Analysis
-
max time kernel
20s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
22-12-2024 15:51
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
f3324179793e35084592d781d0bea5f04e950b8a71d22a8d3a3eb5452c6e7ab7.exe
Resource
win7-20241010-en
windows7-x64
10 signatures
120 seconds
Behavioral task
behavioral2
Sample
f3324179793e35084592d781d0bea5f04e950b8a71d22a8d3a3eb5452c6e7ab7.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
120 seconds
General
-
Target
f3324179793e35084592d781d0bea5f04e950b8a71d22a8d3a3eb5452c6e7ab7.exe
-
Size
136KB
-
MD5
9240bf867655b762145a6678511f3de3
-
SHA1
b4e1974b6ab0d21825adbfe5375f43c8d9d3b6f3
-
SHA256
f3324179793e35084592d781d0bea5f04e950b8a71d22a8d3a3eb5452c6e7ab7
-
SHA512
aef9a827b21d226a459a8f31f8ac59f75abfce0f8714d3760d7649973cf9f232db574f08e398eeebfb5ab54889b4d1f56488aed7d0b8ed61b760e75b13b00089
-
SSDEEP
1536:KG5TVSyqWTqJHwoy6FHru2c8+KAssJXcqOxL8ZTzbcJ+7zNjSKOhYXYnTmujz0cT:NPcJQZ2c8+KYsEXNjShiKIi/mjRrz3OJ
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgkhdddo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dejbqb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmedlk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aijbfo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnnaoe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkglnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qndkpmkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kbigpn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjjkpe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epbpbnan.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdbbgdjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pkmlmbcd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpkompgg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlphbbbg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofhjopbg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akabgebj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dacpkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fjjpjgjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iflmjihl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbcbjlmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bfioia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Khoebi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Macilmnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fogibnha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Idkpganf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lhiakf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oonldcih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Caaggpdh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kglehp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lbfook32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmicfh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdmdacnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mlhnifmq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oalhqohl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hifpke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aaimopli.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfghdcfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dhiomn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfioia32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmbcen32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbigpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qdlggg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjcmap32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qdaglmcb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgdibkam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eihgfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ihdpbq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Phcilf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkjdndjo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bniajoic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Obdojcef.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iedfqeka.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnkjnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mlkjne32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qcachc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Abmgjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ajpepm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijmipn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adcdbl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qndkpmkm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppfomk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qdojgmfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dmjqpdje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qdncmgbj.