Analysis
-
max time kernel
34s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
25-12-2024 15:03
Behavioral task
behavioral1
Sample
4dfcc50b0abd1b72c009c945c99307ddff362a97ca14ce864766db8d3f596de4.exe
Resource
win7-20240729-en
windows7-x64
10 signatures
120 seconds
Behavioral task
behavioral2
Sample
4dfcc50b0abd1b72c009c945c99307ddff362a97ca14ce864766db8d3f596de4.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
120 seconds
General
-
Target
4dfcc50b0abd1b72c009c945c99307ddff362a97ca14ce864766db8d3f596de4.exe
-
Size
464KB
-
MD5
d6c8539a886d087168866b938136ea43
-
SHA1
3416cf11292bf674e30bdcc312a562e970187e92
-
SHA256
4dfcc50b0abd1b72c009c945c99307ddff362a97ca14ce864766db8d3f596de4
-
SHA512
2e2e7eb5bf9b2d1c739be4b60d466048b11b1eecdb8664748113a56ddd9b21085c8a20f0cc3fa1ffa231cf7d263173e86792e69ec04029f63a126efe9f692537
-
SSDEEP
6144:hscrJnxMEOIIIPCn4EOIuIPJEOOcHTETKEOIIIPCX:5OEVI2C4EVu2JEVcBEVI2CX
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://viruslist.com/wcmd.txt
http://viruslist.com/ppslog.php
http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhaibnim.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kidjfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fgcgebhd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fkapkq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mjgclcjh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cgmndokg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flmlmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Leaallcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bnicddki.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndiaem32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjdnmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Acdfki32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Degobhjg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iagchmjn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alfdcp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acdfki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hancef32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjpmkdpp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ceoagcld.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obamebfc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmbghgdg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iaegbmlq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kpcbhlki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nglmifca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pinnfonh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bfpkfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ieqbbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kkigfdjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kgjgepqm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elcbmn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emailhfb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggbljogc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Adcobk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dkolblkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Glhhgahg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilhnjfmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Mjpmkdpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pedokpcm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Didgig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cejhld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cnbfkccn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhjdjc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdahnmck.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Copljmpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Oheieo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Egdjfo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ieelnkpd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkkpjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qajfmbna.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Galfpgpg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppbkoabf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fljfdd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmejmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lhbjmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Oaiglnih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hngppgae.