Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
23-12-2024 23:00
Static task
static1
Behavioral task
behavioral1
Sample
8413382b3bc69c6706f845995e3f6cae3d0d0e2e07c9b184abf02d0f94821fa7.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
8413382b3bc69c6706f845995e3f6cae3d0d0e2e07c9b184abf02d0f94821fa7.exe
Resource
win10v2004-20241007-en
General
-
Target
8413382b3bc69c6706f845995e3f6cae3d0d0e2e07c9b184abf02d0f94821fa7.exe
-
Size
96KB
-
MD5
461a3d0a3a7652f0bdbc26a9a0918ebe
-
SHA1
bfab57f4e2c4947facb372eb46db5ec91f64e4ec
-
SHA256
8413382b3bc69c6706f845995e3f6cae3d0d0e2e07c9b184abf02d0f94821fa7
-
SHA512
e1dd7fbcafb26a04e5ab0258b99b45a2a2168e21056ee063e876f776f3201bb80a9b7863537305e0fc2eb6d8598dd830874753b49db379030eab7c6b0b241823
-
SSDEEP
1536:RMNv6GPyfBXSJsldQgrroYP7tX4T1lXAt7duV9jojTIvjr:qcGPypXSJsf3o/Pe7d69jc0v
Malware Config
Extracted
berbew
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cnkjnb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iacjjacb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lnqjnhge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nmabjfek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pjihmmbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ejaphpnp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmhkin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gcjmmdbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hjcaha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kdbepm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kdeaelok.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibipmiek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lldmleam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mpgobc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdgmlhha.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifbphh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kbpbmkan.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkdjglfo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njnmbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dbfbnddq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldjbkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mimpkcdn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbgjgomc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Inhdgdmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jkchmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jokqnhpa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhdegn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Obgnhkkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Folhgbid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hjohmbpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kjokokha.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bceibfgj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Danpemej.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifdlng32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oflpgnld.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alddjg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Giolnomh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qdncmgbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cbdiia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cgnnab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cbjlhpkb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebnabb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bqgmfkhg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfkmie32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iieepbje.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhmaeg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bqmpdioa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ldgnklmi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Feggob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hkahgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mgbaml32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjedmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dpklkgoj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emaijk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibacbcgg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgjkfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Napbjjom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pkaehb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdqlajbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hgqlafap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Khjgel32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hiclkp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hqnapb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jhjbqo32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2132 