Analysis
-
max time kernel
119s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
07-12-2024 22:14
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
4a1655ade0db6f72b132040b8fa99141734c16f97e800249da6cafb2f3b301e1.exe
Resource
win7-20240903-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral2
Sample
4a1655ade0db6f72b132040b8fa99141734c16f97e800249da6cafb2f3b301e1.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
4a1655ade0db6f72b132040b8fa99141734c16f97e800249da6cafb2f3b301e1.exe
-
Size
608KB
-
MD5
d5ba433194b6cd88db255dd1251f389a
-
SHA1
e95ce0c2fd9d1017dfa950fbf416bb29f39f786b
-
SHA256
4a1655ade0db6f72b132040b8fa99141734c16f97e800249da6cafb2f3b301e1
-
SHA512
7323f085af82c7afebc24efca5b4a4e291251688eb1c4b35149d7788f30367753ae45274836bb2475ee81adc79af5cf113c452e1dab643564865c6ec574c5b26
-
SSDEEP
12288:2nAskY660fIaDZkY660f8jTK/XhdAwlt01A:2nAsgsaDZgQjGkwlp
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nabopjmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nilhhdga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aaheie32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbdallnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jmfafgbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qijdocfj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmhideol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eklqcl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gljnej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aeqabgoj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jblnaq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Idmkdh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhcmhdke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jehlkhig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mnaiol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Odoloalf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfdabino.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odgamdef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bccmmf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ccngld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ckcepj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghqnjk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eniclh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfpldf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipdojfgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Omefkplm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdbbgdjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jofbag32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cegcbjkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ggicgopd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opnbbe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmbemb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nkegeg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mieeibkn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnqned32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckoilb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ijclol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bammlq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Injndk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bcmfmlen.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hajinjff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kkoncdcp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ciohqa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Olonpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ajbggjfq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iimcclni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pqjfoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gejebk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hemqpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qpbglhjq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nhiholof.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hapklimq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cbffoabe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gmpjagfa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npolmh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhmhhmlm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ifdjeoep.