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkpieggc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plheil32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdgane32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldokhn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bcdbjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ppogok32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qbhpddbf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Denglpkc.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 1080 Nfeqli32.exe 2420 Nmpiicdm.exe 2892 Ndiaem32.exe 2648 Obcgaill.exe 2128 Oebdndlp.exe 2688 Omoehf32.exe 2760 Oheieo32.exe 2424 Ppbkoabf.exe 2340 Pglclk32.exe 1064 Qjbehfbo.exe 2876 Qlpadaac.exe 1172 Qdkfic32.exe 2004 Qkeofnfk.exe 2092 Aaogbh32.exe 2608 Agloko32.exe 2248 Anfggicl.exe 2508 Ahllda32.exe 376 Ajmhljip.exe 1228 Aqgqid32.exe 1896 Aklefm32.exe 1008 Aqimoc32.exe 1892 Agcekn32.exe 1104 Ampncd32.exe 2392 Agebam32.exe 1488 Bjdnmi32.exe 3056 Bmbkid32.exe 2304 Biikne32.exe 2836 Bocckoom.exe 2768 Beplcfmd.exe 2788 Boeppomj.exe 2932 Bineidcj.exe 2812 Bnkmakbb.exe 2644 Bipaodah.exe 1044 Bbhfgj32.exe 1480 Ccjbobnf.exe 2504 Cjdkllec.exe 2984 Cmbghgdg.exe 3008 Cghkepdm.exe 2000 Cmdcngbd.exe 1308 Cfmhfm32.exe 2820 Cmgpcg32.exe 2596 Ccaipaho.exe 576 Cjkamk32.exe 1052 Cpgieb32.exe 1932 Cedbmi32.exe 1232 Dpjfjalp.exe 1768 Degobhjg.exe 1216 Dlqgob32.exe 2160 Dbkolmia.exe 2436 Didgig32.exe 2664 Dkfcqo32.exe 2584 Daplmimi.exe 1320 Dhjdjc32.exe 2284 Dodlfmlb.exe 908 Ddqeodjj.exe 2072 Dofilm32.exe 2624 Ddcadd32.exe 2080 Ekmjanpd.exe 548 Eagbnh32.exe 2220 Edenjc32.exe 2172 Egdjfo32.exe 1912 Eibgbj32.exe 2544 Elqcnfdp.exe 2572 Edhkpcdb.exe -
Loads dropped DLL 64 IoCs
pid Process 1200 4dfcc50b0abd1b72c009c945c99307ddff362a97ca14ce864766db8d3f596de4.exe 1200 4dfcc50b0abd1b72c009c945c99307ddff362a97ca14ce864766db8d3f596de4.exe 1080 Nfeqli32.exe 1080 Nfeqli32.exe 2420 Nmpiicdm.exe 2420 Nmpiicdm.exe 2892 Ndiaem32.exe 2892 Ndiaem32.exe 2648 Obcgaill.exe 2648 Obcgaill.exe 2128 Oebdndlp.exe 2128 Oebdndlp.exe 2688 Omoehf32.exe 2688 Omoehf32.exe 2760 Oheieo32.exe 2760 Oheieo32.exe 2424 Ppbkoabf.exe 2424 Ppbkoabf.exe 2340 Pglclk32.exe 2340 Pglclk32.exe 1064 Qjbehfbo.exe 1064 Qjbehfbo.exe 2876 Qlpadaac.exe 2876 Qlpadaac.exe 1172 Qdkfic32.exe 1172 Qdkfic32.exe 2004 Qkeofnfk.exe 2004 Qkeofnfk.exe 2092 Aaogbh32.exe 2092 Aaogbh32.exe 2608 Agloko32.exe 2608 Agloko32.exe 2248 Anfggicl.exe 2248 Anfggicl.exe 2508 Ahllda32.exe 2508 Ahllda32.exe 376 Ajmhljip.exe 376 Ajmhljip.exe 1228 Aqgqid32.exe 1228 Aqgqid32.exe 1896 Aklefm32.exe 1896 Aklefm32.exe 1008 Aqimoc32.exe 1008 Aqimoc32.exe 1892 Agcekn32.exe 1892 Agcekn32.exe 1104 Ampncd32.exe 1104 Ampncd32.exe 2392 Agebam32.exe 2392 Agebam32.exe 1488 Bjdnmi32.exe 1488 Bjdnmi32.exe 1592 Bbocak32.exe 1592 Bbocak32.exe 2304 Biikne32.exe 2304 Biikne32.exe 2836 Bocckoom.exe 2836 Bocckoom.exe 2768 Beplcfmd.exe 2768 Beplcfmd.exe 2788 Boeppomj.exe 2788 Boeppomj.exe 2932 Bineidcj.exe 2932 Bineidcj.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Pcojjn32.dll Fljfdd32.exe File created C:\Windows\SysWOW64\Nccmng32.exe Nqdaal32.exe File opened for modification C:\Windows\SysWOW64\Ampncd32.exe Agcekn32.exe File opened for modification C:\Windows\SysWOW64\Ggncop32.exe Gdpfbd32.exe File created C:\Windows\SysWOW64\Bohoogbk.exe Bgagnjbi.exe File opened for modification C:\Windows\SysWOW64\Hjmolp32.exe Heqfdh32.exe File created C:\Windows\SysWOW64\Kcdljghj.exe Kkigfdjo.exe File created C:\Windows\SysWOW64\Dfnjqifb.exe Dmffhd32.exe File created C:\Windows\SysWOW64\Pmfala32.dll Kghkppbp.exe File opened for modification C:\Windows\SysWOW64\Bnhjae32.exe Bgnaekil.exe File created C:\Windows\SysWOW64\Dqnkig32.dll Icnbic32.exe File created C:\Windows\SysWOW64\Pfkfdg32.dll Agloko32.exe File opened for modification C:\Windows\SysWOW64\Bjdnmi32.exe Agebam32.exe File created C:\Windows\SysWOW64\Lhbjmg32.exe Lahaqm32.exe File created C:\Windows\SysWOW64\Limhol32.dll Mffgfo32.exe File created C:\Windows\SysWOW64\Hdapggln.exe Hoegoqng.exe File opened for modification C:\Windows\SysWOW64\Ekmjanpd.exe Ddcadd32.exe File created C:\Windows\SysWOW64\Acplpjpj.exe Alfdcp32.exe File created C:\Windows\SysWOW64\Bofednkl.dll Bpnibl32.exe File created C:\Windows\SysWOW64\Ehopnk32.exe Eaegaaah.exe File created C:\Windows\SysWOW64\Clllno32.dll Ijmdql32.exe File created C:\Windows\SysWOW64\Pgihlk32.dll Jnafop32.exe File created C:\Windows\SysWOW64\Jgglia32.dll Qpocno32.exe File created C:\Windows\SysWOW64\Mhonbchg.dll Dimfmeef.exe File created C:\Windows\SysWOW64\Lkhcdhmk.exe Ldokhn32.exe File opened for modification C:\Windows\SysWOW64\Jhndcd32.exe Jdbhcfjd.exe File