Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
25-12-2024 00:29
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
8ee498bf64dadff5cc84b8c4d500f52db02e8479aea90dfe1e3b7738951492c5.exe
Resource
win7-20240903-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral2
Sample
8ee498bf64dadff5cc84b8c4d500f52db02e8479aea90dfe1e3b7738951492c5.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
8ee498bf64dadff5cc84b8c4d500f52db02e8479aea90dfe1e3b7738951492c5.exe
-
Size
93KB
-
MD5
ee4a0e422d8b5da224f35d6c9358ca7b
-
SHA1
e513d8d0afb9e950ed923ef4457b07ffc88e1c69
-
SHA256
8ee498bf64dadff5cc84b8c4d500f52db02e8479aea90dfe1e3b7738951492c5
-
SHA512
feb4504c9f06446c1970498fc4e6c8fcaba877bfc12124698e22cb867f339dc8cfba3e7e1dd80e643536dddc0042813e46c181f0e09d7b2d5b70a0a3130a05ae
-
SSDEEP
1536:172Yuog36ZnTt6nMnTKDJeu6tRFlFisRQYqRkRLJzeLD9N0iQGRNQR8RyV+32rR:92YuoPZ0nemVevd9eZSJdEN0s4WE+3K
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://viruslist.com/wcmd.txt
http://viruslist.com/ppslog.php
http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcmdnfad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hejmpqop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Npdhaq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmhejhao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cjhabndo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jioopgef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nnnbni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Peefcjlg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pckajebj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bceibfgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kgnkci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ahmefdcp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jlphbbbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bqeqqk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djiqdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nfgjml32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbllnlfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dmmpolof.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmcnqama.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Doecog32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccpeld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cmkfji32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dogpdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hfbcidmk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lopfhk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbgjgomc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jndjmifj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jhdegn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dddimn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mmgfqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kilgoe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fqdiga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mbqkiind.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Addfkeid.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Iafnjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ijclol32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnfddp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cqfbjhgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pmmeon32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Demaoj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjegog32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aklabp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Anadojlo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Amfognic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ccdmnj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcldhnkk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qkfocaki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bgllgedi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onqkclni.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcnkhmdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mcckcbgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Iladfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jdhifooi.