Analysis
-
max time kernel
93s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
11/11/2024, 10:53
Static task
static1
Behavioral task
behavioral1
Sample
0a23f135f1523e186408b95ff37d0963d00be96e3e66571393b6c0f87085525bN.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
0a23f135f1523e186408b95ff37d0963d00be96e3e66571393b6c0f87085525bN.exe
Resource
win10v2004-20241007-en
General
-
Target
0a23f135f1523e186408b95ff37d0963d00be96e3e66571393b6c0f87085525bN.exe
-
Size
357KB
-
MD5
ea0d13ff329cddf5e28e535451b4a0b3
-
SHA1
a09f9564905a364f69c9d24c5cb5c85fb702db07
-
SHA256
7585d8999e1411041c1cb2bb9a127bf3c5dd8264ad3c51e261ef7ed3580756f1
-
SHA512
65b99c6e20b973e69a6f1a5a62892d5eddb964062b48b41ed49a81fd699545028297fa46134dae025cded18188b70a406090be396fa84142f1d01c8e35c76605
-
SSDEEP
6144:oDYCt59MMegm11n6xJmPMwZoXpKtCe8AUReheFlfSZR0SvsuFrGoyeg3kl+fiXFO:ofqZoXpKtCe1eehil6ZR5ZrQeg3kljFO
Malware Config
Extracted
berbew
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ngjkfd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmeandma.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckgohf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kelkaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mecjif32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oekiqccc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Klfaapbl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ioolkncg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kjhcjq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nbgcih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hkfglb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omcjep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jgenbfoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fmfnpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mnjqmpgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iddljmpc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kaehljpj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojigdcll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nggnadib.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkcfid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Efepbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hpchib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qacameaj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgifbhid.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Niakfbpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oblmdhdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pekbga32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Malpia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ljceqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ofmdio32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Innfnl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flfkkhid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hidgai32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpcjgnhb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lfbped32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Llhikacp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pcmeke32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Piijno32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cofecami.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Albpkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mnhdgpii.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnjqmpgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jgogbgei.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pibdmp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Neclenfo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alkijdci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fffhifdk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ikkpgafg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nlmdbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lljklo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mecjif32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfngdn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfigpm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imgicgca.