Analysis
-
max time kernel
120s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
07-12-2024 23:02
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
7b875e2bbad121f39077b9f195e397623912349624a2b3903483a5eb5645482aN.exe
Resource
win7-20240903-en
windows7-x64
10 signatures
120 seconds
Behavioral task
behavioral2
Sample
7b875e2bbad121f39077b9f195e397623912349624a2b3903483a5eb5645482aN.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
120 seconds
General
-
Target
7b875e2bbad121f39077b9f195e397623912349624a2b3903483a5eb5645482aN.exe
-
Size
192KB
-
MD5
41201e341eacedc3a1a8d34179f0e460
-
SHA1
d3640ceeaf3317183b3c41d9afdb0fc96d8b8ae5
-
SHA256
7b875e2bbad121f39077b9f195e397623912349624a2b3903483a5eb5645482a
-
SHA512
7ff3f11602fd7dc7e2bdbccc958c210f7ea4e54cd50fc87e1c50e532bced86ba91823a9b47e11f4bc8818149230cfffd8f9b850b297978825b88e176cb6805fa
-
SSDEEP
3072:vOc1nGoGfpyAu2ODyq3FQo7fnEBctcp/+wreVism:vOc1GogAOq3FF7fPtcsw6U1
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gaihob32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohipla32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Peefcjlg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfohgepi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmmfnb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Neiaeiii.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkkfgi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Peefcjlg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aejlnmkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kekkiq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qkfocaki.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofnpnkgf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Debadpeg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdppqbkn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhljkm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkbaci32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cqdfehii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gkoobhhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hghillnd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmjoqo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hiqoeplo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggapbcne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Inmmbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Phlclgfc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbppnbhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lopfhk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bogjaamh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phlclgfc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fibcoalf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pifbjn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlqjkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lcblan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ckeqga32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhfnkqgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aognbnkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eakhdj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpjifjdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pmkhjncg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgaaah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kidjdpie.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kenhopmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qlfdac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iebldo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nggggoda.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dncibp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcnoejch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ijibng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lpabpcdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Phfoee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Giolnomh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jabponba.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhjmfnok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iladfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lcdhgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mloiec32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oniebmda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ohdfqbio.