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2556 Oopijc32.exe 2580 Opaebkmc.exe 2128 Ohhmcinf.exe 2832 Ogknoe32.exe 2848 Oijjka32.exe 2632 Pdonhj32.exe 2600 Pgnjde32.exe 2464 Ppfomk32.exe 1872 Pcdkif32.exe 1716 Pnjofo32.exe 2844 Plmpblnb.exe 1052 Piqpkpml.exe 3004 Plolgk32.exe 2064 Palepb32.exe 2028 Plaimk32.exe 816 Pckajebj.exe 1968 Panaeb32.exe 764 Phhjblpa.exe 1340 Qkffng32.exe 332 Qfljkp32.exe 2440 Qdojgmfe.exe 2280 Qngopb32.exe 1844 Qqfkln32.exe 2500 Ajnpecbj.exe 1924 Anjlebjc.exe 2756 Aqhhanig.exe 2720 Aknlofim.exe 2944 Afgmodel.exe 2604 Ajcipc32.exe 1292 Afjjed32.exe 1808 Ajeeeblb.exe 1828 Abpjjeim.exe 1388 Ajgbkbjp.exe 2968 Aijbfo32.exe 1748 Amfognic.exe 1332 Aodkci32.exe 2988 Bcpgdhpp.exe 2232 Bimoloog.exe 1540 Bmhkmm32.exe 1144 Bofgii32.exe 2572 Bnihdemo.exe 2268 Bfqpecma.exe 2136 Becpap32.exe 1816 Bgblmk32.exe 1736 Bkmhnjlh.exe 1672 Boidnh32.exe 1668 Bnldjekl.exe 1592 Bajqfq32.exe 2712 Befmfpbi.exe 2736 Biaign32.exe 2628 Bkpeci32.exe 2792 Bjbeofpp.exe 1272 Bbjmpcab.exe 2932 Bammlq32.exe 2976 Bckjhl32.exe 2912 Bgffhkoj.exe 3016 Bkbaii32.exe 1840 Bnqned32.exe 2180 Bmcnqama.exe 1088 Bejfao32.exe 3068 Bgibnj32.exe 1860 Bflbigdb.exe 1516 Cjgoje32.exe 1856 Cmfkfa32.exe -
Loads dropped DLL 64 IoCs
pid Process 2120 8ee498bf64dadff5cc84b8c4d500f52db02e8479aea90dfe1e3b7738951492c5.exe 2120 8ee498bf64dadff5cc84b8c4d500f52db02e8479aea90dfe1e3b7738951492c5.exe 2556 Oopijc32.exe 2556 Oopijc32.exe 2580 Opaebkmc.exe 2580 Opaebkmc.exe 2128 Ohhmcinf.exe 2128 Ohhmcinf.exe 2832 Ogknoe32.exe 2832 Ogknoe32.exe 2848 Oijjka32.exe 2848 Oijjka32.exe 2632 Pdonhj32.exe 2632 Pdonhj32.exe 2600 Pgnjde32.exe 2600 Pgnjde32.exe 2464 Ppfomk32.exe 2464 Ppfomk32.exe 1872 Pcdkif32.exe 1872 Pcdkif32.exe 1716 Pnjofo32.exe 1716 Pnjofo32.exe 2844 Plmpblnb.exe 2844 Plmpblnb.exe 1052 Piqpkpml.exe 1052 Piqpkpml.exe 3004 Plolgk32.exe 3004 Plolgk32.exe 2064 Palepb32.exe 2064 Palepb32.exe 2028 Plaimk32.exe 2028 Plaimk32.exe 816 Pckajebj.exe 816 Pckajebj.exe 1968 Panaeb32.exe 1968 Panaeb32.exe 764 Phhjblpa.exe 764 Phhjblpa.exe 1340 Qkffng32.exe 1340 Qkffng32.exe 332 Qfljkp32.exe 332 Qfljkp32.exe 2440 Qdojgmfe.exe 2440 Qdojgmfe.exe 2280 Qngopb32.exe 2280 Qngopb32.exe 1844 Qqfkln32.exe 1844 Qqfkln32.exe 2500 Ajnpecbj.exe 2500 Ajnpecbj.exe 1924 Anjlebjc.exe 1924 Anjlebjc.exe 2756 Aqhhanig.exe 2756 Aqhhanig.exe 2720 Aknlofim.exe 2720 Aknlofim.exe 2944 Afgmodel.exe 2944 Afgmodel.exe 2604 Ajcipc32.exe 2604 Ajcipc32.exe 1292 Afjjed32.exe 1292 Afjjed32.exe 1808 Ajeeeblb.exe 1808 Ajeeeblb.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Jnqjhh32.dll Edlhqlfi.exe File created C:\Windows\SysWOW64\Hcopgk32.dll Aohdmdoh.exe File opened for modification C:\Windows\SysWOW64\Hjofdi32.exe Hgpjhn32.exe File opened for modification C:\Windows\SysWOW64\Loefnpnn.exe Lkjjma32.exe File created C:\Windows\SysWOW64\Hnpdcf32.exe Hkahgk32.exe File created C:\Windows\SysWOW64\Mkhngh32.dll Paaddgkj.exe File created C:\Windows\SysWOW64\Ldaomc32.dll Edlafebn.exe File opened for modification C:\Windows\SysWOW64\Jimdcqom.exe Process not Found File created C:\Windows\SysWOW64\Golnjpio.dll Bofgii32.exe File created C:\Windows\SysWOW64\Baefnmml.exe Bcbfbp32.exe File created C:\Windows\SysWOW64\Oiahkhpo.dll Process not Found File created C:\Windows\SysWOW64\Lgingm32.exe Ldjbkb32.exe File created C:\Windows\SysWOW64\Fnlmcm32.dll Jjkkbjln.exe File opened for modification C:\Windows\SysWOW64\Kapohbfp.exe Process not Found File created C:\Windows\SysWOW64\Lpnopm32.exe Process not Found File created C:\Windows\SysWOW64\Jliaac32.exe Jikeeh32.exe File created C:\Windows\SysWOW64\Ginaep32.dll Bhmaeg32.exe File created C:\Windows\SysWOW64\Ddaglffo.dll Dlgjldnm.exe File opened for modification C:\Windows\SysWOW64\Hoqjqhjf.exe Process not Found File opened for modification C:\Windows\SysWOW64\Kenhopmf.