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nijnln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oeehln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jfliim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kmjojo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clalod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Akncimmh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekhkjm32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2800 Bmkmdk32.exe 2808 Bdgafdfp.exe 2724 Bmpfojmp.exe 2608 Bhkdeggl.exe 3052 Ccahbp32.exe 276 Ckoilb32.exe 2520 Caknol32.exe 2616 Ccngld32.exe 2920 Dliijipn.exe 592 Dojald32.exe 1868 Dhbfdjdp.exe 1588 Egjpkffe.exe 2148 Eqbddk32.exe 2132 Efcfga32.exe 1956 Eqijej32.exe 108 Fncdgcqm.exe 2992 Fnfamcoj.exe 1832 Fljafg32.exe 1324 Fnhnbb32.exe 3004 Fbdjbaea.exe 928 Fllnlg32.exe 2300 Gdgcpi32.exe 576 Gffoldhp.exe 2528 Ghelfg32.exe 1592 Gjdhbc32.exe 2208 Gjfdhbld.exe 2812 Giieco32.exe 2256 Gikaio32.exe 2612 Gljnej32.exe 288 Ghqnjk32.exe 604 Hlljjjnm.exe 800 Homclekn.exe 2652 Hbhomd32.exe 2376 Heglio32.exe 2788 Hoopae32.exe 1992 Hoamgd32.exe 1784 Hmdmcanc.exe 2120 Hkhnle32.exe 2976 Iccbqh32.exe 2196 Ipgbjl32.exe 2000 Icfofg32.exe 2248 Iompkh32.exe 768 Igchlf32.exe 1520 Iefhhbef.exe 760 Ilqpdm32.exe 1060 Ioolqh32.exe 2492 Iamimc32.exe 2416 Ieidmbcc.exe 1448 Ilcmjl32.exe 780 Icmegf32.exe 2780 Idnaoohk.exe 2940 Jnffgd32.exe 2628 Jfnnha32.exe 2728 Jgojpjem.exe 2128 Jofbag32.exe 2464 Jhngjmlo.exe 2872 Jkmcfhkc.exe 3060 Jgcdki32.exe 1852 Jjbpgd32.exe 2784 Jgfqaiod.exe 2456 Jjdmmdnh.exe 2052 Jmbiipml.exe 856 Jcmafj32.exe 1032 Jfknbe32.exe -
Loads dropped DLL 64 IoCs
pid Process 2704 4a1655ade0db6f72b132040b8fa99141734c16f97e800249da6cafb2f3b301e1.exe 2704 4a1655ade0db6f72b132040b8fa99141734c16f97e800249da6cafb2f3b301e1.exe 2800 Bmkmdk32.exe 2800 Bmkmdk32.exe 2808 Bdgafdfp.exe 2808 Bdgafdfp.exe 2724 Bmpfojmp.exe 2724 Bmpfojmp.exe 2608 Bhkdeggl.exe 2608 Bhkdeggl.exe 3052 Ccahbp32.exe 3052 Ccahbp32.exe 276 Ckoilb32.exe 276 Ckoilb32.exe 2520 Caknol32.exe 2520 Caknol32.exe 2616 Ccngld32.exe 2616 Ccngld32.exe 2920 Dliijipn.exe 2920 Dliijipn.exe 592 Dojald32.exe 592 Dojald32.exe 1868 Dhbfdjdp.exe 1868 Dhbfdjdp.exe 1588 Egjpkffe.exe 1588 Egjpkffe.exe 2148 Eqbddk32.exe 2148 Eqbddk32.exe 2132 Efcfga32.exe 2132 Efcfga32.exe 1956 Eqijej32.exe 1956 Eqijej32.exe 108 Fncdgcqm.exe 108 Fncdgcqm.exe 2992 Fnfamcoj.exe 2992 Fnfamcoj.exe 1832 Fljafg32.exe 1832 Fljafg32.exe 1324 Fnhnbb32.exe 1324 Fnhnbb32.exe 3004 Fbdjbaea.exe 3004 Fbdjbaea.exe 928 Fllnlg32.exe 928 Fllnlg32.exe 2300 Gdgcpi32.exe 2300 Gdgcpi32.exe 576 Gffoldhp.exe 576 Gffoldhp.exe 2528 Ghelfg32.exe 2528 Ghelfg32.exe 1592 Gjdhbc32.exe 1592 Gjdhbc32.exe 2208 Gjfdhbld.exe 2208 Gjfdhbld.exe 2812 Giieco32.exe 2812 Giieco32.exe 2256 Gikaio32.exe 2256 Gikaio32.exe 2612 Gljnej32.exe 2612 Gljnej32.exe 288 Ghqnjk32.exe 288 Ghqnjk32.exe 604 Hlljjjnm.exe 604 Hlljjjnm.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Hjdfjo32.exe Hlafnbal.exe File opened for modification C:\Windows\SysWOW64\Nagbgl32.exe Mlkjne32.exe File opened for modification C:\Windows\SysWOW64\Dpmdofno.exe Dnnhbjnk.exe File created C:\Windows\SysWOW64\Khlajd32.dll Mabphn32.exe File created C:\Windows\SysWOW64\Abkhkgbb.exe Amnocpdk.exe File created C:\Windows\SysWOW64\Gaiedd32.dll Olgmcmgh.exe File created C:\Windows\SysWOW64\Dcfmdh32.dll Pkdihhag.exe File created C:\Windows\SysWOW64\Anjlebjc.exe Akkoig32.exe File created C:\Windows\SysWOW64\Kkjnnn32.exe Kdpfadlm.exe File opened for modification C:\Windows\SysWOW64\Dpapaj32.exe Danpemej.exe File created C:\Windows\SysWOW64\Ddbddikd.dll Kbfhbeek.exe File created C:\Windows\SysWOW64\Ajdlmi32.dll Mffimglk.exe File created C:\Windows\SysWOW64\Oidglb32.exe Ocjophem.exe File created C:\Windows\SysWOW64\Jbcdeq32.dll Opifnm32.exe File opened for modification C:\Windows\SysWOW64\Mjkndb32.exe Mlhnifmq.exe File created C:\Windows\SysWOW64\Elilld32.dll Egikjh32.exe File created C:\Windows\SysWOW64\Dpccjn32.dll Mapccndn.exe File created C:\Windows\SysWOW64\Ahmiofbn.dll Dhmhhmlm.exe File created C:\Windows\SysWOW64\Icmegf32.exe Ilcmjl32.exe File opened for modification C:\Windows\SysWOW64\Ocdmaj32.exe Oohqqlei.exe File created C:\Windows\SysWOW64\Hhbdee32.exe Hpkldg32.exe File opened for modification C:\Windows\SysWOW64\Mjhjdm32.exe Mcnbhb32.exe File created C:\Windows\SysWOW64\Jblnaq32.exe Jlpeij32.exe File created C:\Windows\SysWOW64\Pdakniag.exe Pmgbao32.exe File created C:\Windows\SysWOW64\Bhfnge32.dll Gdmdacnn.exe File created C:\Windows\SysWOW64\Ddliip32.exe Danmmd32.exe