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpfkpp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hglaej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qeodhjmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mfchlbfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bmhocd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lalnmiia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ahgjejhd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cfnqklgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eiieicml.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnifekmd.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 4984 Gdfoio32.exe 3208 Hnodaecc.exe 2036 Hjedffig.exe 2040 Hammhcij.exe 3960 Hncmmd32.exe 4444 Hglaej32.exe 5052 Hpdfnolo.exe 2780 Hkjjlhle.exe 2980 Hnhghcki.exe 4436 Iklgah32.exe 2312 Iddljmpc.exe 3772 Ikndgg32.exe 2496 Igedlh32.exe 4112 Iakiia32.exe 600 Ihdafkdg.exe 1220 Ikcmbfcj.exe 3372 Iqpfjnba.exe 3400 Igjngh32.exe 2928 Ikejgf32.exe 432 Ibobdqid.exe 3236 Jdnoplhh.exe 3032 Jbaojpgb.exe 1052 Jdpkflfe.exe 1336 Jgogbgei.exe 1708 Jkjcbe32.exe 2856 Jnhpoamf.exe 460 Jbdlop32.exe 4684 Jdbhkk32.exe 2676 Jgadgf32.exe 1084 Jjopcb32.exe 2860 Jnkldqkc.exe 4524 Jqiipljg.exe 3516 Jdedak32.exe 4820 Jgcamf32.exe 1716 Jkomneim.exe 2948 Jnmijq32.exe 3560 Jqlefl32.exe 3132 Jdgafjpn.exe 2804 Jgenbfoa.exe 5040 Jkaicd32.exe 3280 Jnpfop32.exe 32 Kqnbkl32.exe 264 Kdinljnk.exe 4912 Kghjhemo.exe 1756 Kkcfid32.exe 2504 Knbbep32.exe 2640 Kbmoen32.exe 424 Kelkaj32.exe 4396 Kgjgne32.exe 3644 Kjhcjq32.exe 2340 Kbpkkn32.exe 3700 Kenggi32.exe 2620 Kgmcce32.exe 1248 Knflpoqf.exe 1780 Kaehljpj.exe 1632 Kilpmh32.exe 4376 Kkjlic32.exe 3440 Kniieo32.exe 2800 Kecabifp.exe 4152 Kgamnded.exe 4676 Kjpijpdg.exe 4692 Lajagj32.exe 2352 Lgcjdd32.exe 3104 Ljbfpo32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Mdpmoppk.dll Ponfka32.exe File created C:\Windows\SysWOW64\Hplbickp.exe Hibjli32.exe File opened for modification C:\Windows\SysWOW64\Jpenfp32.exe Jngbjd32.exe File created C:\Windows\SysWOW64\Ppolhcnm.exe Pnmopk32.exe File opened for modification C:\Windows\SysWOW64\Kbpkkn32.exe Kjhcjq32.exe File opened for modification C:\Windows\SysWOW64\Licfngjd.exe Lalnmiia.exe File opened for modification C:\Windows\SysWOW64\Mjahlgpf.exe Meepdp32.exe File opened for modification C:\Windows\SysWOW64\Iohejo32.exe Imgicgca.exe File opened for modification C:\Windows\SysWOW64\Kghjhemo.exe Kdinljnk.exe File created C:\Windows\SysWOW64\Ejoaandc.dll Aaohcj32.exe File created C:\Windows\SysWOW64\Aknhkd32.dll Fbjena32.exe File opened for modification C:\Windows\SysWOW64\Nmkmjjaa.exe Njmqnobn.exe File created C:\Windows\SysWOW64\Bhoqeibl.exe Bcahmb32.exe File created C:\Windows\SysWOW64\Kahobhgo.dll Oeaoab32.exe File created C:\Windows\SysWOW64\Nlbdlk32.dll Aodogdmn.exe File created C:\Windows\SysWOW64\Efcagd32.dll Mnpabe32.exe File created C:\Windows\SysWOW64\Gikdkj32.exe Gflhoo32.exe File opened for modification C:\Windows\SysWOW64\Neccpd32.exe Nojjcj32.exe File opened for modification C:\Windows\SysWOW64\Bfngdn32.exe Aodogdmn.exe File opened for modification C:\Windows\SysWOW64\Bkafmd32.exe Bhcjqinf.exe File created C:\Windows\SysWOW64\Kmaopfjm.exe Kjccdkki.exe File opened for modification C:\Windows\SysWOW64\Pefabkej.exe Pajeam32.exe File opened for modification C:\Windows\SysWOW64\Bemqih32.exe Bnfihkqm.exe File opened for modification C:\Windows\SysWOW64\Oekiqccc.exe Oblmdhdo.exe File created C:\Windows\SysWOW64\Eplgeokq.exe Emmkiclm.exe File created C:\Windows\SysWOW64\Ffclcgfn.exe Fpjcgm32.exe File created C:\Windows\SysWOW64\Odoogi32.exe Oaqbkn32.exe File created C:\Windows\SysWOW64\Iahqoq32.dll Ajggomog.exe File opened for modification C:\Windows\SysWOW64\Lobjni32.exe Lnangaoa.exe File created C:\Windows\SysWOW64\Jnjejjgh.exe Jklinohd.exe File opened for modification C:\Windows\SysWOW64\Jklinohd.exe Jcdala32.exe File created C:\Windows\SysWOW64\Maggnali.exe Mnhkbfme.exe File created C:\Windows\SysWOW64\Keldkigj.dll Oejbfmpg.exe File opened for modification C:\Windows\SysWOW64\Apaadpng.exe Aopemh32.exe File opened for modification C:\Windows\SysWOW64\Jbaojpgb.exe Jdnoplhh.exe File created C:\Windows\SysWOW64\Ofhjkmkl.dll Malpia32.exe File created C:\Windows\SysWOW64\Onmfimga.exe Offnhpfo.exe File created C:\Windows\SysWOW64\Omdppiif.exe Ofkgcobj.exe File opened for modification C:\Windows\SysWOW64\Pmiikh32.exe Pjkmomfn.exe File opened for modification C:\Windows\SysWOW64\Chdialdl.exe Bajqda32.exe File created C:\Windows\SysWOW64\Pchlpfjb.exe