created C:\Windows\SysWOW64\Geplpfnh.exe Gdophn32.exe File created C:\Windows\SysWOW64\Kdoiblpd.dll Cnjbfhqa.exe File opened for modification C:\Windows\SysWOW64\Oenmkngi.exe Ofklpa32.exe File opened for modification C:\Windows\SysWOW64\Elcbmn32.exe Emqaaabg.exe File opened for modification C:\Windows\SysWOW64\Qjbehfbo.exe Pglclk32.exe File created C:\Windows\SysWOW64\Fgdfgd32.dll Gfgpgmql.exe File opened for modification C:\Windows\SysWOW64\Gjiibm32.exe Fcoaebjc.exe File opened for modification C:\Windows\SysWOW64\Pbnckg32.exe Ppogok32.exe File created C:\Windows\SysWOW64\Fanhpabf.dll Djffihmp.exe File created C:\Windows\SysWOW64\Nnbdij32.dll Fkapkq32.exe File created C:\Windows\SysWOW64\Jnenmnck.dll Bqilfp32.exe File created C:\Windows\SysWOW64\Ajmhljip.exe Ahllda32.exe File created C:\Windows\SysWOW64\Gfpphd32.dll Lkkckdhm.exe File created C:\Windows\SysWOW64\Fdekigip.exe Fagnmkjm.exe File created C:\Windows\SysWOW64\Bcpiombe.exe Bncpffdn.exe File created C:\Windows\SysWOW64\Ibmldh32.dll Dfgdpj32.exe File created C:\Windows\SysWOW64\Npldppbn.dll Aklefm32.exe File created C:\Windows\SysWOW64\Eddkbl32.dll Mdahnmck.exe File created C:\Windows\SysWOW64\Omldapkm.dll Popkeh32.exe File opened for modification C:\Windows\SysWOW64\Anngkg32.exe Akpkok32.exe File created C:\Windows\SysWOW64\Incgfl32.exe Icnbic32.exe File created C:\Windows\SysWOW64\Gebiefle.exe Gpfpmonn.exe File opened for modification C:\Windows\SysWOW64\Qeglqpaj.exe Qbhpddbf.exe File created C:\Windows\SysWOW64\Anaeppkc.dll Bcdbjl32.exe File created C:\Windows\SysWOW64\Cpmbla32.dll Dpmlcpdm.exe File created C:\Windows\SysWOW64\Cbekip32.dll Lkepdbkb.exe File opened for modification C:\Windows\SysWOW64\Edhmhl32.exe Emnelbdi.exe File created C:\Windows\SysWOW64\Hfohfk32.dll Fagnmkjm.exe File created C:\Windows\SysWOW64\Lnlmmo32.exe Lcfhpf32.exe File opened for modification C:\Windows\SysWOW64\Mnilfc32.exe Mkkpjg32.exe File created C:\Windows\SysWOW64\Dplalb32.dll Dpjfjalp.exe File created C:\Windows\SysWOW64\Ajbdpblo.exe Achlch32.exe File created C:\Windows\SysWOW64\Qeglqpaj.exe Qbhpddbf.exe File created C:\Windows\SysWOW64\Akpkok32.exe Ahancp32.exe File created C:\Windows\SysWOW64\Egfglocf.exe Edhkpcdb.exe File opened for modification C:\Windows\SysWOW64\Hchpjddc.exe Hiblmldn.exe File opened for modification C:\Windows\SysWOW64\Emnelbdi.exe Eibikc32.exe File created C:\Windows\SysWOW64\Noddcolo.dll Bbocak32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5324 6112 WerFault.exe 593 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aqimoc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddcadd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehbcnajn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfknjfbl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Janihlcf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehlmnfeo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpmlcpdm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iggbdb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hqpjndio.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glhhgahg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cedbmi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpjfjalp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmighemp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pinnfonh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mglpjc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmbghgdg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnbhmlkk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkchpcoc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ieelnkpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khpaidpk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nplkhh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Febmfcjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnilfc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohhcokmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbppqf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Johlpoij.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifkfap32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdobjgqg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Poinkg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgjgepqm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iniglajj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppogok32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijjgkmqh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhljlnma.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebghkjjc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dieiap32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boolhikf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klamohhj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onbkle32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olokighn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Papmlmbp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anfjpa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjbpoeoj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkpeojha.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Geplpfnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdggofgn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkkckdhm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dihmae32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhgpgjoj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npkaei32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aggkdlod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icnbic32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bpnibl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgbanlfc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aklefm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnafop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mffgfo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghcbga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmdcngbd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgaoec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jidngh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbmnjenb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kihcakpa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pedokpcm.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bmbkid32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bineidcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkopgd32.dll" Cofohkgi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cbdkdffm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hqjfgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dbneekan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdlmhggb.dll" Ghmohcbl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pojgnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqdaeh32.dll" Qeglqpaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Popoobmg.dll" Lcfhpf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Oclpdf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hmighemp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epinic32.dll" Lklmoccl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Obamebfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fcoaebjc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bomink32.dll" Iokdaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Faimkd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hancef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Iokdaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npldppbn.dll" Aklefm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bipaodah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdlhbc32.dll" Johlpoij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Blejgm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Acplpjpj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ddqeodjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfohfk32.dll" Fagnmkjm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hchpjddc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ldokhn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Johlpoij.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ojdlkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcajlbce.dll" Bncpffdn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Agloko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Idepdhia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikmfihln.dll" Khhndi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Phklcn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fgnfpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dkolblkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhcheobh.dll" Gegbpe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hkkaik32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Geplpfnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Kpcbhlki.