File created C:\Windows\SysWOW64\Kphnnlag.dll Gbdhjm32.exe File opened for modification C:\Windows\SysWOW64\Mmadbjkk.exe Mbkpeake.exe File created C:\Windows\SysWOW64\Okbpde32.exe Oeehln32.exe File created C:\Windows\SysWOW64\Klqahn32.dll Aqjdgmgd.exe File created C:\Windows\SysWOW64\Lclnemgd.exe Lanaiahq.exe File created C:\Windows\SysWOW64\Fcohbnpe.dll Bbikgk32.exe File opened for modification C:\Windows\SysWOW64\Cheido32.exe Cakqgeoi.exe File created C:\Windows\SysWOW64\Jpbbmeon.dll Kklkcn32.exe File created C:\Windows\SysWOW64\Gljnej32.exe Gikaio32.exe File created C:\Windows\SysWOW64\Aeidgbaf.exe Abkhkgbb.exe File opened for modification C:\Windows\SysWOW64\Hdlkcdog.exe Hjdfjo32.exe File created C:\Windows\SysWOW64\Cemdajgc.dll Iimcclni.exe File opened for modification C:\Windows\SysWOW64\Akhfoldn.exe Agljom32.exe File opened for modification C:\Windows\SysWOW64\Dbojdmcd.exe Ddliip32.exe File created C:\Windows\SysWOW64\Gfehan32.exe Glpdde32.exe File created C:\Windows\SysWOW64\Kalpeaik.dll Kopokehd.exe File created C:\Windows\SysWOW64\Lbpjpn32.dll Anahqh32.exe File opened for modification C:\Windows\SysWOW64\Ijclol32.exe Ihdpbq32.exe File opened for modification C:\Windows\SysWOW64\Klngkfge.exe Kklkcn32.exe File created C:\Windows\SysWOW64\Qkhgoi32.dll Jgcdki32.exe File opened for modification C:\Windows\SysWOW64\Odhfob32.exe Ookmfk32.exe File created C:\Windows\SysWOW64\Cmjbki32.dll Badnhbce.exe File created C:\Windows\SysWOW64\Bmnbjfam.dll Acmhepko.exe File opened for modification C:\Windows\SysWOW64\Pecgea32.exe Pdakniag.exe File created C:\Windows\SysWOW64\Ddpobo32.exe Dbncjf32.exe File created C:\Windows\SysWOW64\Ncnngfna.exe Njfjnpgp.exe File created C:\Windows\SysWOW64\Gjdhbc32.exe Ghelfg32.exe File opened for modification C:\Windows\SysWOW64\Gljnej32.exe Gikaio32.exe File created C:\Windows\SysWOW64\Hanedg32.dll Nilhhdga.exe File created C:\Windows\SysWOW64\Kcebfo32.dll Kgpmjf32.exe File created C:\Windows\SysWOW64\Dfocegkg.dll Emagacdm.exe File created C:\Windows\SysWOW64\Cinafkkd.exe Cagienkb.exe File opened for modification C:\Windows\SysWOW64\Eqbddk32.exe Egjpkffe.exe File opened for modification C:\Windows\SysWOW64\Lclnemgd.exe Lanaiahq.exe File created C:\Windows\SysWOW64\Fpahiebe.dll Mhjbjopf.exe File created C:\Windows\SysWOW64\Fiqhbk32.dll Akcomepg.exe File created C:\Windows\SysWOW64\Dddaaf32.dll Ipgbjl32.exe File created C:\Windows\SysWOW64\Gljpncgc.exe Gfmgelil.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 8188 2256 WerFault.exe 864 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Panaeb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdakniag.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmicfh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbcmpfhi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qqbecp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khlili32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdmhbplb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajbggjfq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcbhee32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ioliqbjn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcjbna32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knjegqif.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Liklhmom.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qjhmfekp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hifpke32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Heglio32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpkpadnl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nefbga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amnocpdk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eniclh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Helgmg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bammlq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Halbai32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fajbke32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmmhaf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Danmmd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljieppcb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aqjdgmgd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dejbqb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnaiol32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbmcibjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldjpbign.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egahen32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjbafi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgmeid32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkqnoh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcnbhb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Caknol32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngkogj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajgpbj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekhkjm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfpifm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdghaf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehjehh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lqejbiim.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inhanl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijnbcmkk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qkfocaki.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbfhbeek.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nkegeg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Degiggjm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hboddk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jeafjiop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nabopjmj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbikgk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bcjqdmla.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Poklngnf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eheecbia.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnfcel32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnnhbjnk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fblmglgm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlhnifmq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnoiio32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhplhc32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nnkcpq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Edfbaabj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Clalod32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jdhgnf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gkbcbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onkkja32.dll" Jkgcab32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ohagbj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aojojl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eabcggll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cbiiog32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eldglp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oaghki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldeamlkj.dll" Pmagdbci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmhjho32.dll" Mcnpojca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgkjaa32.dll" Afjjed32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pkoicb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jjbpgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Libicbma.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ndnlnm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eamilh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mggabaea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epecke32.dll" Jmbiipml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eholdq32.dll" Egiiapci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pnalad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egjfigdn.dll" Fgldnkkf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ogkkfmml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fciang32.dll" Jfemlpdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bagkmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Inhanl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hmdmcanc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gnpmfqap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hefhqhka.dll" Nfkapb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohbamn32.dll" Jpigma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkjjmbgi.dll" Pcaepg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dbafjlaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ndkhngdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Egglkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jeqkmn32.dll" Hdlkcdog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmclka32.dll" Ifoqjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lkakicam.