Analysis
max time kernel: 111s
max time network: 19s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 25-12-2024 01:05
Static task: static1
Behavioral task: behavioral1 (sample 9e91dc4c17f7186c3ba6428439f387d6bbbe379a34202bf7951218db3438b599.exe, resource win7-20241010-en)
Behavioral task: behavioral2 (sample 9e91dc4c17f7186c3ba6428439f387d6bbbe379a34202bf7951218db3438b599.exe, resource win10v2004-20241007-en)
General
Target: 9e91dc4c17f7186c3ba6428439f387d6bbbe379a34202bf7951218db3438b599.exe
Size: 512KB
MD5: d6ad998775b02db10a15a4f12c61d035
SHA1: e0193e146c318d6ebe59816e6b625d60de293a30
SHA256: 9e91dc4c17f7186c3ba6428439f387d6bbbe379a34202bf7951218db3438b599
SHA512: 8e517198cb1d243aeb46f9a720d9ef1bd09e760da192532450e20b01b21c14fd071c90d24cf5097574b228e13da016f3d4984005ede2f855eebdffe84d447102
SSDEEP: 6144:YpxY+EC2+UZP8VU5tTO/ENURQPTlyl48pArv8kEVS1aHr:YpxYnDUG5t1sI5yl48pArv8o4L
Malware Config
Extracted family: berbew
http://tat-neftbank.ru/kkq.php
http://tat-neftbank.ru/wcmd.htm
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
ShellServiceObjectDelayLoad (SSODL) holds CLSIDs that Explorer.exe instantiates when the shell starts. The value written here, Web Event Logger = {79FEACFF-FFCE-815E-A900-316290B5B738}, is the same CLSID whose InProcServer32 is registered under "Modifies registry class" below, so every logon loads the dropped DLL into Explorer without a Run key, a service or a scheduled task. The value name is chosen to look like a Windows component; it is not a stock SSODL entry.
Key: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Set value (str) Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}", by process (32): Bcbedm32.exe, Cmqmgedi.exe, Idofmp32.exe, Milcphgf.exe, Jfgnbi32.exe, Macnjk32.exe, Gickgl32.exe, Lafgdfbm.exe, Lfckko32.exe, Difcpc32.exe, Flnpoe32.exe, Omnpgqdo.exe, Iaheqe32.exe, Ajipmocp.exe, Kpliac32.exe, Iccqedfa.exe, Pjdlkeln.exe, Elpldp32.exe, Ilnqhddd.exe, Cbdpag32.exe, Oldajoho.exe, Nmfblk32.exe, Hinlck32.exe, Lodbhp32.exe, Efbpihoo.exe, Mnbpgb32.exe, Kgcbpemp.exe, Faapbk32.exe, Hcaehhnd.exe, Bfgikgjq.exe, Beqogc32.exe, Cenjoi32.exe
Key created, by process (32): Jdgeanne.exe, Cmnlphjd.exe, Phfaknce.exe, Ddgljced.exe, Cmmcae32.exe, Bcgoolln.exe, Lgdcom32.exe, Eekpknlf.exe, Pcdnpp32.exe, Abieajgi.exe, Qfbcae32.exe, Hbfalpab.exe, Fojnhlch.exe, Likbpceb.exe, Ppdbepon.exe, Gickgl32.exe, Ggjhfpqf.exe, Oicbma32.exe, Knkbimbg.exe, Kmbgnl32.exe, Ckeffdmi.exe, Lifqbjpk.exe, Ncjgao32.exe, Doflofbf.exe, Lldkem32.exe, Ljbmdmfc.exe, Ofoemm32.exe, Npfhjifm.exe, Mbhnpplb.exe, Panpgn32.exe, Ofbgbaio.exe, Cpdeghgk.exe
Berbew family
Executes dropped EXE (64 IoCs)
pid Process:
2892 Mifmoa32.exe, 2852 Memncbmj.exe, 3040 Nnfbmgcj.exe, 2752 Oepghe32.exe, 2796 Okolfkjg.exe, 868 Pcagkmaj.exe, 2024 Pjpicfdb.exe, 2092 Aocgll32.exe,
2184 Adbmjbif.exe, 3024 Bfkobj32.exe, 2516 Beplcfmd.exe, 324 Cgeopqfp.exe, 2252 Cpemob32.exe, 2280 Cpgieb32.exe, 908 Dabicikf.exe, 320 Ehjqif32.exe,
1724 Febjmj32.exe, 1572 Fkdlaplh.exe, 1812 Fcoaebjc.exe, 936 Gmjbchnq.exe, 1544 Gmloigln.exe, 2600 Gmnlog32.exe, 2684 Hgjieedg.exe, 2492 Hccfoehi.exe,
1928 Hmlkhk32.exe, 664 Ilceog32.exe, 2324 Iigehk32.exe, 2944 Ifkfap32.exe, 2168 Iilocklc.exe, 2588 Ilmgef32.exe, 2780 Jpomnilc.exe, 2180 Jpajdi32.exe,
1692 Jeblgodb.exe, 2348 Jlmddi32.exe, 2496 Kegebn32.exe, 2188 Khhndi32.exe, 1444 Kkigfdjo.exe, 836 Lphlck32.exe, 2292 Lfgaaa32.exe, 1760 Lckbkfbb.exe,
1844 Ldokhn32.exe, 560 Mdahnmck.exe, 1052 Moflkfca.exe, 1680 Mflgkd32.exe, 860 Nqakim32.exe, 2400 Npfhjifm.exe, 1152 Nmjicn32.exe, 1664 Neemgp32.exe,
2828 Nehjmppo.exe, 1612 Oaaghp32.exe, 2904 Oacdmpan.exe, 2996 Oiniaboi.exe, 2612 Oiqegb32.exe, 1936 Oicbma32.exe, 2716 Pfgcff32.exe, 2136 Pelpgb32.exe,
3028 Pbppqf32.exe, 2696 Plheil32.exe, 2260 Phoeomjc.exe, 2484 Ppjjcogn.exe, 2568 Qicoleno.exe, 1556 Qkbkfh32.exe, 1840 Agilkijf.exe, 2388 Aodqok32.exe
Loads dropped DLL (64 IoCs)
pid Process; each pair below appears twice in the raw output (two dropped-DLL loads per process):
2448 9e91dc4c17f7186c3ba6428439f387d6bbbe379a34202bf7951218db3438b599.exe, 2892 Mifmoa32.exe, 2852 Memncbmj.exe, 3040 Nnfbmgcj.exe, 2752 Oepghe32.exe, 2796 Okolfkjg.exe, 868 Pcagkmaj.exe, 2024 Pjpicfdb.exe,