Hgpjhn32.exe 2548 Hnjbeh32.exe 1208 Hahnac32.exe 2712 Hidcef32.exe 2768 Hcigco32.exe 484 Hifpke32.exe 2628 Hpphhp32.exe 3032 Hfjpdjjo.exe 1672 Hmdhad32.exe 1484 Ieomef32.exe 780 Iliebpfc.exe 1924 Ipeaco32.exe 1772 Ieajkfmd.exe 2668 Ibejdjln.exe 2496 Iedfqeka.exe 908 Ijqoilii.exe 1148 Idicbbpi.exe 940 Ihdpbq32.exe 1588 Ijclol32.exe 1552 Imahkg32.exe 1564 Ihglhp32.exe 2184 Jaoqqflp.exe 3000 Jdnmma32.exe 2980 Jbqmhnbo.exe 1908 Jkhejkcq.exe 2744 Jbcjnnpl.exe 1716 Jojkco32.exe 2888 Jedcpi32.exe 2860 Jbhcim32.exe 2604 Jajcdjca.exe 2672 Jefpeh32.exe 1096 Jkchmo32.exe 684 Jbjpom32.exe 2120 Kaompi32.exe 1764 Kekiphge.exe 1760 Khielcfh.exe 1816 Kkgahoel.exe 2856 Kocmim32.exe 2468 Kkjnnn32.exe 2488 Kjmnjkjd.exe 448 Kadfkhkf.exe 1600 Kklkcn32.exe 2280 Kjokokha.exe 1560 Klngkfge.exe 2244 Kddomchg.exe 2988 Kcgphp32.exe 1508 Kffldlne.exe 548 Knmdeioh.exe 2084 Kpkpadnl.exe 2836 Lonpma32.exe 2944 Lgehno32.exe 2624 Lfhhjklc.exe 2776 Lhfefgkg.exe 2356 Llbqfe32.exe 2780 Lpnmgdli.exe 1396 Lclicpkm.exe 468 Lfkeokjp.exe 2596 Ljfapjbi.exe 2708 Lldmleam.exe 2920 Lkgngb32.exe 2964 Lcofio32.exe 1312 Lbafdlod.exe 1568 Lhknaf32.exe 1704 Llgjaeoj.exe -
Loads dropped DLL 64 IoCs
pid Process 2232 8413382b3bc69c6706f845995e3f6cae3d0d0e2e07c9b184abf02d0f94821fa7.exe 2232 8413382b3bc69c6706f845995e3f6cae3d0d0e2e07c9b184abf02d0f94821fa7.exe 2132 Hgpjhn32.exe 2132 Hgpjhn32.exe 2548 Hnjbeh32.exe 2548 Hnjbeh32.exe 1208 Hahnac32.exe 1208 Hahnac32.exe 2712 Hidcef32.exe 2712 Hidcef32.exe 2768 Hcigco32.exe 2768 Hcigco32.exe 484 Hifpke32.exe 484 Hifpke32.exe 2628 Hpphhp32.exe 2628 Hpphhp32.exe 3032 Hfjpdjjo.exe 3032 Hfjpdjjo.exe 1672 Hmdhad32.exe 1672 Hmdhad32.exe 1484 Ieomef32.exe 1484 Ieomef32.exe 780 Iliebpfc.exe 780 Iliebpfc.exe 1924 Ipeaco32.exe 1924 Ipeaco32.exe 1772 Ieajkfmd.exe 1772 Ieajkfmd.exe 2668 Ibejdjln.exe 2668 Ibejdjln.exe 2496 Iedfqeka.exe 2496 Iedfqeka.exe 908 Ijqoilii.exe 908 Ijqoilii.exe 1148 Idicbbpi.exe 1148 Idicbbpi.exe 940 Ihdpbq32.exe 940 Ihdpbq32.exe 1588 Ijclol32.exe 1588 Ijclol32.exe 1552 Imahkg32.exe 1552 Imahkg32.exe 1564 Ihglhp32.exe 1564 Ihglhp32.exe 2184 Jaoqqflp.exe 2184 Jaoqqflp.exe 3000 Jdnmma32.exe 3000 Jdnmma32.exe 2980 Jbqmhnbo.exe 2980 Jbqmhnbo.exe 1908 Jkhejkcq.exe 1908 Jkhejkcq.exe 2744 Jbcjnnpl.exe 2744 Jbcjnnpl.exe 1716 Jojkco32.exe 1716 Jojkco32.exe 2888 Jedcpi32.exe 2888 Jedcpi32.exe 2860 Jbhcim32.exe 2860 Jbhcim32.exe 2604 Jajcdjca.exe 2604 Jajcdjca.exe 2672 Jefpeh32.exe 2672 Jefpeh32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Jaadfcpf.dll Indnnfdn.exe File opened for modification C:\Windows\SysWOW64\Nfgjml32.exe Ncinap32.exe File created C:\Windows\SysWOW64\Aeoijidl.exe Qoeamo32.exe File created C:\Windows\SysWOW64\Ajhddk32.exe Afliclij.exe File created C:\Windows\SysWOW64\Bkknac32.exe Bhmaeg32.exe File created C:\Windows\SysWOW64\Kccllg32.dll Ljfapjbi.exe File opened for modification C:\Windows\SysWOW64\Opqoge32.exe Ohiffh32.exe File created C:\Windows\SysWOW64\Oapldp32.dll Dcllbhdn.exe File opened for modification C:\Windows\SysWOW64\Fimoiopk.exe Fgocmc32.exe File created C:\Windows\SysWOW64\Hnkdnqhm.exe Hjohmbpd.exe File created C:\Windows\SysWOW64\Qhilkege.exe Qejpoi32.exe File created C:\Windows\SysWOW64\Gbejnl32.dll Fimoiopk.exe File created C:\Windows\SysWOW64\Mcjhmcok.exe Mqklqhpg.exe File created C:\Windows\SysWOW64\Gpajfg32.dll Cgcnghpl.exe File created C:\Windows\SysWOW64\Hbfchh32.dll Ohdfqbio.exe File created C:\Windows\SysWOW64\Mgmdapml.exe Mdogedmh.exe File created C:\Windows\SysWOW64\Gdecfn32.dll Acicla32.exe File opened for modification C:\Windows\SysWOW64\Hdbpekam.exe Hadcipbi.exe File created C:\Windows\SysWOW64\Pigckoki.dll Kkojbf32.exe File created C:\Windows\SysWOW64\Mfmndn32.exe Mcnbhb32.exe File created C:\Windows\SysWOW64\Ohiffh32.exe Oiffkkbk.exe File created C:\Windows\SysWOW64\Ihaiqn32.dll Oabkom32.exe File opened for modification C:\Windows\SysWOW64\Godaakic.exe Gmeeepjp.exe File created C:\Windows\SysWOW64\Jndjmifj.exe Jlfnangf.exe File created C:\Windows\SysWOW64\Jmclfnqb.dll Aoagccfn.exe File created C:\Windows\SysWOW64\Emgioakg.exe Ekhmcelc.exe File created C:\Windows\SysWOW64\Ihkknn32.dll Foahmh32.exe File opened for modification C:\Windows\SysWOW64\Hgkfal32.exe