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Liqoflfh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Loqmba32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oifdbb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bibpad32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cbiiog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ibejdjln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lhknaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oldpnn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dhplhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjdgpmfa.dll" Jblnaq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Khcomhbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Heglio32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gnpmfqap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Akeijlfq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjplgd32.dll" Hmglajcd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ieajkfmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ghqnjk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lpekon32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gjlgfaco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdhqpd32.dll" Lgbeoibb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jopijcli.dll" Nefbga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ndnlnm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Plijimee.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bffpki32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2704 wrote to memory of 2800 2704 4a1655ade0db6f72b132040b8fa99141734c16f97e800249da6cafb2f3b301e1.exe 30 PID 2704 wrote to memory of 2800 2704 4a1655ade0db6f72b132040b8fa99141734c16f97e800249da6cafb2f3b301e1.exe 30 PID 2704 wrote to memory of 2800 2704 4a1655ade0db6f72b132040b8fa99141734c16f97e800249da6cafb2f3b301e1.exe 30 PID 2704 wrote to memory of 2800 2704 4a1655ade0db6f72b132040b8fa99141734c16f97e800249da6cafb2f3b301e1.exe 30 PID 2800 wrote to memory of 2808 2800 Bmkmdk32.exe 31 PID 2800 wrote to memory of 2808 2800 Bmkmdk32.exe 31 PID 2800 wrote to memory of 2808 2800 Bmkmdk32.exe 31 PID 2800 wrote to memory of 2808 2800 Bmkmdk32.exe 31 PID 2808 wrote to memory of 2724 2808 Bdgafdfp.exe 32 PID 2808 wrote to memory of 2724 2808 Bdgafdfp.exe 32 PID 2808 wrote to memory of 2724 2808 Bdgafdfp.exe 32 PID 2808 wrote to memory of 2724 2808 Bdgafdfp.exe 32 PID 2724 wrote to memory of 2608 2724 Bmpfojmp.exe 33 PID 2724 wrote to memory of 2608 2724 Bmpfojmp.exe 33 PID 2724 wrote to memory of 2608 2724 Bmpfojmp.exe 33 PID 2724 wrote to memory of 2608 2724 Bmpfojmp.exe 33 PID 2608 wrote to memory of 3052 2608 Bhkdeggl.exe 34 PID 2608 wrote to memory of 3052 2608 Bhkdeggl.exe 34 PID 2608 wrote to memory of 3052 2608 Bhkdeggl.exe 34 PID 2608 wrote to memory of 3052 2608 Bhkdeggl.exe 34 PID 3052 wrote to memory of 276 3052 Ccahbp32.exe 35 PID 3052 wrote to memory of 276 3052 Ccahbp32.exe 35 PID 3052 wrote to memory of 276 3052 Ccahbp32.exe 35 PID 3052 wrote to memory of 276 3052 Ccahbp32.exe 35 PID 276 wrote to memory of 2520 276 Ckoilb32.exe 36 PID 276 wrote to memory of 2520 276 Ckoilb32.exe 36 PID 276 wrote to memory of 2520 276 Ckoilb32.exe 36 PID 276 wrote to memory of 2520 276 Ckoilb32.exe 36 PID 2520 wrote to memory of 2616 2520 Caknol32.exe 37 PID 2520 wrote to memory of 2616 2520 Caknol32.exe 37 PID 2520 wrote to memory of 2616 2520 Caknol32.exe 37 PID 2520 wrote to memory of 2616 2520 Caknol32.exe 37 PID 2616 wrote to memory of 2920 2616 Ccngld32.exe 38 PID 2616 wrote to memory of 2920 2616 Ccngld32.exe 38 PID 2616 wrote to memory of 2920 2616 Ccngld32.exe 38 PID 2616 wrote to memory of 2920 2616 Ccngld32.exe 38 PID 2920 wrote to memory of 592 2920 Dliijipn.exe 39 PID 2920 wrote to memory of 592 2920 Dliijipn.exe 39 PID 2920 wrote to memory of 592 2920 Dliijipn.exe 39 PID 2920 wrote to memory of 592 2920 Dliijipn.exe 39 PID 592 wrote to memory of 1868 592 Dojald32.exe 40 PID 592 wrote to memory of 1868 592 Dojald32.exe 40 PID 592 wrote to memory of 1868 592 Dojald32.exe 40 PID 592 wrote to memory of 1868 592 Dojald32.exe 40 PID 1868 wrote to memory of 1588 1868 Dhbfdjdp.exe 41 PID 1868 wrote to memory of 1588 1868 Dhbfdjdp.exe 41 PID 1868 wrote to memory of 1588 1868 Dhbfdjdp.exe 41 PID 1868 wrote to memory of 1588 1868 