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ggicgopd.exe Gifclb32.exe File created C:\Windows\SysWOW64\Leblqb32.dll Pdjjag32.exe File opened for modification C:\Windows\SysWOW64\Efeckm32.dll Clojhf32.exe File created C:\Windows\SysWOW64\Demaoj32.exe Daaenlng.exe File created C:\Windows\SysWOW64\Dekhchoj.dll Giipab32.exe File opened for modification C:\Windows\SysWOW64\Lopfhk32.exe Lgingm32.exe File opened for modification C:\Windows\SysWOW64\Lohccp32.exe Lklgbadb.exe File created C:\Windows\SysWOW64\Mifnodlj.dll Eabepp32.exe File opened for modification C:\Windows\SysWOW64\Iaegpaao.exe Imjkpb32.exe File created C:\Windows\SysWOW64\Phklaacg.exe Ppddpd32.exe File created C:\Windows\SysWOW64\Plmbkd32.exe Pioeoi32.exe File created C:\Windows\SysWOW64\Hfjbmb32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Bmcnqama.exe Bnqned32.exe File created C:\Windows\SysWOW64\Dicdjqhf.dll Qnghel32.exe File created C:\Windows\SysWOW64\Ecinnn32.dll Pdbdqh32.exe File created C:\Windows\SysWOW64\Nhndalhm.dll Qqfkln32.exe File opened for modification C:\Windows\SysWOW64\Bceibfgj.exe Bqgmfkhg.exe File opened for modification C:\Windows\SysWOW64\Cagienkb.exe Cbdiia32.exe File opened for modification C:\Windows\SysWOW64\Hdecea32.exe Hfbcidmk.exe File opened for modification C:\Windows\SysWOW64\Cjogcm32.exe Cbgobp32.exe File opened for modification C:\Windows\SysWOW64\Emdeok32.exe Eemnnn32.exe File opened for modification C:\Windows\SysWOW64\Pcdkif32.exe Ppfomk32.exe File created C:\Windows\SysWOW64\Obecdjcn.dll Piicpk32.exe File created C:\Windows\SysWOW64\Bkegah32.exe Bmbgfkje.exe File created C:\Windows\SysWOW64\Giipab32.exe Gdmdacnn.exe File opened for modification C:\Windows\SysWOW64\Ghdgfbkl.exe Gcgnnlle.exe File created C:\Windows\SysWOW64\Fffjig32.dll Kekiphge.exe File created C:\Windows\SysWOW64\Gcmamj32.exe Glchpp32.exe File opened for modification C:\Windows\SysWOW64\Ifdlng32.exe Icfpbl32.exe File created C:\Windows\SysWOW64\Jmegnj32.dll Process not Found File created C:\Windows\SysWOW64\Pgnjde32.exe Pdonhj32.exe File opened for modification C:\Windows\SysWOW64\Eheglk32.exe Eegkpo32.exe File created C:\Windows\SysWOW64\Ahemgiea.dll Eikfdl32.exe File created C:\Windows\SysWOW64\Phlclgfc.exe Piicpk32.exe File opened for modification C:\Windows\SysWOW64\Anjlebjc.exe Ajnpecbj.exe File opened for modification C:\Windows\SysWOW64\Kadica32.exe Process not Found File created C:\Windows\SysWOW64\Khghgchk.exe Kdklfe32.exe File opened for modification C:\Windows\SysWOW64\Kncaojfb.exe Koaqcn32.exe File opened for modification C:\Windows\SysWOW64\Plolgk32.exe Piqpkpml.exe File created C:\Windows\SysWOW64\Pplqiiqb.dll Fdekgjno.exe File created C:\Windows\SysWOW64\Jjfkgcdc.dll Dadbdkld.exe File opened for modification C:\Windows\SysWOW64\Fmkilb32.exe Fhomkcoa.exe File created C:\Windows\SysWOW64\Dicnkdnf.exe Dgeaoinb.exe File created C:\Windows\SysWOW64\Njfaognh.dll Process not Found -
Program crash 1 IoCs
pid pid_target Process procid_target 12248 12224 Process not Found 1246 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcdnhoac.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohncbdbd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfkhndca.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edfbaabj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apgagg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hieiqo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apppkekc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccbphk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icafgmbe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjihmmbk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbadjg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Illbhp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkhejkcq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klbdgb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kocmim32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pebpkk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjdkjpkb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Difqji32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnldjekl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkigoimd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdpfadlm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipjdameg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obbdml32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohbikbkb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dncibp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcdkif32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmkilb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qcachc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfabnl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjpaop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkfclo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfanmogq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Piqpkpml.