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2072 Hllmcc32.exe 1320 Hbfepmmn.exe 2352 Heealhla.exe 2816 Hlafnbal.exe 2828 Hjfcpo32.exe 2864 Hfmddp32.exe 2812 Ipehmebh.exe 2720 Ifoqjo32.exe 2380 Iphecepe.exe 1924 Ijmipn32.exe 3020 Idfnicfl.exe 1380 Iegjqk32.exe 1184 Iiecgjba.exe 2504 Ioakoq32.exe 2112 Jlelhe32.exe 2640 Jenpajfb.exe 1596 Jkkija32.exe 692 Jaeafklf.exe 1720 Jgaiobjn.exe 892 Jpjngh32.exe 1756 Jaijak32.exe 2452 Jckgicnp.exe 1868 Jkbojpna.exe 2412 Jnpkflne.exe 2340 Kfkpknkq.exe 2368 Klehgh32.exe 2768 Kfnmpn32.exe 2428 Khlili32.exe 2184 Kofaicon.exe 2964 Khoebi32.exe 2984 Kkmand32.exe 3056 Kfbfkmeh.exe 2848 Kllnhg32.exe 2980 Kbigpn32.exe 3004 Kgfoie32.exe 3064 Lghlndfa.exe 3040 Lnbdko32.exe 708 Lgkhdddo.exe 1900 Lqcmmjko.exe 1304 Ljkaeo32.exe 540 Lgoboc32.exe 2584 Lqhfhigj.exe 2652 Mjpkqonj.exe 1648 Mmogmjmn.exe 744 Mchoid32.exe 1244 Mfglep32.exe 2200 Mejlalji.exe 868 Mkddnf32.exe 1288 Mpopnejo.exe 2008 Mfihkoal.exe 2328 Mihdgkpp.exe 2400 Mlfacfpc.exe 2880 Macilmnk.exe 2820 Mijamjnm.exe 2988 Mlhnifmq.exe 2284 Mbbfep32.exe 2744 Maefamlh.exe 1728 Mhonngce.exe 332 Mlkjne32.exe 1248 Nmlgfnal.exe 2272 Nagbgl32.exe 2012 Ncfoch32.exe 2252 Nfdkoc32.exe 828 Nnkcpq32.exe -
Loads dropped DLL 64 IoCs
pid Process 1500 f3324179793e35084592d781d0bea5f04e950b8a71d22a8d3a3eb5452c6e7ab7.exe 1500 f3324179793e35084592d781d0bea5f04e950b8a71d22a8d3a3eb5452c6e7ab7.exe 2072 Hllmcc32.exe 2072 Hllmcc32.exe 1320 Hbfepmmn.exe 1320 Hbfepmmn.exe 2352 Heealhla.exe 2352 Heealhla.exe 2816 Hlafnbal.exe 2816 Hlafnbal.exe 2828 Hjfcpo32.exe 2828 Hjfcpo32.exe 2864 Hfmddp32.exe 2864 Hfmddp32.exe 2812 Ipehmebh.exe 2812 Ipehmebh.exe 2720 Ifoqjo32.exe 2720 Ifoqjo32.exe 2380 Iphecepe.exe 2380 Iphecepe.exe 1924 Ijmipn32.exe 1924 Ijmipn32.exe 3020 Idfnicfl.exe 3020 Idfnicfl.exe 1380 Iegjqk32.exe 1380 Iegjqk32.exe 1184 Iiecgjba.exe 1184 Iiecgjba.exe 2504 Ioakoq32.exe 2504 Ioakoq32.exe 2112 Jlelhe32.exe 2112 Jlelhe32.exe 2640 Jenpajfb.exe 2640 Jenpajfb.exe 1596 Jkkija32.exe 1596 Jkkija32.exe 692 Jaeafklf.exe 692 Jaeafklf.exe 1720 Jgaiobjn.exe 1720 Jgaiobjn.exe 892 Jpjngh32.exe 892 Jpjngh32.exe 1756 Jaijak32.exe 1756 Jaijak32.exe 2452 Jckgicnp.exe 2452 Jckgicnp.exe 1868 Jkbojpna.exe 1868 Jkbojpna.exe 2412 Jnpkflne.exe 2412 Jnpkflne.exe 2340 Kfkpknkq.exe 2340 Kfkpknkq.exe 2368 Klehgh32.exe 2368 Klehgh32.exe 2768 Kfnmpn32.exe 2768 Kfnmpn32.exe 2428 Khlili32.exe 2428 Khlili32.exe 2184 Kofaicon.exe 2184 Kofaicon.exe 2964 Khoebi32.exe 2964 Khoebi32.exe 2984 Kkmand32.exe 2984 Kkmand32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Ijehdl32.exe Ihglhp32.exe File opened for modification C:\Windows\SysWOW64\Khlili32.exe Kfnmpn32.exe File created C:\Windows\SysWOW64\Nbflno32.exe Mpgobc32.exe File opened for modification C:\Windows\SysWOW64\Odedge32.exe Oaghki32.exe File created C:\Windows\SysWOW64\Cfhakqek.dll Gifclb32.exe File opened for modification C:\Windows\SysWOW64\Gkglnm32.exe Gdmdacnn.exe File created C:\Windows\SysWOW64\Kpkpadnl.exe Klpdaf32.exe File created C:\Windows\SysWOW64\Njhfcp32.exe Nhjjgd32.exe File created C:\Windows\SysWOW64\Ccjoli32.exe Cmpgpond.exe File created C:\Windows\SysWOW64\Kmkejc32.dll Hfmddp32.exe File created C:\Windows\SysWOW64\Aciqcifh.exe Adfqgl32.exe File opened for modification C:\Windows\SysWOW64\Eklqcl32.exe Eijdkcgn.exe File created C:\Windows\SysWOW64\Dhfcho32.dll Clpabm32.exe File opened for modification C:\Windows\SysWOW64\Eihgfd32.exe Eiekpd32.exe File created C:\Windows\SysWOW64\Hcopgk32.dll Apedah32.exe File created C:\Windows\SysWOW64\Gbnbjo32.dll Bjbndpmd.exe File created C:\Windows\SysWOW64\Cplpppdf.dll Mjpkqonj.exe File created C:\Windows\SysWOW64\Piqpkpml.exe Pphkbj32.exe File opened for modification C:\Windows\SysWOW64\Qhjfgl32.exe Qdojgmfe.exe File created C:\Windows\SysWOW64\Hnoefj32.dll Napbjjom.exe File created C:\Windows\SysWOW64\Offmipej.exe Olpilg32.exe File created C:\Windows\SysWOW64\Jjndlebb.dll Jkkija32.exe File created C:\Windows\SysWOW64\Nhndalhm.dll Agpcihcf.exe File created C:\Windows\SysWOW64\Lbafdlod.exe Locjhqpa.exe File created C:\Windows\SysWOW64\Jondnnbk.exe Jlphbbbg.exe File created C:\Windows\SysWOW64\Kcacjhob.dll Lpnmgdli.exe File opened for modification C:\Windows\SysWOW64\Qlgkki32.exe Qndkpmkm.exe File created C:\Windows\SysWOW64\Egfokakc.dll