Dhbfdjdp.exe 41 PID 1588 wrote to memory of 2148 1588 Egjpkffe.exe 42 PID 1588 wrote to memory of 2148 1588 Egjpkffe.exe 42 PID 1588 wrote to memory of 2148 1588 Egjpkffe.exe 42 PID 1588 wrote to memory of 2148 1588 Egjpkffe.exe 42 PID 2148 wrote to memory of 2132 2148 Eqbddk32.exe 43 PID 2148 wrote to memory of 2132 2148 Eqbddk32.exe 43 PID 2148 wrote to memory of 2132 2148 Eqbddk32.exe 43 PID 2148 wrote to memory of 2132 2148 Eqbddk32.exe 43 PID 2132 wrote to memory of 1956 2132 Efcfga32.exe 44 PID 2132 wrote to memory of 1956 2132 Efcfga32.exe 44 PID 2132 wrote to memory of 1956 2132 Efcfga32.exe 44 PID 2132 wrote to memory of 1956 2132 Efcfga32.exe 44 PID 1956 wrote to memory of 108 1956 Eqijej32.exe 45 PID 1956 wrote to memory of 108 1956 Eqijej32.exe 45 PID 1956 wrote to memory of 108 1956 Eqijej32.exe 45 PID 1956 wrote to memory of 108 1956 Eqijej32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\4a1655ade0db6f72b132040b8fa99141734c16f97e800249da6cafb2f3b301e1.exe"C:\Users\Admin\AppData\Local\Temp\4a1655ade0db6f72b132040b8fa99141734c16f97e800249da6cafb2f3b301e1.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2704 -
C:\Windows\SysWOW64\Bmkmdk32.exeC:\Windows\system32\Bmkmdk32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2800 -
C:\Windows\SysWOW64\Bdgafdfp.exeC:\Windows\system32\Bdgafdfp.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2808 -
C:\Windows\SysWOW64\Bmpfojmp.exeC:\Windows\system32\Bmpfojmp.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2724 -
C:\Windows\SysWOW64\Bhkdeggl.exeC:\Windows\system32\Bhkdeggl.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2608 -
C:\Windows\SysWOW64\Ccahbp32.exeC:\Windows\system32\Ccahbp32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3052 -
C:\Windows\SysWOW64\Ckoilb32.exeC:\Windows\system32\Ckoilb32.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:276 -
C:\Windows\SysWOW64\Caknol32.exeC:\Windows\system32\Caknol32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2520 -
C:\Windows\SysWOW64\Ccngld32.exeC:\Windows\system32\Ccngld32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Windows\SysWOW64\Dliijipn.exeC:\Windows\system32\Dliijipn.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2920 -
C:\Windows\SysWOW64\Dojald32.exeC:\Windows\system32\Dojald32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:592 -
C:\Windows\SysWOW64\Dhbfdjdp.exeC:\Windows\system32\Dhbfdjdp.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1868 -
C:\Windows\SysWOW64\Egjpkffe.exeC:\Windows\system32\Egjpkffe.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1588 -
C:\Windows\SysWOW64\Eqbddk32.exeC:\Windows\system32\Eqbddk32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2148 -
C:\Windows\SysWOW64\Efcfga32.exeC:\Windows\system32\Efcfga32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2132 -
C:\Windows\SysWOW64\Eqijej32.exeC:\Windows\system32\Eqijej32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1956 -
C:\Windows\SysWOW64\Fncdgcqm.exeC:\Windows\system32\Fncdgcqm.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:108 -
C:\Windows\SysWOW64\Fnfamcoj.exeC:\Windows\system32\Fnfamcoj.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2992 -
C:\Windows\SysWOW64\Fljafg32.exeC:\Windows\system32\Fljafg32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1832 -
C:\Windows\SysWOW64\Fnhnbb32.exeC:\Windows\system32\Fnhnbb32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1324 -
C:\Windows\SysWOW64\Fbdjbaea.exeC:\Windows\system32\Fbdjbaea.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3004 -
C:\Windows\SysWOW64\Fllnlg32.exeC:\Windows\system32\Fllnlg32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:928 -
C:\Windows\SysWOW64\Gdgcpi32.exeC:\Windows\system32\Gdgcpi32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2300 -
C:\Windows\SysWOW64\Gffoldhp.exeC:\Windows\system32\Gffoldhp.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:576 -
C:\Windows\SysWOW64\Ghelfg32.exeC:\Windows\system32\Ghelfg32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2528 -
C:\Windows\SysWOW64\Gjdhbc32.exeC:\Windows\system32\Gjdhbc32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1592 -
C:\Windows\SysWOW64\Gjfdhbld.exeC:\Windows\system32\Gjfdhbld.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2208 -
C:\Windows\SysWOW64\Giieco32.exeC:\Windows\system32\Giieco32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2812 -