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oejcpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eldiehbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bgcbhd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgoelh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hhkopj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kkpqlm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Laqojfli.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 1872 Nbflno32.exe 2836 Nedhjj32.exe 2680 Nmkplgnq.exe 2640 Nlqmmd32.exe 2564 Nnoiio32.exe 2580 Neiaeiii.exe 2656 Napbjjom.exe 1676 Nenkqi32.exe 1032 Onfoin32.exe 1440 Odchbe32.exe 2636 Oippjl32.exe 1816 Obhdcanc.exe 1924 Omnipjni.exe 1860 Objaha32.exe 652 Oidiekdn.exe 2516 Oekjjl32.exe 3016 Opqoge32.exe 1792 Oabkom32.exe 1312 Oemgplgo.exe 1748 Phlclgfc.exe 1000 Pkjphcff.exe 1384 Pepcelel.exe 1804 Phnpagdp.exe 2768 Pmkhjncg.exe 2292 Pebpkk32.exe 2616 Phqmgg32.exe 2744 Pmmeon32.exe 2668 Pgfjhcge.exe 2884 Pidfdofi.exe 536 Pdjjag32.exe 2568 Pkcbnanl.exe 2996 Pifbjn32.exe 2288 Pnbojmmp.exe 1512 Qdlggg32.exe 2524 Qcogbdkg.exe 2776 Qkfocaki.exe 2872 Qndkpmkm.exe 3036 Qlgkki32.exe 2124 Accqnc32.exe 1940 Aebmjo32.exe 1632 Aojabdlf.exe 1364 Afdiondb.exe 2228 Ahbekjcf.exe 888 Aakjdo32.exe 2152 Adifpk32.exe 2144 Aoojnc32.exe 2280 Anbkipok.exe 1052 Aoagccfn.exe 2832 Andgop32.exe 1360 Adnpkjde.exe 2888 Bhjlli32.exe 2824 Bjkhdacm.exe 2548 Bnfddp32.exe 2192 Bqeqqk32.exe 1712 Bdqlajbb.exe 1784 Bccmmf32.exe 2024 Bkjdndjo.exe 2364 Bniajoic.exe 2948 Bqgmfkhg.exe 2520 Bceibfgj.exe 316 Bfdenafn.exe 2224 Bjpaop32.exe 2248 Bmnnkl32.exe 1688 Bqijljfd.exe -
Loads dropped DLL 64 IoCs
pid Process 2512 7b875e2bbad121f39077b9f195e397623912349624a2b3903483a5eb5645482aN.exe 2512 7b875e2bbad121f39077b9f195e397623912349624a2b3903483a5eb5645482aN.exe 1872 Nbflno32.exe 1872 Nbflno32.exe 2836 Nedhjj32.exe 2836 Nedhjj32.exe 2680 Nmkplgnq.exe 2680 Nmkplgnq.exe 2640 Nlqmmd32.exe 2640 Nlqmmd32.exe 2564 Nnoiio32.exe 2564 Nnoiio32.exe 2580 Neiaeiii.exe 2580 Neiaeiii.exe 2656 Napbjjom.exe 2656 Napbjjom.exe 1676 Nenkqi32.exe 1676 Nenkqi32.exe 1032 Onfoin32.exe 1032 Onfoin32.exe 1440 Odchbe32.exe 1440 Odchbe32.exe 2636 Oippjl32.exe 2636 Oippjl32.exe 1816 Obhdcanc.exe 1816 Obhdcanc.exe 1924 Omnipjni.exe 1924 Omnipjni.exe 1860 Objaha32.exe 1860 Objaha32.exe 652 Oidiekdn.exe 652 Oidiekdn.exe 2516 Oekjjl32.exe 2516 Oekjjl32.exe 3016 Opqoge32.exe 3016 Opqoge32.exe 1792 Oabkom32.exe 1792 Oabkom32.exe 1312 Oemgplgo.exe 1312 Oemgplgo.exe 1748 Phlclgfc.exe 1748 Phlclgfc.exe 1000 Pkjphcff.exe 1000 Pkjphcff.exe 1384 Pepcelel.exe 1384 Pepcelel.exe 1804 Phnpagdp.exe 1804 Phnpagdp.exe 2768 Pmkhjncg.exe 2768 Pmkhjncg.exe 2292 Pebpkk32.exe 2292 Pebpkk32.exe 2616 Phqmgg32.exe 2616 Phqmgg32.exe 2744 Pmmeon32.exe 2744 Pmmeon32.exe 2668 Pgfjhcge.exe 2668 Pgfjhcge.exe 2884 Pidfdofi.exe 2884 Pidfdofi.exe 536 Pdjjag32.exe 536 Pdjjag32.exe 2568 Pkcbnanl.exe 2568 Pkcbnanl.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Khoqme32.dll Aebmjo32.exe File opened for modification C:\Windows\SysWOW64\Joidhh32.exe Jlkglm32.exe File created C:\Windows\SysWOW64\Gqdgom32.exe Gnfkba32.exe File created C:\Windows\SysWOW64\Kibemb32.dll Fodebh32.exe File created C:\Windows\SysWOW64\Cgaaah32.exe Cebeem32.exe File created C:\Windows\SysWOW64\Mlbblc32.dll Iahceq32.exe File created C:\Windows\SysWOW64\Dmlqdp32.dll Mqehjecl.exe File opened for modification C:\Windows\SysWOW64\Eakhdj32.exe Emoldlmc.exe File opened for modification C:\Windows\SysWOW64\Eihjolae.exe Efjmbaba.exe File created C:\Windows\SysWOW64\Egmabg32.exe Edoefl32.exe File created C:\Windows\SysWOW64\Jmhjff32.dll Eaebeoan.exe File created C:\Windows\SysWOW64\Hbkqdepm.exe Hkahgk32.exe File created C:\Windows\SysWOW64\Mjqmig32.exe Mgbaml32.exe File created C:\Windows\SysWOW64\Bgefgpha.dll Qoeamo32.exe File created C:\Windows\SysWOW64\Lgjdnbkd.dll Jggoqimd.exe File created C:\Windows\SysWOW64\Deondj32.exe Dnefhpma.exe File created C:\Windows\SysWOW64\Mfjgiobf.dll Lgpdglhn.exe File created C:\Windows\SysWOW64\Oecfeg32.dll Acnlgajg.exe File created C:\Windows\SysWOW64\Leghmkmk.dll Dfhdnn32.exe File created C:\Windows\SysWOW64\Dfefmpeo.dll Bchfhfeh.exe File created C:\Windows\SysWOW64\Flapkmlj.exe Fmnopp32.exe File created C:\Windows\SysWOW64\Qobdgo32.exe Qldhkc32.exe File created C:\Windows\SysWOW64\Lqahpi32.dll Demaoj32.exe File created C:\Windows\SysWOW64\Hgajdjlj.dll Jpjifjdg.exe File created C:\Windows\SysWOW64\Djfdob32.exe Dfkhndca.exe File opened for modification C:\Windows\SysWOW64\Libjncnc.exe Kgcnahoo.exe File opened for modification C:\Windows\SysWOW64\Flnlkgjq.exe Fdgdji32.exe File opened for modification C:\Windows\SysWOW64\Jjkkbjln.exe Jlhkgm32.exe File created