Analysis
-
max time kernel
117s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
08-12-2024 03:42
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
eef6407958affb4485c58e5d3e65e897cf0e9b68f7efe76dec1058f310b91550N.exe
Resource
win7-20240903-en
windows7-x64
10 signatures
120 seconds
Behavioral task
behavioral2
Sample
eef6407958affb4485c58e5d3e65e897cf0e9b68f7efe76dec1058f310b91550N.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
120 seconds
General
-
Target
eef6407958affb4485c58e5d3e65e897cf0e9b68f7efe76dec1058f310b91550N.exe
-
Size
88KB
-
MD5
5b0965ccbbf9b08893837304772b6d60
-
SHA1
8b580e0859102385cde870d671dd7bc6c576920a
-
SHA256
eef6407958affb4485c58e5d3e65e897cf0e9b68f7efe76dec1058f310b91550
-
SHA512
61caafd099b0ba7657a523c940bab486364e7b3b13e7d45bc35a70136550e825c4ffffcbc702d7b9028b8673ae889953a883e9f9bc33a3d35eebe33977bff697
-
SSDEEP
1536:htzXmFt94Fg99LJBG1NwIfmFgAqTWfZmY23wFkMnouy8B:hNXmX94FgtoWIuF9qTWC3wFnoutB
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mklcadfn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Neiaeiii.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njjcip32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oioggmmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Agpcihcf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adfqgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Doecog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aojabdlf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnmfdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ohagbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dbncjf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gjojef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oidiekdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cacclpae.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khghgchk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Obgkpb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgcmbcih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qobbofgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Caifjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Obhdcanc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nijnln32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlhjhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kgnbnpkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mbcoio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ndmecgba.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbncjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lgqkbb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbagipfi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Demofaol.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gonocmbi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qgjccb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gepafc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imahkg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opqoge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Befmfpbi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfpldf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fdmhbplb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fjjpjgjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eacljf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpkompgg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kekiphge.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ciihklpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fnflke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hlgimqhf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkqqnq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nabopjmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Emagacdm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Adlcfjgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bejfao32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knfndjdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bmnnkl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckmnbg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qkibcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cbiiog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ngealejo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obokcqhk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bfioia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eobchk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gnaooi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Onfoin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Achjibcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ibcnojnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ijqoilii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kpgffe32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2356 