C:\Windows\SysWOW64\Gikaio32.exeC:\Windows\system32\Gikaio32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2256 -
C:\Windows\SysWOW64\Gljnej32.exeC:\Windows\system32\Gljnej32.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2612 -
C:\Windows\SysWOW64\Ghqnjk32.exeC:\Windows\system32\Ghqnjk32.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:288 -
C:\Windows\SysWOW64\Hlljjjnm.exeC:\Windows\system32\Hlljjjnm.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:604 -
C:\Windows\SysWOW64\Homclekn.exeC:\Windows\system32\Homclekn.exe33⤵
- Executes dropped EXE
PID:800 -
C:\Windows\SysWOW64\Hbhomd32.exeC:\Windows\system32\Hbhomd32.exe34⤵
- Executes dropped EXE
PID:2652 -
C:\Windows\SysWOW64\Heglio32.exeC:\Windows\system32\Heglio32.exe35⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2376 -
C:\Windows\SysWOW64\Hoopae32.exeC:\Windows\system32\Hoopae32.exe36⤵
- Executes dropped EXE
PID:2788 -
C:\Windows\SysWOW64\Hoamgd32.exeC:\Windows\system32\Hoamgd32.exe37⤵
- Executes dropped EXE
PID:1992 -
C:\Windows\SysWOW64\Hmdmcanc.exeC:\Windows\system32\Hmdmcanc.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:1784 -
C:\Windows\SysWOW64\Hkhnle32.exeC:\Windows\system32\Hkhnle32.exe39⤵
- Executes dropped EXE
PID:2120 -
C:\Windows\SysWOW64\Iccbqh32.exeC:\Windows\system32\Iccbqh32.exe40⤵
- Executes dropped EXE
PID:2976 -
C:\Windows\SysWOW64\Ipgbjl32.exeC:\Windows\system32\Ipgbjl32.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2196 -
C:\Windows\SysWOW64\Icfofg32.exeC:\Windows\system32\Icfofg32.exe42⤵
- Executes dropped EXE
PID:2000 -
C:\Windows\SysWOW64\Iompkh32.exeC:\Windows\system32\Iompkh32.exe43⤵
- Executes dropped EXE
PID:2248 -
C:\Windows\SysWOW64\Igchlf32.exeC:\Windows\system32\Igchlf32.exe44⤵
- Executes dropped EXE
PID:768 -
C:\Windows\SysWOW64\Iefhhbef.exeC:\Windows\system32\Iefhhbef.exe45⤵
- Executes dropped EXE
PID:1520 -
C:\Windows\SysWOW64\Ilqpdm32.exeC:\Windows\system32\Ilqpdm32.exe46⤵
- Executes dropped EXE
PID:760 -
C:\Windows\SysWOW64\Ioolqh32.exeC:\Windows\system32\Ioolqh32.exe47⤵
- Executes dropped EXE
PID:1060 -
C:\Windows\SysWOW64\Iamimc32.exeC:\Windows\system32\Iamimc32.exe48⤵
- Executes dropped EXE
PID:2492 -
C:\Windows\SysWOW64\Ieidmbcc.exeC:\Windows\system32\Ieidmbcc.exe49⤵
- Executes dropped EXE
PID:2416 -
C:\Windows\SysWOW64\Ilcmjl32.exeC:\Windows\system32\Ilcmjl32.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1448 -
C:\Windows\SysWOW64\Icmegf32.exeC:\Windows\system32\Icmegf32.exe51⤵
- Executes dropped EXE
PID:780 -
C:\Windows\SysWOW64\Idnaoohk.exeC:\Windows\system32\Idnaoohk.exe52⤵
- Executes dropped EXE
PID:2780 -
C:\Windows\SysWOW64\Jnffgd32.exeC:\Windows\system32\Jnffgd32.exe53⤵
- Executes dropped EXE
PID:2940 -
C:\Windows\SysWOW64\Jfnnha32.exeC:\Windows\system32\Jfnnha32.exe54⤵
- Executes dropped EXE
PID:2628 -
C:\Windows\SysWOW64\Jgojpjem.exeC:\Windows\system32\Jgojpjem.exe55⤵
- Executes dropped EXE
PID:2728 -
C:\Windows\SysWOW64\Jofbag32.exeC:\Windows\system32\Jofbag32.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2128 -
C:\Windows\SysWOW64\Jhngjmlo.exeC:\Windows\system32\Jhngjmlo.exe57⤵
- Executes dropped EXE
PID:2464 -
C:\Windows\SysWOW64\Jkmcfhkc.exeC:\Windows\system32\Jkmcfhkc.exe58⤵
- Executes dropped EXE
PID:2872 -
C:\Windows\SysWOW64\Jgcdki32.exeC:\Windows\system32\Jgcdki32.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3060 -
C:\Windows\SysWOW64\Jjbpgd32.exeC:\Windows\system32\Jjbpgd32.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:1852 -
C:\Windows\SysWOW64\Jgfqaiod.exeC:\Windows\system32\Jgfqaiod.exe61⤵
- Executes dropped EXE
PID:2784 -
C:\Windows\SysWOW64\Jjdmmdnh.exeC:\Windows\system32\Jjdmmdnh.exe62⤵
- Executes dropped EXE
PID:2456 -
C:\Windows\SysWOW64\Jmbiipml.exeC:\Windows\system32\Jmbiipml.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:2052 -
C:\Windows\SysWOW64\Jcmafj32.exeC:\Windows\system32\Jcmafj32.exe64⤵
- Executes dropped EXE
PID:856 -
C:\Windows\SysWOW64\Jfknbe32.exeC:\Windows\system32\Jfknbe32.exe65⤵
- Executes dropped EXE
PID:1032 -
C:\Windows\SysWOW64\Kqqboncb.exeC:\Windows\system32\Kqqboncb.exe66⤵PID:916
-
C:\Windows\SysWOW64\Kfmjgeaj.exeC:\Windows\system32\Kfmjgeaj.exe67⤵PID:1500
-
C:\Windows\SysWOW64\Kilfcpqm.exeC:\Windows\system32\Kilfcpqm.exe68⤵PID:2952
-
C:\Windows\SysWOW64\Kbdklf32.exeC:\Windows\system32\Kbdklf32.exe69⤵PID:2764
-
C:\Windows\SysWOW64\Kmjojo32.exeC:\Windows\system32\Kmjojo32.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1508 -