2092 Aocgll32.exe, 2184 Adbmjbif.exe, 3024 Bfkobj32.exe, 2516 Beplcfmd.exe, 324 Cgeopqfp.exe, 2252 Cpemob32.exe, 2280 Cpgieb32.exe, 908 Dabicikf.exe,
320 Ehjqif32.exe, 1724 Febjmj32.exe, 1572 Fkdlaplh.exe, 1812 Fcoaebjc.exe, 936 Gmjbchnq.exe, 1544 Gmloigln.exe, 2600 Gmnlog32.exe, 2684 Hgjieedg.exe,
2492 Hccfoehi.exe, 1928 Hmlkhk32.exe, 664 Ilceog32.exe, 2324 Iigehk32.exe, 2944 Ifkfap32.exe, 2168 Iilocklc.exe, 2588 Ilmgef32.exe, 2780 Jpomnilc.exe
Drops file in System32 directory (64 IoCs)
description ioc Process:
File opened for modification C:\Windows\SysWOW64\Elpldp32.exe Eiocbd32.exe
File created C:\Windows\SysWOW64\Edkahbmo.exe Elpldp32.exe
File opened for modification C:\Windows\SysWOW64\Lojeda32.exe Leaallcb.exe
File created C:\Windows\SysWOW64\Nnfeep32.exe Niilmi32.exe
File created C:\Windows\SysWOW64\Flnpoe32.exe Fcckjb32.exe
File created C:\Windows\SysWOW64\Bfgikgjq.exe Bmndbb32.exe
File created C:\Windows\SysWOW64\Ofbgjk32.dll Ndadld32.exe
File created C:\Windows\SysWOW64\Hccfoehi.exe Hgjieedg.exe
File opened for modification C:\Windows\SysWOW64\Hidekn32.exe Hkpdbj32.exe
File opened for modification C:\Windows\SysWOW64\Ejoagm32.exe Ejleamon.exe
File opened for modification C:\Windows\SysWOW64\Dmcidqlf.exe Dlblmh32.exe
File opened for modification C:\Windows\SysWOW64\Emnelbdi.exe Ebhani32.exe
File opened for modification C:\Windows\SysWOW64\Kkglim32.exe Klapha32.exe
File opened for modification C:\Windows\SysWOW64\Ecfcle32.exe Egmeadbk.exe
File opened for modification C:\Windows\SysWOW64\Poplqm32.exe Pdkgcd32.exe
File created C:\Windows\SysWOW64\Nkpbjn32.dll Mnbpgb32.exe
File created C:\Windows\SysWOW64\Epdafl32.exe Dejqenmh.exe
File opened for modification C:\Windows\SysWOW64\Hjlhcegl.exe Hadckp32.exe
File created C:\Windows\SysWOW64\Njaoeq32.exe Nplkhh32.exe
File created C:\Windows\SysWOW64\Aaiodh32.exe Qnkgnj32.exe
File created C:\Windows\SysWOW64\Dhnoocab.exe Coejfn32.exe
File opened for modification C:\Windows\SysWOW64\Mnllppfh.exe Medggj32.exe
File created C:\Windows\SysWOW64\Kpliac32.exe Kdehmb32.exe
File created C:\Windows\SysWOW64\Febmfcjj.exe Foidii32.exe
File created C:\Windows\SysWOW64\Bmpjiqdi.dll Blabef32.exe
File created C:\Windows\SysWOW64\Npempg32.dll Gjmpfp32.exe
File opened for modification C:\Windows\SysWOW64\Nifhop32.exe Nfglcd32.exe
File created C:\Windows\SysWOW64\Fhifmcfa.exe Epdncb32.exe
File created C:\Windows\SysWOW64\Jemkai32.exe Jifkmh32.exe
File created C:\Windows\SysWOW64\Njkjihdl.dll Okbgkk32.exe
File created C:\Windows\SysWOW64\Hmdohj32.exe Hfhjfp32.exe
File opened for modification C:\Windows\SysWOW64\Knapen32.exe Kkpgdc32.exe
File created C:\Windows\SysWOW64\Andaoqjp.dll Nlgfbh32.exe
File created C:\Windows\SysWOW64\Mdjnge32.exe Ldhaaefi.exe
File opened for modification C:\Windows\SysWOW64\Lfhgng32.exe Ljoidf32.exe
File created C:\Windows\SysWOW64\Lfgaaa32.exe Lphlck32.exe
File created C:\Windows\SysWOW64\Hjiijqhk.dll Ppafopqq.exe
File created C:\Windows\SysWOW64\Nihedodm.exe Nifhop32.exe
File created C:\Windows\SysWOW64\Ijhkembk.exe Ijenpn32.exe
File opened for modification C:\Windows\SysWOW64\Cemfnh32.exe Cdnicemo.exe
File created C:\Windows\SysWOW64\Pqcncnpe.exe Pnbeacbd.exe
File created C:\Windows\SysWOW64\Ekglac32.dll Mkjibnbn.exe
File created C:\Windows\SysWOW64\Oiqegb32.exe Oiniaboi.exe
File opened for modification C:\Windows\SysWOW64\Lajgnb32.exe Ldfgdn32.exe
File opened for modification C:\Windows\SysWOW64\Najbbepc.exe Nceeaikk.exe
File created C:\Windows\SysWOW64\Qajiek32.exe Qjqqianh.exe
File opened for modification C:\Windows\SysWOW64\Lgjcdc32.exe Ljfckodo.exe
File created C:\Windows\SysWOW64\Piaebfcm.dll Nkmkgc32.exe
File opened for modification C:\Windows\SysWOW64\Apglgfde.exe Apdobg32.exe
File created C:\Windows\SysWOW64\Japjgqec.dll Jfdgnf32.exe
File opened for modification C:\Windows\SysWOW64\Boiagp32.exe Bcbabodk.exe
File created C:\Windows\SysWOW64\Defbjb32.dll Dddodd32.exe
File created C:\Windows\SysWOW64\Hfhjfp32.exe Hpnbjfjj.exe
File created C:\Windows\SysWOW64\Appccjdl.dll Ppdbepon.exe
File opened for modification C:\Windows\SysWOW64\Hfjfpkji.exe Gnmdfi32.exe
File created C:\Windows\SysWOW64\Nlgqod32.dll Dopkai32.exe
File opened for modification C:\Windows\SysWOW64\Iccqedfa.exe Iapghlbe.exe