C:\Windows\SysWOW64\Obeacl32.exe Oniebmda.exe File created C:\Windows\SysWOW64\Iamfdo32.exe Inojhc32.exe File opened for modification C:\Windows\SysWOW64\Dmgmpnhl.exe Djiqdb32.exe File created C:\Windows\SysWOW64\Kenoifpb.exe Kbpbmkan.exe File created C:\Windows\SysWOW64\Bdgoqijf.dll Gkcekfad.exe File created C:\Windows\SysWOW64\Bgcmiq32.dll Iaimipjl.exe File created C:\Windows\SysWOW64\Jlnfak32.dll Ldmopa32.exe File opened for modification C:\Windows\SysWOW64\Mjcjog32.exe Mfgnnhkc.exe File opened for modification C:\Windows\SysWOW64\Hdbpekam.exe Hqgddm32.exe File opened for modification C:\Windows\SysWOW64\Plbkfdba.exe Phfoee32.exe File created C:\Windows\SysWOW64\Bhcgiiek.dll Qldhkc32.exe File created C:\Windows\SysWOW64\Emoldlmc.exe Ejaphpnp.exe File created C:\Windows\SysWOW64\Hbofmcij.exe Hoqjqhjf.exe File opened for modification C:\Windows\SysWOW64\Kgcnahoo.exe Kdeaelok.exe File created C:\Windows\SysWOW64\Dgnenf32.dll Bmnnkl32.exe File created C:\Windows\SysWOW64\Hmpaom32.exe Hjaeba32.exe File created C:\Windows\SysWOW64\Kmimcbja.exe Koflgf32.exe File created C:\Windows\SysWOW64\Bmpkqklh.exe Bjbndpmd.exe File created C:\Windows\SysWOW64\Laqojfli.exe Ljigih32.exe File opened for modification C:\Windows\SysWOW64\Mgmdapml.exe Mdogedmh.exe File created C:\Windows\SysWOW64\Odchbe32.exe Onfoin32.exe File opened for modification C:\Windows\SysWOW64\Pioeoi32.exe Pfpibn32.exe File opened for modification C:\Windows\SysWOW64\Peefcjlg.exe Pbgjgomc.exe File created C:\Windows\SysWOW64\Ejcmmp32.exe Eblelb32.exe File opened for modification C:\Windows\SysWOW64\Gkcekfad.exe Ghdiokbq.exe File created C:\Windows\SysWOW64\Jibnop32.exe Jbhebfck.exe File created C:\Windows\SysWOW64\Jfeflj32.dll Ibkmchbh.exe File created C:\Windows\SysWOW64\Aojabdlf.exe Aebmjo32.exe File opened for modification C:\Windows\SysWOW64\Djiqdb32.exe Dbaice32.exe File opened for modification C:\Windows\SysWOW64\Kpdcfoph.exe Kmegjdad.exe File opened for modification C:\Windows\SysWOW64\Nqjaeeog.exe Nnleiipc.exe File opened for modification C:\Windows\SysWOW64\Cjhabndo.exe Ckeqga32.exe File created C:\Windows\SysWOW64\Dhckfkbh.exe Dbfbnddq.exe File created C:\Windows\SysWOW64\Jokqnhpa.exe Jjpdmi32.exe File created C:\Windows\SysWOW64\Cfoaho32.exe Cglalbbi.exe File opened for modification C:\Windows\SysWOW64\Edoefl32.exe Eaphjp32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 6900 6876 WerFault.exe 601 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imgnjb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdmepgce.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdbpekam.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhkeohhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oniebmda.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qhilkege.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bolcma32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngpqfp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohdfqbio.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnnbni32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbfilffm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldheebad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nkkmgncb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaihob32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iogpag32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipomlm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lopfhk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Paocnkph.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eakhdj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhkopj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnofgg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flapkmlj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbpghl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glnhjjml.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjcaha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djfdob32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmnqje32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mciabmlo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emdmjamj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eaebeoan.