Phbhcmjl.exe File created C:\Windows\SysWOW64\Ljceqb32.exe Lcimdh32.exe File opened for modification C:\Windows\SysWOW64\Cfkmkf32.exe Cndeii32.exe File created C:\Windows\SysWOW64\Jppadk32.dll Objpoh32.exe File created C:\Windows\SysWOW64\Dmcain32.exe Ddligq32.exe File created C:\Windows\SysWOW64\Kegpifod.exe Komhll32.exe File created C:\Windows\SysWOW64\Bkamodje.dll Bogkmgba.exe File opened for modification C:\Windows\SysWOW64\Kjpijpdg.exe Kgamnded.exe File created C:\Windows\SysWOW64\Micoommd.dll Cijpahho.exe File created C:\Windows\SysWOW64\Lggldm32.exe Lgepom32.exe File opened for modification C:\Windows\SysWOW64\Gmojkj32.exe Gidnkkpc.exe File created C:\Windows\SysWOW64\Mmacdg32.dll Knnhjcog.exe File created C:\Windows\SysWOW64\Cklgfgfg.dll Bkphhgfc.exe File created C:\Windows\SysWOW64\Nldfjqkf.dll Mhoipb32.exe File opened for modification C:\Windows\SysWOW64\Bbgeno32.exe Bkmmaeap.exe File created C:\Windows\SysWOW64\Epmfkk32.dll Bjnmpl32.exe File opened for modification C:\Windows\SysWOW64\Llodgnja.exe Ljqhkckn.exe File opened for modification C:\Windows\SysWOW64\Kgjgne32.exe Kelkaj32.exe File created C:\Windows\SysWOW64\Gehcdm32.dll Nhmofj32.exe File created C:\Windows\SysWOW64\Cbfgkffn.exe Cohkokgj.exe File opened for modification C:\Windows\SysWOW64\Pcmeke32.exe Poajkgnc.exe File created C:\Windows\SysWOW64\Dcgmfg32.dll Lekmnajj.exe File created C:\Windows\SysWOW64\Enbjad32.exe Ekdnei32.exe File opened for modification C:\Windows\SysWOW64\Njmqnobn.exe Ncchae32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 15020 14912 WerFault.exe 762 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjbogmdb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nagpeo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omgcpokp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lopmii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgloefco.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nqmfdj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogekbb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibobdqid.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acfhad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Komhll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbicpfdk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kckqbj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Moipoh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opnbae32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igjngh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lndagg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aahbbkaq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpbpbecj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onmfimga.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhphmj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjedffig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kenggi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nafjjf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Malpia32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmcain32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eokqkh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljqhkckn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Caojpaij.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knbbep32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plbmokop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpejlmcf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddgibkpc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmkgkapm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfchlbfd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmiikh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phigif32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfaajnfb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jenmcggo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dahmfpap.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Najceeoo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plejdkmm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgipcogp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnadagbm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qklmpalf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ioolkncg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cklhcfle.