File opened for modification C:\Windows\SysWOW64\Mcoioi32.exe Mnbpgb32.exe
File created C:\Windows\SysWOW64\Lddmdd32.dll Jgbboa32.exe
File opened for modification C:\Windows\SysWOW64\Akadmnlg.exe Aaiodh32.exe
File created C:\Windows\SysWOW64\Bimdkidd.dll Ahdkhp32.exe
File created C:\Windows\SysWOW64\Lppikp32.dll Cmocha32.exe
File created C:\Windows\SysWOW64\Igoagpja.exe Ikfdmogp.exe
File created C:\Windows\SysWOW64\Fnkchahn.exe Fbebcp32.exe
Program crash (1 IoC)
pid 3668 (WerFault.exe), pid_target 1836, procid_target 971
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host. On its own this is a weak signal: many legitimate installers and runtimes read the same key, so it is useful for context, not as a standalone detection.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
By process (64): Fhpflblk.exe, Miqmkh32.exe, Innfbb32.exe, Ehjqif32.exe, Hhfqejoh.exe, Lldkem32.exe, Ofaaghom.exe, Memncbmj.exe, Ebkndibq.exe, Nebijfkj.exe, Hkpaoape.exe, Moloidjl.exe, Cajmbd32.exe, Ejoagm32.exe, Djcpqidc.exe, Fliefa32.exe, Ilohnopg.exe, Apglgfde.exe, Bfgikgjq.exe, Impdeg32.exe, Cpadpg32.exe, Abnpjnem.exe, Hblidd32.exe, Edgfpbcl.exe, Ilaieljl.exe, Cenjoi32.exe, Lpfmefdc.exe, Belfldoh.exe, Goohckob.exe, Bciohe32.exe, Ibmhlpge.exe, Jpomnilc.exe, Gmjbchnq.exe, Fmhaep32.exe, Ncplfj32.exe, Mfdklc32.exe, Nlgfbh32.exe, Jdnkamhm.exe, Apcfqd32.exe, Pikaqppk.exe, Gpccgppq.exe, Fdpmljan.exe, Edghighp.exe, Napdpchk.exe, Diaecf32.exe, Ggppdpif.exe, Eqninhmc.exe, Acqpdgni.exe, Kbchbi32.exe, Imppciin.exe, Knckbe32.exe, Hddgkj32.exe, Fniikj32.exe, Cbjbof32.exe, Fkdlaplh.exe, Nmjicn32.exe, Olokighn.exe, Bjjcdp32.exe, Epgabhdg.exe, Eekpknlf.exe, Jfnchd32.exe, Ijipbchn.exe, Bncpffdn.exe, Cnpieceq.exe
Modifies registry class (64 IoCs)
The default value of InProcServer32 is the DLL COM loads when the CLSID is instantiated, so these writes complete the SSODL persistence above: each generation re-points the same CLSID at the DLL it just dropped into SysWOW64 (Npempg32.dll from Gjmpfp32.exe and Ekglac32.dll from Mkjibnbn.exe also appear under "Drops file in System32 directory"). Only the most recent write matters at the next logon; the rest are the same key being rewritten by successive generations of the chain.
Key: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32
Key created, by process (22): Iiflgi32.exe, Oeobidll.exe, Lpmhgc32.exe, Efbpihoo.exe, Pmoqfi32.exe, Mjlbcd32.exe, Nihedodm.exe, Hmlkhk32.exe, Jcknqicd.exe, Cbpbek32.exe, Nkmkgc32.exe, Adkbgf32.exe, Obpbhk32.exe, Fgpcgi32.exe, Cqokoeig.exe, Odkkdqmd.exe, Dcofqphi.exe, Fhcejjal.exe, Cbcgmi32.exe, Dbgmglin.exe, Mdahnmck.exe, Ggjhfpqf.exe
Set value (str) ThreadingModel = "Apartment", by process (19): Eklicjkf.exe, Macnjk32.exe, Ajbdpblo.exe, Lpiqel32.exe, Acnqen32.exe, Ceqlff32.exe, Mikjmi32.exe, Iocekd32.exe, Enpoje32.exe, Bqjcli32.exe, Lfgaaa32.exe, Lbjlppja.exe, Fimpcc32.exe, Ndadld32.exe, Dopkai32.exe, Gggkqq32.exe, Lddjmb32.exe, Dpmlcpdm.exe, Mefiog32.exe
Set value (str) (Default) = DLL path, process -> data (23; backslash escaping removed): Gjmpfp32.exe -> C:\Windows\SysWow64\Npempg32.dll, Cknikooe.exe -> C:\Windows\SysWow64\Mhamllfc.dll, Gafelnkb.exe -> C:\Windows\SysWow64\Agnmaafg.dll, Coknmp32.exe -> C:\Windows\SysWow64\Fkhpogmi.dll, Jmmmbg32.exe -> C:\Windows\SysWow64\Jljkakol.dll, Hkpaoape.exe -> C:\Windows\SysWow64\Bebkdqbc.dll, Eqninhmc.exe -> C:\Windows\SysWow64\Djeoml32.dll, Ljfckodo.exe -> C:\Windows\SysWow64\Cekfdc32.dll, Ebhani32.exe -> C:\Windows\SysWow64\Ngllhqkp.dll, Cpemob32.exe -> C:\Windows\SysWow64\Lpkcam32.dll, Cmlpjhlf.exe -> C:\Windows\SysWow64\Cjqcoe32.dll, Leqjcb32.exe -> C:\Windows\SysWow64\Idkbll32.dll, Mkjibnbn.exe -> C:\Windows\SysWow64\Ekglac32.dll, Qcgmnh32.exe -> C:\Windows\SysWow64\Badbapio.dll, Pmoqfi32.exe -> C:\Windows\SysWow64\Bnmhejjl.dll, Ncplfj32.exe -> C:\Windows\SysWow64\Fcgocdok.dll, Dpmeij32.exe -> C:\Windows\SysWow64\Bjmgmelp.dll, Ajipmocp.exe -> C:\Windows\SysWow64\Dedhaq32.dll, Hmehlibq.exe -> C:\Windows\SysWow64\Moidkk32.dll, Mheqie32.exe -> C:\Windows\SysWow64\Ipgngg32.dll, Opghmjfg.exe -> C:\Windows\SysWow64\Bleeofog.dll, Lojeda32.exe -> C:\Windows\SysWow64\Ncmbldke.dll, Dhnoocab.exe -> C:\Windows\SysWow64\Jmkeqo32.dll
Suspicious use of WriteProcessMemory 64 IoCs