Heliepmn.exe File created C:\Windows\SysWOW64\Pbemboof.exe Pdbmfb32.exe File created C:\Windows\SysWOW64\Faibdo32.dll Hnkdnqhm.exe File opened for modification C:\Windows\SysWOW64\Jdnmma32.exe Jaoqqflp.exe File created C:\Windows\SysWOW64\Pkcbnanl.exe Pghfnc32.exe File opened for modification C:\Windows\SysWOW64\Hnpdcf32.exe Hkahgk32.exe File opened for modification C:\Windows\SysWOW64\Ehnfpifm.exe Eikfdl32.exe File created C:\Windows\SysWOW64\Gecpnp32.exe Gcedad32.exe File created C:\Windows\SysWOW64\Jibnop32.exe Jefbnacn.exe File created C:\Windows\SysWOW64\Ncekdcqn.dll Dfmeccao.exe File created C:\Windows\SysWOW64\Mokilo32.exe Mphiqbon.exe File created C:\Windows\SysWOW64\Ildhhm32.dll Ckeqga32.exe File created C:\Windows\SysWOW64\Jbbccgmp.exe Jjkkbjln.exe File opened for modification C:\Windows\SysWOW64\Bbhccm32.exe Boifga32.exe File created C:\Windows\SysWOW64\Jqgaapqd.dll Ajckilei.exe File opened for modification C:\Windows\SysWOW64\Goldfelp.exe Gpidki32.exe File created C:\Windows\SysWOW64\Ohpboqdk.dll Mqjefamk.exe File opened for modification C:\Windows\SysWOW64\Napbjjom.exe Nnafnopi.exe File opened for modification C:\Windows\SysWOW64\Dfpaic32.exe Ddaemh32.exe File created C:\Windows\SysWOW64\Dkolai32.dll Flapkmlj.exe File created C:\Windows\SysWOW64\Biklma32.dll Jibnop32.exe File created C:\Windows\SysWOW64\Gfnjne32.exe Ggkibhjf.exe File opened for modification C:\Windows\SysWOW64\Lcblan32.exe Lkggmldl.exe File opened for modification C:\Windows\SysWOW64\Dboeco32.exe Dppigchi.exe File opened for modification C:\Windows\SysWOW64\Bqgmfkhg.exe Bniajoic.exe File created C:\Windows\SysWOW64\Jhmofo32.exe Jijokbfp.exe File created C:\Windows\SysWOW64\Mqklqhpg.exe Mnmpdlac.exe File opened for modification C:\Windows\SysWOW64\Pofkha32.exe Pkjphcff.exe File created C:\Windows\SysWOW64\Cpqmndme.dll Alihaioe.exe File created C:\Windows\SysWOW64\Iofjqboi.dll Jbqmhnbo.exe File created C:\Windows\SysWOW64\Opqoge32.exe Ohiffh32.exe File opened for modification C:\Windows\SysWOW64\Paaddgkj.exe Pmehdh32.exe File created C:\Windows\SysWOW64\Dhbdleol.exe Dpklkgoj.exe File created C:\Windows\SysWOW64\Ajflifmi.dll Folhgbid.exe File opened for modification C:\Windows\SysWOW64\Jfjolf32.exe Jggoqimd.exe File created C:\Windows\SysWOW64\Kmimcbja.exe Kkjpggkn.exe File opened for modification C:\Windows\SysWOW64\Lgkkmm32.exe Ldmopa32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 7452 8116 WerFault.exe 827 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdbpekam.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nedhjj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnmfdb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjkkbjln.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhcafa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldmopa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mimpkcdn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdpgph32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcofio32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alqnah32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Foahmh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npdhaq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccbbachm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Goldfelp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjjdhc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccnifd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmmeon32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pghfnc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfbnoc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmjoqo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jagpdd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdogedmh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njbfnjeg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cqfbjhgf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dadbdkld.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpnopm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lncfcgeb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngbmlo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfmndn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ooabmbbe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bniajoic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eakooqih.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggkibhjf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipomlm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jacfidem.