Analysis
-
max time kernel
104s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
24-12-2024 22:19
Behavioral task
behavioral1
Sample
55500b1b5c6c84b793b66141cffdcc63a12f7a91725e70cbe7ca155d4704cf44.exe
Resource
win7-20241010-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral2
Sample
55500b1b5c6c84b793b66141cffdcc63a12f7a91725e70cbe7ca155d4704cf44.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
55500b1b5c6c84b793b66141cffdcc63a12f7a91725e70cbe7ca155d4704cf44.exe
-
Size
400KB
-
MD5
b3235dcc9a6f867307c1e4b75ddf85e0
-
SHA1
929cded6227d775e9faf7739e14de359147bc60f
-
SHA256
55500b1b5c6c84b793b66141cffdcc63a12f7a91725e70cbe7ca155d4704cf44
-
SHA512
c0700f776452661440a3c7d0ad46134e719426b9d6c3085332bc54b58b0b689981e98f226ed401f34a1eca49271b40d12afc073a6f280bbb8759dc034060385d
-
SSDEEP
12288:p4NdckU/+zrWAI5KFum/+zrWAIAqWim/k:ObUm0BmmvFimc
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ldokhn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kikpgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mhpigk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlcekgbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cpgieb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hefibg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gngdadoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Meojkide.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mclbkjcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qjnoacdc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kniaap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cfhlbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hhbfpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qpmgho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bbbckh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gekhgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hamgno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eibgbj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmhile32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kngaig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Liekddkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hbmnfajm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmlglb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ccdnipal.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nijdcdgn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbcahgjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hikpnkme.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Laogfg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adohpe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmlcbafa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cihqbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ccoplcii.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdmbiojc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajapoqmf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djcbib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fcdbcloi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jajbfeop.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clpeajjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pgkqeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Deiipp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dhibakmb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Laeidfdn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkebgj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djghpd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dplbpaim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Algida32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jakjlpif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kfkjnh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmegbd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lamjph32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnkjfcik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Okmceiii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Idemkp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhfhaoec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Caqfiloi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhbfpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bbhgbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cnfnlk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlcnaaog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mkqnghfk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pjgiad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cnacbj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fgcgebhd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jdfqomom.