Nhakcfab.exe 2080 Nnkcpq32.exe 2480 Nfghdcfj.exe 2876 Njbdea32.exe 2096 Npolmh32.exe 2156 Nigafnck.exe 2608 Ndmecgba.exe 2908 Nijnln32.exe 1596 Nlhjhi32.exe 264 Neqnqofm.exe 1488 Olkfmi32.exe 1200 Obdojcef.exe 1080 Oioggmmc.exe 2436 Ohagbj32.exe 2360 Obgkpb32.exe 2708 Ohcdhi32.exe 2584 Olophhjd.exe 2596 Oalhqohl.exe 1556 Odjdmjgo.exe 1068 Ogiaif32.exe 280 Oopijc32.exe 1784 Opaebkmc.exe 1660 Odmabj32.exe 2560 Oijjka32.exe 2292 Oaqbln32.exe 3064 Pdonhj32.exe 2384 Pkifdd32.exe 2864 Pcdkif32.exe 2868 Pecgea32.exe 2648 Pphkbj32.exe 2748 Pcghof32.exe 2684 Piqpkpml.exe 2780 Pciddedl.exe 2184 Phfmllbd.exe 604 Pckajebj.exe 2852 Qkffng32.exe 2828 Qobbofgn.exe 1988 Qaqnkafa.exe 2976 Qkibcg32.exe 2172 Qhmcmk32.exe 2404 Agpcihcf.exe 1788 Ajnpecbj.exe 1144 Abegfa32.exe 2344 Aqjdgmgd.exe 2580 Adfqgl32.exe 1628 Agdmdg32.exe 2552 Aqmamm32.exe 2576 Ackmih32.exe 1580 Afjjed32.exe 2800 Ajeeeblb.exe 2880 Aihfap32.exe 3000 Aobnniji.exe 2724 Abpjjeim.exe 2644 Ajgbkbjp.exe 1484 Amfognic.exe 2788 Akiobk32.exe 532 Bcpgdhpp.exe 2016 Bfncpcoc.exe 1720 Bimoloog.exe 2028 Bmhkmm32.exe 840 Bofgii32.exe 1244 Bnihdemo.exe 1372 Bbeded32.exe 1100 Biolanld.exe -
Loads dropped DLL 64 IoCs
pid Process 1908 eef6407958affb4485c58e5d3e65e897cf0e9b68f7efe76dec1058f310b91550N.exe 1908 eef6407958affb4485c58e5d3e65e897cf0e9b68f7efe76dec1058f310b91550N.exe 2356 Nhakcfab.exe 2356 Nhakcfab.exe 2080 Nnkcpq32.exe 2080 Nnkcpq32.exe 2480 Nfghdcfj.exe 2480 Nfghdcfj.exe 2876 Njbdea32.exe 2876 Njbdea32.exe 2096 Npolmh32.exe 2096 Npolmh32.exe 2156 Nigafnck.exe 2156 Nigafnck.exe 2608 Ndmecgba.exe 2608 Ndmecgba.exe 2908 Nijnln32.exe 2908 Nijnln32.exe 1596 Nlhjhi32.exe 1596 Nlhjhi32.exe 264 Neqnqofm.exe 264 Neqnqofm.exe 1488 Olkfmi32.exe 1488 Olkfmi32.exe 1200 Obdojcef.exe 1200 Obdojcef.exe 1080 Oioggmmc.exe 1080 Oioggmmc.exe 2436 Ohagbj32.exe 2436 Ohagbj32.exe 2360 Obgkpb32.exe 2360 Obgkpb32.exe 2708 Ohcdhi32.exe 2708 Ohcdhi32.exe 2584 Olophhjd.exe 2584 Olophhjd.exe 2596 Oalhqohl.exe 2596 Oalhqohl.exe 1556 Odjdmjgo.exe 1556 Odjdmjgo.exe 1068 Ogiaif32.exe 1068 Ogiaif32.exe 280 Oopijc32.exe 280 Oopijc32.exe 1784 Opaebkmc.exe 1784 Opaebkmc.exe 1660 Odmabj32.exe 1660 Odmabj32.exe 2560 Oijjka32.exe 2560 Oijjka32.exe 2292 Oaqbln32.exe 2292 Oaqbln32.exe 3064 Pdonhj32.exe 3064 Pdonhj32.exe 2384 Pkifdd32.exe 2384 Pkifdd32.exe 2864 Pcdkif32.exe 2864 Pcdkif32.exe 2868 Pecgea32.exe 2868 Pecgea32.exe 2648 Pphkbj32.exe 2648 Pphkbj32.exe 2748 Pcghof32.exe 2748 Pcghof32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Aohdmdoh.exe Apedah32.exe File created C:\Windows\SysWOW64\Lcdgejhm.dll Ackmih32.exe File opened for modification C:\Windows\SysWOW64\Eelkeeah.exe Egikjh32.exe File created C:\Windows\SysWOW64\Fplheofl.dll Ehkhaqpk.exe File created C:\Windows\SysWOW64\Qjklenpa.exe Qeppdo32.exe File opened for modification C:\Windows\SysWOW64\Phlclgfc.exe Oemgplgo.exe File created C:\Windows\SysWOW64\Cenljmgq.exe Cbppnbhm.exe File created C:\Windows\SysWOW64\Dajjmhne.dll Bejfao32.exe File opened for modification C:\Windows\SysWOW64\Gkpfmnlb.exe Ghajacmo.exe File created C:\Windows\SysWOW64\Iimfld32.exe Ibcnojnp.exe File created C:\Windows\SysWOW64\Ebmjlg32.dll Idgglb32.exe File opened for modification C:\Windows\SysWOW64\Nlhjhi32.exe Nijnln32.exe File opened for modification C:\Windows\SysWOW64\Cfmhdpnc.exe Cnfqccna.exe File opened for modification C:\Windows\SysWOW64\Nnmlcp32.exe Nlnpgd32.exe File opened for modification C:\Windows\SysWOW64\Ngealejo.exe Nefdpjkl.exe File created C:\Windows\SysWOW64\Neknki32.exe Napbjjom.exe File created C:\Windows\SysWOW64\Cmlcld32.dll Elkmmodo.exe File created C:\Windows\SysWOW64\Bgcegq32.dll Gonocmbi.exe File created C:\Windows\SysWOW64\Ijclol32.exe Ihdpbq32.exe File created C:\Windows\SysWOW64\Kcbaab32.dll Jliaac32.exe File created C:\Windows\SysWOW64\Klqahn32.dll Aqjdgmgd.exe File opened for modification C:\Windows\SysWOW64\Gonocmbi.exe Gmpcgace.exe File created C:\Windows\SysWOW64\Bkdbhahq.dll Knmdeioh.exe File created C:\Windows\SysWOW64\Bifbbocj.dll Bdqlajbb.exe File opened for modification C:\Windows\SysWOW64\Lclicpkm.exe Lpnmgdli.exe File created C:\Windows\SysWOW64\Lhiakf32.exe Lfkeokjp.exe File created C:\Windows\SysWOW64\Mfakaoam.dll Bqlfaj32.exe File created C:\Windows\SysWOW64\Ckhdggom.exe Ciihklpj.exe File created