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgogbgei.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oidhlb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldgccb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdglmkeg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fffhifdk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Paelfmaf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fiaael32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lijlof32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlnkmnah.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajggomog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lajagj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apmhiq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibaeen32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgnbdh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofmdio32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phcgcqab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nobdbkhf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Albpkc32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfookdli.dll" Nagpeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bjpjel32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ejlbhh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhghaf32.dll" Odoogi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgfeip32.dll" Cbfgkffn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kbpkkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kknombmk.dll" Nlphbnoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eplgeokq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jklinohd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgijpe32.dll" Bddcenpi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oadfkdgd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pibdmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Alelqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pfandnla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ennamn32.dll" Cklhcfle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plopnh32.dll" Oeokal32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pkbjjbda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abklmb32.dll" Cljobphg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Efpomccg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mgbefe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nqbpojnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Phcgcqab.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ckgohf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdmfqg32.dll" Najceeoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Najceeoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhnhbn32.dll" Ejlbhh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qoelkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmpjlk32.dll" Mqdcnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nliaao32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bheffh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cbfgkffn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Phfcipoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Adcjop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bajqda32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Icknfcol.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ojbacd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hlhccj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kdbjhbbd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Onmfimga.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cpfcfmlp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lalnmiia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fpejlmcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdbcfp32.dll" Jjafok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kmaopfjm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Blielbfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dheibpje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ankkea32.dll" Efeihb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Moipoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hammhcij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Icknfcol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilchfdgp.dll" Dmcain32