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjdldd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hghillnd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igceej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmkmjoec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cchbgi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhckfkbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejcmmp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfdenafn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onnnml32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhbdleol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oidiekdn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oioipf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eegkpo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aiaoclgl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iahceq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpmmfp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkbdabog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jimdcqom.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekhmcelc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbidne32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kindeddf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olkifaen.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbgjgomc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acicla32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfhfhbce.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpjofl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcojam32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnmfdb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbfbnddq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nknimnap.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnefhpma.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkcekfad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imggplgm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgcbhd32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdlfik32.dll" Ppddpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aoojnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bchfhfeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liefaj32.dll" Nqmnjd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fccglehn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iaegpaao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmqejl32.dll" Iieepbje.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jijokbfp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ppddpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bceibfgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jokqnhpa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oehgjfhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dcdkef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekdjjm32.dll" Hoqjqhjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ammhpd32.dll" Lljpjchg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpbclcja.dll" Fhdmph32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Daaenlng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qobmnf32.dll" Famaimfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obecdjcn.dll" Oemgplgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ammbof32.dll" Ohdfqbio.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qdompf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Imggplgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpmene32.dll" Onnnml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihkhkcdl.dll" Bniajoic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoaqogml.dll" Dpeiligo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kmcjedcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lkdjglfo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ieponofk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cqfbjhgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qbceme32.dll" Glklejoo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pnbojmmp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bdqlajbb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cchbgi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mfgnnhkc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pmjaohol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjmfenoo.dll" Gojhafnb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iocgfhhc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Godonkii.dll" Bjpaop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adpiba32.dll" Gdcjpncm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nakpkfka.dll" Hohkmj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jcnoejch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eblelb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dcbnpgkh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dcghkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Olkifaen.