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfphcj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbaaik32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oplelf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfqpecma.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eelkeeah.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qoeamo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gifclb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlfnangf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mopbgn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aklabp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bimoloog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iihiphln.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qlgkki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahmefdcp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpigma32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khghgchk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Coacbfii.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbppnbhm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Feddombd.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kilgoe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Klmqapci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kneoni32.dll" Dnefhpma.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gjojef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apoldh32.dll" Gdmdacnn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hpkompgg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Boemlbpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihkcje32.dll" Fajbke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Llbqfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jeoggjip.dll" Lgchgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qdlggg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqimphik.dll" Hifpke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jimbkh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Opglafab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmkbjj32.dll" Hcojam32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bnlgbnbp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kpdjaecc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dombicdm.dll" Ooabmbbe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dbfbnddq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikaihg32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bceibfgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jpajbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Laqojfli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lhknaf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bqgmfkhg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kadfkhkf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Plgolf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jbnjhh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bjedmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnpmhc32.dll" Danpemej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocmbnbgf.dll" Qngopb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Elipgofb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fdmhbplb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hcigco32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Qdompf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Aknngo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Oefjdgjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bifbbocj.dll" Bdqlajbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alecllfh.dll" Bchfhfeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bdhleh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Eafkhn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgokeion.dll" Imokehhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jajcdjca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Adlcfjgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Paocnkph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlamphei.dll" Cgkocj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ioohokoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mqnifg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpdjfphd.dll" Mjcaimgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nbeedh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkmohi32.dll" Nmflee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgifkl32.dll" Oeaqig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjcijlpq.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cocphf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Clojhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jamkdghb.dll" Kpojkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gneijien.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Blkjkflb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iampng32.dll" Eemnnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pihbeaea.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Obhdcanc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kajpmc32.dll" Jaecod32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2120 wrote to memory of 2556 2120 8ee498bf64dadff5cc84b8c4d500f52db02e8479aea90dfe1e3b7738951492c5.exe 30 PID 2120 wrote to memory of 2556 2120 8ee498bf64dadff5cc84b8c4d500f52db02e8479aea90dfe1e3b7738951492c5.exe 30 PID 2120 wrote to memory of 2556 2120 8ee498bf64dadff5cc84b8c4d500f52db02e8479aea90dfe1e3b7738951492c5.exe 30 PID 2120 wrote to memory of 2556 2120 8ee498bf64dadff5cc84b8c4d500f52db02e8479aea90dfe1e3b7738951492c5.exe 30 PID 2556 wrote to memory of 2580 2556 Oopijc32.exe 31 PID 2556 wrote to memory of 2580 2556 Oopijc32.exe 31 PID 2556 wrote to memory of 2580 2556 Oopijc32.exe 31 PID 2556 wrote to memory of 2580 2556 Oopijc32.exe 31 PID 2580 wrote to memory of 2128 2580 Opaebkmc.exe 32 PID 2580 wrote to memory of 2128 2580 Opaebkmc.exe 32 PID 2580 wrote to memory of 2128 2580 Opaebkmc.exe 32 PID 2580 wrote to memory of 2128 2580 Opaebkmc.exe 32 PID 2128 wrote to memory of 2832 2128 Ohhmcinf.exe 33 PID 2128 wrote to memory of 2832 2128 Ohhmcinf.exe 33 PID 2128 wrote to memory of 2832 2128 Ohhmcinf.exe 33 PID 2128 wrote to memory of 2832 2128 Ohhmcinf.exe 33 PID 2832 wrote to memory of 2848 2832 Ogknoe32.exe 34 PID 2832 wrote to memory of 2848 2832 Ogknoe32.exe 34 PID 2832 wrote to memory of 2848 2832 Ogknoe32.exe 34 PID 2832 wrote to memory of 2848 2832 Ogknoe32.exe 34 PID 2848 wrote to memory of 2632 2848 Oijjka32.exe 35 PID 2848 wrote to memory of 2632 2848 Oijjka32.exe 35 PID 2848 wrote to memory of 2632 2848 Oijjka32.exe 35 PID 2848 wrote to memory of 2632 2848 Oijjka32.exe 35 PID 2632 wrote to memory of 2600 2632 Pdonhj32.exe 36 PID 2632 wrote to memory of 2600 2632 Pdonhj32.exe 36 PID 2632 wrote to memory of 2600 2632 Pdonhj32.exe 36 PID 2632 wrote to memory of 2600 2632 Pdonhj32.exe 36 PID 2600 wrote to memory of 2464 2600 Pgnjde32.exe 37 PID 2600 wrote to memory of 2464 2600 Pgnjde32.exe 37 PID 2600 wrote to memory of 2464 2600 Pgnjde32.exe 37 PID 2600 wrote to memory of 2464 2600 Pgnjde32.exe 37 PID 2464 wrote to memory of 1872 2464 Ppfomk32.exe 38 PID 2464 wrote to memory of 1872 2464 Ppfomk32.exe 38 PID 2464 wrote to memory of 1872 2464 Ppfomk32.exe 38 PID 2464 wrote to memory of 1872 2464 Ppfomk32.exe 38 PID 1872 wrote to memory of 1716 1872 Pcdkif32.exe 39 PID 1872 wrote to memory of 1716 1872 Pcdkif32.exe 39 PID 1872 wrote to memory of 1716 1872 Pcdkif32.exe 39 PID 1872 wrote to memory of 1716 1872 Pcdkif32.exe 39 PID 1716 wrote to memory of 2844 1716 Pnjofo32.exe 40 PID 1716 wrote to memory of 2844 1716 Pnjofo32.exe 40 PID 1716 wrote to memory of 2844 1716 Pnjofo32.exe 40 PID 1716 wrote to memory of 2844 1716 Pnjofo32.exe 40 PID 2844 wrote to memory of 1052 2844 Plmpblnb.exe 41 PID 2844 wrote to memory of 1052 2844 Plmpblnb.exe 41 PID 2844 wrote to memory of 1052 2844 Plmpblnb.exe 41 PID 2844 wrote to memory of 1052 2844 Plmpblnb.exe 41 PID 1052 wrote to memory of 3004 1052 Piqpkpml.exe 42 PID 1052 wrote to memory of 3004 1052 Piqpkpml.exe 42 PID 1052 wrote to memory of 3004 1052 Piqpkpml.exe 42 PID 1052 wrote to memory of 3004 1052 Piqpkpml.exe 42 PID 3004 wrote to memory of 2064 3004 Plolgk32.exe 43 PID 3004 wrote to memory of 2064 3004 Plolgk32.exe 43 PID 3004 wrote to memory of 2064 3004 Plolgk32.exe 43 PID 3004 wrote to