description pid Process procid_target
PID 2448 wrote to memory of 2892 2448 9e91dc4c17f7186c3ba6428439f387d6bbbe379a34202bf7951218db3438b599.exe 29
PID 2448 wrote to memory of 2892 2448 9e91dc4c17f7186c3ba6428439f387d6bbbe379a34202bf7951218db3438b599.exe 29
PID 2448 wrote to memory of 2892 2448 9e91dc4c17f7186c3ba6428439f387d6bbbe379a34202bf7951218db3438b599.exe 29
PID 2448 wrote to memory of 2892 2448 9e91dc4c17f7186c3ba6428439f387d6bbbe379a34202bf7951218db3438b599.exe 29
PID 2892 wrote to memory of 2852 2892 Mifmoa32.exe 30
PID 2892 wrote to memory of 2852 2892 Mifmoa32.exe 30
PID 2892 wrote to memory of 2852 2892 Mifmoa32.exe 30
PID 2892 wrote to memory of 2852 2892 Mifmoa32.exe 30
PID 2852 wrote to memory of 3040 2852 Memncbmj.exe 31
PID 2852 wrote to memory of 3040 2852 Memncbmj.exe 31
PID 2852 wrote to memory of 3040 2852 Memncbmj.exe 31
PID 2852 wrote to memory of 3040 2852 Memncbmj.exe 31
PID 3040 wrote to memory of 2752 3040 Nnfbmgcj.exe 32
PID 3040 wrote to memory of 2752 3040 Nnfbmgcj.exe 32
PID 3040 wrote to memory of 2752 3040 Nnfbmgcj.exe 32
PID 3040 wrote to memory of 2752 3040 Nnfbmgcj.exe 32
PID 2752 wrote to memory of 2796 2752 Oepghe32.exe 33
PID 2752 wrote to memory of 2796 2752 Oepghe32.exe 33
PID 2752 wrote to memory of 2796 2752 Oepghe32.exe 33
PID 2752 wrote to memory of 2796 2752 Oepghe32.exe 33
PID 2796 wrote to memory of 868 2796 Okolfkjg.exe 34
PID 2796 wrote to memory of 868 2796 Okolfkjg.exe 34
PID 2796 wrote to memory of 868 2796 Okolfkjg.exe 34
PID 2796 wrote to memory of 868 2796 Okolfkjg.exe 34
PID 868 wrote to memory of 2024 868 Pcagkmaj.exe 35
PID 868 wrote to memory of 2024 868 Pcagkmaj.exe 35
PID 868 wrote to memory of 2024 868 Pcagkmaj.exe 35
PID 868 wrote to memory of 2024 868 Pcagkmaj.exe 35
PID 2024 wrote to memory of 2092 2024 Pjpicfdb.exe 36
PID 2024 wrote to memory of 2092 2024 Pjpicfdb.exe 36
PID 2024 wrote to memory of 2092 2024 Pjpicfdb.exe 36
PID 2024 wrote to memory of 2092 2024 Pjpicfdb.exe 36
PID 2092 wrote to memory of 2184 2092 Aocgll32.exe 37
PID 2092 wrote to memory of 2184 2092 Aocgll32.exe 37
PID 2092 wrote to memory of 2184 2092 Aocgll32.exe 37
PID 2092 wrote to memory of 2184 2092 Aocgll32.exe 37
PID 2184 wrote to memory of 3024 2184 Adbmjbif.exe 38
PID 2184 wrote to memory of 3024 2184 Adbmjbif.exe 38
PID 2184 wrote to memory of 3024 2184 Adbmjbif.exe 38
PID 2184 wrote to memory of 3024 2184 Adbmjbif.exe 38
PID 3024 wrote to memory of 2516 3024 Bfkobj32.exe 39
PID 3024 wrote to memory of 2516 3024 Bfkobj32.exe 39
PID 3024 wrote to memory of 2516 3024 Bfkobj32.exe 39
PID 3024 wrote to memory of 2516 3024 Bfkobj32.exe 39
PID 2516 wrote to memory of 324 2516 Beplcfmd.exe 40
PID 2516 wrote to memory of 324 2516 Beplcfmd.exe 40
PID 2516 wrote to memory of 324 2516 Beplcfmd.exe 40
PID 2516 wrote to memory of 324 2516 Beplcfmd.exe 40
PID 324 wrote to memory of 2252 324 Cgeopqfp.exe 41
PID 324 wrote to memory of 2252 324 Cgeopqfp.exe 41
PID 324 wrote to memory of 2252 324 Cgeopqfp.exe 41
PID 324 wrote to memory of 2252 324 Cgeopqfp.exe 41
PID 2252 wrote to memory of 2280 2252 Cpemob32.exe 42
PID 2252 wrote to memory of 2280 2252 Cpemob32.exe 42
PID 2252 wrote to memory of 2280 2252 Cpemob32.exe 42
PID 2252 wrote to memory of 2280 2252 Cpemob32.exe 42
PID 2280 wrote to memory of 908 2280 Cpgieb32.exe 43
PID 2280 wrote to memory of 908 2280 Cpgieb32.exe 43
PID 2280 wrote to memory of 908 2280 Cpgieb32.exe 43
PID 2280 wrote to memory of 908 2280 Cpgieb32.exe 43
PID 908 wrote to memory of 320 908 Dabicikf.exe 44
PID 908 wrote to memory of 320 908 Dabicikf.exe 44
PID 908 wrote to memory of 320 908 Dabicikf.exe 44
PID 908 wrote to memory of 320 908 Dabicikf.exe 44
Processes

