageolo32.exe
- Executes dropped EXE
C:\Windows\SysWOW64\Anogiicl.exe | PID:4124 | depth 40 | cmdline: C:\Windows\system32\Anogiicl.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
C:\Windows\SysWOW64\Afjlnk32.exe | PID:3260 | depth 41 | cmdline: C:\Windows\system32\Afjlnk32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
C:\Windows\SysWOW64\Amddjegd.exe | PID:4796 | depth 42 | cmdline: C:\Windows\system32\Amddjegd.exe
- Executes dropped EXE
C:\Windows\SysWOW64\Acnlgp32.exe | PID:1992 | depth 43 | cmdline: C:\Windows\system32\Acnlgp32.exe
- Executes dropped EXE
C:\Windows\SysWOW64\Ajhddjfn.exe | PID:2952 | depth 44 | cmdline: C:\Windows\system32\Ajhddjfn.exe
- Executes dropped EXE
C:\Windows\SysWOW64\Acqimo32.exe | PID:348 | depth 45 | cmdline: C:\Windows\system32\Acqimo32.exe
- Executes dropped EXE
C:\Windows\SysWOW64\Aminee32.exe | PID:2496 | depth 46 | cmdline: C:\Windows\system32\Aminee32.exe
- Executes dropped EXE
C:\Windows\SysWOW64\Bjmnoi32.exe | PID:2932 | depth 47 | cmdline: C:\Windows\system32\Bjmnoi32.exe
- Executes dropped EXE
C:\Windows\SysWOW64\Bjokdipf.exe | PID:592 | depth 48 | cmdline: C:\Windows\system32\Bjokdipf.exe
- Executes dropped EXE
C:\Windows\SysWOW64\Bmngqdpj.exe | PID:5048 | depth 49 | cmdline: C:\Windows\system32\Bmngqdpj.exe
- Executes dropped EXE
C:\Windows\SysWOW64\Bchomn32.exe | PID:2008 | depth 50 | cmdline: C:\Windows\system32\Bchomn32.exe
- Executes dropped EXE
- Drops file in System32 directory
C:\Windows\SysWOW64\Bmpcfdmg.exe | PID:744 | depth 51 | cmdline: C:\Windows\system32\Bmpcfdmg.exe
- Executes dropped EXE
C:\Windows\SysWOW64\Bjddphlq.exe | PID:4900 | depth 52 | cmdline: C:\Windows\system32\Bjddphlq.exe
- Executes dropped EXE
C:\Windows\SysWOW64\Bhhdil32.exe | PID:1860 | depth 53 | cmdline: C:\Windows\system32\Bhhdil32.exe
- Executes dropped EXE
C:\Windows\SysWOW64\Bapiabak.exe | PID:2436 | depth 54 | cmdline: C:\Windows\system32\Bapiabak.exe
- Executes dropped EXE
C:\Windows\SysWOW64\Cjinkg32.exe | PID:64 | depth 55 | cmdline: C:\Windows\system32\Cjinkg32.exe
- Executes dropped EXE
C:\Windows\SysWOW64\Cenahpha.exe | PID:768 | depth 56 | cmdline: C:\Windows\system32\Cenahpha.exe
- Executes dropped EXE
C:\Windows\SysWOW64\Cfpnph32.exe | PID:3312 | depth 57 | cmdline: C:\Windows\system32\Cfpnph32.exe
- Executes dropped EXE
C:\Windows\SysWOW64\Cnffqf32.exe | PID:4172 | depth 58 | cmdline: C:\Windows\system32\Cnffqf32.exe
- Executes dropped EXE
C:\Windows\SysWOW64\Ceqnmpfo.exe | PID:1984 | depth 59 | cmdline: C:\Windows\system32\Ceqnmpfo.exe
- Executes dropped EXE
- Modifies registry class
C:\Windows\SysWOW64\Cnicfe32.exe | PID:4868 | depth 60 | cmdline: C:\Windows\system32\Cnicfe32.exe
- Executes dropped EXE
C:\Windows\SysWOW64\Ceckcp32.exe | PID:1972 | depth 61 | cmdline: C:\Windows\system32\Ceckcp32.exe
- Executes dropped EXE
C:\Windows\SysWOW64\Chagok32.exe | PID:3452 | depth 62 | cmdline: C:\Windows\system32\Chagok32.exe
- Executes dropped EXE
C:\Windows\SysWOW64\Cnkplejl.exe | PID:1488 | depth 63 | cmdline: C:\Windows\system32\Cnkplejl.exe
- Executes dropped EXE
C:\Windows\SysWOW64\Cdhhdlid.exe | PID:5040 | depth 64 | cmdline: C:\Windows\system32\Cdhhdlid.exe