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aejlnmkm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Daaenlng.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qcogbdkg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agjobffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkdjglfo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olbogqoe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfbfhm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lifcib32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcckcbgp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hohkmj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifdlng32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oefjdgjk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qhkipdeb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmipdo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpqlemaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmpcca32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihglhp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Allefimb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klhgfq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acicla32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcqjfeja.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkgoff32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdbepm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcjilgdb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aficjnpm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bqgmfkhg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbidne32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boemlbpk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cncmcm32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lgchgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jaadfcpf.dll" Indnnfdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hoeheonb.dll" Ljldnhid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkolai32.dll" Flapkmlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clffbc32.dll" Hgnokgcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bocndipc.dll" Icifjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jndape32.dll" Hcigco32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mkndhabp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlbjim32.dll" Pnbojmmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oapldp32.dll" Dcllbhdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dpjbgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpbbmeon.dll" Kjokokha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mahildbb.dll" Qejpoi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hgnokgcc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Icncgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Elcpbigl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qhkipdeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aeoijidl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bhdhefpc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Icifjk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ohiffh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Debadpeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Igoomk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kneoni32.dll" Djjjga32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fgocmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jbjpom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpihdl32.dll" Lcofio32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lbafdlod.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ohbikbkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iclnjd32.dll" Eakooqih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imienpig.dll" Gjgiidkl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bfioia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dnpciaef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pmjaohol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfnokgjk.dll" Egonhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fgfdie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhcgiiek.dll" Qkghgpfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Boemlbpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bbjpil32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ikldqile.