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2904 Famcbf32.exe 2780 Gminbfoh.exe 2688 Gefolhja.exe 2672 Gekhgh32.exe 2712 Hdpehd32.exe 3000 Hkmjjn32.exe 2168 Hclhjpjc.exe 2364 Ibillk32.exe 2964 Jghqia32.exe 3040 Jqeomfgc.exe 2288 Kolhdbjh.exe 264 Klhbdclg.exe 2564 Lbkaoalg.exe 1956 Lpckce32.exe 1420 Mhcicf32.exe 704 Mpcgbhig.exe 2272 Ncdpdcfh.exe 2256 Nlanhh32.exe 1668 Ndlbmk32.exe 860 Oabplobe.exe 1204 Okkddd32.exe 2576 Ogaeieoj.exe 360 Oqlfhjch.exe 1776 Pigklmqc.exe 1092 Pkhdnh32.exe 2792 Pgodcich.exe 2940 Pgaahh32.exe 2144 Qgfkchmp.exe 1492 Qanolm32.exe 2840 Abdeoe32.exe 2836 Ainmlomf.exe 1056 Aeenapck.exe 2184 Abkkpd32.exe 1412 Baqhapdj.exe 2176 Bpfebmia.exe 3036 Blaobmkq.exe 2452 Clfhml32.exe 2356 Chmibmlo.exe 2468 Cgbfcjag.exe 2164 Dajgfboj.exe 2456 Djeljd32.exe 1228 Djghpd32.exe 1944 Dlhaaogd.exe 1528 Dbejjfek.exe 1744 Dkmncl32.exe 2268 Edeclabl.exe 2220 Efeoedjo.exe 1908 Ekbhnkhf.exe 3052 Ejgeogmn.exe 1600 Eqamla32.exe 2668 Ekfaij32.exe 2684 Egmbnkie.exe 1508 Fcdbcloi.exe 2856 Fmlglb32.exe 1980 Ffiepg32.exe 2276 Facfpddd.exe 2372 Gahpkd32.exe 2748 Gnlpeh32.exe 2448 Gdihmo32.exe 464 Gmamfddp.exe 2236 Gihnkejd.exe 2244 Glfjgaih.exe 1072 Hpdbmooo.exe 1652 Hpfoboml.exe -
Loads dropped DLL 64 IoCs
pid Process 2476 55500b1b5c6c84b793b66141cffdcc63a12f7a91725e70cbe7ca155d4704cf44.exe 2476 55500b1b5c6c84b793b66141cffdcc63a12f7a91725e70cbe7ca155d4704cf44.exe 2904 Famcbf32.exe 2904 Famcbf32.exe 2780 Gminbfoh.exe 2780 Gminbfoh.exe 2688 Gefolhja.exe 2688 Gefolhja.exe 2672 Gekhgh32.exe 2672 Gekhgh32.exe 2712 Hdpehd32.exe 2712 Hdpehd32.exe 3000 Hkmjjn32.exe 3000 Hkmjjn32.exe 2168 Hclhjpjc.exe 2168 Hclhjpjc.exe 2364 Ibillk32.exe 2364 Ibillk32.exe 2964 Jghqia32.exe 2964 Jghqia32.exe 3040 Jqeomfgc.exe 3040 Jqeomfgc.exe 2288 Kolhdbjh.exe 2288 Kolhdbjh.exe 264 Klhbdclg.exe 264 Klhbdclg.exe 2564 Lbkaoalg.exe 2564 Lbkaoalg.exe 1956 Lpckce32.exe 1956 Lpckce32.exe 1420 Mhcicf32.exe 1420 Mhcicf32.exe 704 Mpcgbhig.exe 704 Mpcgbhig.exe 2272 Ncdpdcfh.exe 2272 Ncdpdcfh.exe 2256 Nlanhh32.exe 2256 Nlanhh32.exe 1668 Ndlbmk32.exe 1668 Ndlbmk32.exe 860 Oabplobe.exe 860 Oabplobe.exe 1204 Okkddd32.exe 1204 Okkddd32.exe 2576 Ogaeieoj.exe 2576 Ogaeieoj.exe 360 Oqlfhjch.exe 360 Oqlfhjch.exe 1776 Pigklmqc.exe 1776 Pigklmqc.exe 1092 Pkhdnh32.exe 1092 Pkhdnh32.exe 2792 Pgodcich.exe 2792 Pgodcich.exe 2940 Pgaahh32.exe 2940 Pgaahh32.exe 2144 Qgfkchmp.exe 2144 Qgfkchmp.exe 1492 Qanolm32.exe 1492 Qanolm32.exe 2840 Abdeoe32.exe 2840 Abdeoe32.exe 2836 Ainmlomf.exe 2836 Ainmlomf.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Eibbqmhd.exe Emieflec.exe File created C:\Windows\SysWOW64\Cedhac32.dll Ckamihfm.exe File created C:\Windows\SysWOW64\Gegbpe32.exe Ghcbga32.exe File created C:\Windows\SysWOW64\Ihjcko32.exe Hpoofm32.exe File created C:\Windows\SysWOW64\Kngaig32.exe Knddcg32.exe File created C:\Windows\SysWOW64\Nlocka32.exe Nokcbm32.exe File opened for modification C:\Windows\SysWOW64\Dglkba32.exe Dpofpg32.exe File created C:\Windows\SysWOW64\Dlcceboa.exe Dplbpaim.exe File created C:\Windows\SysWOW64\Omddmkhl.exe Opqdcgib.exe File created C:\Windows\SysWOW64\Abbknb32.exe Alfflhpa.exe File created C:\Windows\SysWOW64\Ghliap32.dll Jigmeagl.exe File created C:\Windows\SysWOW64\Aapeim32.dll Nefncd32.exe File opened for modification C:\Windows\SysWOW64\Gminbfoh.exe Famcbf32.exe File created C:\Windows\SysWOW64\Nfppfcmj.exe Nilpmo32.exe File created C:\Windows\SysWOW64\Gplknnnh.dll Folhio32.exe File created C:\Windows\SysWOW64\Jfnfjblc.dll Cefpmiji.exe File opened for modification C:\Windows\SysWOW64\Fikgda32.exe Fqpbpo32.exe File created C:\Windows\SysWOW64\Qcmnaaji.exe Qnpeijla.exe File opened for modification C:\Windows\SysWOW64\Lhhmle32.exe Legcjjjm.exe File created C:\Windows\SysWOW64\Ncbfcq32.exe Njjbjk32.exe File opened for modification C:\Windows\SysWOW64\Pffgonbb.exe Pmmcfi32.exe File created C:\Windows\SysWOW64\Anfeop32.exe Aglmbfdk.exe File opened for modification C:\Windows\SysWOW64\Cpgglifo.exe Cgobcd32.exe File created C:\Windows\SysWOW64\Oaeghhnb.dll Ebabicfn.exe File opened for modification C:\Windows\SysWOW64\Gmobin32.exe Gednek32.exe File created C:\Windows\SysWOW64\Jpfcohfk.exe Jgmofbpk.exe File created C:\Windows\SysWOW64\Kfnmnojj.exe