C:\Windows\SysWOW64\Pciddedl.exe Piqpkpml.exe File created C:\Windows\SysWOW64\Bhfnge32.dll Ggkqmoma.exe File opened for modification C:\Windows\SysWOW64\Napbjjom.exe Nnafnopi.exe File created C:\Windows\SysWOW64\Qpbglhjq.exe Qlgkki32.exe File created C:\Windows\SysWOW64\Eejopecj.exe Epmfgo32.exe File created C:\Windows\SysWOW64\Bnljlm32.dll Jpigma32.exe File created C:\Windows\SysWOW64\Knbbpakg.dll Klngkfge.exe File created C:\Windows\SysWOW64\Odldga32.dll Napbjjom.exe File created C:\Windows\SysWOW64\Jgabdlfb.exe Jojkco32.exe File opened for modification C:\Windows\SysWOW64\Jondnnbk.exe Jkchmo32.exe File created C:\Windows\SysWOW64\Opnbbe32.exe Olbfagca.exe File created C:\Windows\SysWOW64\Goknhdma.dll Cbiiog32.exe File opened for modification C:\Windows\SysWOW64\Epmfgo32.exe Dmojkc32.exe File opened for modification C:\Windows\SysWOW64\Eacljf32.exe Eoepnk32.exe File opened for modification C:\Windows\SysWOW64\Iahkpg32.exe Injndk32.exe File created C:\Windows\SysWOW64\Kaompi32.exe Koaqcn32.exe File created C:\Windows\SysWOW64\Oopijc32.exe Ogiaif32.exe File created C:\Windows\SysWOW64\Afjjed32.exe Ackmih32.exe File created C:\Windows\SysWOW64\Hoilnidl.dll Fnofjfhk.exe File opened for modification C:\Windows\SysWOW64\Khghgchk.exe Kdklfe32.exe File created C:\Windows\SysWOW64\Jhbcjo32.dll Qppkfhlc.exe File created C:\Windows\SysWOW64\Idkhmgco.dll Pphkbj32.exe File created C:\Windows\SysWOW64\Dacpkc32.exe Dmhdkdlg.exe File created C:\Windows\SysWOW64\Kccllg32.dll Lhiakf32.exe File created C:\Windows\SysWOW64\Cacldi32.dll Mfmndn32.exe File created C:\Windows\SysWOW64\Ogdjhp32.dll Bmbgfkje.exe File created C:\Windows\SysWOW64\Ckcdknaf.dll Enlidg32.exe File created C:\Windows\SysWOW64\Gkpfmnlb.exe Ghajacmo.exe File created C:\Windows\SysWOW64\Mdhpmg32.dll Paiaplin.exe File created C:\Windows\SysWOW64\Adifpk32.exe Aakjdo32.exe File created C:\Windows\SysWOW64\Mhiaka32.dll Gepafc32.exe File created C:\Windows\SysWOW64\Jaoqqflp.exe Iihiphln.exe File created C:\Windows\SysWOW64\Bjpaop32.exe Bfdenafn.exe File created C:\Windows\SysWOW64\Ankojf32.dll Oioggmmc.exe File created C:\Windows\SysWOW64\Amfognic.exe Ajgbkbjp.exe File created C:\Windows\SysWOW64\Eobchk32.exe Emagacdm.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5712 5664 WerFault.exe 487 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kffldlne.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lldmleam.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlcibc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbagipfi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qjklenpa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndmecgba.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcnbhb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjgoje32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fqalaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbcjnnpl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmlael32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfncpcoc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkjjma32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aoojnc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnjbeh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifjlcmmj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chfbgn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Difnaqih.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imahkg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnfddp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Napbjjom.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Biolanld.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gifclb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jliaac32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opihgfop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfmhdpnc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qkffng32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkephn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hahnac32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkjphcff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgfjhcge.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aficjnpm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bieopm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfmbek32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbadjg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Injndk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qeppdo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Piqpkpml.