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nfahomfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nfahomfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mmccqbpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jaoobkci.dll" Agbbgqhh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fbegbacp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pfbfhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hloncd32.dll" Apppkekc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfcomncc.dll" Bhonjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mahlae32.dll" Jefpeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bgllgedi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fpjofl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mflgih32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nggggoda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jnmiag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kdbepm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Llepen32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nlnpgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjpbcokk.dll" Ofcqcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdaehcom.dll" Apgagg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cfmhdpnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lqahpi32.dll" Dihmpinj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ofnpnkgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Djlfma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gajqbakc.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2232 wrote to memory of 2132 2232 8413382b3bc69c6706f845995e3f6cae3d0d0e2e07c9b184abf02d0f94821fa7.exe 30 PID 2232 wrote to memory of 2132 2232 8413382b3bc69c6706f845995e3f6cae3d0d0e2e07c9b184abf02d0f94821fa7.exe 30 PID 2232 wrote to memory of 2132 2232 8413382b3bc69c6706f845995e3f6cae3d0d0e2e07c9b184abf02d0f94821fa7.exe 30 PID 2232 wrote to memory of 2132 2232 8413382b3bc69c6706f845995e3f6cae3d0d0e2e07c9b184abf02d0f94821fa7.exe 30 PID 2132 wrote to memory of 2548 2132 Hgpjhn32.exe 31 PID 2132 wrote to memory of 2548 2132 Hgpjhn32.exe 31 PID 2132 wrote to memory of 2548 2132 Hgpjhn32.exe 31 PID 2132 wrote to memory of 2548 2132 Hgpjhn32.exe 31 PID 2548 wrote to memory of 1208 2548 Hnjbeh32.exe 32 PID 2548 wrote to memory of 1208 2548 Hnjbeh32.exe 32 PID 2548 wrote to memory of 1208 2548 Hnjbeh32.exe 32 PID 2548 wrote to memory of 1208 2548 Hnjbeh32.exe 32 PID 1208 wrote to memory of 2712 1208 Hahnac32.exe 33 PID 1208 wrote to memory of 2712 1208 Hahnac32.exe 33 PID 1208 wrote to memory of 2712 1208 Hahnac32.exe 33 PID 1208 wrote to memory of 2712 1208 Hahnac32.exe 33 PID 2712 wrote to memory of 2768 2712 Hidcef32.exe 34 PID 2712 wrote to memory of 2768 2712 Hidcef32.exe 34 PID 2712 wrote to memory of 2768 2712 Hidcef32.exe 34 PID 2712 wrote to memory of 2768 2712 Hidcef32.exe 34 PID 2768 wrote to memory of 484 2768 Hcigco32.exe 35 PID 2768 wrote to memory of 484 2768 Hcigco32.exe 35 PID 2768 wrote to memory of 484 2768 Hcigco32.exe 35 PID 2768 wrote to memory of 484 2768 Hcigco32.exe 35 PID 484 wrote to memory of 2628 484 Hifpke32.exe 36 PID 484 wrote to memory of 2628 484 Hifpke32.exe 36 PID 484 wrote to memory of 2628 484 Hifpke32.exe 36 PID 484 wrote to memory of 2628 484 Hifpke32.exe 36 PID 2628 wrote to memory of 3032 2628 Hpphhp32.exe 37 PID 2628 wrote to memory of 3032 2628 Hpphhp32.exe 37 PID 2628 wrote to memory of 3032 2628 Hpphhp32.exe 37 PID 2628 wrote to memory of 3032 2628 Hpphhp32.exe 37 PID 3032 wrote to memory of 1672 3032 Hfjpdjjo.exe 38 PID 3032 wrote to memory of 1672 3032 Hfjpdjjo.exe 38 PID 3032 wrote to memory of 1672 3032 Hfjpdjjo.exe 38 PID 3032 wrote to memory of 1672 3032 Hfjpdjjo.exe 38 PID 1672 wrote to memory of 1484 1672 Hmdhad32.exe 39 PID 1672 wrote to memory of 1484 1672 Hmdhad32.exe 39 PID 1672 wrote to memory of 1484 1672 Hmdhad32.exe 39 PID 1672 wrote to memory of 1484 1672 Hmdhad32.exe 39 PID 1484 wrote to memory of 780 1484 Ieomef32.exe 40 PID 1484 wrote to memory of 780 1484 Ieomef32.exe 40 PID 1484 wrote to memory of 780 1484 Ieomef32.exe 40 PID 1484 wrote to memory of 780 1484 Ieomef32.exe 40 PID 780 wrote to memory of 1924 780 Iliebpfc.exe 41 PID 780 wrote to memory of 1924 780 Iliebpfc.exe 41 PID 780 wrote to memory of 1924 780 Iliebpfc.exe 41 PID 780 wrote to memory of 1924 780 Iliebpfc.exe 41 PID 1924 wrote to memory of 1772 1924 Ipeaco32.exe 42 PID 1924 wrote to memory of 1772 1924 Ipeaco32.exe 42 PID 1924 wrote to memory of 