Khhpmbeb.exe File created C:\Windows\SysWOW64\Mhmfgdch.exe Meojkide.exe File opened for modification C:\Windows\SysWOW64\Fkipiodd.exe Fbqkqj32.exe File created C:\Windows\SysWOW64\Ndfbia32.exe Nahemf32.exe File opened for modification C:\Windows\SysWOW64\Bhglpqeo.exe Bbhgbj32.exe File created C:\Windows\SysWOW64\Cefpmiji.exe Colgpo32.exe File opened for modification C:\Windows\SysWOW64\Kqkalenn.exe Jcgqbq32.exe File created C:\Windows\SysWOW64\Nobpmb32.exe Ncloha32.exe File opened for modification C:\Windows\SysWOW64\Nlocka32.exe Nokcbm32.exe File created C:\Windows\SysWOW64\Eoqeekme.exe Eamdlf32.exe File created C:\Windows\SysWOW64\Oeoglnab.dll Dpmeij32.exe File created C:\Windows\SysWOW64\Jchhhjjg.exe Jibcja32.exe File created C:\Windows\SysWOW64\Ilolol32.exe Hnjonpgg.exe File opened for modification C:\Windows\SysWOW64\Kicednho.exe Knnagehi.exe File created C:\Windows\SysWOW64\Kkmnmd32.dll Hlgodgnk.exe File opened for modification C:\Windows\SysWOW64\Gflcplhh.exe Gckknqkg.exe File opened for modification C:\Windows\SysWOW64\Iphhgb32.exe Iilceh32.exe File created C:\Windows\SysWOW64\Nilpmo32.exe Nqakim32.exe File created C:\Windows\SysWOW64\Ajipmocp.exe Adohpe32.exe File opened for modification C:\Windows\SysWOW64\Galhhp32.exe Giaddm32.exe File created C:\Windows\SysWOW64\Abkqle32.exe Qcfdji32.exe File opened for modification C:\Windows\SysWOW64\Benbbcmf.exe Bpajjmon.exe File opened for modification C:\Windows\SysWOW64\Chmibmlo.exe Clfhml32.exe File created C:\Windows\SysWOW64\Cobcakeo.dll Laogfg32.exe File created C:\Windows\SysWOW64\Aledmn32.dll Feiaknmg.exe File opened for modification C:\Windows\SysWOW64\Idemkp32.exe Iencdc32.exe File opened for modification C:\Windows\SysWOW64\Ibmmkaik.exe Hfflfp32.exe File opened for modification C:\Windows\SysWOW64\Cofohkgi.exe Cjifpdib.exe File created C:\Windows\SysWOW64\Fmdicgof.dll Hojbbiae.exe File created C:\Windows\SysWOW64\Bnekcm32.exe Bghfacem.exe File opened for modification C:\Windows\SysWOW64\Cmjdcm32.exe Caccnllf.exe File created C:\Windows\SysWOW64\Fhfgokap.exe Fqkbkicd.exe File created C:\Windows\SysWOW64\Ccileljk.exe Cjqglf32.exe File opened for modification C:\Windows\SysWOW64\Njaoeq32.exe Njobpa32.exe File created C:\Windows\SysWOW64\Gmnmce32.dll Nchiao32.exe File created C:\Windows\SysWOW64\Ciekbj32.dll Ikhlaaif.exe File created C:\Windows\SysWOW64\Mffdmfjd.exe Mcekkkmc.exe File created C:\Windows\SysWOW64\Mbmebgpi.exe Mffdmfjd.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 2856 1956 WerFault.exe 951 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jakjlpif.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bpajjmon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Benbbcmf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lijepc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlgfqldf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhdlbd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iimhfj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilolol32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlpngd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adqbml32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgcpgl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndfbia32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhfgokap.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmllgo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikibkhla.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbhgbj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okmceiii.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hndaao32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imepgbnc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iojoalda.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opohil32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Baqhapdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ieeqpi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpofpg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olobcm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cihqbb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbpegdik.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbcahgjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngmoao32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnjonpgg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opoocb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ainmlomf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjmmcgha.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdlbckee.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pelpgb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hojbbiae.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojjqbg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pconjjql.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cipleo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oipcnieb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cejfckie.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khpaidpk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njobpa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hopgikop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alfflhpa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcneklck.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnaihhgf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddlloi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghqqpd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idemkp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Effidg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ecdhonoc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mckpba32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjknab32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdooongp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eloimcca.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggppdpif.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gqkqbe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iofiimkd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebkpma32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajkokgia.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pglacbbo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmnakege.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahomlb32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Heobhfnp.dll" Oqlfhjch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Odlnkmjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdihqpio.dll" Oebdndlp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Legcjjjm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Andgadch.dll" Flnnfllf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eqejjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bjbelf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hclhjpjc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nianjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hoccdhpn.dll" Cnfnlk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Maplcm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Knddcg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gfggbcdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqggmb32.dll" Hiblmldn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eoqeekme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iohcpqfg.dll" Jlegic32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ommfibdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmlhih32.dll" Pifcdbhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ibillk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ndgdpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfeofa32.dll" Qakppa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fmpnpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bopclafg.dll" Nodnmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pncllifp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okmpmg32.dll" Qohkdkdn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fdadbd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jghqia32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gqendf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Panpgn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iolohhpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nlcnaaog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bdgcaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfcahmfc.dll" Ddcadd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pifakj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oiqaed32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Angafl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gkgdbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmehidpd.dll" Pqplqile.