memory of 2064 3004 Plolgk32.exe 43 PID 2064 wrote to memory of 2028 2064 Palepb32.exe 44 PID 2064 wrote to memory of 2028 2064 Palepb32.exe 44 PID 2064 wrote to memory of 2028 2064 Palepb32.exe 44 PID 2064 wrote to memory of 2028 2064 Palepb32.exe 44 PID 2028 wrote to memory of 816 2028 Plaimk32.exe 45 PID 2028 wrote to memory of 816 2028 Plaimk32.exe 45 PID 2028 wrote to memory of 816 2028 Plaimk32.exe 45 PID 2028 wrote to memory of 816 2028 Plaimk32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\8ee498bf64dadff5cc84b8c4d500f52db02e8479aea90dfe1e3b7738951492c5.exe"C:\Users\Admin\AppData\Local\Temp\8ee498bf64dadff5cc84b8c4d500f52db02e8479aea90dfe1e3b7738951492c5.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2120 -
C:\Windows\SysWOW64\Oopijc32.exeC:\Windows\system32\Oopijc32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2556 -
C:\Windows\SysWOW64\Opaebkmc.exeC:\Windows\system32\Opaebkmc.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2580 -
C:\Windows\SysWOW64\Ohhmcinf.exeC:\Windows\system32\Ohhmcinf.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2128 -
C:\Windows\SysWOW64\Ogknoe32.exeC:\Windows\system32\Ogknoe32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2832 -
C:\Windows\SysWOW64\Oijjka32.exeC:\Windows\system32\Oijjka32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2848 -
C:\Windows\SysWOW64\Pdonhj32.exeC:\Windows\system32\Pdonhj32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2632 -
C:\Windows\SysWOW64\Pgnjde32.exeC:\Windows\system32\Pgnjde32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2600 -
C:\Windows\SysWOW64\Ppfomk32.exeC:\Windows\system32\Ppfomk32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2464 -
C:\Windows\SysWOW64\Pcdkif32.exeC:\Windows\system32\Pcdkif32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1872 -
C:\Windows\SysWOW64\Pnjofo32.exeC:\Windows\system32\Pnjofo32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1716 -
C:\Windows\SysWOW64\Plmpblnb.exeC:\Windows\system32\Plmpblnb.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2844 -
C:\Windows\SysWOW64\Piqpkpml.exeC:\Windows\system32\Piqpkpml.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1052 -
C:\Windows\SysWOW64\Plolgk32.exeC:\Windows\system32\Plolgk32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3004 -
C:\Windows\SysWOW64\Palepb32.exeC:\Windows\system32\Palepb32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2064 -
C:\Windows\SysWOW64\Plaimk32.exeC:\Windows\system32\Plaimk32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2028 -
C:\Windows\SysWOW64\Pckajebj.exeC:\Windows\system32\Pckajebj.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:816 -
C:\Windows\SysWOW64\Panaeb32.exeC:\Windows\system32\Panaeb32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1968 -
C:\Windows\SysWOW64\Phhjblpa.exeC:\Windows\system32\Phhjblpa.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:764 -
C:\Windows\SysWOW64\Qkffng32.exeC:\Windows\system32\Qkffng32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1340 -
C:\Windows\SysWOW64\Qfljkp32.exeC:\Windows\system32\Qfljkp32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:332 -
C:\Windows\SysWOW64\Qdojgmfe.exeC:\Windows\system32\Qdojgmfe.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2440 -
C:\Windows\SysWOW64\Qngopb32.exeC:\Windows\system32\Qngopb32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2280 -
C:\Windows\SysWOW64\Qqfkln32.exeC:\Windows\system32\Qqfkln32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1844 -
C:\Windows\SysWOW64\Ajnpecbj.exeC:\Windows\system32\Ajnpecbj.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2500 -
C:\Windows\SysWOW64\Anjlebjc.exeC:\Windows\system32\Anjlebjc.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1924 -
C:\Windows\SysWOW64\Aqhhanig.exeC:\Windows\system32\Aqhhanig.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2756 -
C:\Windows\SysWOW64\Aknlofim.exeC:\Windows\system32\Aknlofim.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2720 -
C:\Windows\SysWOW64\Afgmodel.exeC:\Windows\system32\Afgmodel.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2944 -
C:\Windows\SysWOW64\Ajcipc32.exeC:\Windows\system32\Ajcipc32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2604 -