C:\Users\Admin\AppData\Local\Temp\9e91dc4c17f7186c3ba6428439f387d6bbbe379a34202bf7951218db3438b599.exe (command line: "C:\Users\Admin\AppData\Local\Temp\9e91dc4c17f7186c3ba6428439f387d6bbbe379a34202bf7951218db3438b599.exe", depth 1, PID 2448)
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Mifmoa32.exe (command line: C:\Windows\system32\Mifmoa32.exe, depth 2, PID 2892)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Memncbmj.exe (command line: C:\Windows\system32\Memncbmj.exe, depth 3, PID 2852)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Nnfbmgcj.exe (command line: C:\Windows\system32\Nnfbmgcj.exe, depth 4, PID 3040)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Oepghe32.exe (command line: C:\Windows\system32\Oepghe32.exe, depth 5, PID 2752)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Okolfkjg.exe (command line: C:\Windows\system32\Okolfkjg.exe, depth 6, PID 2796)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Pcagkmaj.exe (command line: C:\Windows\system32\Pcagkmaj.exe, depth 7, PID 868)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Pjpicfdb.exe (command line: C:\Windows\system32\Pjpicfdb.exe, depth 8, PID 2024)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Aocgll32.exe (command line: C:\Windows\system32\Aocgll32.exe, depth 9, PID 2092)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Adbmjbif.exe (command line: C:\Windows\system32\Adbmjbif.exe, depth 10, PID 2184)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Bfkobj32.exe (command line: C:\Windows\system32\Bfkobj32.exe, depth 11, PID 3024)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Beplcfmd.exe (command line: C:\Windows\system32\Beplcfmd.exe, depth 12, PID 2516)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Cgeopqfp.exe (command line: C:\Windows\system32\Cgeopqfp.exe, depth 13, PID 324)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Cpemob32.exe (command line: C:\Windows\system32\Cpemob32.exe, depth 14, PID 2252)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Cpgieb32.exe (command line: C:\Windows\system32\Cpgieb32.exe, depth 15, PID 2280)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Dabicikf.exe (command line: C:\Windows\system32\Dabicikf.exe, depth 16, PID 908)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Ehjqif32.exe (command line: C:\Windows\system32\Ehjqif32.exe, depth 17, PID 320)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\Febjmj32.exe (command line: C:\Windows\system32\Febjmj32.exe, depth 18, PID 1724)
- Executes dropped EXE
- Loads dropped DLL