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qhmcmk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpnmgdli.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbjeinje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdcifi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hakkgc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpphhp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hihlqeib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jampjian.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpkpadnl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnmpdlac.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mggabaea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oplelf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlhjhi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajnpecbj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ackmih32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aobnniji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ciaefa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kekiphge.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnjcomcf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phlclgfc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnckjddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dogpdg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Koaqcn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfmndn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnbojmmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Daofpchf.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pmmeon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcdgejhm.dll" Ackmih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bofgii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfmmfimm.dll" Fnacpffh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fjlmpfhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iajfhi32.dll" Gneijien.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ofcqcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chdndgcj.dll" Lbafdlod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ojmpooah.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cepipm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpqbhp32.dll" Ohcdhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bgffhkoj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Djgkii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajcbch32.dll" Hcigco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjcgnola.dll" Jgabdlfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfiocpon.dll" Omioekbo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Njjcip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Njjcip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dhpemm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjlcglnk.dll" Fpoolael.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ijnbcmkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnpincmg.dll" Ihdpbq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Llbqfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaokcb32.dll" Nhlgmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bmlael32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cnfqccna.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lhpglecl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmdeje32.dll" Coacbfii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imlmlm32.dll" Nijnln32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Phfmllbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mqdkdffe.dll" Qobbofgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ccdmnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkkapd32.dll" Jefpeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpbbmeon.dll" Knkgpi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dhmhhmlm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dklddhka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llechb32.dll" Lfkeokjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oefdbdjo.dll" Ooabmbbe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Phlclgfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cillkbac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hbaaik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pkifdd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eaeipfei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikidod32.dll" Hmkeke32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kkjnnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifhckf32.dll" Mkqqnq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Apedah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pgcmbcih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljamki32.dll" Qcachc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Golnjpio.dll" Bofgii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jclnhnji.dll" Bnnaoe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gnaooi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hmoofdea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Inhanl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Neiaeiii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ajmijmnn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 eef6407958affb4485c58e5d3e65e897cf0e9b68f7efe76dec1058f310b91550N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gklodf32.dll" Emagacdm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jdnmma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oidiekdn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ciaefa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liihgqil.dll" Gjojef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iimfld32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lklgbadb.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1908 wrote to memory of 2356 1908 eef6407958affb4485c58e5d3e65e897cf0e9b68f7efe76dec1058f310b91550N.exe 30 PID 1908 wrote to memory of 2356 1908 eef6407958affb4485c58e5d3e65e897cf0e9b68f7efe76dec1058f310b91550N.exe 30 PID 1908 wrote to memory of 2356 1908 eef6407958affb4485c58e5d3e65e897cf0e9b68f7efe76dec1058f310b91550N.exe 30 PID 1908 wrote to memory of 2356 1908 eef6407958affb4485c58e5d3e65e897cf0e9b68f7efe76dec1058f310b91550N.exe 30 PID 2356 wrote to memory of 2080 2356 Nhakcfab.exe 31 PID 2356 wrote to memory of 2080 2356 Nhakcfab.exe 31 PID 2356 wrote to memory of 2080 2356 Nhakcfab.exe 31 PID 2356 wrote to memory of 2080 2356 Nhakcfab.exe 31 PID 2080 wrote to memory of 2480 2080 Nnkcpq32.exe 32 PID 2080 wrote to memory of 2480 2080 Nnkcpq32.exe 32 PID 2080 wrote to memory of 2480 2080 Nnkcpq32.exe 32 PID 2080 wrote to memory of 2480 2080 Nnkcpq32.exe 32 PID 2480 wrote to memory of 2876 2480 Nfghdcfj.exe 33 PID 2480 wrote to memory of 2876 2480 Nfghdcfj.exe 33 PID 2480 wrote to memory of 2876 2480 Nfghdcfj.exe 33 PID 2480 wrote to memory of 2876 2480 Nfghdcfj.exe 33 PID 2876 wrote to memory of 2096 2876 Njbdea32.exe 34 PID 2876 wrote to memory of 2096 2876 Njbdea32.exe 34 PID 2876 wrote to memory of 2096 2876 Njbdea32.exe 34 PID 2876 wrote to memory of 2096 2876 Njbdea32.exe 34 PID 2096 wrote to memory of 2156 2096 Npolmh32.exe 35 PID 2096 wrote to memory of 2156 2096 Npolmh32.exe 35 PID 2096 wrote to memory of 2156 2096 Npolmh32.exe 35 PID 2096 wrote to memory of 2156 2096 Npolmh32.exe 35 PID 2156 wrote to memory of 2608 2156 Nigafnck.exe 36 PID 2156 wrote to memory of 2608 2156 Nigafnck.exe 36 PID 2156 wrote to memory of 2608 2156 Nigafnck.exe 36 PID 2156 wrote to memory of 2608 2156 Nigafnck.exe 36 PID 2608 wrote to memory of 2908 2608 Ndmecgba.exe 37 PID 2608 wrote to memory of 2908 2608 Ndmecgba.exe 37 PID 2608 wrote to memory of 2908 2608 Ndmecgba.exe 37 PID 2608 wrote to memory of 2908 2608 Ndmecgba.exe 37 PID 2908 wrote to memory of 1596 2908 Nijnln32.exe 38 PID 2908 wrote to memory of 1596 2908 Nijnln32.exe 38 PID 2908 wrote to memory of 1596 2908 Nijnln32.exe 38 PID 2908 wrote to memory of 1596 2908 Nijnln32.exe 38 PID 1596 wrote to memory of 264 1596 Nlhjhi32.exe 39 PID 1596 wrote to memory of 264 1596 Nlhjhi32.exe 39 PID 1596 wrote to memory of 264 1596 Nlhjhi32.exe 39 PID 1596 wrote to memory of 264 1596 Nlhjhi32.exe 39 PID 264 wrote to memory of 1488 264 Neqnqofm.exe 40 PID 264 wrote to memory of 1488 264 Neqnqofm.exe 40 PID 264 wrote to memory of 1488 264 Neqnqofm.exe 40 PID 264 wrote to memory of 1488 264 Neqnqofm.exe 40 PID 1488 wrote to memory of 1200 1488 Olkfmi32.exe 41 PID 1488 wrote to memory of 1200 1488 Olkfmi32.exe 41 PID 1488 wrote to memory of 1200 1488 Olkfmi32.exe 41 PID 1488 wrote to memory of 1200 1488 Olkfmi32.exe 41 PID 1200 wrote to memory of 1080 1200 Obdojcef.exe 42 PID 1200 wrote to memory of 1080 1200 Obdojcef.exe 42 PID 1200 wrote to memory of 1080 1200 Obdojcef.exe 42 PID 1200 wrote to memory of 1080 1200 Obdojcef.exe 42 PID 1080 wrote to memory of 2436 1080 Oioggmmc.exe 43 PID 1080 wrote to memory of 2436 1080 Oioggmmc.exe 43 PID 1080 wrote to memory of 2436 1080 Oioggmmc.exe 43 PID 1080 wrote to memory of 2436 1080 Oioggmmc.exe 43 PID 2436 wrote to memory of 2360 2436 Ohagbj32.exe 44 PID 2436 wrote to memory of 2360 2436 Ohagbj32.exe 44 PID 2436 wrote to memory of 2360 2436 Ohagbj32.exe 44 PID 2436 wrote to memory of 2360 2436 Ohagbj32.exe 44 PID 2360 wrote to memory of 2708 2360 Obgkpb32.exe 45 PID 2360 wrote to memory of 2708 2360 Obgkpb32.exe 45 PID 2360 wrote to memory of 2708 2360 Obgkpb32.exe 45 PID 2360 wrote to memory of 2708 2360 Obgkpb32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\eef6407958affb4485c58e5d3e65e897cf0e9b68f7efe76dec1058f310b91550N.exe"C:\Users\Admin\AppData\Local\Temp\eef6407958affb4485c58e5d3e65e897cf0e9b68f7efe76dec1058f310b91550N.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1908 -