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bbhccm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iglhhc32.dll" Kpojkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oippjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gjdldd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pdbmfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igbnok32.dll" Dcbnpgkh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Phfoee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkekhpob.dll" Fpbnjjkm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Danpemej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pfpibn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flpkcb32.dll" Hqgddm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbbnekdd.dll" Qndkpmkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gqodqodl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jbnjhh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ojglhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Efjmbaba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Emoldlmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onaiomjo.dll" Cbffoabe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cglalbbi.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2512 wrote to memory of 1872 2512 7b875e2bbad121f39077b9f195e397623912349624a2b3903483a5eb5645482aN.exe 31 PID 2512 wrote to memory of 1872 2512 7b875e2bbad121f39077b9f195e397623912349624a2b3903483a5eb5645482aN.exe 31 PID 2512 wrote to memory of 1872 2512 7b875e2bbad121f39077b9f195e397623912349624a2b3903483a5eb5645482aN.exe 31 PID 2512 wrote to memory of 1872 2512 7b875e2bbad121f39077b9f195e397623912349624a2b3903483a5eb5645482aN.exe 31 PID 1872 wrote to memory of 2836 1872 Nbflno32.exe 32 PID 1872 wrote to memory of 2836 1872 Nbflno32.exe 32 PID 1872 wrote to memory of 2836 1872 Nbflno32.exe 32 PID 1872 wrote to memory of 2836 1872 Nbflno32.exe 32 PID 2836 wrote to memory of 2680 2836 Nedhjj32.exe 33 PID 2836 wrote to memory of 2680 2836 Nedhjj32.exe 33 PID 2836 wrote to memory of 2680 2836 Nedhjj32.exe 33 PID 2836 wrote to memory of 2680 2836 Nedhjj32.exe 33 PID 2680 wrote to memory of 2640 2680 Nmkplgnq.exe 34 PID 2680 wrote to memory of 2640 2680 Nmkplgnq.exe 34 PID 2680 wrote to memory of 2640 2680 Nmkplgnq.exe 34 PID 2680 wrote to memory of 2640 2680 Nmkplgnq.exe 34 PID 2640 wrote to memory of 2564 2640 Nlqmmd32.exe 35 PID 2640 wrote to memory of 2564 2640 Nlqmmd32.exe 35 PID 2640 wrote to memory of 2564 2640 Nlqmmd32.exe 35 PID 2640 wrote to memory of 2564 2640 Nlqmmd32.exe 35 PID 2564 wrote to memory of 2580 2564 Nnoiio32.exe 36 PID 2564 wrote to memory of 2580 2564 Nnoiio32.exe 36 PID 2564 wrote to memory of 2580 2564 Nnoiio32.exe 36 PID 2564 wrote to memory of 2580 2564 Nnoiio32.exe 36 PID 2580 wrote to memory of 2656 2580 Neiaeiii.exe 37 PID 2580 wrote to memory of 2656 2580 Neiaeiii.exe 37 PID 2580 wrote to memory of 2656 2580 Neiaeiii.exe 37 PID 2580 wrote to memory of 2656 2580 Neiaeiii.exe 37 PID 2656 wrote to memory of 1676 2656 Napbjjom.exe 38 PID 2656 wrote to memory of 1676 2656 Napbjjom.exe 38 PID 2656 wrote to memory of 1676 2656 Napbjjom.exe 38 PID 2656 wrote to memory of 1676 2656 Napbjjom.exe 38 PID 1676 wrote to memory of 1032 1676 Nenkqi32.exe 39 PID 1676 wrote to memory of 1032 1676 Nenkqi32.exe 39 PID 1676 wrote to memory of 1032 1676 Nenkqi32.exe 39 PID 1676 wrote to memory of 1032 1676 Nenkqi32.exe 39 PID 1032 wrote to memory of 1440 1032 Onfoin32.exe 40 PID 1032 wrote to memory of 1440 1032 Onfoin32.exe 40 PID 1032 wrote to memory of 1440 1032 Onfoin32.exe 40 PID 1032 wrote to memory of 1440 1032 Onfoin32.exe 40 PID 1440 wrote to memory of 2636 1440 Odchbe32.exe 41 PID 1440 wrote to memory of 2636 1440 Odchbe32.exe 41 PID 1440 wrote to memory of 2636 1440 Odchbe32.exe 41 PID 1440 wrote to memory of 2636 1440 Odchbe32.exe 41 PID 2636 wrote to memory of 1816 2636 Oippjl32.exe 42 PID 2636 wrote to memory of 1816 2636 Oippjl32.exe 42 PID 2636 wrote to memory of 1816 2636 Oippjl32.exe 42 PID 2636 wrote to memory of 1816 2636 Oippjl32.exe 42 PID 1816 wrote to memory of 1924 1816 Obhdcanc.exe 43 PID 1816 wrote to memory of 1924 1816 Obhdcanc.exe 43 PID 1816 wrote to memory of 1924 1816 Obhdcanc.exe 43 PID 1816 wrote to memory of 1924 1816 Obhdcanc.exe 43 PID 1924 wrote to memory of 1860 1924 Omnipjni.exe 44 PID 1924 wrote to memory of 1860 1924 Omnipjni.exe 44 PID 1924 wrote to memory of 1860 1924 Omnipjni.exe 44 PID 1924 wrote to memory of 1860 1924 Omnipjni.exe 44 PID 1860 wrote to memory of 652 1860 Objaha32.exe 45 PID 1860 wrote to memory of 652 1860 Objaha32.exe 45 PID 1860 wrote to memory of 652 1860 Objaha32.exe 45 PID 1860 wrote to memory of 652 1860 Objaha32.exe 45 PID 652 wrote to memory of 2516 652 Oidiekdn.exe 46 PID 652 wrote to memory of 2516 652 Oidiekdn.exe 46 PID 652 wrote to memory of 2516 652 Oidiekdn.exe 46 PID 652 wrote to memory of 2516 652 Oidiekdn.