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaeghhnb.dll" Ebabicfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fqilppic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mffdmfjd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iecohl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Epgoio32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ibjikk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nchkkoho.dll" Johlpoij.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Njjbjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ajapoqmf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ekhjlioa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oacdmpan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cplpfj32.dll" Gmbagf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fofhdidp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fangfcki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jennjblp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Himanf32.dll" Ocoobngl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ikhlaaif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgaegeac.dll" Lpcppgff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jqeomfgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Egljjmkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmjmmehk.dll" Qolmip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nibmdpam.dll" Cgpmbgai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Geckno32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mkqnghfk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dajiag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fniikj32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2476 wrote to memory of 2904 2476 55500b1b5c6c84b793b66141cffdcc63a12f7a91725e70cbe7ca155d4704cf44.exe 30 PID 2476 wrote to memory of 2904 2476 55500b1b5c6c84b793b66141cffdcc63a12f7a91725e70cbe7ca155d4704cf44.exe 30 PID 2476 wrote to memory of 2904 2476 55500b1b5c6c84b793b66141cffdcc63a12f7a91725e70cbe7ca155d4704cf44.exe 30 PID 2476 wrote to memory of 2904 2476 55500b1b5c6c84b793b66141cffdcc63a12f7a91725e70cbe7ca155d4704cf44.exe 30 PID 2904 wrote to memory of 2780 2904 Famcbf32.exe 31 PID 2904 wrote to memory of 2780 2904 Famcbf32.exe 31 PID 2904 wrote to memory of 2780 2904 Famcbf32.exe 31 PID 2904 wrote to memory of 2780 2904 Famcbf32.exe 31 PID 2780 wrote to memory of 2688 2780 Gminbfoh.exe 32 PID 2780 wrote to memory of 2688 2780 Gminbfoh.exe 32 PID 2780 wrote to memory of 2688 2780 Gminbfoh.exe 32 PID 2780 wrote to memory of 2688 2780 Gminbfoh.exe 32 PID 2688 wrote to memory of 2672 2688 Gefolhja.exe 33 PID 2688 wrote to memory of 2672 2688 Gefolhja.exe 33 PID 2688 wrote to memory of 2672 2688 Gefolhja.exe 33 PID 2688 wrote to memory of 2672 2688 Gefolhja.exe 33 PID 2672 wrote to memory of 2712 2672 Gekhgh32.exe 34 PID 2672 wrote to memory of 2712 2672 Gekhgh32.exe 34 PID 2672 wrote to memory of 2712 2672 Gekhgh32.exe 34 PID 2672 wrote to memory of 2712 2672 Gekhgh32.exe 34 PID 2712 wrote to memory of 3000 2712 Hdpehd32.exe 35 PID 2712 wrote to memory of 3000 2712 Hdpehd32.exe 35 PID 2712 wrote to memory of 3000 2712 Hdpehd32.exe 35 PID 2712 wrote to memory of 3000 2712 Hdpehd32.exe 35 PID 3000 wrote to memory of 2168 3000 Hkmjjn32.exe 36 PID 3000 wrote to memory of 2168 3000 Hkmjjn32.exe 36 PID 3000 wrote to memory of 2168 3000 Hkmjjn32.exe 36 PID 3000 wrote to memory of 2168 3000 Hkmjjn32.exe 36 PID 2168 wrote to memory of 2364 2168 Hclhjpjc.exe 37 PID 2168 wrote to memory of 2364 2168 Hclhjpjc.exe 37 PID 2168 wrote to memory of 2364 2168 Hclhjpjc.exe 37 PID 2168 wrote to memory of 2364 2168 Hclhjpjc.exe 37 PID 2364 wrote to memory of 2964 2364 Ibillk32.exe 38 PID 2364 wrote to memory of 2964 2364 Ibillk32.exe 38 PID 2364 wrote to memory of 2964 2364 Ibillk32.exe 38 PID 2364 wrote to memory of 2964 2364 Ibillk32.exe 38 PID 2964 wrote to memory of 3040 2964 Jghqia32.exe 39 PID 2964 wrote to memory of 3040 2964 Jghqia32.exe 39 PID 2964 wrote to memory of 3040 2964 Jghqia32.exe 39 PID 2964 wrote to memory of 3040 2964 Jghqia32.exe 39 PID 3040 wrote to memory of 2288 3040 Jqeomfgc.exe 40 PID 3040 wrote to memory of 2288 3040 Jqeomfgc.exe 40 PID 3040 wrote to memory of 2288 3040 Jqeomfgc.exe 40 PID 3040 wrote to memory of 2288 3040 Jqeomfgc.exe 40 PID 2288 wrote to memory of 264 2288 Kolhdbjh.exe 41 PID 2288 wrote to memory of 264 2288 Kolhdbjh.exe 41 PID 2288 wrote to memory of 264 2288 Kolhdbjh.exe 41 PID 2288 wrote to memory