C:\Windows\SysWOW64\Nhakcfab.exeC:\Windows\system32\Nhakcfab.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2356 -
C:\Windows\SysWOW64\Nnkcpq32.exeC:\Windows\system32\Nnkcpq32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2080 -
C:\Windows\SysWOW64\Nfghdcfj.exeC:\Windows\system32\Nfghdcfj.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2480 -
C:\Windows\SysWOW64\Njbdea32.exeC:\Windows\system32\Njbdea32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2876 -
C:\Windows\SysWOW64\Npolmh32.exeC:\Windows\system32\Npolmh32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2096 -
C:\Windows\SysWOW64\Nigafnck.exeC:\Windows\system32\Nigafnck.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2156 -
C:\Windows\SysWOW64\Ndmecgba.exeC:\Windows\system32\Ndmecgba.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2608 -
C:\Windows\SysWOW64\Nijnln32.exeC:\Windows\system32\Nijnln32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2908 -
C:\Windows\SysWOW64\Nlhjhi32.exeC:\Windows\system32\Nlhjhi32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1596 -
C:\Windows\SysWOW64\Neqnqofm.exeC:\Windows\system32\Neqnqofm.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:264 -
C:\Windows\SysWOW64\Olkfmi32.exeC:\Windows\system32\Olkfmi32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1488 -
C:\Windows\SysWOW64\Obdojcef.exeC:\Windows\system32\Obdojcef.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1200 -
C:\Windows\SysWOW64\Oioggmmc.exeC:\Windows\system32\Oioggmmc.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1080 -
C:\Windows\SysWOW64\Ohagbj32.exeC:\Windows\system32\Ohagbj32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2436 -
C:\Windows\SysWOW64\Obgkpb32.exeC:\Windows\system32\Obgkpb32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2360 -
C:\Windows\SysWOW64\Ohcdhi32.exeC:\Windows\system32\Ohcdhi32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2708 -
C:\Windows\SysWOW64\Olophhjd.exeC:\Windows\system32\Olophhjd.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2584 -
C:\Windows\SysWOW64\Oalhqohl.exeC:\Windows\system32\Oalhqohl.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2596 -
C:\Windows\SysWOW64\Odjdmjgo.exeC:\Windows\system32\Odjdmjgo.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1556 -
C:\Windows\SysWOW64\Ogiaif32.exeC:\Windows\system32\Ogiaif32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1068 -
C:\Windows\SysWOW64\Oopijc32.exeC:\Windows\system32\Oopijc32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:280 -
C:\Windows\SysWOW64\Opaebkmc.exeC:\Windows\system32\Opaebkmc.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1784 -
C:\Windows\SysWOW64\Odmabj32.exeC:\Windows\system32\Odmabj32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1660 -
C:\Windows\SysWOW64\Oijjka32.exeC:\Windows\system32\Oijjka32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2560 -
C:\Windows\SysWOW64\Oaqbln32.exeC:\Windows\system32\Oaqbln32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2292 -
C:\Windows\SysWOW64\Pdonhj32.exeC:\Windows\system32\Pdonhj32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3064 -
C:\Windows\SysWOW64\Pkifdd32.exeC:\Windows\system32\Pkifdd32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2384 -
C:\Windows\SysWOW64\Pcdkif32.exeC:\Windows\system32\Pcdkif32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2864 -
C:\Windows\SysWOW64\Pecgea32.exeC:\Windows\system32\Pecgea32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2868 -
C:\Windows\SysWOW64\Pphkbj32.exeC:\Windows\system32\Pphkbj32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2648 -
C:\Windows\SysWOW64\Pcghof32.exeC:\Windows\system32\Pcghof32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2748 -
C:\Windows\SysWOW64\Piqpkpml.exeC:\Windows\system32\Piqpkpml.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2684 -