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cqmmqg32.dll" Eifaim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqknpl32.dll" Hefnkkkj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pejkmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gofdmmgd.dll" Bhpfqcln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjjhhfnd.dll" Bedgjgkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelgfl32.dll" Cammjakm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgnfmhaj.dll" Nijeec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmlijb32.dll" Piijno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jpenfp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pnifekmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmpockdl.dll" Aknbkjfh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kkcfid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Phincl32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1340 wrote to memory of 4984 1340 0a23f135f1523e186408b95ff37d0963d00be96e3e66571393b6c0f87085525bN.exe 83 PID 1340 wrote to memory of 4984 1340 0a23f135f1523e186408b95ff37d0963d00be96e3e66571393b6c0f87085525bN.exe 83 PID 1340 wrote to memory of 4984 1340 0a23f135f1523e186408b95ff37d0963d00be96e3e66571393b6c0f87085525bN.exe 83 PID 4984 wrote to memory of 3208 4984 Gdfoio32.exe 84 PID 4984 wrote to memory of 3208 4984 Gdfoio32.exe 84 PID 4984 wrote to memory of 3208 4984 Gdfoio32.exe 84 PID 3208 wrote to memory of 2036 3208 Hnodaecc.exe 85 PID 3208 wrote to memory of 2036 3208 Hnodaecc.exe 85 PID 3208 wrote to memory of 2036 3208 Hnodaecc.exe 85 PID 2036 wrote to memory of 2040 2036 Hjedffig.exe 87 PID 2036 wrote to memory of 2040 2036 Hjedffig.exe 87 PID 2036 wrote to memory of 2040 2036 Hjedffig.exe 87 PID 2040 wrote to memory of 3960 2040 Hammhcij.exe 88 PID 2040 wrote to memory of 3960 2040 Hammhcij.exe 88 PID 2040 wrote to memory of 3960 2040 Hammhcij.exe 88 PID 3960 wrote to memory of 4444 3960 Hncmmd32.exe 90 PID 3960 wrote to memory of 4444 3960 Hncmmd32.exe 90 PID 3960 wrote to memory of 4444 3960 Hncmmd32.exe 90 PID 4444 wrote to memory of 5052 4444 Hglaej32.exe 91 PID 4444 wrote to memory of 5052 4444 Hglaej32.exe 91 PID 4444 wrote to memory of 5052 4444 Hglaej32.exe 91 PID 5052 wrote to memory of 2780 5052 Hpdfnolo.exe 93 PID 5052 wrote to memory of 2780 5052 Hpdfnolo.exe 93 PID 5052 wrote to memory of 2780 5052 Hpdfnolo.exe 93 PID 2780 wrote to memory of 2980 2780 Hkjjlhle.exe 94 PID 2780 wrote to memory of 2980 2780 Hkjjlhle.exe 94 PID 2780 wrote to memory of 2980 2780 Hkjjlhle.exe 94 PID 2980 wrote to memory of 4436 2980 Hnhghcki.exe 95 PID 2980 wrote to memory of 4436 2980 Hnhghcki.exe 95 PID 2980 wrote to memory of 4436 2980 Hnhghcki.exe 95 PID 4436 wrote to memory of 2312 4436 Iklgah32.exe 96 PID 4436 wrote to memory of 2312 4436 Iklgah32.exe 96 PID 4436 wrote to memory of 2312 4436 Iklgah32.exe 96 PID 2312 wrote to memory of 3772 2312 Iddljmpc.exe 97 PID 2312 wrote to memory of 3772 2312 Iddljmpc.exe 97 PID 2312 wrote to memory of 3772 2312 Iddljmpc.exe 97 PID 3772 wrote to memory of 2496 3772 Ikndgg32.exe 98 PID 3772 wrote to memory of 2496 3772 Ikndgg32.exe 98 PID 3772 wrote to memory of 2496 3772 Ikndgg32.exe 98 PID 2496 wrote to memory of 4112 2496 Igedlh32.exe 99 PID 2496 wrote to memory of 4112 2496 Igedlh32.exe 99 PID 2496 wrote to memory of 4112 2496 Igedlh32.exe 99 PID 4112 wrote to memory of 600 4112 Iakiia32.exe 100 PID 4112 wrote to memory of 600 4112 Iakiia32.exe 100 PID 4112 wrote to memory of 600 4112 Iakiia32.exe 100 PID 600 wrote to memory of 1220 600 Ihdafkdg.exe 101 PID 600 wrote to memory of 1220 600 Ihdafkdg.exe 101 PID 600 wrote to memory of 1220 600 Ihdafkdg.exe 101 PID 1220 wrote to memory of 3372 1220 Ikcmbfcj.exe 102 PID 1220 wrote to memory of 3372 1220 Ikcmbfcj.exe 102 PID 1220 wrote to memory of 3372 1220 Ikcmbfcj.exe 102 PID 3372 wrote to memory of 3400 3372 Iqpfjnba.exe 103 PID 3372 wrote to memory of 3400 3372 Iqpfjnba.exe 103 PID 3372 wrote to memory of 3400 3372 Iqpfjnba.exe 103 PID 3400 wrote to memory of 2928 3400 Igjngh32.exe 104 PID 3400 wrote to memory of 2928 3400 Igjngh32.exe 104 PID 3400 wrote to memory of 2928 3400 Igjngh32.exe 104 PID 2928 wrote to memory of 432 2928 Ikejgf32.exe 105 PID 2928 wrote to memory of 432 2928 Ikejgf32.exe 105 PID 2928 wrote to memory of 432 2928 Ikejgf32.exe 105 PID 432 wrote to memory of 3236 432 Ibobdqid.exe 106 PID 432 wrote to memory of 3236 432 Ibobdqid.exe 106 PID 432 wrote to memory of 3236 432 Ibobdqid.exe 106 PID 3236 wrote to memory of 3032 3236 Jdnoplhh.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\0a23f135f1523e186408b95ff37d0963d00be96e3e66571393b6c0f87085525bN.exe"C:\Users\Admin\AppData\Local\Temp\0a23f135f1523e186408b95ff37d0963d00be96e3e66571393b6c0f87085525bN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1340 -