Achjibcl.exe File created C:\Windows\SysWOW64\Hbfepmmn.exe Hllmcc32.exe File created C:\Windows\SysWOW64\Nlhjhi32.exe Nenakoho.exe File opened for modification C:\Windows\SysWOW64\Goplilpf.exe Gifclb32.exe File created C:\Windows\SysWOW64\Fagina32.dll Jolghndm.exe File opened for modification C:\Windows\SysWOW64\Ngealejo.exe Nibqqh32.exe File created C:\Windows\SysWOW64\Hdaehcom.dll Aaimopli.exe File opened for modification C:\Windows\SysWOW64\Aoagccfn.exe Agjobffl.exe File opened for modification C:\Windows\SysWOW64\Idfnicfl.exe Ijmipn32.exe File created C:\Windows\SysWOW64\Adfqgl32.exe Aqjdgmgd.exe File opened for modification C:\Windows\SysWOW64\Eclbcj32.exe Dicnkdnf.exe File created C:\Windows\SysWOW64\Nmcmgm32.exe Ndkhngdd.exe File opened for modification C:\Windows\SysWOW64\Cjgoje32.exe Bgibnj32.exe File created C:\Windows\SysWOW64\Njpeip32.dll Khkbbc32.exe File created C:\Windows\SysWOW64\Binbknik.dll Ahebaiac.exe File created C:\Windows\SysWOW64\Lgoboc32.exe Ljkaeo32.exe File created C:\Windows\SysWOW64\Gqdefddb.exe Gneijien.exe File opened for modification C:\Windows\SysWOW64\Nnoiio32.exe Ngealejo.exe File opened for modification C:\Windows\SysWOW64\Dhiomn32.exe Dejbqb32.exe File opened for modification C:\Windows\SysWOW64\Mjaddn32.exe Mkndhabp.exe File opened for modification C:\Windows\SysWOW64\Ckmnbg32.exe Cagienkb.exe File created C:\Windows\SysWOW64\Pleofj32.exe Pifbjn32.exe File opened for modification C:\Windows\SysWOW64\Ndhlhg32.exe Najpll32.exe File created C:\Windows\SysWOW64\Hdhlfoln.dll Bgibnj32.exe File created C:\Windows\SysWOW64\Aplpbjee.dll Ieajkfmd.exe File created C:\Windows\SysWOW64\Jbqmhnbo.exe Jaoqqflp.exe File created C:\Windows\SysWOW64\Jpbbmeon.dll Knkgpi32.exe File opened for modification C:\Windows\SysWOW64\Piqpkpml.exe Pphkbj32.exe File created C:\Windows\SysWOW64\Kikpibof.dll Bgdibkam.exe File created C:\Windows\SysWOW64\Ohncbdbd.exe Oadkej32.exe File created C:\Windows\SysWOW64\Dobcok32.dll Dacpkc32.exe File created C:\Windows\SysWOW64\Kheoph32.dll Nedhjj32.exe File opened for modification C:\Windows\SysWOW64\Ofhjopbg.exe Ooabmbbe.exe File created C:\Windows\SysWOW64\Qobbofgn.exe Qkffng32.exe File opened for modification C:\Windows\SysWOW64\Fnacpffh.exe Fggkcl32.exe File opened for modification C:\Windows\SysWOW64\Fcbecl32.exe Fogibnha.exe File opened for modification C:\Windows\SysWOW64\Jedcpi32.exe Jgabdlfb.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5716 5684 WerFault.exe 473 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lqcmmjko.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ookpodkj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmcnqama.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adifpk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bqeqqk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdqlajbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bqijljfd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfdkoc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Famope32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Accqnc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okbpde32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkmhnjlh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnnaoe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfmddp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgaiobjn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lclicpkm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Allefimb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aoagccfn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eddeladm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgehno32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gblkoham.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofadnq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qdncmgbj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cocphf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lghlndfa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Clbnhmjo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Goiehm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khghgchk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llgjaeoj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dacpkc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfhcoj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihglhp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gifclb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khkbbc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpkpadnl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nibqqh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlafnbal.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qdaglmcb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgibnj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fggkcl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkjjma32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opfbngfb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpbdmo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klngkfge.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkkija32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjcmap32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmdhad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgaebe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhiomn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnheohcl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oadkej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccdmnj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkbcbn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nedhjj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nabopjmj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhjlli32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgfoie32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmlgfnal.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bammlq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nidmfh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajpepm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oemgplgo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qododfek.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cicalakk.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qpceaipi.dll" Lhiakf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fnofjfhk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iakgefqe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mjhjdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pmgbao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmibbi32.dll" Bkpeci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Epbpbnan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eknmhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Giackg32.dll" Koaqcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paodbg32.dll" Nhjjgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ofcqcp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pmmeon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cplpppdf.dll" Mjpkqonj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bnldjekl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkkeeecj.dll" Flhmfbim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jclcfm32.dll" Gdkgkcpq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Flhmfbim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkdbhahq.dll" Klpdaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkdqjn32.dll" Ccjoli32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Anneqafn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mleeaj32.dll" Bcpgdhpp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bnldjekl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Djgkii32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Inhanl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Femijbfb.dll" Mdghaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dahapj32.dll" Pmmeon32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pmgbao32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qdojgmfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qdaglmcb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gifclb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nedhjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiapeffl.dll" Oadkej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Olpilg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mmogmjmn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fmkilb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pacnfacn.dll" Ihglhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Koaqcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnbamjbm.dll" Bgaebe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jkbojpna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eeaepd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Llgjaeoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lbfook32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