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Phklcn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bgihjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdldjnpc.dll" Lamkllea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mdkcgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpjgehii.dll" Nccmng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Boolhikf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Bfpkfb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lobbpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhjcendg.dll" Kgjgepqm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgdlgpke.dll" Obamebfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajabpehm.dll" Apllml32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Agebam32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jfkbqcam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ondnfndp.dll" Ldokhn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Epbamc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imooak32.dll" Ojilqf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Bcdbjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fhfihd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jnafop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mcendc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcecef32.dll" Aimkeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnfaghha.dll" Bnicddki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cklpml32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1200 wrote to memory of 1080 1200 4dfcc50b0abd1b72c009c945c99307ddff362a97ca14ce864766db8d3f596de4.exe 29 PID 1200 wrote to memory of 1080 1200 4dfcc50b0abd1b72c009c945c99307ddff362a97ca14ce864766db8d3f596de4.exe 29 PID 1200 wrote to memory of 1080 1200 4dfcc50b0abd1b72c009c945c99307ddff362a97ca14ce864766db8d3f596de4.exe 29 PID 1200 wrote to memory of 1080 1200 4dfcc50b0abd1b72c009c945c99307ddff362a97ca14ce864766db8d3f596de4.exe 29 PID 1080 wrote to memory of 2420 1080 Nfeqli32.exe 30 PID 1080 wrote to memory of 2420 1080 Nfeqli32.exe 30 PID 1080 wrote to memory of 2420 1080 Nfeqli32.exe 30 PID 1080 wrote to memory of 2420 1080 Nfeqli32.exe 30 PID 2420 wrote to memory of 2892 2420 Nmpiicdm.exe 31 PID 2420 wrote to memory of 2892 2420 Nmpiicdm.exe 31 PID 2420 wrote to memory of 2892 2420 Nmpiicdm.exe 31 PID 2420 wrote to memory of 2892 2420 Nmpiicdm.exe 31 PID 2892 wrote to memory of 2648 2892 Ndiaem32.exe 32 PID 2892 wrote to memory of 2648 2892 Ndiaem32.exe 32 PID 2892 wrote to memory of 2648 2892 Ndiaem32.exe 32 PID 2892 wrote to memory of 2648 2892 Ndiaem32.exe 32 PID 2648 wrote to memory of 2128 2648 Obcgaill.exe 33 PID 2648 wrote to memory of 2128 2648 Obcgaill.exe 33 PID 2648 wrote to memory of 2128 2648 Obcgaill.exe 33 PID 2648 wrote to memory of 2128 2648 Obcgaill.exe 33 PID 2128 wrote to memory of 2688 2128 Oebdndlp.exe 34 PID 2128 wrote to memory of 2688 2128 Oebdndlp.exe 34 PID 2128 wrote to memory of 2688 2128 Oebdndlp.exe 34 PID 2128 wrote to memory of 2688 2128 Oebdndlp.exe 34 PID 2688 wrote to memory of 2760 2688 Omoehf32.exe 35 PID 2688 wrote to memory of 2760 2688 Omoehf32.exe 35 PID 2688 wrote to memory of 2760 2688 Omoehf32.exe 35 PID 2688 wrote to memory of 2760 2688 Omoehf32.exe 35 PID 2760 wrote to memory of 2424 2760 Oheieo32.exe 36 PID 2760 wrote to memory of 2424 2760 Oheieo32.exe 36 PID 2760 wrote to memory of 2424 2760 Oheieo32.exe 36 PID 2760 wrote to memory of 2424 2760 Oheieo32.exe 36 PID 2424 wrote to memory of 2340 2424 Ppbkoabf.exe 37 PID 2424 wrote to memory of 2340 2424 Ppbkoabf.exe 37 PID 2424 wrote to memory of 2340 2424 Ppbkoabf.exe 37 PID 2424 wrote to memory of 2340 2424 Ppbkoabf.exe 37 PID 2340 wrote to memory of 1064 2340 Pglclk32.exe 38 PID 2340 wrote to memory of 1064 2340 Pglclk32.exe 38 PID 2340 wrote to memory of 1064 2340 Pglclk32.exe 38 PID 2340 wrote to memory of 1064 2340 Pglclk32.exe 38 PID 1064 wrote to memory of 2876 1064 Qjbehfbo.exe 39 PID 1064 wrote to memory of 2876 1064 Qjbehfbo.exe 39 PID 1064 wrote to memory of 2876 1064 Qjbehfbo.exe 39 PID 1064 wrote to memory of 2876 1064 Qjbehfbo.exe 39 PID 2876 wrote to memory of 1172 2876 Qlpadaac.exe 40 PID 2876 wrote to memory of 1172 2876 Qlpadaac.exe 40 PID 2876 wrote to memory of 1172 2876 Qlpadaac.exe 40 PID 2876 wrote to memory of 1172 2876 Qlpadaac.exe 40 PID 1172 wrote to memory of 2004 1172 Qdkfic32.exe 41 PID 1172 wrote to memory of 2004 1172 Qdkfic32.exe 41 PID 1172 wrote to memory of 2004 1172 Qdkfic32.exe 41 PID 1172 wrote to memory of 2004 1172 Qdkfic32.exe 41 PID 2004 wrote to memory of 2092 2004 Qkeofnfk.exe 42 PID 2004 wrote to memory of 2092 2004 Qkeofnfk.exe 42 PID 2004 wrote to memory of 2092 2004 Qkeofnfk.exe 42 PID 2004 wrote to memory of 2092 2004 Qkeofnfk.exe 42 PID 2092 wrote to memory of 2608 2092 Aaogbh32.exe 43 PID 2092 wrote to memory of 2608 2092 Aaogbh32.exe 43 PID 2092 wrote to memory of 2608 2092 Aaogbh32.exe 43 PID 2092 wrote to memory of 2608 2092 Aaogbh32.exe 43 PID 2608 wrote to memory of 2248 2608 Agloko32.exe 44 PID 2608 wrote to memory of 2248 2608 Agloko32.exe 44 PID 2608 wrote to memory of 2248 2608 Agloko32.exe 44 PID 2608 wrote to memory of 2248 2608 Agloko32.