C:\Windows\SysWOW64\Afjjed32.exeC:\Windows\system32\Afjjed32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1292 -
C:\Windows\SysWOW64\Ajeeeblb.exeC:\Windows\system32\Ajeeeblb.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1808 -
C:\Windows\SysWOW64\Abpjjeim.exeC:\Windows\system32\Abpjjeim.exe33⤵
- Executes dropped EXE
PID:1828 -
C:\Windows\SysWOW64\Ajgbkbjp.exeC:\Windows\system32\Ajgbkbjp.exe34⤵
- Executes dropped EXE
PID:1388 -
C:\Windows\SysWOW64\Aijbfo32.exeC:\Windows\system32\Aijbfo32.exe35⤵
- Executes dropped EXE
PID:2968 -
C:\Windows\SysWOW64\Amfognic.exeC:\Windows\system32\Amfognic.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1748 -
C:\Windows\SysWOW64\Aodkci32.exeC:\Windows\system32\Aodkci32.exe37⤵
- Executes dropped EXE
PID:1332 -
C:\Windows\SysWOW64\Bcpgdhpp.exeC:\Windows\system32\Bcpgdhpp.exe38⤵
- Executes dropped EXE
PID:2988 -
C:\Windows\SysWOW64\Bimoloog.exeC:\Windows\system32\Bimoloog.exe39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2232 -
C:\Windows\SysWOW64\Bmhkmm32.exeC:\Windows\system32\Bmhkmm32.exe40⤵
- Executes dropped EXE
PID:1540 -
C:\Windows\SysWOW64\Bofgii32.exeC:\Windows\system32\Bofgii32.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1144 -
C:\Windows\SysWOW64\Bnihdemo.exeC:\Windows\system32\Bnihdemo.exe42⤵
- Executes dropped EXE
PID:2572 -
C:\Windows\SysWOW64\Bfqpecma.exeC:\Windows\system32\Bfqpecma.exe43⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2268 -
C:\Windows\SysWOW64\Becpap32.exeC:\Windows\system32\Becpap32.exe44⤵
- Executes dropped EXE
PID:2136 -
C:\Windows\SysWOW64\Bgblmk32.exeC:\Windows\system32\Bgblmk32.exe45⤵
- Executes dropped EXE
PID:1816 -
C:\Windows\SysWOW64\Bkmhnjlh.exeC:\Windows\system32\Bkmhnjlh.exe46⤵
- Executes dropped EXE
PID:1736 -
C:\Windows\SysWOW64\Boidnh32.exeC:\Windows\system32\Boidnh32.exe47⤵
- Executes dropped EXE
PID:1672 -
C:\Windows\SysWOW64\Bnldjekl.exeC:\Windows\system32\Bnldjekl.exe48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1668 -
C:\Windows\SysWOW64\Bajqfq32.exeC:\Windows\system32\Bajqfq32.exe49⤵
- Executes dropped EXE
PID:1592 -
C:\Windows\SysWOW64\Befmfpbi.exeC:\Windows\system32\Befmfpbi.exe50⤵
- Executes dropped EXE
PID:2712 -
C:\Windows\SysWOW64\Biaign32.exeC:\Windows\system32\Biaign32.exe51⤵
- Executes dropped EXE
PID:2736 -
C:\Windows\SysWOW64\Bkpeci32.exeC:\Windows\system32\Bkpeci32.exe52⤵
- Executes dropped EXE
PID:2628 -
C:\Windows\SysWOW64\Bjbeofpp.exeC:\Windows\system32\Bjbeofpp.exe53⤵
- Executes dropped EXE
PID:2792 -
C:\Windows\SysWOW64\Bbjmpcab.exeC:\Windows\system32\Bbjmpcab.exe54⤵
- Executes dropped EXE
PID:1272 -
C:\Windows\SysWOW64\Bammlq32.exeC:\Windows\system32\Bammlq32.exe55⤵
- Executes dropped EXE
PID:2932 -
C:\Windows\SysWOW64\Bckjhl32.exeC:\Windows\system32\Bckjhl32.exe56⤵
- Executes dropped EXE
PID:2976 -
C:\Windows\SysWOW64\Bgffhkoj.exeC:\Windows\system32\Bgffhkoj.exe57⤵
- Executes dropped EXE
PID:2912 -
C:\Windows\SysWOW64\Bkbaii32.exeC:\Windows\system32\Bkbaii32.exe58⤵
- Executes dropped EXE
PID:3016 -
C:\Windows\SysWOW64\Bnqned32.exeC:\Windows\system32\Bnqned32.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1840 -
C:\Windows\SysWOW64\Bmcnqama.exeC:\Windows\system32\Bmcnqama.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2180 -
C:\Windows\SysWOW64\Bejfao32.exeC:\Windows\system32\Bejfao32.exe61⤵
- Executes dropped EXE
PID:1088 -
C:\Windows\SysWOW64\Bgibnj32.exeC:\Windows\system32\Bgibnj32.exe62⤵
- Executes dropped EXE
PID:3068 -
C:\Windows\SysWOW64\Bflbigdb.exeC:\Windows\system32\Bflbigdb.exe63⤵
- Executes dropped EXE
PID:1860 -
C:\Windows\SysWOW64\Cjgoje32.exeC:\Windows\system32\Cjgoje32.exe64⤵
- Executes dropped EXE
PID:1516 -
C:\Windows\SysWOW64\Cmfkfa32.exeC:\Windows\system32\Cmfkfa32.exe65⤵
- Executes dropped EXE
PID:1856 -
C:\Windows\SysWOW64\Cpdgbm32.exeC:\Windows\system32\Cpdgbm32.exe66⤵PID:2552
-
C:\Windows\SysWOW64\Cgkocj32.exeC:\Windows\system32\Cgkocj32.exe67⤵
- Modifies registry class
PID:884 -
C:\Windows\SysWOW64\Cfnoogbo.exeC:\Windows\system32\Cfnoogbo.exe68⤵PID:2104
-
C:\Windows\SysWOW64\Cjjkpe32.exeC:\Windows\system32\Cjjkpe32.exe69⤵PID:2256
-
C:\Windows\SysWOW64\Cmhglq32.exeC:\Windows\system32\Cmhglq32.exe70⤵PID:2732
-
C:\Windows\SysWOW64\Cacclpae.exeC:\Windows\system32\Cacclpae.exe71⤵PID:2840
-
C:\Windows\SysWOW64\Ccbphk32.exeC:\Windows\system32\Ccbphk32.exe72⤵