iennnogo.dll" Pciddedl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pkifdd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Goplilpf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fhdjgoha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcnfobob.dll" Lklgbadb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dafqii32.dll" Oidiekdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfhmmndi.dll" Akabgebj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Olebgfao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ccjoli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mapecq32.dll" Okdmjdol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bckjhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cgkocj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ofhjopbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gqdefddb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jimbkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Doempm32.dll" Khghgchk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nibqqh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ijmipn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kfbfkmeh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gdmdacnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhfnge32.dll" Gkglnm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bqijljfd.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1500 wrote to memory of 2072 1500 f3324179793e35084592d781d0bea5f04e950b8a71d22a8d3a3eb5452c6e7ab7.exe 30 PID 1500 wrote to memory of 2072 1500 f3324179793e35084592d781d0bea5f04e950b8a71d22a8d3a3eb5452c6e7ab7.exe 30 PID 1500 wrote to memory of 2072 1500 f3324179793e35084592d781d0bea5f04e950b8a71d22a8d3a3eb5452c6e7ab7.exe 30 PID 1500 wrote to memory of 2072 1500 f3324179793e35084592d781d0bea5f04e950b8a71d22a8d3a3eb5452c6e7ab7.exe 30 PID 2072 wrote to memory of 1320 2072 Hllmcc32.exe 31 PID 2072 wrote to memory of 1320 2072 Hllmcc32.exe 31 PID 2072 wrote to memory of 1320 2072 Hllmcc32.exe 31 PID 2072 wrote to memory of 1320 2072 Hllmcc32.exe 31 PID 1320 wrote to memory of 2352 1320 Hbfepmmn.exe 32 PID 1320 wrote to memory of 2352 1320 Hbfepmmn.exe 32 PID 1320 wrote to memory of 2352 1320 Hbfepmmn.exe 32 PID 1320 wrote to memory of 2352 1320 Hbfepmmn.exe 32 PID 2352 wrote to memory of 2816 2352 Heealhla.exe 33 PID 2352 wrote to memory of 2816 2352 Heealhla.exe 33 PID 2352 wrote to memory of 2816 2352 Heealhla.exe 33 PID 2352 wrote to memory of 2816 2352 Heealhla.exe 33 PID 2816 wrote to memory of 2828 2816 Hlafnbal.exe 34 PID 2816 wrote to memory of 2828 2816 Hlafnbal.exe 34 PID 2816 wrote to memory of 2828 2816 Hlafnbal.exe 34 PID 2816 wrote to memory of 2828 2816 Hlafnbal.exe 34 PID 2828 wrote to memory of 2864 2828 Hjfcpo32.exe 35 PID 2828 wrote to memory of 2864 2828 Hjfcpo32.exe 35 PID 2828 wrote to memory of 2864 2828 Hjfcpo32.exe 35 PID 2828 wrote to memory of 2864 2828 Hjfcpo32.exe 35 PID 2864 wrote to memory of 2812 2864 Hfmddp32.exe 36 PID 2864 wrote to memory of 2812 2864 Hfmddp32.exe 36 PID 2864 wrote to memory of 2812 2864 Hfmddp32.exe 36 PID 2864 wrote to memory of 2812 2864 Hfmddp32.exe 36 PID 2812 wrote to memory of 2720 2812 Ipehmebh.exe 37 PID 2812 wrote to memory of 2720 2812 Ipehmebh.exe 37 PID 2812 wrote to memory of 2720 2812 Ipehmebh.exe 37 PID 2812 wrote to memory of 2720 2812 Ipehmebh.exe 37 PID 2720 wrote to memory of 2380 2720 Ifoqjo32.exe 38 PID 2720 wrote to memory of 2380 2720 Ifoqjo32.exe 38 PID 2720 wrote to memory of 2380 2720 Ifoqjo32.exe 38 PID 2720 wrote to memory of 2380 2720 Ifoqjo32.exe 38 PID 2380 wrote to memory of 1924 2380 Iphecepe.exe 39 PID 2380 wrote to memory of 1924 2380 Iphecepe.exe 39 PID 2380 wrote to memory of 1924 2380 Iphecepe.exe 39 PID 2380 wrote to memory of 1924 2380 Iphecepe.exe 39 PID 1924 wrote to memory of 3020 1924 Ijmipn32.exe 40 PID 1924 wrote to memory of 3020 1924 Ijmipn32.exe 40 PID 1924 wrote to memory of 3020 1924 Ijmipn32.exe 40 PID 1924 wrote to memory of 3020 1924 Ijmipn32.exe 40 PID 3020 wrote to memory of 1380 3020 Idfnicfl.exe 41 PID 3020 wrote to memory of 1380 3020 Idfnicfl.exe 41 PID 3020 wrote to memory of 1380 3020 Idfnicfl.exe 41 PID 3020 wrote to memory of 1380 3020 Idfnicfl.exe 41 PID 1380 wrote to memory of 1184 1380 Iegjqk32.exe 42 PID 1380 wrote to memory of 1184 1380 Iegjqk32.exe 42 PID 1380 wrote to memory of 1184 1380 Iegjqk32.exe 42 PID 1380 wrote to memory of 1184 1380 Iegjqk32.exe 42 PID 1184 wrote to memory of 2504 1184 Iiecgjba.exe 43 PID 