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\4dfcc50b0abd1b72c009c945c99307ddff362a97ca14ce864766db8d3f596de4.exe"C:\Users\Admin\AppData\Local\Temp\4dfcc50b0abd1b72c009c945c99307ddff362a97ca14ce864766db8d3f596de4.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1200 -
C:\Windows\SysWOW64\Nfeqli32.exeC:\Windows\system32\Nfeqli32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1080 -
C:\Windows\SysWOW64\Nmpiicdm.exeC:\Windows\system32\Nmpiicdm.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2420 -
C:\Windows\SysWOW64\Ndiaem32.exeC:\Windows\system32\Ndiaem32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2892 -
C:\Windows\SysWOW64\Obcgaill.exeC:\Windows\system32\Obcgaill.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2648 -
C:\Windows\SysWOW64\Oebdndlp.exeC:\Windows\system32\Oebdndlp.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2128 -
C:\Windows\SysWOW64\Omoehf32.exeC:\Windows\system32\Omoehf32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2688 -
C:\Windows\SysWOW64\Oheieo32.exeC:\Windows\system32\Oheieo32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Windows\SysWOW64\Ppbkoabf.exeC:\Windows\system32\Ppbkoabf.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2424 -
C:\Windows\SysWOW64\Pglclk32.exeC:\Windows\system32\Pglclk32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2340 -
C:\Windows\SysWOW64\Qjbehfbo.exeC:\Windows\system32\Qjbehfbo.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1064 -
C:\Windows\SysWOW64\Qlpadaac.exeC:\Windows\system32\Qlpadaac.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2876 -
C:\Windows\SysWOW64\Qdkfic32.exeC:\Windows\system32\Qdkfic32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1172 -
C:\Windows\SysWOW64\Qkeofnfk.exeC:\Windows\system32\Qkeofnfk.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2004 -
C:\Windows\SysWOW64\Aaogbh32.exeC:\Windows\system32\Aaogbh32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2092 -
C:\Windows\SysWOW64\Agloko32.exeC:\Windows\system32\Agloko32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2608 -
C:\Windows\SysWOW64\Anfggicl.exeC:\Windows\system32\Anfggicl.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2248 -
C:\Windows\SysWOW64\Ahllda32.exeC:\Windows\system32\Ahllda32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2508 -
C:\Windows\SysWOW64\Ajmhljip.exeC:\Windows\system32\Ajmhljip.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:376 -
C:\Windows\SysWOW64\Aqgqid32.exeC:\Windows\system32\Aqgqid32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1228 -
C:\Windows\SysWOW64\Aklefm32.exeC:\Windows\system32\Aklefm32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1896 -
C:\Windows\SysWOW64\Aqimoc32.exeC:\Windows\system32\Aqimoc32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1008 -
C:\Windows\SysWOW64\Agcekn32.exeC:\Windows\system32\Agcekn32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1892 -
C:\Windows\SysWOW64\Ampncd32.exeC:\Windows\system32\Ampncd32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1104 -
C:\Windows\SysWOW64\Agebam32.exeC:\Windows\system32\Agebam32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2392 -
C:\Windows\SysWOW64\Bjdnmi32.exeC:\Windows\system32\Bjdnmi32.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1488 -
C:\Windows\SysWOW64\Bmbkid32.exeC:\Windows\system32\Bmbkid32.exe27⤵
- Executes dropped EXE
- Modifies registry class
PID:3056 -
C:\Windows\SysWOW64\Bbocak32.exeC:\Windows\system32\Bbocak32.exe28⤵
- Loads dropped DLL
- Drops file in System32 directory
PID:1592 -
C:\Windows\SysWOW64\Biikne32.exeC:\Windows\system32\Biikne32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2304 -
C:\Windows\SysWOW64\Bocckoom.exeC:\Windows\system32\Bocckoom.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2836 -
C:\Windows\SysWOW64\Beplcfmd.exeC:\Windows\system32\Beplcfmd.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2768 -