- System Location Discovery: System Language Discovery
PID:3044 -
C:\Windows\SysWOW64\Cfpldf32.exeC:\Windows\system32\Cfpldf32.exe73⤵PID:2148
-
C:\Windows\SysWOW64\Cjlheehe.exeC:\Windows\system32\Cjlheehe.exe74⤵PID:1328
-
C:\Windows\SysWOW64\Cmjdaqgi.exeC:\Windows\system32\Cmjdaqgi.exe75⤵PID:2920
-
C:\Windows\SysWOW64\Clmdmm32.exeC:\Windows\system32\Clmdmm32.exe76⤵PID:1896
-
C:\Windows\SysWOW64\Cpiqmlfm.exeC:\Windows\system32\Cpiqmlfm.exe77⤵PID:2900
-
C:\Windows\SysWOW64\Ccdmnj32.exeC:\Windows\system32\Ccdmnj32.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2956 -
C:\Windows\SysWOW64\Cbgmigeq.exeC:\Windows\system32\Cbgmigeq.exe79⤵PID:2700
-
C:\Windows\SysWOW64\Ceeieced.exeC:\Windows\system32\Ceeieced.exe80⤵PID:1600
-
C:\Windows\SysWOW64\Ciaefa32.exeC:\Windows\system32\Ciaefa32.exe81⤵PID:1764
-
C:\Windows\SysWOW64\Cpkmcldj.exeC:\Windows\system32\Cpkmcldj.exe82⤵PID:612
-
C:\Windows\SysWOW64\Cnnnnh32.exeC:\Windows\system32\Cnnnnh32.exe83⤵PID:776
-
C:\Windows\SysWOW64\Cfeepelg.exeC:\Windows\system32\Cfeepelg.exe84⤵PID:984
-
C:\Windows\SysWOW64\Cehfkb32.exeC:\Windows\system32\Cehfkb32.exe85⤵PID:2536
-
C:\Windows\SysWOW64\Cicalakk.exeC:\Windows\system32\Cicalakk.exe86⤵PID:2800
-
C:\Windows\SysWOW64\Chfbgn32.exeC:\Windows\system32\Chfbgn32.exe87⤵PID:2744
-
C:\Windows\SysWOW64\Cpmjhk32.exeC:\Windows\system32\Cpmjhk32.exe88⤵PID:2740
-
C:\Windows\SysWOW64\Cblfdg32.exeC:\Windows\system32\Cblfdg32.exe89⤵PID:2680
-
C:\Windows\SysWOW64\Daofpchf.exeC:\Windows\system32\Daofpchf.exe90⤵PID:2352
-
C:\Windows\SysWOW64\Difnaqih.exeC:\Windows\system32\Difnaqih.exe91⤵PID:3008
-
C:\Windows\SysWOW64\Dhiomn32.exeC:\Windows\system32\Dhiomn32.exe92⤵PID:2952
-
C:\Windows\SysWOW64\Djgkii32.exeC:\Windows\system32\Djgkii32.exe93⤵PID:2356
-
C:\Windows\SysWOW64\Dbncjf32.exeC:\Windows\system32\Dbncjf32.exe94⤵PID:568
-
C:\Windows\SysWOW64\Demofaol.exeC:\Windows\system32\Demofaol.exe95⤵PID:1972
-
C:\Windows\SysWOW64\Ddpobo32.exeC:\Windows\system32\Ddpobo32.exe96⤵PID:1364
-
C:\Windows\SysWOW64\Dlfgcl32.exeC:\Windows\system32\Dlfgcl32.exe97⤵PID:2032
-
C:\Windows\SysWOW64\Dkigoimd.exeC:\Windows\system32\Dkigoimd.exe98⤵
- System Location Discovery: System Language Discovery
PID:840 -
C:\Windows\SysWOW64\Doecog32.exeC:\Windows\system32\Doecog32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1324 -
C:\Windows\SysWOW64\Dmhdkdlg.exeC:\Windows\system32\Dmhdkdlg.exe100⤵PID:2020
-
C:\Windows\SysWOW64\Dacpkc32.exeC:\Windows\system32\Dacpkc32.exe101⤵PID:1892
-
C:\Windows\SysWOW64\Dhmhhmlm.exeC:\Windows\system32\Dhmhhmlm.exe102⤵PID:2728
-
C:\Windows\SysWOW64\Dfphcj32.exeC:\Windows\system32\Dfphcj32.exe103⤵
- System Location Discovery: System Language Discovery
PID:1536 -
C:\Windows\SysWOW64\Dklddhka.exeC:\Windows\system32\Dklddhka.exe104⤵PID:2648
-
C:\Windows\SysWOW64\Dogpdg32.exeC:\Windows\system32\Dogpdg32.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1308 -
C:\Windows\SysWOW64\Dafmqb32.exeC:\Windows\system32\Dafmqb32.exe106⤵PID:2964
-
C:\Windows\SysWOW64\Dddimn32.exeC:\Windows\system32\Dddimn32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2972 -
C:\Windows\SysWOW64\Dhpemm32.exeC:\Windows\system32\Dhpemm32.exe108⤵PID:2288
-
C:\Windows\SysWOW64\Dknajh32.exeC:\Windows\system32\Dknajh32.exe109⤵PID:2888
-
C:\Windows\SysWOW64\Diaaeepi.exeC:\Windows\system32\Diaaeepi.exe110⤵PID:916
-
C:\Windows\SysWOW64\Dmmmfc32.exeC:\Windows\system32\Dmmmfc32.exe111⤵PID:352
-
C:\Windows\SysWOW64\Dahifbpk.exeC:\Windows\system32\Dahifbpk.exe112⤵PID:2264
-
C:\Windows\SysWOW64\Ddfebnoo.exeC:\Windows\system32\Ddfebnoo.exe113⤵PID:2156
-
C:\Windows\SysWOW64\Dbifnj32.exeC:\Windows\system32\Dbifnj32.exe114⤵PID:2864
-
C:\Windows\SysWOW64\Dgeaoinb.exeC:\Windows\system32\Dgeaoinb.exe115⤵
- Drops file in System32 directory
PID:2676 -
C:\Windows\SysWOW64\Dicnkdnf.exeC:\Windows\system32\Dicnkdnf.exe116⤵PID:2140
-
C:\Windows\SysWOW64\Dmojkc32.exeC:\Windows\system32\Dmojkc32.exe117⤵PID:2692
-
C:\Windows\SysWOW64\Elajgpmj.exeC:\Windows\system32\Elajgpmj.exe118⤵PID:2060
-
C:\Windows\SysWOW64\Epmfgo32.exeC:\Windows\system32\Epmfgo32.exe119⤵PID:2516
-
C:\Windows\SysWOW64\Eclbcj32.exeC:\Windows\system32\Eclbcj32.exe120⤵PID:1880
-
C:\Windows\SysWOW64\Eejopecj.exeC:\Windows\system32\Eejopecj.exe121⤵PID:2644
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-