1184 wrote to memory of 2504 1184 Iiecgjba.exe 43 PID 1184 wrote to memory of 2504 1184 Iiecgjba.exe 43 PID 1184 wrote to memory of 2504 1184 Iiecgjba.exe 43 PID 2504 wrote to memory of 2112 2504 Ioakoq32.exe 44 PID 2504 wrote to memory of 2112 2504 Ioakoq32.exe 44 PID 2504 wrote to memory of 2112 2504 Ioakoq32.exe 44 PID 2504 wrote to memory of 2112 2504 Ioakoq32.exe 44 PID 2112 wrote to memory of 2640 2112 Jlelhe32.exe 45 PID 2112 wrote to memory of 2640 2112 Jlelhe32.exe 45 PID 2112 wrote to memory of 2640 2112 Jlelhe32.exe 45 PID 2112 wrote to memory of 2640 2112 Jlelhe32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\f3324179793e35084592d781d0bea5f04e950b8a71d22a8d3a3eb5452c6e7ab7.exe"C:\Users\Admin\AppData\Local\Temp\f3324179793e35084592d781d0bea5f04e950b8a71d22a8d3a3eb5452c6e7ab7.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1500 -
C:\Windows\SysWOW64\Hllmcc32.exeC:\Windows\system32\Hllmcc32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2072 -
C:\Windows\SysWOW64\Hbfepmmn.exeC:\Windows\system32\Hbfepmmn.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1320 -
C:\Windows\SysWOW64\Heealhla.exeC:\Windows\system32\Heealhla.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2352 -
C:\Windows\SysWOW64\Hlafnbal.exeC:\Windows\system32\Hlafnbal.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2816 -
C:\Windows\SysWOW64\Hjfcpo32.exeC:\Windows\system32\Hjfcpo32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2828 -
C:\Windows\SysWOW64\Hfmddp32.exeC:\Windows\system32\Hfmddp32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2864 -
C:\Windows\SysWOW64\Ipehmebh.exeC:\Windows\system32\Ipehmebh.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2812 -
C:\Windows\SysWOW64\Ifoqjo32.exeC:\Windows\system32\Ifoqjo32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2720 -
C:\Windows\SysWOW64\Iphecepe.exeC:\Windows\system32\Iphecepe.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2380 -
C:\Windows\SysWOW64\Ijmipn32.exeC:\Windows\system32\Ijmipn32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1924 -
C:\Windows\SysWOW64\Idfnicfl.exeC:\Windows\system32\Idfnicfl.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3020 -
C:\Windows\SysWOW64\Iegjqk32.exeC:\Windows\system32\Iegjqk32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1380 -
C:\Windows\SysWOW64\Iiecgjba.exeC:\Windows\system32\Iiecgjba.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1184 -
C:\Windows\SysWOW64\Ioakoq32.exeC:\Windows\system32\Ioakoq32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2504 -
C:\Windows\SysWOW64\Jlelhe32.exeC:\Windows\system32\Jlelhe32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2112 -
C:\Windows\SysWOW64\Jenpajfb.exeC:\Windows\system32\Jenpajfb.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2640 -
C:\Windows\SysWOW64\Jkkija32.exeC:\Windows\system32\Jkkija32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1596 -
C:\Windows\SysWOW64\Jaeafklf.exeC:\Windows\system32\Jaeafklf.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:692 -
C:\Windows\SysWOW64\Jgaiobjn.exeC:\Windows\system32\Jgaiobjn.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1720 -
C:\Windows\SysWOW64\Jpjngh32.exeC:\Windows\system32\Jpjngh32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:892 -
C:\Windows\SysWOW64\Jaijak32.exeC:\Windows\system32\Jaijak32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1756 -
C:\Windows\SysWOW64\Jckgicnp.exeC:\Windows\system32\Jckgicnp.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2452 -
C:\Windows\SysWOW64\Jkbojpna.exeC:\Windows\system32\Jkbojpna.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1868 -
C:\Windows\SysWOW64\Jnpkflne.exeC:\Windows\system32\Jnpkflne.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2412 -
C:\Windows\SysWOW64\Kfkpknkq.exeC:\Windows\system32\Kfkpknkq.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2340 -
C:\Windows\SysWOW64\Klehgh32.exeC:\Windows\system32\Klehgh32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2368 -
C:\Windows\SysWOW64\Kfnmpn32.exeC:\Windows\system32\Kfnmpn32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2768 -
C:\Windows\SysWOW64\Khlili32.exeC:\Windows\system32\Khlili32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2428 -
C:\Windows\SysWOW64\Kofaicon.exeC:\Windows\system32\Kofaicon.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2184 -
C:\Windows\SysWOW64\Khoebi32.exeC:\Windows\system32\Khoebi32.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2964 -