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\7b875e2bbad121f39077b9f195e397623912349624a2b3903483a5eb5645482aN.exe"C:\Users\Admin\AppData\Local\Temp\7b875e2bbad121f39077b9f195e397623912349624a2b3903483a5eb5645482aN.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2512 -
C:\Windows\SysWOW64\Nbflno32.exeC:\Windows\system32\Nbflno32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1872 -
C:\Windows\SysWOW64\Nedhjj32.exeC:\Windows\system32\Nedhjj32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2836 -
C:\Windows\SysWOW64\Nmkplgnq.exeC:\Windows\system32\Nmkplgnq.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2680 -
C:\Windows\SysWOW64\Nlqmmd32.exeC:\Windows\system32\Nlqmmd32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2640 -
C:\Windows\SysWOW64\Nnoiio32.exeC:\Windows\system32\Nnoiio32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2564 -
C:\Windows\SysWOW64\Neiaeiii.exeC:\Windows\system32\Neiaeiii.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2580 -
C:\Windows\SysWOW64\Napbjjom.exeC:\Windows\system32\Napbjjom.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2656 -
C:\Windows\SysWOW64\Nenkqi32.exeC:\Windows\system32\Nenkqi32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1676 -
C:\Windows\SysWOW64\Onfoin32.exeC:\Windows\system32\Onfoin32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1032 -
C:\Windows\SysWOW64\Odchbe32.exeC:\Windows\system32\Odchbe32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1440 -
C:\Windows\SysWOW64\Oippjl32.exeC:\Windows\system32\Oippjl32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2636 -
C:\Windows\SysWOW64\Obhdcanc.exeC:\Windows\system32\Obhdcanc.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1816 -
C:\Windows\SysWOW64\Omnipjni.exeC:\Windows\system32\Omnipjni.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1924 -
C:\Windows\SysWOW64\Objaha32.exeC:\Windows\system32\Objaha32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1860 -
C:\Windows\SysWOW64\Oidiekdn.exeC:\Windows\system32\Oidiekdn.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:652 -
C:\Windows\SysWOW64\Oekjjl32.exeC:\Windows\system32\Oekjjl32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2516 -
C:\Windows\SysWOW64\Opqoge32.exeC:\Windows\system32\Opqoge32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3016 -
C:\Windows\SysWOW64\Oabkom32.exeC:\Windows\system32\Oabkom32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1792 -
C:\Windows\SysWOW64\Oemgplgo.exeC:\Windows\system32\Oemgplgo.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1312 -
C:\Windows\SysWOW64\Phlclgfc.exeC:\Windows\system32\Phlclgfc.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1748 -
C:\Windows\SysWOW64\Pkjphcff.exeC:\Windows\system32\Pkjphcff.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1000 -
C:\Windows\SysWOW64\Pepcelel.exeC:\Windows\system32\Pepcelel.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1384 -
C:\Windows\SysWOW64\Phnpagdp.exeC:\Windows\system32\Phnpagdp.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1804 -
C:\Windows\SysWOW64\Pmkhjncg.exeC:\Windows\system32\Pmkhjncg.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2768 -
C:\Windows\SysWOW64\Pebpkk32.exeC:\Windows\system32\Pebpkk32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2292 -
C:\Windows\SysWOW64\Phqmgg32.exeC:\Windows\system32\Phqmgg32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2616 -
C:\Windows\SysWOW64\Pmmeon32.exeC:\Windows\system32\Pmmeon32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2744 -
C:\Windows\SysWOW64\Pgfjhcge.exeC:\Windows\system32\Pgfjhcge.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2668 -
C:\Windows\SysWOW64\Pidfdofi.exeC:\Windows\system32\Pidfdofi.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2884 -
C:\Windows\SysWOW64\Pdjjag32.exeC:\Windows\system32\Pdjjag32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:536 -
C:\Windows\SysWOW64\Pkcbnanl.exeC:\Windows\system32\Pkcbnanl.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2568 -