C:\Windows\SysWOW64\Boeppomj.exeC:\Windows\system32\Boeppomj.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2788 -
C:\Windows\SysWOW64\Bineidcj.exeC:\Windows\system32\Bineidcj.exe33⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2932 -
C:\Windows\SysWOW64\Bnkmakbb.exeC:\Windows\system32\Bnkmakbb.exe34⤵
- Executes dropped EXE
PID:2812 -
C:\Windows\SysWOW64\Bipaodah.exeC:\Windows\system32\Bipaodah.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:2644 -
C:\Windows\SysWOW64\Bbhfgj32.exeC:\Windows\system32\Bbhfgj32.exe36⤵
- Executes dropped EXE
PID:1044 -
C:\Windows\SysWOW64\Ccjbobnf.exeC:\Windows\system32\Ccjbobnf.exe37⤵
- Executes dropped EXE
PID:1480 -
C:\Windows\SysWOW64\Cjdkllec.exeC:\Windows\system32\Cjdkllec.exe38⤵
- Executes dropped EXE
PID:2504 -
C:\Windows\SysWOW64\Cmbghgdg.exeC:\Windows\system32\Cmbghgdg.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2984 -
C:\Windows\SysWOW64\Cghkepdm.exeC:\Windows\system32\Cghkepdm.exe40⤵
- Executes dropped EXE
PID:3008 -
C:\Windows\SysWOW64\Cmdcngbd.exeC:\Windows\system32\Cmdcngbd.exe41⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2000 -
C:\Windows\SysWOW64\Cfmhfm32.exeC:\Windows\system32\Cfmhfm32.exe42⤵
- Executes dropped EXE
PID:1308 -
C:\Windows\SysWOW64\Cmgpcg32.exeC:\Windows\system32\Cmgpcg32.exe43⤵
- Executes dropped EXE
PID:2820 -
C:\Windows\SysWOW64\Ccaipaho.exeC:\Windows\system32\Ccaipaho.exe44⤵
- Executes dropped EXE
PID:2596 -
C:\Windows\SysWOW64\Cjkamk32.exeC:\Windows\system32\Cjkamk32.exe45⤵
- Executes dropped EXE
PID:576 -
C:\Windows\SysWOW64\Cpgieb32.exeC:\Windows\system32\Cpgieb32.exe46⤵
- Executes dropped EXE
PID:1052 -
C:\Windows\SysWOW64\Cedbmi32.exeC:\Windows\system32\Cedbmi32.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1932 -
C:\Windows\SysWOW64\Dpjfjalp.exeC:\Windows\system32\Dpjfjalp.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1232 -
C:\Windows\SysWOW64\Degobhjg.exeC:\Windows\system32\Degobhjg.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1768 -
C:\Windows\SysWOW64\Dlqgob32.exeC:\Windows\system32\Dlqgob32.exe50⤵
- Executes dropped EXE
PID:1216 -
C:\Windows\SysWOW64\Dbkolmia.exeC:\Windows\system32\Dbkolmia.exe51⤵
- Executes dropped EXE
PID:2160 -
C:\Windows\SysWOW64\Didgig32.exeC:\Windows\system32\Didgig32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2436 -
C:\Windows\SysWOW64\Dkfcqo32.exeC:\Windows\system32\Dkfcqo32.exe53⤵
- Executes dropped EXE
PID:2664 -
C:\Windows\SysWOW64\Daplmimi.exeC:\Windows\system32\Daplmimi.exe54⤵
- Executes dropped EXE
PID:2584 -
C:\Windows\SysWOW64\Dhjdjc32.exeC:\Windows\system32\Dhjdjc32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1320 -
C:\Windows\SysWOW64\Dodlfmlb.exeC:\Windows\system32\Dodlfmlb.exe56⤵
- Executes dropped EXE
PID:2284 -
C:\Windows\SysWOW64\Ddqeodjj.exeC:\Windows\system32\Ddqeodjj.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:908 -
C:\Windows\SysWOW64\Dofilm32.exeC:\Windows\system32\Dofilm32.exe58⤵
- Executes dropped EXE
PID:2072 -
C:\Windows\SysWOW64\Ddcadd32.exeC:\Windows\system32\Ddcadd32.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2624 -
C:\Windows\SysWOW64\Ekmjanpd.exeC:\Windows\system32\Ekmjanpd.exe60⤵
- Executes dropped EXE
PID:2080 -
C:\Windows\SysWOW64\Eagbnh32.exeC:\Windows\system32\Eagbnh32.exe61⤵
- Executes dropped EXE
PID:548 -
C:\Windows\SysWOW64\Edenjc32.exeC:\Windows\system32\Edenjc32.exe62⤵
- Executes dropped EXE
PID:2220 -
C:\Windows\SysWOW64\Egdjfo32.exeC:\Windows\system32\Egdjfo32.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2172 -
C:\Windows\SysWOW64\Eibgbj32.exeC:\Windows\system32\Eibgbj32.exe64⤵
- Executes dropped EXE
PID:1912 -
C:\Windows\SysWOW64\Elqcnfdp.exeC:\Windows\system32\Elqcnfdp.exe65⤵
- Executes dropped EXE
PID:2544 -
C:\Windows\SysWOW64\Edhkpcdb.exeC:\Windows\system32\Edhkpcdb.exe66⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2572 -
C:\Windows\SysWOW64\Egfglocf.exeC:\Windows\system32\Egfglocf.exe67⤵PID:2152
-
C:\Windows\SysWOW64\Eidchjbi.exeC:\Windows\system32\Eidchjbi.exe68⤵PID:3040
-
C:\Windows\SysWOW64\Elcpdeam.exeC:\Windows\system32\Elcpdeam.exe69⤵PID:964
-
C:\Windows\SysWOW64\Eoalpaaa.exeC:\Windows\system32\Eoalpaaa.exe70⤵PID:3000
-
C:\Windows\SysWOW64\Eekdmk32.exeC:\Windows\system32\Eekdmk32.exe71⤵PID:2888
-
C:\Windows\SysWOW64\Ehjqif32.exeC:\Windows\system32\Ehjqif32.exe72⤵PID:2360
-
C:\Windows\SysWOW64\Epqhjdhc.exeC:\Windows\system32\Epqhjdhc.exe73⤵PID:1156
-
C:\Windows\SysWOW64\Ecodfogg.exeC:\Windows\system32\Ecodfogg.exe74⤵PID:2500
-
C:\Windows\SysWOW64\Eiimci32.exeC:\Windows\system32\Eiimci32.exe75⤵PID:1508