C:\Windows\SysWOW64\Kkmand32.exeC:\Windows\system32\Kkmand32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2984 -
C:\Windows\SysWOW64\Kfbfkmeh.exeC:\Windows\system32\Kfbfkmeh.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:3056 -
C:\Windows\SysWOW64\Kllnhg32.exeC:\Windows\system32\Kllnhg32.exe34⤵
- Executes dropped EXE
PID:2848 -
C:\Windows\SysWOW64\Kbigpn32.exeC:\Windows\system32\Kbigpn32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2980 -
C:\Windows\SysWOW64\Kgfoie32.exeC:\Windows\system32\Kgfoie32.exe36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3004 -
C:\Windows\SysWOW64\Lghlndfa.exeC:\Windows\system32\Lghlndfa.exe37⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3064 -
C:\Windows\SysWOW64\Lnbdko32.exeC:\Windows\system32\Lnbdko32.exe38⤵
- Executes dropped EXE
PID:3040 -
C:\Windows\SysWOW64\Lgkhdddo.exeC:\Windows\system32\Lgkhdddo.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:708 -
C:\Windows\SysWOW64\Lqcmmjko.exeC:\Windows\system32\Lqcmmjko.exe40⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1900 -
C:\Windows\SysWOW64\Ljkaeo32.exeC:\Windows\system32\Ljkaeo32.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1304 -
C:\Windows\SysWOW64\Lgoboc32.exeC:\Windows\system32\Lgoboc32.exe42⤵
- Executes dropped EXE
PID:540 -
C:\Windows\SysWOW64\Lqhfhigj.exeC:\Windows\system32\Lqhfhigj.exe43⤵
- Executes dropped EXE
PID:2584 -
C:\Windows\SysWOW64\Mjpkqonj.exeC:\Windows\system32\Mjpkqonj.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2652 -
C:\Windows\SysWOW64\Mmogmjmn.exeC:\Windows\system32\Mmogmjmn.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:1648 -
C:\Windows\SysWOW64\Mchoid32.exeC:\Windows\system32\Mchoid32.exe46⤵
- Executes dropped EXE
PID:744 -
C:\Windows\SysWOW64\Mfglep32.exeC:\Windows\system32\Mfglep32.exe47⤵
- Executes dropped EXE
PID:1244 -
C:\Windows\SysWOW64\Mejlalji.exeC:\Windows\system32\Mejlalji.exe48⤵
- Executes dropped EXE
PID:2200 -
C:\Windows\SysWOW64\Mkddnf32.exeC:\Windows\system32\Mkddnf32.exe49⤵
- Executes dropped EXE
PID:868 -
C:\Windows\SysWOW64\Mpopnejo.exeC:\Windows\system32\Mpopnejo.exe50⤵
- Executes dropped EXE
PID:1288 -
C:\Windows\SysWOW64\Mfihkoal.exeC:\Windows\system32\Mfihkoal.exe51⤵
- Executes dropped EXE
PID:2008 -
C:\Windows\SysWOW64\Mihdgkpp.exeC:\Windows\system32\Mihdgkpp.exe52⤵
- Executes dropped EXE
PID:2328 -
C:\Windows\SysWOW64\Mlfacfpc.exeC:\Windows\system32\Mlfacfpc.exe53⤵
- Executes dropped EXE
PID:2400 -
C:\Windows\SysWOW64\Macilmnk.exeC:\Windows\system32\Macilmnk.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2880 -
C:\Windows\SysWOW64\Mijamjnm.exeC:\Windows\system32\Mijamjnm.exe55⤵
- Executes dropped EXE
PID:2820 -
C:\Windows\SysWOW64\Mlhnifmq.exeC:\Windows\system32\Mlhnifmq.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2988 -
C:\Windows\SysWOW64\Mbbfep32.exeC:\Windows\system32\Mbbfep32.exe57⤵
- Executes dropped EXE
PID:2284 -
C:\Windows\SysWOW64\Maefamlh.exeC:\Windows\system32\Maefamlh.exe58⤵
- Executes dropped EXE
PID:2744 -
C:\Windows\SysWOW64\Mhonngce.exeC:\Windows\system32\Mhonngce.exe59⤵
- Executes dropped EXE
PID:1728 -
C:\Windows\SysWOW64\Mlkjne32.exeC:\Windows\system32\Mlkjne32.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:332 -
C:\Windows\SysWOW64\Nmlgfnal.exeC:\Windows\system32\Nmlgfnal.exe61⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1248 -
C:\Windows\SysWOW64\Nagbgl32.exeC:\Windows\system32\Nagbgl32.exe62⤵
- Executes dropped EXE
PID:2272 -
C:\Windows\SysWOW64\Ncfoch32.exeC:\Windows\system32\Ncfoch32.exe63⤵
- Executes dropped EXE
PID:2012 -
C:\Windows\SysWOW64\Nfdkoc32.exeC:\Windows\system32\Nfdkoc32.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2252 -
C:\Windows\SysWOW64\Nnkcpq32.exeC:\Windows\system32\Nnkcpq32.exe65⤵
- Executes dropped EXE
PID:828 -
C:\Windows\SysWOW64\Nmnclmoj.exeC:\Windows\system32\Nmnclmoj.exe66⤵PID:604
-
C:\Windows\SysWOW64\Najpll32.exeC:\Windows\system32\Najpll32.exe67⤵
- Drops file in System32 directory
PID:304 -
C:\Windows\SysWOW64\Ndhlhg32.exeC:\Windows\system32\Ndhlhg32.exe68⤵PID:1112
-
C:\Windows\SysWOW64\Nfghdcfj.exeC:\Windows\system32\Nfghdcfj.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1972 -
C:\Windows\SysWOW64\Nmqpam32.exeC:\Windows\system32\Nmqpam32.exe70⤵PID:2080
-
C:\Windows\SysWOW64\Npolmh32.exeC:\Windows\system32\Npolmh32.exe71⤵PID:1952
-
C:\Windows\SysWOW64\Ndkhngdd.exeC:\Windows\system32\Ndkhngdd.exe72⤵
- Drops file in System32 directory
PID:1692 -
C:\Windows\SysWOW64\Nmcmgm32.exeC:\Windows\system32\Nmcmgm32.exe73⤵PID:2152
-
C:\Windows\SysWOW64\Nlfmbibo.exeC:\Windows\system32\Nlfmbibo.exe74⤵PID:2840