C:\Windows\SysWOW64\Gdfoio32.exeC:\Windows\system32\Gdfoio32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4984 -
C:\Windows\SysWOW64\Hnodaecc.exeC:\Windows\system32\Hnodaecc.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3208 -
C:\Windows\SysWOW64\Hjedffig.exeC:\Windows\system32\Hjedffig.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2036 -
C:\Windows\SysWOW64\Hammhcij.exeC:\Windows\system32\Hammhcij.exe5⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2040 -
C:\Windows\SysWOW64\Hncmmd32.exeC:\Windows\system32\Hncmmd32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3960 -
C:\Windows\SysWOW64\Hglaej32.exeC:\Windows\system32\Hglaej32.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4444 -
C:\Windows\SysWOW64\Hpdfnolo.exeC:\Windows\system32\Hpdfnolo.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5052 -
C:\Windows\SysWOW64\Hkjjlhle.exeC:\Windows\system32\Hkjjlhle.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2780 -
C:\Windows\SysWOW64\Hnhghcki.exeC:\Windows\system32\Hnhghcki.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2980 -
C:\Windows\SysWOW64\Iklgah32.exeC:\Windows\system32\Iklgah32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4436 -
C:\Windows\SysWOW64\Iddljmpc.exeC:\Windows\system32\Iddljmpc.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2312 -
C:\Windows\SysWOW64\Ikndgg32.exeC:\Windows\system32\Ikndgg32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3772 -
C:\Windows\SysWOW64\Igedlh32.exeC:\Windows\system32\Igedlh32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2496 -
C:\Windows\SysWOW64\Iakiia32.exeC:\Windows\system32\Iakiia32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4112 -
C:\Windows\SysWOW64\Ihdafkdg.exeC:\Windows\system32\Ihdafkdg.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:600 -
C:\Windows\SysWOW64\Ikcmbfcj.exeC:\Windows\system32\Ikcmbfcj.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1220 -
C:\Windows\SysWOW64\Iqpfjnba.exeC:\Windows\system32\Iqpfjnba.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3372 -
C:\Windows\SysWOW64\Igjngh32.exeC:\Windows\system32\Igjngh32.exe19⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3400 -
C:\Windows\SysWOW64\Ikejgf32.exeC:\Windows\system32\Ikejgf32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2928 -
C:\Windows\SysWOW64\Ibobdqid.exeC:\Windows\system32\Ibobdqid.exe21⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:432 -
C:\Windows\SysWOW64\Jdnoplhh.exeC:\Windows\system32\Jdnoplhh.exe22⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3236 -
C:\Windows\SysWOW64\Jbaojpgb.exeC:\Windows\system32\Jbaojpgb.exe23⤵
- Executes dropped EXE
PID:3032 -
C:\Windows\SysWOW64\Jdpkflfe.exeC:\Windows\system32\Jdpkflfe.exe24⤵
- Executes dropped EXE
PID:1052 -
C:\Windows\SysWOW64\Jgogbgei.exeC:\Windows\system32\Jgogbgei.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1336 -
C:\Windows\SysWOW64\Jkjcbe32.exeC:\Windows\system32\Jkjcbe32.exe26⤵
- Executes dropped EXE
PID:1708 -
C:\Windows\SysWOW64\Jnhpoamf.exeC:\Windows\system32\Jnhpoamf.exe27⤵
- Executes dropped EXE
PID:2856 -
C:\Windows\SysWOW64\Jbdlop32.exeC:\Windows\system32\Jbdlop32.exe28⤵
- Executes dropped EXE
PID:460 -
C:\Windows\SysWOW64\Jdbhkk32.exeC:\Windows\system32\Jdbhkk32.exe29⤵
- Executes dropped EXE
PID:4684 -
C:\Windows\SysWOW64\Jgadgf32.exeC:\Windows\system32\Jgadgf32.exe30⤵
- Executes dropped EXE
PID:2676 -
C:\Windows\SysWOW64\Jjopcb32.exeC:\Windows\system32\Jjopcb32.exe31⤵
- Executes dropped EXE
PID:1084 -
C:\Windows\SysWOW64\Jnkldqkc.exeC:\Windows\system32\Jnkldqkc.exe32⤵
- Executes dropped EXE
PID:2860 -
C:\Windows\SysWOW64\Jqiipljg.exeC:\Windows\system32\Jqiipljg.exe33⤵
- Executes dropped EXE
PID:4524 -
C:\Windows\SysWOW64\Jdedak32.exeC:\Windows\system32\Jdedak32.exe34⤵
- Executes dropped EXE
PID:3516 -
C:\Windows\SysWOW64\Jgcamf32.exeC:\Windows\system32\Jgcamf32.exe35⤵