-
C:\Windows\SysWOW64\Ehlmnfeo.exeC:\Windows\system32\Ehlmnfeo.exe76⤵
- System Location Discovery: System Language Discovery
PID:1664 -
C:\Windows\SysWOW64\Fofekp32.exeC:\Windows\system32\Fofekp32.exe77⤵PID:1668
-
C:\Windows\SysWOW64\Fcaaloed.exeC:\Windows\system32\Fcaaloed.exe78⤵PID:1836
-
C:\Windows\SysWOW64\Fepnhjdh.exeC:\Windows\system32\Fepnhjdh.exe79⤵PID:2276
-
C:\Windows\SysWOW64\Fljfdd32.exeC:\Windows\system32\Fljfdd32.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:948 -
C:\Windows\SysWOW64\Fagnmkjm.exeC:\Windows\system32\Fagnmkjm.exe81⤵
- Drops file in System32 directory
- Modifies registry class
PID:2612 -
C:\Windows\SysWOW64\Fdekigip.exeC:\Windows\system32\Fdekigip.exe82⤵PID:1780
-
C:\Windows\SysWOW64\Fgcgebhd.exeC:\Windows\system32\Fgcgebhd.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2240 -
C:\Windows\SysWOW64\Fokofpif.exeC:\Windows\system32\Fokofpif.exe84⤵PID:940
-
C:\Windows\SysWOW64\Fdggofgn.exeC:\Windows\system32\Fdggofgn.exe85⤵
- System Location Discovery: System Language Discovery
PID:2828 -
C:\Windows\SysWOW64\Fkapkq32.exeC:\Windows\system32\Fkapkq32.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1712 -
C:\Windows\SysWOW64\Fakhhk32.exeC:\Windows\system32\Fakhhk32.exe87⤵PID:2380
-
C:\Windows\SysWOW64\Fghppa32.exeC:\Windows\system32\Fghppa32.exe88⤵PID:996
-
C:\Windows\SysWOW64\Fnbhmlkk.exeC:\Windows\system32\Fnbhmlkk.exe89⤵
- System Location Discovery: System Language Discovery
PID:2832 -
C:\Windows\SysWOW64\Fcoaebjc.exeC:\Windows\system32\Fcoaebjc.exe90⤵
- Drops file in System32 directory
- Modifies registry class
PID:2656 -
C:\Windows\SysWOW64\Gjiibm32.exeC:\Windows\system32\Gjiibm32.exe91⤵PID:832
-
C:\Windows\SysWOW64\Gofajcog.exeC:\Windows\system32\Gofajcog.exe92⤵PID:400
-
C:\Windows\SysWOW64\Ghnfci32.exeC:\Windows\system32\Ghnfci32.exe93⤵PID:2860
-
C:\Windows\SysWOW64\Gccjpb32.exeC:\Windows\system32\Gccjpb32.exe94⤵PID:352
-
C:\Windows\SysWOW64\Gbigao32.exeC:\Windows\system32\Gbigao32.exe95⤵PID:2368
-
C:\Windows\SysWOW64\Gicpnhbb.exeC:\Windows\system32\Gicpnhbb.exe96⤵PID:2408
-
C:\Windows\SysWOW64\Gomhkb32.exeC:\Windows\system32\Gomhkb32.exe97⤵PID:1796
-
C:\Windows\SysWOW64\Gfgpgmql.exeC:\Windows\system32\Gfgpgmql.exe98⤵
- Drops file in System32 directory
PID:1760 -
C:\Windows\SysWOW64\Gkchpcoc.exeC:\Windows\system32\Gkchpcoc.exe99⤵
- System Location Discovery: System Language Discovery
PID:2640 -
C:\Windows\SysWOW64\Hbnqln32.exeC:\Windows\system32\Hbnqln32.exe100⤵PID:2736
-
C:\Windows\SysWOW64\Higiih32.exeC:\Windows\system32\Higiih32.exe101⤵PID:1784
-
C:\Windows\SysWOW64\Hbpmbndm.exeC:\Windows\system32\Hbpmbndm.exe102⤵PID:2940
-
C:\Windows\SysWOW64\Hcajjf32.exeC:\Windows\system32\Hcajjf32.exe103⤵PID:2256
-
C:\Windows\SysWOW64\Hngngo32.exeC:\Windows\system32\Hngngo32.exe104⤵PID:2404
-
C:\Windows\SysWOW64\Heqfdh32.exeC:\Windows\system32\Heqfdh32.exe105⤵
- Drops file in System32 directory
PID:3028 -
C:\Windows\SysWOW64\Hjmolp32.exeC:\Windows\system32\Hjmolp32.exe106⤵PID:1576
-
C:\Windows\SysWOW64\Haggijgb.exeC:\Windows\system32\Haggijgb.exe107⤵PID:1740
-
C:\Windows\SysWOW64\Hgaoec32.exeC:\Windows\system32\Hgaoec32.exe108⤵
- System Location Discovery: System Language Discovery
PID:1512 -
C:\Windows\SysWOW64\Hiblmldn.exeC:\Windows\system32\Hiblmldn.exe109⤵
- Drops file in System32 directory
PID:2056 -
C:\Windows\SysWOW64\Hchpjddc.exeC:\Windows\system32\Hchpjddc.exe110⤵
- Modifies registry class
PID:884 -
C:\Windows\SysWOW64\Hfflfp32.exeC:\Windows\system32\Hfflfp32.exe111⤵PID:2908
-
C:\Windows\SysWOW64\Ilceog32.exeC:\Windows\system32\Ilceog32.exe112⤵PID:2472
-
C:\Windows\SysWOW64\Icjmpd32.exeC:\Windows\system32\Icjmpd32.exe113⤵PID:2108
-
C:\Windows\SysWOW64\Iigehk32.exeC:\Windows\system32\Iigehk32.exe114⤵PID:2708
-
C:\Windows\SysWOW64\Ipameehe.exeC:\Windows\system32\Ipameehe.exe115⤵PID:2652
-
C:\Windows\SysWOW64\Ifkfap32.exeC:\Windows\system32\Ifkfap32.exe116⤵
- System Location Discovery: System Language Discovery
PID:448 -
C:\Windows\SysWOW64\Iijbnkne.exeC:\Windows\system32\Iijbnkne.exe117⤵PID:2464
-
C:\Windows\SysWOW64\Ilhnjfmi.exeC:\Windows\system32\Ilhnjfmi.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1292 -
C:\Windows\SysWOW64\Infjfblm.exeC:\Windows\system32\Infjfblm.exe119⤵PID:2164
-
C:\Windows\SysWOW64\Iaegbmlq.exeC:\Windows\system32\Iaegbmlq.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:672 -
C:\Windows\SysWOW64\Ieqbbl32.exeC:\Windows\system32\Ieqbbl32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1620
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-