-
C:\Windows\SysWOW64\Nbpeoc32.exeC:\Windows\system32\Nbpeoc32.exe75⤵PID:2688
-
C:\Windows\SysWOW64\Nfkapb32.exeC:\Windows\system32\Nfkapb32.exe76⤵PID:2336
-
C:\Windows\SysWOW64\Nenakoho.exeC:\Windows\system32\Nenakoho.exe77⤵
- Drops file in System32 directory
PID:956 -
C:\Windows\SysWOW64\Nlhjhi32.exeC:\Windows\system32\Nlhjhi32.exe78⤵PID:3016
-
C:\Windows\SysWOW64\Nbbbdcgi.exeC:\Windows\system32\Nbbbdcgi.exe79⤵PID:3036
-
C:\Windows\SysWOW64\Neqnqofm.exeC:\Windows\system32\Neqnqofm.exe80⤵PID:2716
-
C:\Windows\SysWOW64\Ohojmjep.exeC:\Windows\system32\Ohojmjep.exe81⤵PID:768
-
C:\Windows\SysWOW64\Opfbngfb.exeC:\Windows\system32\Opfbngfb.exe82⤵
- System Location Discovery: System Language Discovery
PID:2480 -
C:\Windows\SysWOW64\Obdojcef.exeC:\Windows\system32\Obdojcef.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2044 -
C:\Windows\SysWOW64\Oagoep32.exeC:\Windows\system32\Oagoep32.exe84⤵PID:2444
-
C:\Windows\SysWOW64\Oeckfndj.exeC:\Windows\system32\Oeckfndj.exe85⤵PID:1636
-
C:\Windows\SysWOW64\Ookpodkj.exeC:\Windows\system32\Ookpodkj.exe86⤵
- System Location Discovery: System Language Discovery
PID:1968 -
C:\Windows\SysWOW64\Oeehln32.exeC:\Windows\system32\Oeehln32.exe87⤵PID:1932
-
C:\Windows\SysWOW64\Odhhgkib.exeC:\Windows\system32\Odhhgkib.exe88⤵PID:2408
-
C:\Windows\SysWOW64\Okbpde32.exeC:\Windows\system32\Okbpde32.exe89⤵
- System Location Discovery: System Language Discovery
PID:2684 -
C:\Windows\SysWOW64\Oonldcih.exeC:\Windows\system32\Oonldcih.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3052 -
C:\Windows\SysWOW64\Oalhqohl.exeC:\Windows\system32\Oalhqohl.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2424 -
C:\Windows\SysWOW64\Oehdan32.exeC:\Windows\system32\Oehdan32.exe92⤵PID:2748
-
C:\Windows\SysWOW64\Ogiaif32.exeC:\Windows\system32\Ogiaif32.exe93⤵PID:2664
-
C:\Windows\SysWOW64\Okdmjdol.exeC:\Windows\system32\Okdmjdol.exe94⤵
- Modifies registry class
PID:1656 -
C:\Windows\SysWOW64\Odmabj32.exeC:\Windows\system32\Odmabj32.exe95⤵PID:2636
-
C:\Windows\SysWOW64\Ohhmcinf.exeC:\Windows\system32\Ohhmcinf.exe96⤵PID:2116
-
C:\Windows\SysWOW64\Oijjka32.exeC:\Windows\system32\Oijjka32.exe97⤵PID:1536
-
C:\Windows\SysWOW64\Ppcbgkka.exeC:\Windows\system32\Ppcbgkka.exe98⤵PID:1936
-
C:\Windows\SysWOW64\Pkifdd32.exeC:\Windows\system32\Pkifdd32.exe99⤵
- Modifies registry class
PID:1948 -
C:\Windows\SysWOW64\Pmgbao32.exeC:\Windows\system32\Pmgbao32.exe100⤵
- Modifies registry class
PID:1676 -
C:\Windows\SysWOW64\Ppfomk32.exeC:\Windows\system32\Ppfomk32.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1940 -
C:\Windows\SysWOW64\Pdakniag.exeC:\Windows\system32\Pdakniag.exe102⤵PID:1428
-
C:\Windows\SysWOW64\Pgpgjepk.exeC:\Windows\system32\Pgpgjepk.exe103⤵PID:2808
-
C:\Windows\SysWOW64\Pincfpoo.exeC:\Windows\system32\Pincfpoo.exe104⤵PID:2752
-
C:\Windows\SysWOW64\Pphkbj32.exeC:\Windows\system32\Pphkbj32.exe105⤵
- Drops file in System32 directory
PID:2944 -
C:\Windows\SysWOW64\Piqpkpml.exeC:\Windows\system32\Piqpkpml.exe106⤵PID:356
-
C:\Windows\SysWOW64\Plolgk32.exeC:\Windows\system32\Plolgk32.exe107⤵PID:980
-
C:\Windows\SysWOW64\Pciddedl.exeC:\Windows\system32\Pciddedl.exe108⤵
- Modifies registry class
PID:1424 -
C:\Windows\SysWOW64\Pjcmap32.exeC:\Windows\system32\Pjcmap32.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1348 -
C:\Windows\SysWOW64\Plaimk32.exeC:\Windows\system32\Plaimk32.exe110⤵PID:2892
-
C:\Windows\SysWOW64\Popeif32.exeC:\Windows\system32\Popeif32.exe111⤵PID:2616
-
C:\Windows\SysWOW64\Pdmnam32.exeC:\Windows\system32\Pdmnam32.exe112⤵PID:288
-
C:\Windows\SysWOW64\Qkffng32.exeC:\Windows\system32\Qkffng32.exe113⤵
- Drops file in System32 directory
PID:1688 -
C:\Windows\SysWOW64\Qobbofgn.exeC:\Windows\system32\Qobbofgn.exe114⤵PID:2824
-
C:\Windows\SysWOW64\Qdojgmfe.exeC:\Windows\system32\Qdojgmfe.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2796 -
C:\Windows\SysWOW64\Qhjfgl32.exeC:\Windows\system32\Qhjfgl32.exe116⤵PID:1476
-
C:\Windows\SysWOW64\Qododfek.exeC:\Windows\system32\Qododfek.exe117⤵
- System Location Discovery: System Language Discovery
PID:588 -
C:\Windows\SysWOW64\Qackpado.exeC:\Windows\system32\Qackpado.exe118⤵PID:2928
-
C:\Windows\SysWOW64\Qdaglmcb.exeC:\Windows\system32\Qdaglmcb.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1772 -
C:\Windows\SysWOW64\Agpcihcf.exeC:\Windows\system32\Agpcihcf.exe120⤵
- Drops file in System32 directory
PID:2264 -
C:\Windows\SysWOW64\Ajnpecbj.exeC:\Windows\system32\Ajnpecbj.exe121⤵PID:1776
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-