1772 1924 Ipeaco32.exe 42 PID 1924 wrote to memory of 1772 1924 Ipeaco32.exe 42 PID 1772 wrote to memory of 2668 1772 Ieajkfmd.exe 43 PID 1772 wrote to memory of 2668 1772 Ieajkfmd.exe 43 PID 1772 wrote to memory of 2668 1772 Ieajkfmd.exe 43 PID 1772 wrote to memory of 2668 1772 Ieajkfmd.exe 43 PID 2668 wrote to memory of 2496 2668 Ibejdjln.exe 44 PID 2668 wrote to memory of 2496 2668 Ibejdjln.exe 44 PID 2668 wrote to memory of 2496 2668 Ibejdjln.exe 44 PID 2668 wrote to memory of 2496 2668 Ibejdjln.exe 44 PID 2496 wrote to memory of 908 2496 Iedfqeka.exe 45 PID 2496 wrote to memory of 908 2496 Iedfqeka.exe 45 PID 2496 wrote to memory of 908 2496 Iedfqeka.exe 45 PID 2496 wrote to memory of 908 2496 Iedfqeka.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\8413382b3bc69c6706f845995e3f6cae3d0d0e2e07c9b184abf02d0f94821fa7.exe"C:\Users\Admin\AppData\Local\Temp\8413382b3bc69c6706f845995e3f6cae3d0d0e2e07c9b184abf02d0f94821fa7.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2232 -
C:\Windows\SysWOW64\Hgpjhn32.exeC:\Windows\system32\Hgpjhn32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2132 -
C:\Windows\SysWOW64\Hnjbeh32.exeC:\Windows\system32\Hnjbeh32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2548 -
C:\Windows\SysWOW64\Hahnac32.exeC:\Windows\system32\Hahnac32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1208 -
C:\Windows\SysWOW64\Hidcef32.exeC:\Windows\system32\Hidcef32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Windows\SysWOW64\Hcigco32.exeC:\Windows\system32\Hcigco32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2768 -
C:\Windows\SysWOW64\Hifpke32.exeC:\Windows\system32\Hifpke32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:484 -
C:\Windows\SysWOW64\Hpphhp32.exeC:\Windows\system32\Hpphhp32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Windows\SysWOW64\Hfjpdjjo.exeC:\Windows\system32\Hfjpdjjo.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3032 -
C:\Windows\SysWOW64\Hmdhad32.exeC:\Windows\system32\Hmdhad32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1672 -
C:\Windows\SysWOW64\Ieomef32.exeC:\Windows\system32\Ieomef32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1484 -
C:\Windows\SysWOW64\Iliebpfc.exeC:\Windows\system32\Iliebpfc.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:780 -
C:\Windows\SysWOW64\Ipeaco32.exeC:\Windows\system32\Ipeaco32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1924 -
C:\Windows\SysWOW64\Ieajkfmd.exeC:\Windows\system32\Ieajkfmd.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1772 -
C:\Windows\SysWOW64\Ibejdjln.exeC:\Windows\system32\Ibejdjln.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2668 -
C:\Windows\SysWOW64\Iedfqeka.exeC:\Windows\system32\Iedfqeka.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2496 -
C:\Windows\SysWOW64\Ijqoilii.exeC:\Windows\system32\Ijqoilii.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:908 -
C:\Windows\SysWOW64\Idicbbpi.exeC:\Windows\system32\Idicbbpi.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1148 -
C:\Windows\SysWOW64\Ihdpbq32.exeC:\Windows\system32\Ihdpbq32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:940 -
C:\Windows\SysWOW64\Ijclol32.exeC:\Windows\system32\Ijclol32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1588 -
C:\Windows\SysWOW64\Imahkg32.exeC:\Windows\system32\Imahkg32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1552 -
C:\Windows\SysWOW64\Ihglhp32.exeC:\Windows\system32\Ihglhp32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1564 -
C:\Windows\SysWOW64\Jaoqqflp.exeC:\Windows\system32\Jaoqqflp.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2184 -
C:\Windows\SysWOW64\Jdnmma32.exeC:\Windows\system32\Jdnmma32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3000 -
C:\Windows\SysWOW64\Jbqmhnbo.exeC:\Windows\system32\Jbqmhnbo.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2980 -
C:\Windows\SysWOW64\Jkhejkcq.exeC:\Windows\system32\Jkhejkcq.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1908 -
C:\Windows\SysWOW64\Jbcjnnpl.exeC:\Windows\system32\Jbcjnnpl.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2744 -
C:\Windows\SysWOW64\Jojkco32.exeC:\Windows\system32\Jojkco32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1716 -
C:\Windows\SysWOW64\Jedcpi32.exeC:\Windows\system32\Jedcpi32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2888 -
C:\Windows\SysWOW64\Jbhcim32.exeC:\Windows\system32\Jbhcim32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2860 -