of 264 2288 Kolhdbjh.exe 41 PID 264 wrote to memory of 2564 264 Klhbdclg.exe 42 PID 264 wrote to memory of 2564 264 Klhbdclg.exe 42 PID 264 wrote to memory of 2564 264 Klhbdclg.exe 42 PID 264 wrote to memory of 2564 264 Klhbdclg.exe 42 PID 2564 wrote to memory of 1956 2564 Lbkaoalg.exe 43 PID 2564 wrote to memory of 1956 2564 Lbkaoalg.exe 43 PID 2564 wrote to memory of 1956 2564 Lbkaoalg.exe 43 PID 2564 wrote to memory of 1956 2564 Lbkaoalg.exe 43 PID 1956 wrote to memory of 1420 1956 Lpckce32.exe 44 PID 1956 wrote to memory of 1420 1956 Lpckce32.exe 44 PID 1956 wrote to memory of 1420 1956 Lpckce32.exe 44 PID 1956 wrote to memory of 1420 1956 Lpckce32.exe 44 PID 1420 wrote to memory of 704 1420 Mhcicf32.exe 45 PID 1420 wrote to memory of 704 1420 Mhcicf32.exe 45 PID 1420 wrote to memory of 704 1420 Mhcicf32.exe 45 PID 1420 wrote to memory of 704 1420 Mhcicf32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\55500b1b5c6c84b793b66141cffdcc63a12f7a91725e70cbe7ca155d4704cf44.exe"C:\Users\Admin\AppData\Local\Temp\55500b1b5c6c84b793b66141cffdcc63a12f7a91725e70cbe7ca155d4704cf44.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2476 -
C:\Windows\SysWOW64\Famcbf32.exeC:\Windows\system32\Famcbf32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2904 -
C:\Windows\SysWOW64\Gminbfoh.exeC:\Windows\system32\Gminbfoh.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2780 -
C:\Windows\SysWOW64\Gefolhja.exeC:\Windows\system32\Gefolhja.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2688 -
C:\Windows\SysWOW64\Gekhgh32.exeC:\Windows\system32\Gekhgh32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2672 -
C:\Windows\SysWOW64\Hdpehd32.exeC:\Windows\system32\Hdpehd32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Windows\SysWOW64\Hkmjjn32.exeC:\Windows\system32\Hkmjjn32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3000 -
C:\Windows\SysWOW64\Hclhjpjc.exeC:\Windows\system32\Hclhjpjc.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2168 -
C:\Windows\SysWOW64\Ibillk32.exeC:\Windows\system32\Ibillk32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2364 -
C:\Windows\SysWOW64\Jghqia32.exeC:\Windows\system32\Jghqia32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2964 -
C:\Windows\SysWOW64\Jqeomfgc.exeC:\Windows\system32\Jqeomfgc.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3040 -
C:\Windows\SysWOW64\Kolhdbjh.exeC:\Windows\system32\Kolhdbjh.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2288 -
C:\Windows\SysWOW64\Klhbdclg.exeC:\Windows\system32\Klhbdclg.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:264 -
C:\Windows\SysWOW64\Lbkaoalg.exeC:\Windows\system32\Lbkaoalg.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2564 -
C:\Windows\SysWOW64\Lpckce32.exeC:\Windows\system32\Lpckce32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1956 -
C:\Windows\SysWOW64\Mhcicf32.exeC:\Windows\system32\Mhcicf32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1420 -
C:\Windows\SysWOW64\Mpcgbhig.exeC:\Windows\system32\Mpcgbhig.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:704 -
C:\Windows\SysWOW64\Ncdpdcfh.exeC:\Windows\system32\Ncdpdcfh.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2272 -
C:\Windows\SysWOW64\Nlanhh32.exeC:\Windows\system32\Nlanhh32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2256 -
C:\Windows\SysWOW64\Ndlbmk32.exeC:\Windows\system32\Ndlbmk32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1668 -
C:\Windows\SysWOW64\Oabplobe.exeC:\Windows\system32\Oabplobe.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:860 -
C:\Windows\SysWOW64\Okkddd32.exeC:\Windows\system32\Okkddd32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1204 -
C:\Windows\SysWOW64\Ogaeieoj.exeC:\Windows\system32\Ogaeieoj.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2576 -
C:\Windows\SysWOW64\Oqlfhjch.exeC:\Windows\system32\Oqlfhjch.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:360 -
C:\Windows\SysWOW64\Pigklmqc.exeC:\Windows\system32\Pigklmqc.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1776 -
C:\Windows\SysWOW64\Pkhdnh32.exeC:\Windows\system32\Pkhdnh32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1092 -
C:\Windows\SysWOW64\Pgodcich.exeC:\Windows\system32\Pgodcich.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2792 -
C:\Windows\SysWOW64\Pgaahh32.exeC:\Windows\system32\Pgaahh32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2940 -
C:\Windows\SysWOW64\Qgfkchmp.exeC:\Windows\system32\Qgfkchmp.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2144 -
C:\Windows\SysWOW64\Qanolm32.exeC:\Windows\system32\Qanolm32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1492 -
C:\Windows\SysWOW64\Abdeoe32.exeC:\Windows\system32\Abdeoe32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2840 -
C:\Windows\SysWOW64\Ainmlomf.exeC:\Windows\system32\Ainmlomf.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2836 -
C:\Windows\SysWOW64\Aeenapck.exeC:\Windows\system32\Aeenapck.exe33⤵
- Executes dropped EXE
PID:1056 -
C:\Windows\SysWOW64\Abkkpd32.exeC:\Windows\system32\Abkkpd32.exe34⤵
- Executes dropped EXE
PID:2184 -
C:\Windows\SysWOW64\Baqhapdj.exeC:\Windows\system32\Baqhapdj.exe35⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1412 -
C:\Windows\SysWOW64\Bpfebmia.exeC:\Windows\system32\Bpfebmia.exe36⤵
- Executes dropped EXE
PID:2176 -
C:\Windows\SysWOW64\Blaobmkq.exeC:\Windows\system32\Blaobmkq.exe37⤵
- Executes dropped EXE
PID:3036 -
C:\Windows\SysWOW64\Clfhml32.exeC:\Windows\system32\Clfhml32.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2452 -
C:\Windows\SysWOW64\Chmibmlo.exeC:\Windows\system32\Chmibmlo.exe39⤵
- Executes dropped EXE
PID:2356 -
C:\Windows\SysWOW64\Cgbfcjag.exeC:\Windows\system32\Cgbfcjag.exe40⤵
- Executes dropped EXE
PID:2468 -
C:\Windows\SysWOW64\Dajgfboj.exeC:\Windows\system32\Dajgfboj.exe41⤵
- Executes dropped EXE
PID:2164 -
C:\Windows\SysWOW64\Djeljd32.exeC:\Windows\system32\Djeljd32.exe42⤵
- Executes dropped EXE
PID:2456 -
C:\Windows\SysWOW64\Djghpd32.exeC:\Windows\system32\Djghpd32.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1228 -
C:\Windows\SysWOW64\Dlhaaogd.exeC:\Windows\system32\Dlhaaogd.exe44⤵
- Executes dropped EXE
PID:1944 -
C:\Windows\SysWOW64\Dbejjfek.exeC:\Windows\system32\Dbejjfek.exe45⤵
- Executes dropped EXE
PID:1528 -
C:\Windows\SysWOW64\Dkmncl32.exeC:\Windows\system32\Dkmncl32.exe46⤵
- Executes dropped EXE
PID:1744 -
C:\Windows\SysWOW64\Edeclabl.exeC:\Windows\system32\Edeclabl.exe47⤵
- Executes dropped EXE
PID:2268 -
C:\Windows\SysWOW64\Efeoedjo.exeC:\Windows\system32\Efeoedjo.exe48⤵
- Executes dropped EXE
PID:2220 -
C:\Windows\SysWOW64\Ekbhnkhf.exeC:\Windows\system32\Ekbhnkhf.exe49⤵
- Executes dropped EXE
PID:1908 -
C:\Windows\SysWOW64\Ejgeogmn.exeC:\Windows\system32\Ejgeogmn.exe50⤵
- Executes dropped EXE
PID:3052 -
C:\Windows\SysWOW64\Eqamla32.exeC:\Windows\system32\Eqamla32.exe51⤵
- Executes dropped EXE
PID:1600 -
C:\Windows\SysWOW64\Ekfaij32.exeC:\Windows\system32\Ekfaij32.exe52⤵
- Executes dropped EXE
PID:2668 -
C:\Windows\SysWOW64\Egmbnkie.exeC:\Windows\system32\Egmbnkie.exe53⤵
- Executes dropped EXE
PID:2684 -
C:\Windows\SysWOW64\Fcdbcloi.exeC:\Windows\system32\Fcdbcloi.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1508 -
C:\Windows\SysWOW64\Fmlglb32.exeC:\Windows\system32\Fmlglb32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2856 -
C:\Windows\SysWOW64\Ffiepg32.exeC:\Windows\system32\Ffiepg32.exe56⤵
- Executes dropped EXE
PID:1980 -
C:\Windows\SysWOW64\Facfpddd.exeC:\Windows\system32\Facfpddd.exe57⤵
- Executes dropped EXE
PID:2276 -
C:\Windows\SysWOW64\Gahpkd32.exeC:\Windows\system32\Gahpkd32.exe58⤵
- Executes dropped EXE
PID:2372 -
C:\Windows\SysWOW64\Gnlpeh32.exeC:\Windows\system32\Gnlpeh32.exe59⤵
- Executes dropped EXE
PID:2748 -
C:\Windows\SysWOW64\Gdihmo32.exeC:\Windows\system32\Gdihmo32.exe60⤵
- Executes dropped EXE
PID:2448 -
C:\Windows\SysWOW64\Gmamfddp.exeC:\Windows\system32\Gmamfddp.exe61⤵
- Executes dropped EXE
PID:464 -
C:\Windows\SysWOW64\Gihnkejd.exeC:\Windows\system32\Gihnkejd.exe62⤵
- Executes dropped EXE
PID:2236 -
C:\Windows\SysWOW64\Glfjgaih.exeC:\Windows\system32\Glfjgaih.exe63⤵
- Executes dropped EXE
PID:2244 -
C:\Windows\SysWOW64\Hpdbmooo.exeC:\Windows\system32\Hpdbmooo.exe64⤵
- Executes dropped EXE
PID:1072 -
C:\Windows\SysWOW64\Hpfoboml.exeC:\Windows\system32\Hpfoboml.exe65⤵
- Executes dropped EXE
PID:1652 -
C:\Windows\SysWOW64\Hkppcmjk.exeC:\Windows\system32\Hkppcmjk.exe66⤵PID:2336
-
C:\Windows\SysWOW64\Hajhpgag.exeC:\Windows\system32\Hajhpgag.exe67⤵PID:1720
-
C:\Windows\SysWOW64\Hmqieh32.exeC:\Windows\system32\Hmqieh32.exe68⤵PID:1432
-
C:\Windows\SysWOW64\Hginnmml.exeC:\Windows\system32\Hginnmml.exe69⤵PID:3068
-
C:\Windows\SysWOW64\Idmnga32.exeC:\Windows\system32\Idmnga32.exe70⤵PID:2824
-
C:\Windows\SysWOW64\Iaaoqf32.exeC:\Windows\system32\Iaaoqf32.exe71⤵PID:2944
-
C:\Windows\SysWOW64\Iilceh32.exeC:\Windows\system32\Iilceh32.exe72⤵