C:\Windows\SysWOW64\Pifbjn32.exeC:\Windows\system32\Pifbjn32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2996 -
C:\Windows\SysWOW64\Pnbojmmp.exeC:\Windows\system32\Pnbojmmp.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:2288 -
C:\Windows\SysWOW64\Qdlggg32.exeC:\Windows\system32\Qdlggg32.exe35⤵
- Executes dropped EXE
PID:1512 -
C:\Windows\SysWOW64\Qcogbdkg.exeC:\Windows\system32\Qcogbdkg.exe36⤵
- Executes dropped EXE
PID:2524 -
C:\Windows\SysWOW64\Qkfocaki.exeC:\Windows\system32\Qkfocaki.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2776 -
C:\Windows\SysWOW64\Qndkpmkm.exeC:\Windows\system32\Qndkpmkm.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:2872 -
C:\Windows\SysWOW64\Qlgkki32.exeC:\Windows\system32\Qlgkki32.exe39⤵
- Executes dropped EXE
PID:3036 -
C:\Windows\SysWOW64\Accqnc32.exeC:\Windows\system32\Accqnc32.exe40⤵
- Executes dropped EXE
PID:2124 -
C:\Windows\SysWOW64\Aebmjo32.exeC:\Windows\system32\Aebmjo32.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1940 -
C:\Windows\SysWOW64\Aojabdlf.exeC:\Windows\system32\Aojabdlf.exe42⤵
- Executes dropped EXE
PID:1632 -
C:\Windows\SysWOW64\Afdiondb.exeC:\Windows\system32\Afdiondb.exe43⤵
- Executes dropped EXE
PID:1364 -
C:\Windows\SysWOW64\Ahbekjcf.exeC:\Windows\system32\Ahbekjcf.exe44⤵
- Executes dropped EXE
PID:2228 -
C:\Windows\SysWOW64\Aakjdo32.exeC:\Windows\system32\Aakjdo32.exe45⤵
- Executes dropped EXE
PID:888 -
C:\Windows\SysWOW64\Adifpk32.exeC:\Windows\system32\Adifpk32.exe46⤵
- Executes dropped EXE
PID:2152 -
C:\Windows\SysWOW64\Aoojnc32.exeC:\Windows\system32\Aoojnc32.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:2144 -
C:\Windows\SysWOW64\Anbkipok.exeC:\Windows\system32\Anbkipok.exe48⤵
- Executes dropped EXE
PID:2280 -
C:\Windows\SysWOW64\Aoagccfn.exeC:\Windows\system32\Aoagccfn.exe49⤵
- Executes dropped EXE
PID:1052 -
C:\Windows\SysWOW64\Andgop32.exeC:\Windows\system32\Andgop32.exe50⤵
- Executes dropped EXE
PID:2832 -
C:\Windows\SysWOW64\Adnpkjde.exeC:\Windows\system32\Adnpkjde.exe51⤵
- Executes dropped EXE
PID:1360 -
C:\Windows\SysWOW64\Bhjlli32.exeC:\Windows\system32\Bhjlli32.exe52⤵
- Executes dropped EXE
PID:2888 -
C:\Windows\SysWOW64\Bjkhdacm.exeC:\Windows\system32\Bjkhdacm.exe53⤵
- Executes dropped EXE
PID:2824 -
C:\Windows\SysWOW64\Bnfddp32.exeC:\Windows\system32\Bnfddp32.exe54⤵
- Executes dropped EXE
PID:2548 -
C:\Windows\SysWOW64\Bqeqqk32.exeC:\Windows\system32\Bqeqqk32.exe55⤵
- Executes dropped EXE
PID:2192 -
C:\Windows\SysWOW64\Bdqlajbb.exeC:\Windows\system32\Bdqlajbb.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:1712 -
C:\Windows\SysWOW64\Bccmmf32.exeC:\Windows\system32\Bccmmf32.exe57⤵
- Executes dropped EXE
PID:1784 -
C:\Windows\SysWOW64\Bkjdndjo.exeC:\Windows\system32\Bkjdndjo.exe58⤵
- Executes dropped EXE
PID:2024 -
C:\Windows\SysWOW64\Bniajoic.exeC:\Windows\system32\Bniajoic.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:2364 -
C:\Windows\SysWOW64\Bqgmfkhg.exeC:\Windows\system32\Bqgmfkhg.exe60⤵
- Executes dropped EXE
PID:2948 -
C:\Windows\SysWOW64\Bceibfgj.exeC:\Windows\system32\Bceibfgj.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:2520 -
C:\Windows\SysWOW64\Bfdenafn.exeC:\Windows\system32\Bfdenafn.exe62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:316 -
C:\Windows\SysWOW64\Bjpaop32.exeC:\Windows\system32\Bjpaop32.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:2224 -
C:\Windows\SysWOW64\Bmnnkl32.exeC:\Windows\system32\Bmnnkl32.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2248 -
C:\Windows\SysWOW64\Bqijljfd.exeC:\Windows\system32\Bqijljfd.exe65⤵
- Executes dropped EXE
PID:1688 -
C:\Windows\SysWOW64\Bchfhfeh.exeC:\Windows\system32\Bchfhfeh.exe66⤵
- Drops file in System32 directory
- Modifies registry class
PID:2404 -
C:\Windows\SysWOW64\Bgcbhd32.exeC:\Windows\system32\Bgcbhd32.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1400 -
C:\Windows\SysWOW64\Bjbndpmd.exeC:\Windows\system32\Bjbndpmd.exe68⤵
- Drops file in System32 directory
PID:2748 -
C:\Windows\SysWOW64\Bmpkqklh.exeC:\Windows\system32\Bmpkqklh.exe69⤵PID:2544
-
C:\Windows\SysWOW64\Bqlfaj32.exeC:\Windows\system32\Bqlfaj32.exe70⤵PID:2672
-
C:\Windows\SysWOW64\Bcjcme32.exeC:\Windows\system32\Bcjcme32.exe71⤵PID:2856
-
C:\Windows\SysWOW64\Bfioia32.exeC:\Windows\system32\Bfioia32.exe72⤵PID:1280
-
C:\Windows\SysWOW64\Bigkel32.exeC:\Windows\system32\Bigkel32.exe73⤵PID:1520
-
C:\Windows\SysWOW64\Bkegah32.exeC:\Windows\system32\Bkegah32.exe74⤵PID:2868
-
C:\Windows\SysWOW64\Coacbfii.exeC:\Windows\system32\Coacbfii.exe75⤵PID:2360