C:\Windows\SysWOW64\Jajcdjca.exeC:\Windows\system32\Jajcdjca.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2604 -
C:\Windows\SysWOW64\Jefpeh32.exeC:\Windows\system32\Jefpeh32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2672 -
C:\Windows\SysWOW64\Jkchmo32.exeC:\Windows\system32\Jkchmo32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1096 -
C:\Windows\SysWOW64\Jbjpom32.exeC:\Windows\system32\Jbjpom32.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:684 -
C:\Windows\SysWOW64\Kaompi32.exeC:\Windows\system32\Kaompi32.exe35⤵
- Executes dropped EXE
PID:2120 -
C:\Windows\SysWOW64\Kekiphge.exeC:\Windows\system32\Kekiphge.exe36⤵
- Executes dropped EXE
PID:1764 -
C:\Windows\SysWOW64\Khielcfh.exeC:\Windows\system32\Khielcfh.exe37⤵
- Executes dropped EXE
PID:1760 -
C:\Windows\SysWOW64\Kkgahoel.exeC:\Windows\system32\Kkgahoel.exe38⤵
- Executes dropped EXE
PID:1816 -
C:\Windows\SysWOW64\Kocmim32.exeC:\Windows\system32\Kocmim32.exe39⤵
- Executes dropped EXE
PID:2856 -
C:\Windows\SysWOW64\Kkjnnn32.exeC:\Windows\system32\Kkjnnn32.exe40⤵
- Executes dropped EXE
PID:2468 -
C:\Windows\SysWOW64\Kjmnjkjd.exeC:\Windows\system32\Kjmnjkjd.exe41⤵
- Executes dropped EXE
PID:2488 -
C:\Windows\SysWOW64\Kadfkhkf.exeC:\Windows\system32\Kadfkhkf.exe42⤵
- Executes dropped EXE
PID:448 -
C:\Windows\SysWOW64\Kklkcn32.exeC:\Windows\system32\Kklkcn32.exe43⤵
- Executes dropped EXE
PID:1600 -
C:\Windows\SysWOW64\Kjokokha.exeC:\Windows\system32\Kjokokha.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2280 -
C:\Windows\SysWOW64\Klngkfge.exeC:\Windows\system32\Klngkfge.exe45⤵
- Executes dropped EXE
PID:1560 -
C:\Windows\SysWOW64\Kddomchg.exeC:\Windows\system32\Kddomchg.exe46⤵
- Executes dropped EXE
PID:2244 -
C:\Windows\SysWOW64\Kcgphp32.exeC:\Windows\system32\Kcgphp32.exe47⤵
- Executes dropped EXE
PID:2988 -
C:\Windows\SysWOW64\Kffldlne.exeC:\Windows\system32\Kffldlne.exe48⤵
- Executes dropped EXE
PID:1508 -
C:\Windows\SysWOW64\Knmdeioh.exeC:\Windows\system32\Knmdeioh.exe49⤵
- Executes dropped EXE
PID:548 -
C:\Windows\SysWOW64\Kpkpadnl.exeC:\Windows\system32\Kpkpadnl.exe50⤵
- Executes dropped EXE
PID:2084 -
C:\Windows\SysWOW64\Lonpma32.exeC:\Windows\system32\Lonpma32.exe51⤵
- Executes dropped EXE
PID:2836 -
C:\Windows\SysWOW64\Lgehno32.exeC:\Windows\system32\Lgehno32.exe52⤵
- Executes dropped EXE
PID:2944 -
C:\Windows\SysWOW64\Lfhhjklc.exeC:\Windows\system32\Lfhhjklc.exe53⤵
- Executes dropped EXE
PID:2624 -
C:\Windows\SysWOW64\Lhfefgkg.exeC:\Windows\system32\Lhfefgkg.exe54⤵
- Executes dropped EXE
PID:2776 -
C:\Windows\SysWOW64\Llbqfe32.exeC:\Windows\system32\Llbqfe32.exe55⤵
- Executes dropped EXE
PID:2356 -
C:\Windows\SysWOW64\Lpnmgdli.exeC:\Windows\system32\Lpnmgdli.exe56⤵
- Executes dropped EXE
PID:2780 -
C:\Windows\SysWOW64\Lclicpkm.exeC:\Windows\system32\Lclicpkm.exe57⤵
- Executes dropped EXE
PID:1396 -
C:\Windows\SysWOW64\Lfkeokjp.exeC:\Windows\system32\Lfkeokjp.exe58⤵
- Executes dropped EXE
PID:468 -
C:\Windows\SysWOW64\Ljfapjbi.exeC:\Windows\system32\Ljfapjbi.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2596 -
C:\Windows\SysWOW64\Lldmleam.exeC:\Windows\system32\Lldmleam.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2708 -
C:\Windows\SysWOW64\Lkgngb32.exeC:\Windows\system32\Lkgngb32.exe61⤵
- Executes dropped EXE
PID:2920 -
C:\Windows\SysWOW64\Lcofio32.exeC:\Windows\system32\Lcofio32.exe62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2964 -
C:\Windows\SysWOW64\Lbafdlod.exeC:\Windows\system32\Lbafdlod.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:1312 -
C:\Windows\SysWOW64\Lhknaf32.exeC:\Windows\system32\Lhknaf32.exe64⤵
- Executes dropped EXE
PID:1568 -
C:\Windows\SysWOW64\Llgjaeoj.exeC:\Windows\system32\Llgjaeoj.exe65⤵
- Executes dropped EXE
PID:1704 -
C:\Windows\SysWOW64\Loefnpnn.exeC:\Windows\system32\Loefnpnn.exe66⤵PID:2448
-
C:\Windows\SysWOW64\Lbcbjlmb.exeC:\Windows\system32\Lbcbjlmb.exe67⤵PID:1516
-
C:\Windows\SysWOW64\Lfoojj32.exeC:\Windows\system32\Lfoojj32.exe68⤵PID:2812
-
C:\Windows\SysWOW64\Lhnkffeo.exeC:\Windows\system32\Lhnkffeo.exe69⤵PID:2732
-
C:\Windows\SysWOW64\Lgqkbb32.exeC:\Windows\system32\Lgqkbb32.exe70⤵PID:2632
-
C:\Windows\SysWOW64\Lohccp32.exeC:\Windows\system32\Lohccp32.exe71⤵PID:2196
-
C:\Windows\SysWOW64\Lqipkhbj.exeC:\Windows\system32\Lqipkhbj.exe72⤵PID:2408
-
C:\Windows\SysWOW64\Lgchgb32.exeC:\Windows\system32\Lgchgb32.exe73⤵
- Modifies registry class
PID:1252 -
C:\Windows\SysWOW64\Mkndhabp.exeC:\Windows\system32\Mkndhabp.exe74⤵