C:\Windows\SysWOW64\Pciddedl.exeC:\Windows\system32\Pciddedl.exe34⤵
- Executes dropped EXE
PID:2780 -
C:\Windows\SysWOW64\Phfmllbd.exeC:\Windows\system32\Phfmllbd.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:2184 -
C:\Windows\SysWOW64\Pckajebj.exeC:\Windows\system32\Pckajebj.exe36⤵
- Executes dropped EXE
PID:604 -
C:\Windows\SysWOW64\Qkffng32.exeC:\Windows\system32\Qkffng32.exe37⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2852 -
C:\Windows\SysWOW64\Qobbofgn.exeC:\Windows\system32\Qobbofgn.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2828 -
C:\Windows\SysWOW64\Qaqnkafa.exeC:\Windows\system32\Qaqnkafa.exe39⤵
- Executes dropped EXE
PID:1988 -
C:\Windows\SysWOW64\Qkibcg32.exeC:\Windows\system32\Qkibcg32.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2976 -
C:\Windows\SysWOW64\Qhmcmk32.exeC:\Windows\system32\Qhmcmk32.exe41⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2172 -
C:\Windows\SysWOW64\Agpcihcf.exeC:\Windows\system32\Agpcihcf.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2404 -
C:\Windows\SysWOW64\Ajnpecbj.exeC:\Windows\system32\Ajnpecbj.exe43⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1788 -
C:\Windows\SysWOW64\Abegfa32.exeC:\Windows\system32\Abegfa32.exe44⤵
- Executes dropped EXE
PID:1144 -
C:\Windows\SysWOW64\Aqjdgmgd.exeC:\Windows\system32\Aqjdgmgd.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2344 -
C:\Windows\SysWOW64\Adfqgl32.exeC:\Windows\system32\Adfqgl32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2580 -
C:\Windows\SysWOW64\Agdmdg32.exeC:\Windows\system32\Agdmdg32.exe47⤵
- Executes dropped EXE
PID:1628 -
C:\Windows\SysWOW64\Aqmamm32.exeC:\Windows\system32\Aqmamm32.exe48⤵
- Executes dropped EXE
PID:2552 -
C:\Windows\SysWOW64\Ackmih32.exeC:\Windows\system32\Ackmih32.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2576 -
C:\Windows\SysWOW64\Afjjed32.exeC:\Windows\system32\Afjjed32.exe50⤵
- Executes dropped EXE
PID:1580 -
C:\Windows\SysWOW64\Ajeeeblb.exeC:\Windows\system32\Ajeeeblb.exe51⤵
- Executes dropped EXE
PID:2800 -
C:\Windows\SysWOW64\Aihfap32.exeC:\Windows\system32\Aihfap32.exe52⤵
- Executes dropped EXE
PID:2880 -
C:\Windows\SysWOW64\Aobnniji.exeC:\Windows\system32\Aobnniji.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3000 -
C:\Windows\SysWOW64\Abpjjeim.exeC:\Windows\system32\Abpjjeim.exe54⤵
- Executes dropped EXE
PID:2724 -
C:\Windows\SysWOW64\Ajgbkbjp.exeC:\Windows\system32\Ajgbkbjp.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2644 -
C:\Windows\SysWOW64\Amfognic.exeC:\Windows\system32\Amfognic.exe56⤵
- Executes dropped EXE
PID:1484 -
C:\Windows\SysWOW64\Akiobk32.exeC:\Windows\system32\Akiobk32.exe57⤵
- Executes dropped EXE
PID:2788 -
C:\Windows\SysWOW64\Bcpgdhpp.exeC:\Windows\system32\Bcpgdhpp.exe58⤵
- Executes dropped EXE
PID:532 -
C:\Windows\SysWOW64\Bfncpcoc.exeC:\Windows\system32\Bfncpcoc.exe59⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2016 -
C:\Windows\SysWOW64\Bimoloog.exeC:\Windows\system32\Bimoloog.exe60⤵
- Executes dropped EXE
PID:1720 -
C:\Windows\SysWOW64\Bmhkmm32.exeC:\Windows\system32\Bmhkmm32.exe61⤵
- Executes dropped EXE
PID:2028 -
C:\Windows\SysWOW64\Bofgii32.exeC:\Windows\system32\Bofgii32.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:840 -
C:\Windows\SysWOW64\Bnihdemo.exeC:\Windows\system32\Bnihdemo.exe63⤵
- Executes dropped EXE
PID:1244 -
C:\Windows\SysWOW64\Bbeded32.exeC:\Windows\system32\Bbeded32.exe64⤵
- Executes dropped EXE
PID:1372 -
C:\Windows\SysWOW64\Biolanld.exeC:\Windows\system32\Biolanld.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1100 -
C:\Windows\SysWOW64\Bgblmk32.exeC:\Windows\system32\Bgblmk32.exe66⤵PID:2372
-
C:\Windows\SysWOW64\Bnldjekl.exeC:\Windows\system32\Bnldjekl.exe67⤵PID:2212
-
C:\Windows\SysWOW64\Bajqfq32.exeC:\Windows\system32\Bajqfq32.exe68⤵PID:2768
-
C:\Windows\SysWOW64\Befmfpbi.exeC:\Windows\system32\Befmfpbi.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2720 -
C:\Windows\SysWOW64\Bgdibkam.exeC:\Windows\system32\Bgdibkam.exe70⤵PID:2924
-
C:\Windows\SysWOW64\Bnnaoe32.exeC:\Windows\system32\Bnnaoe32.exe71⤵
- Modifies registry class
PID:2616 -
C:\Windows\SysWOW64\Bbjmpcab.exeC:\Windows\system32\Bbjmpcab.exe72⤵PID:2784
-
C:\Windows\SysWOW64\Behilopf.exeC:\Windows\system32\Behilopf.exe73⤵PID:492
-
C:\Windows\SysWOW64\Bgffhkoj.exeC:\Windows\system32\Bgffhkoj.exe74⤵
- Modifies registry class
PID:2036 -
C:\Windows\SysWOW64\Bkbaii32.exeC:\Windows\system32\Bkbaii32.exe75⤵PID:1620
-
C:\Windows\SysWOW64\Bnqned32.exeC:\Windows\system32\Bnqned32.exe76⤵PID:296
-
C:\Windows\SysWOW64\Bmcnqama.exeC:\Windows\system32\Bmcnqama.exe77⤵PID:2980