C:\Windows\SysWOW64\Fkdlaplh.exe (command line: C:\Windows\system32\Fkdlaplh.exe, depth 19, PID 1572)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\Fcoaebjc.exe (command line: C:\Windows\system32\Fcoaebjc.exe, depth 20, PID 1812)
- Executes dropped EXE
- Loads dropped DLL

C:\Windows\SysWOW64\Gmjbchnq.exe (command line: C:\Windows\system32\Gmjbchnq.exe, depth 21, PID 936)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\Gmloigln.exe (command line: C:\Windows\system32\Gmloigln.exe, depth 22, PID 1544)
- Executes dropped EXE
- Loads dropped DLL

C:\Windows\SysWOW64\Gmnlog32.exe (command line: C:\Windows\system32\Gmnlog32.exe, depth 23, PID 2600)
- Executes dropped EXE
- Loads dropped DLL

C:\Windows\SysWOW64\Hgjieedg.exe (command line: C:\Windows\system32\Hgjieedg.exe, depth 24, PID 2684)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory

C:\Windows\SysWOW64\Hccfoehi.exe (command line: C:\Windows\system32\Hccfoehi.exe, depth 25, PID 2492)
- Executes dropped EXE
- Loads dropped DLL

C:\Windows\SysWOW64\Hmlkhk32.exe (command line: C:\Windows\system32\Hmlkhk32.exe, depth 26, PID 1928)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class

C:\Windows\SysWOW64\Ilceog32.exe (command line: C:\Windows\system32\Ilceog32.exe, depth 27, PID 664)
- Executes dropped EXE
- Loads dropped DLL

C:\Windows\SysWOW64\Iigehk32.exe (command line: C:\Windows\system32\Iigehk32.exe, depth 28, PID 2324)
- Executes dropped EXE
- Loads dropped DLL

C:\Windows\SysWOW64\Ifkfap32.exe (command line: C:\Windows\system32\Ifkfap32.exe, depth 29, PID 2944)
- Executes dropped EXE
- Loads dropped DLL

C:\Windows\SysWOW64\Iilocklc.exe (command line: C:\Windows\system32\Iilocklc.exe, depth 30, PID 2168)
- Executes dropped EXE
- Loads dropped DLL

C:\Windows\SysWOW64\Ilmgef32.exe (command line: C:\Windows\system32\Ilmgef32.exe, depth 31, PID 2588)
- Executes dropped EXE
- Loads dropped DLL

C:\Windows\SysWOW64\Jpomnilc.exe (command line: C:\Windows\system32\Jpomnilc.exe, depth 32, PID 2780)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\Jpajdi32.exe (command line: C:\Windows\system32\Jpajdi32.exe, depth 33, PID 2180)
- Executes dropped EXE

C:\Windows\SysWOW64\Jeblgodb.exe (command line: C:\Windows\system32\Jeblgodb.exe, depth 34, PID 1692)
- Executes dropped EXE

C:\Windows\SysWOW64\Jlmddi32.exe (command line: C:\Windows\system32\Jlmddi32.exe, depth 35, PID 2348)
- Executes dropped EXE

C:\Windows\SysWOW64\Kegebn32.exe (command line: C:\Windows\system32\Kegebn32.exe, depth 36, PID 2496)
- Executes dropped EXE

C:\Windows\SysWOW64\Khhndi32.exe (command line: C:\Windows\system32\Khhndi32.exe, depth 37, PID 2188)
- Executes dropped EXE

C:\Windows\SysWOW64\Kkigfdjo.exe (command line: C:\Windows\system32\Kkigfdjo.exe, depth 38, PID 1444)
- Executes dropped EXE

C:\Windows\SysWOW64\Lphlck32.exe (command line: C:\Windows\system32\Lphlck32.exe, depth 39, PID 836)
- Executes dropped EXE
- Drops file in System32 directory

C:\Windows\SysWOW64\Lfgaaa32.exe (command line: C:\Windows\system32\Lfgaaa32.exe, depth 40, PID 2292)
- Executes dropped EXE
- Modifies registry class

C:\Windows\SysWOW64\Lckbkfbb.exe (command line: C:\Windows\system32\Lckbkfbb.exe, depth 41, PID 1760)
- Executes dropped EXE

C:\Windows\SysWOW64\Ldokhn32.exe (command line: C:\Windows\system32\Ldokhn32.exe, depth 42, PID 1844)
- Executes dropped EXE

C:\Windows\SysWOW64\Mdahnmck.exe (command line: C:\Windows\system32\Mdahnmck.exe, depth 43, PID 560)
- Executes dropped EXE
- Modifies registry class

C:\Windows\SysWOW64\Moflkfca.exe (command line: C:\Windows\system32\Moflkfca.exe, depth 44, PID 1052)
- Executes dropped EXE

C:\Windows\SysWOW64\Mflgkd32.exe (command line: C:\Windows\system32\Mflgkd32.exe, depth 45, PID 1680)
- Executes dropped EXE

C:\Windows\SysWOW64\Nqakim32.exe (command line: C:\Windows\system32\Nqakim32.exe, depth 46, PID 860)
- Executes dropped EXE

C:\Windows\SysWOW64\Npfhjifm.exe (command line: C:\Windows\system32\Npfhjifm.exe, depth 47, PID 2400)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE

C:\Windows\SysWOW64\Nmjicn32.exe (command line: C:\Windows\system32\Nmjicn32.exe, depth 48, PID 1152)
- Executes dropped EXE
- System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\Neemgp32.exe (command line: C:\Windows\system32\Neemgp32.exe, depth 49, PID 1664)
- Executes dropped EXE

C:\Windows\SysWOW64\Nehjmppo.exe (command line: C:\Windows\system32\Nehjmppo.exe, depth 50, PID 2828)
- Executes dropped EXE

C:\Windows\SysWOW64\Oaaghp32.exe (command line: C:\Windows\system32\Oaaghp32.exe, depth 51, PID 1612)
- Executes dropped EXE

C:\Windows\SysWOW64\Oacdmpan.exe (command line: C:\Windows\system32\Oacdmpan.exe, depth 52, PID 2904)
- Executes dropped EXE

C:\Windows\SysWOW64\Oiniaboi.exe (command line: C:\Windows\system32\Oiniaboi.exe, depth 53, PID 2996)
- Executes dropped EXE
- Drops file in System32 directory