- Executes dropped EXE
C:\Windows\SysWOW64\Cjbpaf32.exe | PID:5100 | depth 65 | cmdline: C:\Windows\system32\Cjbpaf32.exe
- Executes dropped EXE
C:\Windows\SysWOW64\Dfiafg32.exe | PID:2712 | depth 66 | cmdline: C:\Windows\system32\Dfiafg32.exe
- Modifies registry class
C:\Windows\SysWOW64\Dmcibama.exe | PID:556 | depth 67 | cmdline: C:\Windows\system32\Dmcibama.exe
C:\Windows\SysWOW64\Ddmaok32.exe | PID:1156 | depth 68 | cmdline: C:\Windows\system32\Ddmaok32.exe
C:\Windows\SysWOW64\Dmefhako.exe | PID:5036 | depth 69 | cmdline: C:\Windows\system32\Dmefhako.exe
C:\Windows\SysWOW64\Dhkjej32.exe | PID:1528 | depth 70 | cmdline: C:\Windows\system32\Dhkjej32.exe
C:\Windows\SysWOW64\Dkifae32.exe | PID:3672 | depth 71 | cmdline: C:\Windows\system32\Dkifae32.exe
C:\Windows\SysWOW64\Deokon32.exe | PID:3580 | depth 72 | cmdline: C:\Windows\system32\Deokon32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
C:\Windows\SysWOW64\Dddhpjof.exe | PID:2904 | depth 73 | cmdline: C:\Windows\system32\Dddhpjof.exe
- Modifies registry class
C:\Windows\SysWOW64\Egdqae32.exe | PID:1476 | depth 74 | cmdline: C:\Windows\system32\Egdqae32.exe
C:\Windows\SysWOW64\Eolhbc32.exe | PID:548 | depth 75 | cmdline: C:\Windows\system32\Eolhbc32.exe
C:\Windows\SysWOW64\Eonehbjg.exe | PID:2944 | depth 76 | cmdline: C:\Windows\system32\Eonehbjg.exe
- Drops file in System32 directory
C:\Windows\SysWOW64\Egijmegb.exe | PID:4308 | depth 77 | cmdline: C:\Windows\system32\Egijmegb.exe
C:\Windows\SysWOW64\Ehiffh32.exe | PID:5004 | depth 78 | cmdline: C:\Windows\system32\Ehiffh32.exe
C:\Windows\SysWOW64\Eobocb32.exe | PID:3896 | depth 79 | cmdline: C:\Windows\system32\Eobocb32.exe
C:\Windows\SysWOW64\Eoekia32.exe | PID:2608 | depth 80 | cmdline: C:\Windows\system32\Eoekia32.exe
C:\Windows\SysWOW64\Fdbdah32.exe | PID:3132 | depth 81 | cmdline: C:\Windows\system32\Fdbdah32.exe
C:\Windows\SysWOW64\Foghnabl.exe | PID:3512 | depth 82 | cmdline: C:\Windows\system32\Foghnabl.exe
C:\Windows\SysWOW64\Fddqghpd.exe | PID:316 | depth 83 | cmdline: C:\Windows\system32\Fddqghpd.exe
C:\Windows\SysWOW64\Fknicb32.exe | PID:3284 | depth 84 | cmdline: C:\Windows\system32\Fknicb32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
C:\Windows\SysWOW64\Fnmepn32.exe | PID:3188 | depth 85 | cmdline: C:\Windows\system32\Fnmepn32.exe
C:\Windows\SysWOW64\Fedmqk32.exe | PID:3476 | depth 86 | cmdline: C:\Windows\system32\Fedmqk32.exe
C:\Windows\SysWOW64\Fhbimf32.exe | PID:4092 | depth 87 | cmdline: C:\Windows\system32\Fhbimf32.exe
C:\Windows\SysWOW64\Fkqeib32.exe | PID:2576 | depth 88 | cmdline: C:\Windows\system32\Fkqeib32.exe
C:\Windows\SysWOW64\Fnobem32.exe | PID:3852 | depth 89 | cmdline: C:\Windows\system32\Fnobem32.exe
- System Location Discovery: System Language Discovery
C:\Windows\SysWOW64\Fggfnc32.exe | PID:4676 | depth 90 | cmdline: C:\Windows\system32\Fggfnc32.exe
C:\Windows\SysWOW64\Fehfljca.exe | PID:5064 | depth 91 | cmdline: C:\Windows\system32\Fehfljca.exe
C:\Windows\SysWOW64\Fdkggg32.exe | PID:2764 | depth 92 | cmdline: C:\Windows\system32\Fdkggg32.exe
C:\Windows\SysWOW64\Fgjccb32.exe | PID:1704 | depth 93 | cmdline: C:\Windows\system32\Fgjccb32.exe
- Modifies registry class