-
C:\Windows\SysWOW64\Bejfao32.exeC:\Windows\system32\Bejfao32.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1904 -
C:\Windows\SysWOW64\Bgibnj32.exeC:\Windows\system32\Bgibnj32.exe79⤵PID:1392
-
C:\Windows\SysWOW64\Cjgoje32.exeC:\Windows\system32\Cjgoje32.exe80⤵
- System Location Discovery: System Language Discovery
PID:2592 -
C:\Windows\SysWOW64\Cnckjddd.exeC:\Windows\system32\Cnckjddd.exe81⤵
- System Location Discovery: System Language Discovery
PID:1716 -
C:\Windows\SysWOW64\Ccpcckck.exeC:\Windows\system32\Ccpcckck.exe82⤵PID:2460
-
C:\Windows\SysWOW64\Cillkbac.exeC:\Windows\system32\Cillkbac.exe83⤵
- Modifies registry class
PID:2236 -
C:\Windows\SysWOW64\Cacclpae.exeC:\Windows\system32\Cacclpae.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2264 -
C:\Windows\SysWOW64\Cbepdhgc.exeC:\Windows\system32\Cbepdhgc.exe85⤵PID:1612
-
C:\Windows\SysWOW64\Cfpldf32.exeC:\Windows\system32\Cfpldf32.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2752 -
C:\Windows\SysWOW64\Ciohqa32.exeC:\Windows\system32\Ciohqa32.exe87⤵PID:2632
-
C:\Windows\SysWOW64\Clmdmm32.exeC:\Windows\system32\Clmdmm32.exe88⤵PID:2188
-
C:\Windows\SysWOW64\Ccdmnj32.exeC:\Windows\system32\Ccdmnj32.exe89⤵
- Modifies registry class
PID:1112 -
C:\Windows\SysWOW64\Cfcijf32.exeC:\Windows\system32\Cfcijf32.exe90⤵PID:2040
-
C:\Windows\SysWOW64\Ciaefa32.exeC:\Windows\system32\Ciaefa32.exe91⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2176 -
C:\Windows\SysWOW64\Cpkmcldj.exeC:\Windows\system32\Cpkmcldj.exe92⤵PID:1360
-
C:\Windows\SysWOW64\Cbiiog32.exeC:\Windows\system32\Cbiiog32.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3020 -
C:\Windows\SysWOW64\Cehfkb32.exeC:\Windows\system32\Cehfkb32.exe94⤵PID:276
-
C:\Windows\SysWOW64\Chfbgn32.exeC:\Windows\system32\Chfbgn32.exe95⤵
- System Location Discovery: System Language Discovery
PID:1164 -
C:\Windows\SysWOW64\Cpmjhk32.exeC:\Windows\system32\Cpmjhk32.exe96⤵PID:1536
-
C:\Windows\SysWOW64\Daofpchf.exeC:\Windows\system32\Daofpchf.exe97⤵
- System Location Discovery: System Language Discovery
PID:2352 -
C:\Windows\SysWOW64\Difnaqih.exeC:\Windows\system32\Difnaqih.exe98⤵
- System Location Discovery: System Language Discovery
PID:2764 -
C:\Windows\SysWOW64\Dhiomn32.exeC:\Windows\system32\Dhiomn32.exe99⤵PID:2964
-
C:\Windows\SysWOW64\Djgkii32.exeC:\Windows\system32\Djgkii32.exe100⤵
- Modifies registry class
PID:524 -
C:\Windows\SysWOW64\Dbncjf32.exeC:\Windows\system32\Dbncjf32.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2844 -
C:\Windows\SysWOW64\Demofaol.exeC:\Windows\system32\Demofaol.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1656 -
C:\Windows\SysWOW64\Dlfgcl32.exeC:\Windows\system32\Dlfgcl32.exe103⤵PID:2972
-
C:\Windows\SysWOW64\Doecog32.exeC:\Windows\system32\Doecog32.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1792 -
C:\Windows\SysWOW64\Dmhdkdlg.exeC:\Windows\system32\Dmhdkdlg.exe105⤵
- Drops file in System32 directory
PID:796 -
C:\Windows\SysWOW64\Dacpkc32.exeC:\Windows\system32\Dacpkc32.exe106⤵PID:1060
-
C:\Windows\SysWOW64\Dhmhhmlm.exeC:\Windows\system32\Dhmhhmlm.exe107⤵
- Modifies registry class
PID:2060 -
C:\Windows\SysWOW64\Dklddhka.exeC:\Windows\system32\Dklddhka.exe108⤵
- Modifies registry class
PID:1232 -
C:\Windows\SysWOW64\Dogpdg32.exeC:\Windows\system32\Dogpdg32.exe109⤵
- System Location Discovery: System Language Discovery
PID:2536 -
C:\Windows\SysWOW64\Dafmqb32.exeC:\Windows\system32\Dafmqb32.exe110⤵PID:2428
-
C:\Windows\SysWOW64\Dphmloih.exeC:\Windows\system32\Dphmloih.exe111⤵PID:560
-
C:\Windows\SysWOW64\Dhpemm32.exeC:\Windows\system32\Dhpemm32.exe112⤵
- Modifies registry class
PID:2192 -
C:\Windows\SysWOW64\Dgbeiiqe.exeC:\Windows\system32\Dgbeiiqe.exe113⤵PID:692
-
C:\Windows\SysWOW64\Dmmmfc32.exeC:\Windows\system32\Dmmmfc32.exe114⤵PID:2068
-
C:\Windows\SysWOW64\Dgeaoinb.exeC:\Windows\system32\Dgeaoinb.exe115⤵PID:2956
-
C:\Windows\SysWOW64\Dicnkdnf.exeC:\Windows\system32\Dicnkdnf.exe116⤵PID:628
-
C:\Windows\SysWOW64\Dmojkc32.exeC:\Windows\system32\Dmojkc32.exe117⤵
- Drops file in System32 directory
PID:888 -
C:\Windows\SysWOW64\Epmfgo32.exeC:\Windows\system32\Epmfgo32.exe118⤵
- Drops file in System32 directory
PID:1692 -
C:\Windows\SysWOW64\Eejopecj.exeC:\Windows\system32\Eejopecj.exe119⤵PID:2776
-
C:\Windows\SysWOW64\Emagacdm.exeC:\Windows\system32\Emagacdm.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2732 -
C:\Windows\SysWOW64\Eobchk32.exeC:\Windows\system32\Eobchk32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:316
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-