- Modifies registry class
PID:2008 -
C:\Windows\SysWOW64\Mnmpdlac.exeC:\Windows\system32\Mnmpdlac.exe75⤵
- Drops file in System32 directory
PID:2852 -
C:\Windows\SysWOW64\Mqklqhpg.exeC:\Windows\system32\Mqklqhpg.exe76⤵
- Drops file in System32 directory
PID:2476 -
C:\Windows\SysWOW64\Mcjhmcok.exeC:\Windows\system32\Mcjhmcok.exe77⤵PID:1724
-
C:\Windows\SysWOW64\Mkqqnq32.exeC:\Windows\system32\Mkqqnq32.exe78⤵PID:1520
-
C:\Windows\SysWOW64\Mnomjl32.exeC:\Windows\system32\Mnomjl32.exe79⤵PID:1748
-
C:\Windows\SysWOW64\Mqnifg32.exeC:\Windows\system32\Mqnifg32.exe80⤵PID:1824
-
C:\Windows\SysWOW64\Mdiefffn.exeC:\Windows\system32\Mdiefffn.exe81⤵PID:1028
-
C:\Windows\SysWOW64\Mfjann32.exeC:\Windows\system32\Mfjann32.exe82⤵PID:2484
-
C:\Windows\SysWOW64\Mnaiol32.exeC:\Windows\system32\Mnaiol32.exe83⤵PID:2216
-
C:\Windows\SysWOW64\Mobfgdcl.exeC:\Windows\system32\Mobfgdcl.exe84⤵PID:2616
-
C:\Windows\SysWOW64\Mcnbhb32.exeC:\Windows\system32\Mcnbhb32.exe85⤵
- Drops file in System32 directory
PID:2456 -
C:\Windows\SysWOW64\Mfmndn32.exeC:\Windows\system32\Mfmndn32.exe86⤵
- System Location Discovery: System Language Discovery
PID:2684 -
C:\Windows\SysWOW64\Mikjpiim.exeC:\Windows\system32\Mikjpiim.exe87⤵PID:1592
-
C:\Windows\SysWOW64\Mqbbagjo.exeC:\Windows\system32\Mqbbagjo.exe88⤵PID:856
-
C:\Windows\SysWOW64\Mcqombic.exeC:\Windows\system32\Mcqombic.exe89⤵PID:1144
-
C:\Windows\SysWOW64\Mjkgjl32.exeC:\Windows\system32\Mjkgjl32.exe90⤵PID:1840
-
C:\Windows\SysWOW64\Mimgeigj.exeC:\Windows\system32\Mimgeigj.exe91⤵PID:1984
-
C:\Windows\SysWOW64\Mpgobc32.exeC:\Windows\system32\Mpgobc32.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2088 -
C:\Windows\SysWOW64\Mcckcbgp.exeC:\Windows\system32\Mcckcbgp.exe93⤵
- System Location Discovery: System Language Discovery
PID:964 -
C:\Windows\SysWOW64\Nfahomfd.exeC:\Windows\system32\Nfahomfd.exe94⤵
- Modifies registry class
PID:2240 -
C:\Windows\SysWOW64\Nedhjj32.exeC:\Windows\system32\Nedhjj32.exe95⤵
- System Location Discovery: System Language Discovery
PID:1780 -
C:\Windows\SysWOW64\Nlnpgd32.exeC:\Windows\system32\Nlnpgd32.exe96⤵
- Modifies registry class
PID:2816 -
C:\Windows\SysWOW64\Nnmlcp32.exeC:\Windows\system32\Nnmlcp32.exe97⤵PID:2872
-
C:\Windows\SysWOW64\Nfdddm32.exeC:\Windows\system32\Nfdddm32.exe98⤵PID:2908
-
C:\Windows\SysWOW64\Nibqqh32.exeC:\Windows\system32\Nibqqh32.exe99⤵PID:2044
-
C:\Windows\SysWOW64\Ngealejo.exeC:\Windows\system32\Ngealejo.exe100⤵PID:1696
-
C:\Windows\SysWOW64\Nplimbka.exeC:\Windows\system32\Nplimbka.exe101⤵PID:2128
-
C:\Windows\SysWOW64\Nameek32.exeC:\Windows\system32\Nameek32.exe102⤵PID:996
-
C:\Windows\SysWOW64\Nhgnaehm.exeC:\Windows\system32\Nhgnaehm.exe103⤵PID:2588
-
C:\Windows\SysWOW64\Nlcibc32.exeC:\Windows\system32\Nlcibc32.exe104⤵PID:816
-
C:\Windows\SysWOW64\Nnafnopi.exeC:\Windows\system32\Nnafnopi.exe105⤵
- Drops file in System32 directory
PID:352 -
C:\Windows\SysWOW64\Napbjjom.exeC:\Windows\system32\Napbjjom.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1168 -
C:\Windows\SysWOW64\Neknki32.exeC:\Windows\system32\Neknki32.exe107⤵PID:2740
-
C:\Windows\SysWOW64\Nhlgmd32.exeC:\Windows\system32\Nhlgmd32.exe108⤵PID:2728
-
C:\Windows\SysWOW64\Onfoin32.exeC:\Windows\system32\Onfoin32.exe109⤵PID:784
-
C:\Windows\SysWOW64\Ohncbdbd.exeC:\Windows\system32\Ohncbdbd.exe110⤵PID:2660
-
C:\Windows\SysWOW64\Oaghki32.exeC:\Windows\system32\Oaghki32.exe111⤵PID:1752
-
C:\Windows\SysWOW64\Ofcqcp32.exeC:\Windows\system32\Ofcqcp32.exe112⤵
- Modifies registry class
PID:1664 -
C:\Windows\SysWOW64\Odgamdef.exeC:\Windows\system32\Odgamdef.exe113⤵PID:2004
-
C:\Windows\SysWOW64\Offmipej.exeC:\Windows\system32\Offmipej.exe114⤵PID:1016
-
C:\Windows\SysWOW64\Oeindm32.exeC:\Windows\system32\Oeindm32.exe115⤵PID:3012
-
C:\Windows\SysWOW64\Olbfagca.exeC:\Windows\system32\Olbfagca.exe116⤵PID:1288
-
C:\Windows\SysWOW64\Opnbbe32.exeC:\Windows\system32\Opnbbe32.exe117⤵PID:2868
-
C:\Windows\SysWOW64\Ooabmbbe.exeC:\Windows\system32\Ooabmbbe.exe118⤵
- System Location Discovery: System Language Discovery
PID:2884 -
C:\Windows\SysWOW64\Ofhjopbg.exeC:\Windows\system32\Ofhjopbg.exe119⤵PID:1892
-
C:\Windows\SysWOW64\Oiffkkbk.exeC:\Windows\system32\Oiffkkbk.exe120⤵
- Drops file in System32 directory
PID:284 -
C:\Windows\SysWOW64\Ohiffh32.exeC:\Windows\system32\Ohiffh32.exe121⤵
- Drops file in System32 directory
- Modifies registry class
PID:1512 -
C:\Windows\SysWOW64\Opqoge32.exeC:\Windows\system32\Opqoge32.exe122⤵PID:1952
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-