-
C:\Windows\SysWOW64\Cbppnbhm.exeC:\Windows\system32\Cbppnbhm.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2576 -
C:\Windows\SysWOW64\Cfkloq32.exeC:\Windows\system32\Cfkloq32.exe77⤵PID:1240
-
C:\Windows\SysWOW64\Cenljmgq.exeC:\Windows\system32\Cenljmgq.exe78⤵PID:2080
-
C:\Windows\SysWOW64\Cmedlk32.exeC:\Windows\system32\Cmedlk32.exe79⤵PID:1088
-
C:\Windows\SysWOW64\Cnfqccna.exeC:\Windows\system32\Cnfqccna.exe80⤵PID:3040
-
C:\Windows\SysWOW64\Cfmhdpnc.exeC:\Windows\system32\Cfmhdpnc.exe81⤵PID:1984
-
C:\Windows\SysWOW64\Cgoelh32.exeC:\Windows\system32\Cgoelh32.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2468 -
C:\Windows\SysWOW64\Ckjamgmk.exeC:\Windows\system32\Ckjamgmk.exe83⤵PID:2172
-
C:\Windows\SysWOW64\Cbdiia32.exeC:\Windows\system32\Cbdiia32.exe84⤵PID:2140
-
C:\Windows\SysWOW64\Cebeem32.exeC:\Windows\system32\Cebeem32.exe85⤵
- Drops file in System32 directory
PID:2820 -
C:\Windows\SysWOW64\Cgaaah32.exeC:\Windows\system32\Cgaaah32.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2864 -
C:\Windows\SysWOW64\Cjonncab.exeC:\Windows\system32\Cjonncab.exe87⤵PID:1640
-
C:\Windows\SysWOW64\Cbffoabe.exeC:\Windows\system32\Cbffoabe.exe88⤵
- Modifies registry class
PID:1756 -
C:\Windows\SysWOW64\Caifjn32.exeC:\Windows\system32\Caifjn32.exe89⤵PID:664
-
C:\Windows\SysWOW64\Cchbgi32.exeC:\Windows\system32\Cchbgi32.exe90⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2992 -
C:\Windows\SysWOW64\Cgcnghpl.exeC:\Windows\system32\Cgcnghpl.exe91⤵PID:3020
-
C:\Windows\SysWOW64\Cnmfdb32.exeC:\Windows\system32\Cnmfdb32.exe92⤵
- System Location Discovery: System Language Discovery
PID:2156 -
C:\Windows\SysWOW64\Calcpm32.exeC:\Windows\system32\Calcpm32.exe93⤵PID:2092
-
C:\Windows\SysWOW64\Cgfkmgnj.exeC:\Windows\system32\Cgfkmgnj.exe94⤵PID:696
-
C:\Windows\SysWOW64\Cfhkhd32.exeC:\Windows\system32\Cfhkhd32.exe95⤵PID:860
-
C:\Windows\SysWOW64\Danpemej.exeC:\Windows\system32\Danpemej.exe96⤵
- Modifies registry class
PID:2196 -
C:\Windows\SysWOW64\Dcllbhdn.exeC:\Windows\system32\Dcllbhdn.exe97⤵PID:2732
-
C:\Windows\SysWOW64\Dfkhndca.exeC:\Windows\system32\Dfkhndca.exe98⤵
- Drops file in System32 directory
PID:1776 -
C:\Windows\SysWOW64\Djfdob32.exeC:\Windows\system32\Djfdob32.exe99⤵
- System Location Discovery: System Language Discovery
PID:1960 -
C:\Windows\SysWOW64\Daplkmbg.exeC:\Windows\system32\Daplkmbg.exe100⤵PID:2032
-
C:\Windows\SysWOW64\Dbaice32.exeC:\Windows\system32\Dbaice32.exe101⤵
- Drops file in System32 directory
PID:1404 -
C:\Windows\SysWOW64\Djiqdb32.exeC:\Windows\system32\Djiqdb32.exe102⤵
- Drops file in System32 directory
PID:2976 -
C:\Windows\SysWOW64\Dmgmpnhl.exeC:\Windows\system32\Dmgmpnhl.exe103⤵PID:2128
-
C:\Windows\SysWOW64\Dpeiligo.exeC:\Windows\system32\Dpeiligo.exe104⤵
- Modifies registry class
PID:2100 -
C:\Windows\SysWOW64\Debadpeg.exeC:\Windows\system32\Debadpeg.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1608 -
C:\Windows\SysWOW64\Dlljaj32.exeC:\Windows\system32\Dlljaj32.exe106⤵PID:1004
-
C:\Windows\SysWOW64\Dokfme32.exeC:\Windows\system32\Dokfme32.exe107⤵PID:2060
-
C:\Windows\SysWOW64\Dbfbnddq.exeC:\Windows\system32\Dbfbnddq.exe108⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1592 -
C:\Windows\SysWOW64\Dhckfkbh.exeC:\Windows\system32\Dhckfkbh.exe109⤵
- System Location Discovery: System Language Discovery
PID:2592 -
C:\Windows\SysWOW64\Dpjbgh32.exeC:\Windows\system32\Dpjbgh32.exe110⤵PID:2844
-
C:\Windows\SysWOW64\Dbiocd32.exeC:\Windows\system32\Dbiocd32.exe111⤵PID:1128
-
C:\Windows\SysWOW64\Eakooqih.exeC:\Windows\system32\Eakooqih.exe112⤵PID:1824
-
C:\Windows\SysWOW64\Eegkpo32.exeC:\Windows\system32\Eegkpo32.exe113⤵
- System Location Discovery: System Language Discovery
PID:2508 -
C:\Windows\SysWOW64\Elacliin.exeC:\Windows\system32\Elacliin.exe114⤵PID:2612
-
C:\Windows\SysWOW64\Ebklic32.exeC:\Windows\system32\Ebklic32.exe115⤵PID:2368
-
C:\Windows\SysWOW64\Eeiheo32.exeC:\Windows\system32\Eeiheo32.exe116⤵PID:1812
-
C:\Windows\SysWOW64\Ehhdaj32.exeC:\Windows\system32\Ehhdaj32.exe117⤵PID:2908
-
C:\Windows\SysWOW64\Eoblnd32.exeC:\Windows\system32\Eoblnd32.exe118⤵PID:2660
-
C:\Windows\SysWOW64\Emdmjamj.exeC:\Windows\system32\Emdmjamj.exe119⤵
- System Location Discovery: System Language Discovery
PID:2604 -
C:\Windows\SysWOW64\Eaphjp32.exeC:\Windows\system32\Eaphjp32.exe120⤵
- Drops file in System32 directory
PID:2584 -
C:\Windows\SysWOW64\Edoefl32.exeC:\Windows\system32\Edoefl32.exe121⤵
- Drops file in System32 directory
PID:2968
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-