- Executes dropped EXE
PID:4820 -
C:\Windows\SysWOW64\Jkomneim.exeC:\Windows\system32\Jkomneim.exe36⤵
- Executes dropped EXE
PID:1716 -
C:\Windows\SysWOW64\Jnmijq32.exeC:\Windows\system32\Jnmijq32.exe37⤵
- Executes dropped EXE
PID:2948 -
C:\Windows\SysWOW64\Jqlefl32.exeC:\Windows\system32\Jqlefl32.exe38⤵
- Executes dropped EXE
PID:3560 -
C:\Windows\SysWOW64\Jdgafjpn.exeC:\Windows\system32\Jdgafjpn.exe39⤵
- Executes dropped EXE
PID:3132 -
C:\Windows\SysWOW64\Jgenbfoa.exeC:\Windows\system32\Jgenbfoa.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2804 -
C:\Windows\SysWOW64\Jkaicd32.exeC:\Windows\system32\Jkaicd32.exe41⤵
- Executes dropped EXE
PID:5040 -
C:\Windows\SysWOW64\Jnpfop32.exeC:\Windows\system32\Jnpfop32.exe42⤵
- Executes dropped EXE
PID:3280 -
C:\Windows\SysWOW64\Kqnbkl32.exeC:\Windows\system32\Kqnbkl32.exe43⤵
- Executes dropped EXE
PID:32 -
C:\Windows\SysWOW64\Kdinljnk.exeC:\Windows\system32\Kdinljnk.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:264 -
C:\Windows\SysWOW64\Kghjhemo.exeC:\Windows\system32\Kghjhemo.exe45⤵
- Executes dropped EXE
PID:4912 -
C:\Windows\SysWOW64\Kkcfid32.exeC:\Windows\system32\Kkcfid32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1756 -
C:\Windows\SysWOW64\Knbbep32.exeC:\Windows\system32\Knbbep32.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2504 -
C:\Windows\SysWOW64\Kbmoen32.exeC:\Windows\system32\Kbmoen32.exe48⤵
- Executes dropped EXE
PID:2640 -
C:\Windows\SysWOW64\Kelkaj32.exeC:\Windows\system32\Kelkaj32.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:424 -
C:\Windows\SysWOW64\Kgjgne32.exeC:\Windows\system32\Kgjgne32.exe50⤵
- Executes dropped EXE
PID:4396 -
C:\Windows\SysWOW64\Kjhcjq32.exeC:\Windows\system32\Kjhcjq32.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3644 -
C:\Windows\SysWOW64\Kbpkkn32.exeC:\Windows\system32\Kbpkkn32.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:2340 -
C:\Windows\SysWOW64\Kenggi32.exeC:\Windows\system32\Kenggi32.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3700 -
C:\Windows\SysWOW64\Kgmcce32.exeC:\Windows\system32\Kgmcce32.exe54⤵
- Executes dropped EXE
PID:2620 -
C:\Windows\SysWOW64\Knflpoqf.exeC:\Windows\system32\Knflpoqf.exe55⤵
- Executes dropped EXE
PID:1248 -
C:\Windows\SysWOW64\Kaehljpj.exeC:\Windows\system32\Kaehljpj.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1780 -
C:\Windows\SysWOW64\Kilpmh32.exeC:\Windows\system32\Kilpmh32.exe57⤵
- Executes dropped EXE
PID:1632 -
C:\Windows\SysWOW64\Kkjlic32.exeC:\Windows\system32\Kkjlic32.exe58⤵
- Executes dropped EXE
PID:4376 -
C:\Windows\SysWOW64\Kniieo32.exeC:\Windows\system32\Kniieo32.exe59⤵
- Executes dropped EXE
PID:3440 -
C:\Windows\SysWOW64\Kecabifp.exeC:\Windows\system32\Kecabifp.exe60⤵
- Executes dropped EXE
PID:2800 -
C:\Windows\SysWOW64\Kgamnded.exeC:\Windows\system32\Kgamnded.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4152 -
C:\Windows\SysWOW64\Kjpijpdg.exeC:\Windows\system32\Kjpijpdg.exe62⤵
- Executes dropped EXE
PID:4676 -
C:\Windows\SysWOW64\Lajagj32.exeC:\Windows\system32\Lajagj32.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4692 -
C:\Windows\SysWOW64\Lgcjdd32.exeC:\Windows\system32\Lgcjdd32.exe64⤵
- Executes dropped EXE
PID:2352 -
C:\Windows\SysWOW64\Ljbfpo32.exeC:\Windows\system32\Ljbfpo32.exe65⤵
- Executes dropped EXE
PID:3104 -
C:\Windows\SysWOW64\Lalnmiia.exeC:\Windows\system32\Lalnmiia.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:5108 -
C:\Windows\SysWOW64\Licfngjd.exeC:\Windows\system32\Licfngjd.exe67⤵PID:4568
-
C:\Windows\SysWOW64\Lkabjbih.exeC:\Windows\system32\Lkabjbih.exe68⤵PID:4976
-
C:\Windows\SysWOW64\Lbkkgl32.exeC:\Windows\system32\Lbkkgl32.exe69⤵PID:928
-
C:\Windows\SysWOW64\Lejgch32.exeC:\Windows\system32\Lejgch32.exe70⤵PID:1036
-
C:\Windows\SysWOW64\Lghcocol.exeC:\Windows\system32\Lghcocol.exe71⤵PID:5048
-
C:\Windows\SysWOW64\Lnbklm32.exeC:\Windows\system32\Lnbklm32.exe72⤵PID:1236
-
C:\Windows\SysWOW64\Laqhhi32.exeC:\Windows\system32\Laqhhi32.exe73⤵PID:3968
-
C:\Windows\SysWOW64\Llflea32.exeC:\Windows\system32\Llflea32.exe74⤵PID:2408
-
C:\Windows\SysWOW64\Ljilqnlm.exeC:\Windows\system32\Ljilqnlm.exe75⤵PID:1500
-
C:\Windows\SysWOW64\Lacdmh32.exeC:\Windows\system32\Lacdmh32.exe76⤵PID:1740
-
C:\Windows\SysWOW64\Lijlof32.exeC:\Windows\system32\Lijlof32.exe77⤵
- System Location Discovery: System Language Discovery
PID:5064 -