C:\Windows\SysWOW64\Kbfhbeek.exeC:\Windows\system32\Kbfhbeek.exe71⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2668 -
C:\Windows\SysWOW64\Keednado.exeC:\Windows\system32\Keednado.exe72⤵PID:1980
-
C:\Windows\SysWOW64\Kpjhkjde.exeC:\Windows\system32\Kpjhkjde.exe73⤵PID:792
-
C:\Windows\SysWOW64\Kbidgeci.exeC:\Windows\system32\Kbidgeci.exe74⤵PID:2352
-
C:\Windows\SysWOW64\Kaldcb32.exeC:\Windows\system32\Kaldcb32.exe75⤵PID:2796
-
C:\Windows\SysWOW64\Knpemf32.exeC:\Windows\system32\Knpemf32.exe76⤵PID:1932
-
C:\Windows\SysWOW64\Lanaiahq.exeC:\Windows\system32\Lanaiahq.exe77⤵
- Drops file in System32 directory
PID:1856 -
C:\Windows\SysWOW64\Lclnemgd.exeC:\Windows\system32\Lclnemgd.exe78⤵PID:2244
-
C:\Windows\SysWOW64\Lmebnb32.exeC:\Windows\system32\Lmebnb32.exe79⤵PID:1776
-
C:\Windows\SysWOW64\Leljop32.exeC:\Windows\system32\Leljop32.exe80⤵PID:2136
-
C:\Windows\SysWOW64\Lcojjmea.exeC:\Windows\system32\Lcojjmea.exe81⤵PID:1632
-
C:\Windows\SysWOW64\Lfmffhde.exeC:\Windows\system32\Lfmffhde.exe82⤵PID:2068
-
C:\Windows\SysWOW64\Lpekon32.exeC:\Windows\system32\Lpekon32.exe83⤵
- Modifies registry class
PID:268 -
C:\Windows\SysWOW64\Lcagpl32.exeC:\Windows\system32\Lcagpl32.exe84⤵PID:864
-
C:\Windows\SysWOW64\Lmikibio.exeC:\Windows\system32\Lmikibio.exe85⤵PID:2484
-
C:\Windows\SysWOW64\Lphhenhc.exeC:\Windows\system32\Lphhenhc.exe86⤵PID:2752
-
C:\Windows\SysWOW64\Lmlhnagm.exeC:\Windows\system32\Lmlhnagm.exe87⤵PID:2700
-
C:\Windows\SysWOW64\Llohjo32.exeC:\Windows\system32\Llohjo32.exe88⤵PID:2552
-
C:\Windows\SysWOW64\Lbiqfied.exeC:\Windows\system32\Lbiqfied.exe89⤵PID:2600
-
C:\Windows\SysWOW64\Libicbma.exeC:\Windows\system32\Libicbma.exe90⤵
- Modifies registry class
PID:2900 -
C:\Windows\SysWOW64\Mooaljkh.exeC:\Windows\system32\Mooaljkh.exe91⤵PID:1724
-
C:\Windows\SysWOW64\Mffimglk.exeC:\Windows\system32\Mffimglk.exe92⤵
- Drops file in System32 directory
PID:2404 -
C:\Windows\SysWOW64\Mieeibkn.exeC:\Windows\system32\Mieeibkn.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1860 -
C:\Windows\SysWOW64\Mlcbenjb.exeC:\Windows\system32\Mlcbenjb.exe94⤵PID:1420
-
C:\Windows\SysWOW64\Mapjmehi.exeC:\Windows\system32\Mapjmehi.exe95⤵PID:1116
-
C:\Windows\SysWOW64\Mhjbjopf.exeC:\Windows\system32\Mhjbjopf.exe96⤵
- Drops file in System32 directory
PID:1480 -
C:\Windows\SysWOW64\Mbpgggol.exeC:\Windows\system32\Mbpgggol.exe97⤵PID:1920
-
C:\Windows\SysWOW64\Mencccop.exeC:\Windows\system32\Mencccop.exe98⤵PID:2488
-
C:\Windows\SysWOW64\Mdacop32.exeC:\Windows\system32\Mdacop32.exe99⤵PID:2504
-
C:\Windows\SysWOW64\Mofglh32.exeC:\Windows\system32\Mofglh32.exe100⤵PID:2832
-
C:\Windows\SysWOW64\Maedhd32.exeC:\Windows\system32\Maedhd32.exe101⤵PID:1708
-
C:\Windows\SysWOW64\Mgalqkbk.exeC:\Windows\system32\Mgalqkbk.exe102⤵PID:1996
-
C:\Windows\SysWOW64\Magqncba.exeC:\Windows\system32\Magqncba.exe103⤵PID:280
-
C:\Windows\SysWOW64\Ndemjoae.exeC:\Windows\system32\Ndemjoae.exe104⤵PID:2076
-
C:\Windows\SysWOW64\Ngdifkpi.exeC:\Windows\system32\Ngdifkpi.exe105⤵PID:2928
-
C:\Windows\SysWOW64\Nmnace32.exeC:\Windows\system32\Nmnace32.exe106⤵PID:784
-
C:\Windows\SysWOW64\Naimccpo.exeC:\Windows\system32\Naimccpo.exe107⤵PID:2296
-
C:\Windows\SysWOW64\Nckjkl32.exeC:\Windows\system32\Nckjkl32.exe108⤵PID:1952
-
C:\Windows\SysWOW64\Nmpnhdfc.exeC:\Windows\system32\Nmpnhdfc.exe109⤵PID:1308
-
C:\Windows\SysWOW64\Npojdpef.exeC:\Windows\system32\Npojdpef.exe110⤵PID:2836
-
C:\Windows\SysWOW64\Ndjfeo32.exeC:\Windows\system32\Ndjfeo32.exe111⤵PID:1728
-
C:\Windows\SysWOW64\Nigome32.exeC:\Windows\system32\Nigome32.exe112⤵PID:2032
-
C:\Windows\SysWOW64\Nodgel32.exeC:\Windows\system32\Nodgel32.exe113⤵PID:2672
-
C:\Windows\SysWOW64\Ngkogj32.exeC:\Windows\system32\Ngkogj32.exe114⤵
- System Location Discovery: System Language Discovery
PID:2576 -
C:\Windows\SysWOW64\Niikceid.exeC:\Windows\system32\Niikceid.exe115⤵PID:1432
-
C:\Windows\SysWOW64\Nofdklgl.exeC:\Windows\system32\Nofdklgl.exe116⤵PID:320
-
C:\Windows\SysWOW64\Nadpgggp.exeC:\Windows\system32\Nadpgggp.exe117⤵PID:2452
-
C:\Windows\SysWOW64\Nilhhdga.exeC:\Windows\system32\Nilhhdga.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2540 -
C:\Windows\SysWOW64\Oohqqlei.exeC:\Windows\system32\Oohqqlei.exe119⤵
- Drops file in System32 directory
PID:1132 -
C:\Windows\SysWOW64\Ocdmaj32.exeC:\Windows\system32\Ocdmaj32.exe120⤵PID:1596
-
C:\Windows\SysWOW64\Ollajp32.exeC:\Windows\system32\Ollajp32.exe121⤵PID:1228
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-