- Drops file in System32 directory
PID:560 -
C:\Windows\SysWOW64\Iphhgb32.exeC:\Windows\system32\Iphhgb32.exe73⤵PID:2412
-
C:\Windows\SysWOW64\Ieeqpi32.exeC:\Windows\system32\Ieeqpi32.exe74⤵
- System Location Discovery: System Language Discovery
PID:2232 -
C:\Windows\SysWOW64\Ipkema32.exeC:\Windows\system32\Ipkema32.exe75⤵PID:2960
-
C:\Windows\SysWOW64\Ialadj32.exeC:\Windows\system32\Ialadj32.exe76⤵PID:3020
-
C:\Windows\SysWOW64\Jopbnn32.exeC:\Windows\system32\Jopbnn32.exe77⤵PID:2440
-
C:\Windows\SysWOW64\Jkgbcofn.exeC:\Windows\system32\Jkgbcofn.exe78⤵PID:236
-
C:\Windows\SysWOW64\Jdogldmo.exeC:\Windows\system32\Jdogldmo.exe79⤵PID:2516
-
C:\Windows\SysWOW64\Jdadadkl.exeC:\Windows\system32\Jdadadkl.exe80⤵PID:2540
-
C:\Windows\SysWOW64\Jkllnn32.exeC:\Windows\system32\Jkllnn32.exe81⤵PID:2228
-
C:\Windows\SysWOW64\Jcgqbq32.exeC:\Windows\system32\Jcgqbq32.exe82⤵
- Drops file in System32 directory
PID:1088 -
C:\Windows\SysWOW64\Kqkalenn.exeC:\Windows\system32\Kqkalenn.exe83⤵PID:2584
-
C:\Windows\SysWOW64\Knoaeimg.exeC:\Windows\system32\Knoaeimg.exe84⤵PID:2240
-
C:\Windows\SysWOW64\Kggfnoch.exeC:\Windows\system32\Kggfnoch.exe85⤵PID:2124
-
C:\Windows\SysWOW64\Kobkbaac.exeC:\Windows\system32\Kobkbaac.exe86⤵PID:764
-
C:\Windows\SysWOW64\Kbcddlnd.exeC:\Windows\system32\Kbcddlnd.exe87⤵PID:1456
-
C:\Windows\SysWOW64\Kkkhmadd.exeC:\Windows\system32\Kkkhmadd.exe88⤵PID:2884
-
C:\Windows\SysWOW64\Kfaljjdj.exeC:\Windows\system32\Kfaljjdj.exe89⤵PID:2716
-
C:\Windows\SysWOW64\Lpiacp32.exeC:\Windows\system32\Lpiacp32.exe90⤵PID:2108
-
C:\Windows\SysWOW64\Lamjph32.exeC:\Windows\system32\Lamjph32.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2172 -
C:\Windows\SysWOW64\Laogfg32.exeC:\Windows\system32\Laogfg32.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1844 -
C:\Windows\SysWOW64\Lmfgkh32.exeC:\Windows\system32\Lmfgkh32.exe93⤵PID:2760
-
C:\Windows\SysWOW64\Limhpihl.exeC:\Windows\system32\Limhpihl.exe94⤵PID:768
-
C:\Windows\SysWOW64\Mjlejl32.exeC:\Windows\system32\Mjlejl32.exe95⤵PID:2512
-
C:\Windows\SysWOW64\Mlpngd32.exeC:\Windows\system32\Mlpngd32.exe96⤵
- System Location Discovery: System Language Discovery
PID:112 -
C:\Windows\SysWOW64\Mlbkmdah.exeC:\Windows\system32\Mlbkmdah.exe97⤵PID:1964
-
C:\Windows\SysWOW64\Mhikae32.exeC:\Windows\system32\Mhikae32.exe98⤵PID:1632
-
C:\Windows\SysWOW64\Mlgdhcmb.exeC:\Windows\system32\Mlgdhcmb.exe99⤵PID:108
-
C:\Windows\SysWOW64\Nacmpj32.exeC:\Windows\system32\Nacmpj32.exe100⤵PID:2104
-
C:\Windows\SysWOW64\Nogmin32.exeC:\Windows\system32\Nogmin32.exe101⤵PID:1960
-
C:\Windows\SysWOW64\Nianjl32.exeC:\Windows\system32\Nianjl32.exe102⤵
- Modifies registry class
PID:2800 -
C:\Windows\SysWOW64\Ngencpel.exeC:\Windows\system32\Ngencpel.exe103⤵PID:1912
-
C:\Windows\SysWOW64\Ncloha32.exeC:\Windows\system32\Ncloha32.exe104⤵
- Drops file in System32 directory
PID:2308 -
C:\Windows\SysWOW64\Nobpmb32.exeC:\Windows\system32\Nobpmb32.exe105⤵PID:2720
-
C:\Windows\SysWOW64\Olgpff32.exeC:\Windows\system32\Olgpff32.exe106⤵PID:3008
-
C:\Windows\SysWOW64\Oklmhcdf.exeC:\Windows\system32\Oklmhcdf.exe107⤵PID:428
-
C:\Windows\SysWOW64\Pqplqile.exeC:\Windows\system32\Pqplqile.exe108⤵
- Modifies registry class
PID:1948 -
C:\Windows\SysWOW64\Pglacbbo.exeC:\Windows\system32\Pglacbbo.exe109⤵
- System Location Discovery: System Language Discovery
PID:1768 -
C:\Windows\SysWOW64\Pogegeoj.exeC:\Windows\system32\Pogegeoj.exe110⤵PID:1392
-
C:\Windows\SysWOW64\Pmkfqind.exeC:\Windows\system32\Pmkfqind.exe111⤵PID:1560
-
C:\Windows\SysWOW64\Pmmcfi32.exeC:\Windows\system32\Pmmcfi32.exe112⤵
- Drops file in System32 directory
PID:1608 -
C:\Windows\SysWOW64\Pffgonbb.exeC:\Windows\system32\Pffgonbb.exe113⤵PID:2400
-
C:\Windows\SysWOW64\Qnalcqpm.exeC:\Windows\system32\Qnalcqpm.exe114⤵PID:1868
-
C:\Windows\SysWOW64\Qgiplffm.exeC:\Windows\system32\Qgiplffm.exe115⤵PID:2160
-
C:\Windows\SysWOW64\Aglmbfdk.exeC:\Windows\system32\Aglmbfdk.exe116⤵
- Drops file in System32 directory
PID:1208 -
C:\Windows\SysWOW64\Anfeop32.exeC:\Windows\system32\Anfeop32.exe117⤵PID:884
-
C:\Windows\SysWOW64\Anhbdpje.exeC:\Windows\system32\Anhbdpje.exe118⤵PID:2956
-
C:\Windows\SysWOW64\Aebjaj32.exeC:\Windows\system32\Aebjaj32.exe119⤵PID:2444
-
C:\Windows\SysWOW64\Ammoel32.exeC:\Windows\system32\Ammoel32.exe120⤵PID:1804
-
C:\Windows\SysWOW64\Ajapoqmf.exeC:\Windows\system32\Ajapoqmf.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2492
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-