C:\Windows\SysWOW64\Llhikacp.exeC:\Windows\system32\Llhikacp.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2820 -
C:\Windows\SysWOW64\Mngegmbc.exeC:\Windows\system32\Mngegmbc.exe79⤵PID:4496
-
C:\Windows\SysWOW64\Meamcg32.exeC:\Windows\system32\Meamcg32.exe80⤵PID:3564
-
C:\Windows\SysWOW64\Mhoipb32.exeC:\Windows\system32\Mhoipb32.exe81⤵
- Drops file in System32 directory
PID:1648 -
C:\Windows\SysWOW64\Mniallpq.exeC:\Windows\system32\Mniallpq.exe82⤵PID:4360
-
C:\Windows\SysWOW64\Mecjif32.exeC:\Windows\system32\Mecjif32.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1528 -
C:\Windows\SysWOW64\Mjpbam32.exeC:\Windows\system32\Mjpbam32.exe84⤵PID:1588
-
C:\Windows\SysWOW64\Majjng32.exeC:\Windows\system32\Majjng32.exe85⤵PID:1972
-
C:\Windows\SysWOW64\Miaboe32.exeC:\Windows\system32\Miaboe32.exe86⤵PID:1192
-
C:\Windows\SysWOW64\Mjbogmdb.exeC:\Windows\system32\Mjbogmdb.exe87⤵
- System Location Discovery: System Language Discovery
PID:4484 -
C:\Windows\SysWOW64\Malgcg32.exeC:\Windows\system32\Malgcg32.exe88⤵PID:4388
-
C:\Windows\SysWOW64\Mjellmbp.exeC:\Windows\system32\Mjellmbp.exe89⤵PID:772
-
C:\Windows\SysWOW64\Mblcnj32.exeC:\Windows\system32\Mblcnj32.exe90⤵PID:4500
-
C:\Windows\SysWOW64\Maodigil.exeC:\Windows\system32\Maodigil.exe91⤵PID:2284
-
C:\Windows\SysWOW64\Mifljdjo.exeC:\Windows\system32\Mifljdjo.exe92⤵PID:2656
-
C:\Windows\SysWOW64\Mldhfpib.exeC:\Windows\system32\Mldhfpib.exe93⤵PID:1168
-
C:\Windows\SysWOW64\Nobdbkhf.exeC:\Windows\system32\Nobdbkhf.exe94⤵
- System Location Discovery: System Language Discovery
PID:3708 -
C:\Windows\SysWOW64\Naaqofgj.exeC:\Windows\system32\Naaqofgj.exe95⤵PID:1408
-
C:\Windows\SysWOW64\Nlfelogp.exeC:\Windows\system32\Nlfelogp.exe96⤵PID:2844
-
C:\Windows\SysWOW64\Nacmdf32.exeC:\Windows\system32\Nacmdf32.exe97⤵PID:372
-
C:\Windows\SysWOW64\Nijeec32.exeC:\Windows\system32\Nijeec32.exe98⤵
- Modifies registry class
PID:3680 -
C:\Windows\SysWOW64\Nliaao32.exeC:\Windows\system32\Nliaao32.exe99⤵
- Modifies registry class
PID:1300 -
C:\Windows\SysWOW64\Nognnj32.exeC:\Windows\system32\Nognnj32.exe100⤵PID:5132
-
C:\Windows\SysWOW64\Nafjjf32.exeC:\Windows\system32\Nafjjf32.exe101⤵
- System Location Discovery: System Language Discovery
PID:5172 -
C:\Windows\SysWOW64\Nlkngo32.exeC:\Windows\system32\Nlkngo32.exe102⤵PID:5212
-
C:\Windows\SysWOW64\Nojjcj32.exeC:\Windows\system32\Nojjcj32.exe103⤵
- Drops file in System32 directory
PID:5284 -
C:\Windows\SysWOW64\Neccpd32.exeC:\Windows\system32\Neccpd32.exe104⤵PID:5340
-
C:\Windows\SysWOW64\Nlnkmnah.exeC:\Windows\system32\Nlnkmnah.exe105⤵
- System Location Discovery: System Language Discovery
PID:5380 -
C:\Windows\SysWOW64\Nbgcih32.exeC:\Windows\system32\Nbgcih32.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5420 -
C:\Windows\SysWOW64\Najceeoo.exeC:\Windows\system32\Najceeoo.exe107⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5452 -
C:\Windows\SysWOW64\Niakfbpa.exeC:\Windows\system32\Niakfbpa.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5500 -
C:\Windows\SysWOW64\Nlphbnoe.exeC:\Windows\system32\Nlphbnoe.exe109⤵
- Modifies registry class
PID:5540 -
C:\Windows\SysWOW64\Oondnini.exeC:\Windows\system32\Oondnini.exe110⤵PID:5580
-
C:\Windows\SysWOW64\Objpoh32.exeC:\Windows\system32\Objpoh32.exe111⤵
- Drops file in System32 directory
PID:5620 -
C:\Windows\SysWOW64\Oehlkc32.exeC:\Windows\system32\Oehlkc32.exe112⤵PID:5656
-
C:\Windows\SysWOW64\Oidhlb32.exeC:\Windows\system32\Oidhlb32.exe113⤵
- System Location Discovery: System Language Discovery
PID:5700 -
C:\Windows\SysWOW64\Olbdhn32.exeC:\Windows\system32\Olbdhn32.exe114⤵PID:5740
-
C:\Windows\SysWOW64\Ooqqdi32.exeC:\Windows\system32\Ooqqdi32.exe115⤵PID:5780
-
C:\Windows\SysWOW64\Oblmdhdo.exeC:\Windows\system32\Oblmdhdo.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5820 -
C:\Windows\SysWOW64\Oekiqccc.exeC:\Windows\system32\Oekiqccc.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5860 -
C:\Windows\SysWOW64\Ohiemobf.exeC:\Windows\system32\Ohiemobf.exe118⤵PID:5900
-
C:\Windows\SysWOW64\Okgaijaj.exeC:\Windows\system32\Okgaijaj.exe119⤵PID:5940
-
C:\Windows\SysWOW64\Oboijgbl.exeC:\Windows\system32\Oboijgbl.exe120⤵PID:5980
-
C:\Windows\SysWOW64\Oaajed32.exeC:\Windows\system32\Oaajed32.exe121⤵PID:6020
-
C:\Windows\SysWOW64\Oihagaji.exeC:\Windows\system32\Oihagaji.exe122⤵PID:6060
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-