C:\Windows\SysWOW64\Oiqegb32.exe (command line: C:\Windows\system32\Oiqegb32.exe, depth 54, PID 2612)
- Executes dropped EXE

C:\Windows\SysWOW64\Oicbma32.exe (command line: C:\Windows\system32\Oicbma32.exe, depth 55, PID 1936)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE

C:\Windows\SysWOW64\Pfgcff32.exe (command line: C:\Windows\system32\Pfgcff32.exe, depth 56, PID 2716)
- Executes dropped EXE

C:\Windows\SysWOW64\Pelpgb32.exe (command line: C:\Windows\system32\Pelpgb32.exe, depth 57, PID 2136)
- Executes dropped EXE

C:\Windows\SysWOW64\Pbppqf32.exe (command line: C:\Windows\system32\Pbppqf32.exe, depth 58, PID 3028)
- Executes dropped EXE

C:\Windows\SysWOW64\Plheil32.exe (command line: C:\Windows\system32\Plheil32.exe, depth 59, PID 2696)
- Executes dropped EXE

C:\Windows\SysWOW64\Phoeomjc.exe (command line: C:\Windows\system32\Phoeomjc.exe, depth 60, PID 2260)
- Executes dropped EXE

C:\Windows\SysWOW64\Ppjjcogn.exe (command line: C:\Windows\system32\Ppjjcogn.exe, depth 61, PID 2484)
- Executes dropped EXE

C:\Windows\SysWOW64\Qicoleno.exe (command line: C:\Windows\system32\Qicoleno.exe, depth 62, PID 2568)
- Executes dropped EXE

C:\Windows\SysWOW64\Qkbkfh32.exe (command line: C:\Windows\system32\Qkbkfh32.exe, depth 63, PID 1556)
- Executes dropped EXE

C:\Windows\SysWOW64\Agilkijf.exe (command line: C:\Windows\system32\Agilkijf.exe, depth 64, PID 1840)
- Executes dropped EXE

C:\Windows\SysWOW64\Aodqok32.exe (command line: C:\Windows\system32\Aodqok32.exe, depth 65, PID 2388)
- Executes dropped EXE

C:\Windows\SysWOW64\Ahmehqna.exe (command line: C:\Windows\system32\Ahmehqna.exe, depth 66, PID 1132)

C:\Windows\SysWOW64\Acbieing.exe (command line: C:\Windows\system32\Acbieing.exe, depth 67, PID 2440)

C:\Windows\SysWOW64\Acdfki32.exe (command line: C:\Windows\system32\Acdfki32.exe, depth 68, PID 2412)

C:\Windows\SysWOW64\Anngkg32.exe (command line: C:\Windows\system32\Anngkg32.exe, depth 69, PID 1200)

C:\Windows\SysWOW64\Ahdkhp32.exe (command line: C:\Windows\system32\Ahdkhp32.exe, depth 70, PID 640)
- Drops file in System32 directory

C:\Windows\SysWOW64\Bblpae32.exe (command line: C:\Windows\system32\Bblpae32.exe, depth 71, PID 2916)

C:\Windows\SysWOW64\Bncpffdn.exe (command line: C:\Windows\system32\Bncpffdn.exe, depth 72, PID 2804)
- System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\Bjjakg32.exe (command line: C:\Windows\system32\Bjjakg32.exe, depth 73, PID 2824)

C:\Windows\SysWOW64\Bcbedm32.exe (command line: C:\Windows\system32\Bcbedm32.exe, depth 74, PID 2076)
- Adds autorun key to be loaded by Explorer.exe on startup

C:\Windows\SysWOW64\Bmjjmbgc.exe (command line: C:\Windows\system32\Bmjjmbgc.exe, depth 75, PID 1140)

C:\Windows\SysWOW64\Bgpnjkgi.exe (command line: C:\Windows\system32\Bgpnjkgi.exe, depth 76, PID 2104)

C:\Windows\SysWOW64\Bcgoolln.exe (command line: C:\Windows\system32\Bcgoolln.exe, depth 77, PID 2108)
- Adds autorun key to be loaded by Explorer.exe on startup

C:\Windows\SysWOW64\Cmocha32.exe (command line: C:\Windows\system32\Cmocha32.exe, depth 78, PID 2844)
- Drops file in System32 directory

C:\Windows\SysWOW64\Cbllph32.exe (command line: C:\Windows\system32\Cbllph32.exe, depth 79, PID 2228)

C:\Windows\SysWOW64\Cbnhfhoc.exe (command line: C:\Windows\system32\Cbnhfhoc.exe, depth 80, PID 2212)

C:\Windows\SysWOW64\Cgkanomj.exe (command line: C:\Windows\system32\Cgkanomj.exe, depth 81, PID 2428)

C:\Windows\SysWOW64\Ciknhb32.exe (command line: C:\Windows\system32\Ciknhb32.exe, depth 82, PID 1096)

C:\Windows\SysWOW64\Ceanmc32.exe (command line: C:\Windows\system32\Ceanmc32.exe, depth 83, PID 1504)

C:\Windows\SysWOW64\Cmmcae32.exe (command line: C:\Windows\system32\Cmmcae32.exe, depth 84, PID 1464)
- Adds autorun key to be loaded by Explorer.exe on startup

C:\Windows\SysWOW64\Dpmlcpdm.exe (command line: C:\Windows\system32\Dpmlcpdm.exe, depth 85, PID 2028)
- Modifies registry class

C:\Windows\SysWOW64\Djcpqidc.exe (command line: C:\Windows\system32\Djcpqidc.exe, depth 86, PID 1700)
- System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\Dfjaej32.exe (command line: C:\Windows\system32\Dfjaej32.exe, depth 87, PID 2236)