C:\Windows\SysWOW64\Foqkdp32.exe | PID:412 | depth 94 | cmdline: C:\Windows\system32\Foqkdp32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
C:\Windows\SysWOW64\Gdncmghi.exe | PID:448 | depth 95 | cmdline: C:\Windows\system32\Gdncmghi.exe
C:\Windows\SysWOW64\Gglpibgm.exe | PID:5140 | depth 96 | cmdline: C:\Windows\system32\Gglpibgm.exe
- System Location Discovery: System Language Discovery
C:\Windows\SysWOW64\Gaadfkgc.exe | PID:5188 | depth 97 | cmdline: C:\Windows\system32\Gaadfkgc.exe
C:\Windows\SysWOW64\Gdppbfff.exe | PID:5232 | depth 98 | cmdline: C:\Windows\system32\Gdppbfff.exe
C:\Windows\SysWOW64\Gkjhoq32.exe | PID:5284 | depth 99 | cmdline: C:\Windows\system32\Gkjhoq32.exe
C:\Windows\SysWOW64\Gdbmhf32.exe | PID:5328 | depth 100 | cmdline: C:\Windows\system32\Gdbmhf32.exe
C:\Windows\SysWOW64\Ggqida32.exe | PID:5372 | depth 101 | cmdline: C:\Windows\system32\Ggqida32.exe
C:\Windows\SysWOW64\Gafmaj32.exe | PID:5416 | depth 102 | cmdline: C:\Windows\system32\Gafmaj32.exe
C:\Windows\SysWOW64\Ghpendjj.exe | PID:5460 | depth 103 | cmdline: C:\Windows\system32\Ghpendjj.exe
C:\Windows\SysWOW64\Gfdfgiid.exe | PID:5504 | depth 104 | cmdline: C:\Windows\system32\Gfdfgiid.exe
- Modifies registry class
C:\Windows\SysWOW64\Hheoid32.exe | PID:5552 | depth 105 | cmdline: C:\Windows\system32\Hheoid32.exe
C:\Windows\SysWOW64\Hoogfnnb.exe | PID:5604 | depth 106 | cmdline: C:\Windows\system32\Hoogfnnb.exe
C:\Windows\SysWOW64\Hbmcbime.exe | PID:5648 | depth 107 | cmdline: C:\Windows\system32\Hbmcbime.exe
- System Location Discovery: System Language Discovery
C:\Windows\SysWOW64\Hkehkocf.exe | PID:5692 | depth 108 | cmdline: C:\Windows\system32\Hkehkocf.exe
C:\Windows\SysWOW64\Hfklhhcl.exe | PID:5736 | depth 109 | cmdline: C:\Windows\system32\Hfklhhcl.exe
C:\Windows\SysWOW64\Hnfamjqg.exe | PID:5780 | depth 110 | cmdline: C:\Windows\system32\Hnfamjqg.exe
C:\Windows\SysWOW64\Hofmfmhj.exe | PID:5828 | depth 111 | cmdline: C:\Windows\system32\Hofmfmhj.exe
C:\Windows\SysWOW64\Hdbfodfa.exe | PID:5868 | depth 112 | cmdline: C:\Windows\system32\Hdbfodfa.exe
C:\Windows\SysWOW64\Iohjlmeg.exe | PID:5912 | depth 113 | cmdline: C:\Windows\system32\Iohjlmeg.exe
C:\Windows\SysWOW64\Ibffhhek.exe | PID:5952 | depth 114 | cmdline: C:\Windows\system32\Ibffhhek.exe
C:\Windows\SysWOW64\Igcoqocb.exe | PID:5996 | depth 115 | cmdline: C:\Windows\system32\Igcoqocb.exe
C:\Windows\SysWOW64\Iokgal32.exe | PID:6040 | depth 116 | cmdline: C:\Windows\system32\Iokgal32.exe
C:\Windows\SysWOW64\Idgojc32.exe | PID:6084 | depth 117 | cmdline: C:\Windows\system32\Idgojc32.exe
- System Location Discovery: System Language Discovery
C:\Windows\SysWOW64\Igfkfo32.exe | PID:6132 | depth 118 | cmdline: C:\Windows\system32\Igfkfo32.exe
C:\Windows\SysWOW64\Inpccihl.exe | PID:5152 | depth 119 | cmdline: C:\Windows\system32\Inpccihl.exe
- Adds autorun key to be loaded by Explorer.exe on startup
C:\Windows\SysWOW64\Ioopml32.exe | PID:5224 | depth 120 | cmdline: C:\Windows\system32\Ioopml32.exe
C:\Windows\SysWOW64\Ieliebnf.exe | PID:5280 | depth 121 | cmdline: C:\Windows\system32\Ieliebnf.exe
C:\Windows\SysWOW64\Indmnh32.exe | PID:5348 | depth 122 | cmdline: C:\Windows\system32\Indmnh32.exe