C:\Windows\SysWOW64\Ddnaonia.exe (command line: C:\Windows\system32\Ddnaonia.exe, depth 88, PID 2616)

C:\Windows\SysWOW64\Dlifcqfl.exe (command line: C:\Windows\system32\Dlifcqfl.exe, depth 89, PID 2624)

C:\Windows\SysWOW64\Ehpgha32.exe (command line: C:\Windows\system32\Ehpgha32.exe, depth 90, PID 1744)

C:\Windows\SysWOW64\Eiocbd32.exe (command line: C:\Windows\system32\Eiocbd32.exe, depth 91, PID 2128)
- Drops file in System32 directory

C:\Windows\SysWOW64\Elpldp32.exe (command line: C:\Windows\system32\Elpldp32.exe, depth 92, PID 2504)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory

C:\Windows\SysWOW64\Edkahbmo.exe (command line: C:\Windows\system32\Edkahbmo.exe, depth 93, PID 1108)

C:\Windows\SysWOW64\Eaoaafli.exe (command line: C:\Windows\system32\Eaoaafli.exe, depth 94, PID 2116)

C:\Windows\SysWOW64\Epdncb32.exe (command line: C:\Windows\system32\Epdncb32.exe, depth 95, PID 2272)
- Drops file in System32 directory

C:\Windows\SysWOW64\Fhifmcfa.exe (command line: C:\Windows\system32\Fhifmcfa.exe, depth 96, PID 2636)

C:\Windows\SysWOW64\Gnenfjdh.exe (command line: C:\Windows\system32\Gnenfjdh.exe, depth 97, PID 1500)

C:\Windows\SysWOW64\Goekpm32.exe (command line: C:\Windows\system32\Goekpm32.exe, depth 98, PID 932)

C:\Windows\SysWOW64\Ggppdpif.exe (command line: C:\Windows\system32\Ggppdpif.exe, depth 99, PID 1068)
- System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\Gnmdfi32.exe (command line: C:\Windows\system32\Gnmdfi32.exe, depth 100, PID 2584)
- Drops file in System32 directory

C:\Windows\SysWOW64\Hfjfpkji.exe (command line: C:\Windows\system32\Hfjfpkji.exe, depth 101, PID 2976)

C:\Windows\SysWOW64\Hobjia32.exe (command line: C:\Windows\system32\Hobjia32.exe, depth 102, PID 3068)

C:\Windows\SysWOW64\Hikobfgj.exe (command line: C:\Windows\system32\Hikobfgj.exe, depth 103, PID 2256)

C:\Windows\SysWOW64\Hdapggln.exe (command line: C:\Windows\system32\Hdapggln.exe, depth 104, PID 1708)

C:\Windows\SysWOW64\Hnjdpm32.exe (command line: C:\Windows\system32\Hnjdpm32.exe, depth 105, PID 2692)

C:\Windows\SysWOW64\Hbhmfk32.exe (command line: C:\Windows\system32\Hbhmfk32.exe, depth 106, PID 876)

C:\Windows\SysWOW64\Hkpaoape.exe (command line: C:\Windows\system32\Hkpaoape.exe, depth 107, PID 1536)
- System Location Discovery: System Language Discovery
- Modifies registry class

C:\Windows\SysWOW64\Ijenpn32.exe (command line: C:\Windows\system32\Ijenpn32.exe, depth 108, PID 2060)
- Drops file in System32 directory

C:\Windows\SysWOW64\Ijhkembk.exe (command line: C:\Windows\system32\Ijhkembk.exe, depth 109, PID 1848)

C:\Windows\SysWOW64\Icponb32.exe (command line: C:\Windows\system32\Icponb32.exe, depth 110, PID 2056)

C:\Windows\SysWOW64\Icbldbgi.exe (command line: C:\Windows\system32\Icbldbgi.exe, depth 111, PID 1372)

C:\Windows\SysWOW64\Ilnqhddd.exe (command line: C:\Windows\system32\Ilnqhddd.exe, depth 112, PID 2832)
- Adds autorun key to be loaded by Explorer.exe on startup

C:\Windows\SysWOW64\Jmmmbg32.exe (command line: C:\Windows\system32\Jmmmbg32.exe, depth 113, PID 2132)
- Modifies registry class

C:\Windows\SysWOW64\Jhgnbehe.exe (command line: C:\Windows\system32\Jhgnbehe.exe, depth 114, PID 2140)

C:\Windows\SysWOW64\Jifkmh32.exe (command line: C:\Windows\system32\Jifkmh32.exe, depth 115, PID 2748)
- Drops file in System32 directory

C:\Windows\SysWOW64\Jemkai32.exe (command line: C:\Windows\system32\Jemkai32.exe, depth 116, PID 432)

C:\Windows\SysWOW64\Jephgi32.exe (command line: C:\Windows\system32\Jephgi32.exe, depth 117, PID 3056)

C:\Windows\SysWOW64\Jmkmlk32.exe (command line: C:\Windows\system32\Jmkmlk32.exe, depth 118, PID 2444)

C:\Windows\SysWOW64\Kfcadq32.exe (command line: C:\Windows\system32\Kfcadq32.exe, depth 119, PID 2524)

C:\Windows\SysWOW64\Kfenjq32.exe (command line: C:\Windows\system32\Kfenjq32.exe, depth 120, PID 1020)

C:\Windows\SysWOW64\Kifgllbc.exe (command line: C:\Windows\system32\Kifgllbc.exe, depth 121, PID 2640)

C:\Windows\SysWOW64\Khkdmh32.exe (command line: C:\Windows\system32\Khkdmh32.exe, depth 122, PID 112)