Analysis
max time kernel: 81s
max time network: 19s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 12/11/2024, 11:50
Static task: static1
Behavioral task: behavioral1
  Sample: 5ec03d04aecbe3ca0d23caab7f86c80e0dc7c33a62e603a4e89cff1ff1604074N.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: 5ec03d04aecbe3ca0d23caab7f86c80e0dc7c33a62e603a4e89cff1ff1604074N.exe
  Resource: win10v2004-20241007-en
General
Target: 5ec03d04aecbe3ca0d23caab7f86c80e0dc7c33a62e603a4e89cff1ff1604074N.exe
Size: 768KB
MD5: b5f817e660d335cf353cd88f0d8fdd40
SHA1: 95afc905f7a646bba6b336c7a6e92ab667f4b9c8
SHA256: 5ec03d04aecbe3ca0d23caab7f86c80e0dc7c33a62e603a4e89cff1ff1604074
SHA512: 31482acb41a46c8f4b20fce39e355ba212e57b331958506843569de3f96ae2be512c929a312c398d8bd4ca84effbb9cdfa3470f0ee31d82278ecdd000ea4a845
SSDEEP: 12288:wzBy+/+zrWAI5KFum/+zrWAIAqWim/+zrWAI5KF4cr6VDsEqacjgqANXcol27Z5Y:qI+m0BmmvFimm0Xcr6VDsEqacjgqANXF
Malware Config
Extracted: berbew
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Berbew family
Executes dropped EXE 64 IoCs
Loads dropped DLL 64 IoCs
Drops file in System32 directory 64 IoCs
Program crash 1 IoCs
pid | pid_target | Process | procid_target
1976 | 1148 | WerFault.exe | 436
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 3052 wrote to memory of 2904 | 3052 | 5ec03d04aecbe3ca0d23caab7f86c80e0dc7c33a62e603a4e89cff1ff1604074N.exe | 30
PID 3052 wrote to memory of 2904 | 3052 | 5ec03d04aecbe3ca0d23caab7f86c80e0dc7c33a62e603a4e89cff1ff1604074N.exe | 30
PID 3052 wrote to memory of 2904 | 3052 | 5ec03d04aecbe3ca0d23caab7f86c80e0dc7c33a62e603a4e89cff1ff1604074N.exe | 30
PID 3052 wrote to memory of 2904 | 3052 | 5ec03d04aecbe3ca0d23caab7f86c80e0dc7c33a62e603a4e89cff1ff1604074N.exe | 30
PID 2904 wrote to memory of 2824 | 2904 | Kageia32.exe | 31
PID 2904 wrote to memory of 2824 | 2904 | Kageia32.exe | 31
PID 2904 wrote to memory of 2824 | 2904 | Kageia32.exe | 31
PID 2904 wrote to memory of 2824 | 2904 | Kageia32.exe | 31
PID 2824 wrote to memory of 2736 | 2824 | Kkojbf32.exe | 32
PID 2824 wrote to memory of 2736 | 2824 | Kkojbf32.exe | 32
PID 2824 wrote to memory of 2736 | 2824 | Kkojbf32.exe | 32
PID 2824 wrote to memory of 2736 | 2824 | Kkojbf32.exe | 32
PID 2736 wrote to memory of 2860 | 2736 | Llpfjomf.exe | 33
PID 2736 wrote to memory of 2860 | 2736 | Llpfjomf.exe | 33
PID 2736 wrote to memory of 2860 | 2736 | Llpfjomf.exe | 33
PID 2736 wrote to memory of 2860 | 2736 | Llpfjomf.exe | 33
PID 2860 wrote to memory of 2660 | 2860 | Lmpcca32.exe | 34
PID 2860 wrote to memory of 2660 | 2860 | Lmpcca32.exe | 34
PID 2860 wrote to memory of 2660 | 2860 | Lmpcca32.exe | 34
PID 2860 wrote to memory of 2660 | 2860 | Lmpcca32.exe | 34
PID 2660 wrote to memory of 2684 | 2660 | Lcmklh32.exe | 35
PID 2660 wrote to memory of 2684 | 2660 | Lcmklh32.exe | 35
PID 2660 wrote to memory of 2684 | 2660 | Lcmklh32.exe | 35
PID 2660 wrote to memory of 2684 | 2660 | Lcmklh32.exe | 35
PID 2684 wrote to memory of 2520 | 2684 | Lcohahpn.exe | 36
PID 2684 wrote to memory of 2520 | 2684 | Lcohahpn.exe | 36
PID 2684 wrote to memory of 2520 | 2684 | Lcohahpn.exe | 36
PID 2684 wrote to memory of 2520 | 2684 | Lcohahpn.exe | 36
PID 2520 wrote to memory of 1064 | 2520 | Llgljn32.exe | 37
PID 2520 wrote to memory of 1064 | 2520 | Llgljn32.exe | 37
PID 2520 wrote to memory of 1064 | 2520 | Llgljn32.exe | 37
PID 2520 wrote to memory of 1064 | 2520 | Llgljn32.exe | 37
PID 1064 wrote to memory of 1788 | 1064 | Ladebd32.exe | 38
PID 1064 wrote to memory of 1788 | 1064 | Ladebd32.exe | 38
PID 1064 wrote to memory of 1788 | 1064 | Ladebd32.exe | 38
PID 1064 wrote to memory of 1788 | 1064 | Ladebd32.exe | 38
PID 1788 wrote to memory of 2280 | 1788 | Mdendpbg.exe | 39
PID 1788 wrote to memory of 2280 | 1788 | Mdendpbg.exe | 39
PID 1788 wrote to memory of 2280 | 1788 | Mdendpbg.exe | 39
PID 1788 wrote to memory of 2280 | 1788 | Mdendpbg.exe | 39
PID 2280 wrote to memory of 1252 | 2280 | Mainndaq.exe | 40
PID 2280 wrote to memory of 1252 | 2280 | Mainndaq.exe | 40
PID 2280 wrote to memory of 1252 | 2280 | Mainndaq.exe | 40
PID 2280 wrote to memory of 1252 | 2280 | Mainndaq.exe | 40
PID 1252 wrote to memory of 2792 | 1252 | Mkacfiga.exe | 41
PID 1252 wrote to memory of 2792 | 1252 | Mkacfiga.exe | 41
PID 1252 wrote to memory of 2792 | 1252 | Mkacfiga.exe | 41
PID 1252 wrote to memory of 2792 | 1252 | Mkacfiga.exe | 41
PID 2792 wrote to memory of 2496 | 2792 | Mkcplien.exe | 42
PID 2792 wrote to memory of 2496 | 2792 | Mkcplien.exe | 42
PID 2792 wrote to memory of 2496 | 2792 | Mkcplien.exe | 42
PID 2792 wrote to memory of 2496 | 2792 | Mkcplien.exe | 42
PID 2496 wrote to memory of 2588 | 2496 | Mcodqkbi.exe | 43
PID 2496 wrote to memory of 2588 | 2496 | Mcodqkbi.exe | 43
PID 2496 wrote to memory of 2588 | 2496 | Mcodqkbi.exe | 43
PID 2496 wrote to memory of 2588 | 2496 | Mcodqkbi.exe | 43
PID 2588 wrote to memory of 1348 | 2588 | Mlgiiaij.exe | 44
PID 2588 wrote to memory of 1348 | 2588 | Mlgiiaij.exe | 44
PID 2588 wrote to memory of 1348 | 2588 | Mlgiiaij.exe | 44
PID 2588 wrote to memory of 1348 | 2588 | Mlgiiaij.exe | 44
PID 1348 wrote to memory of 1044 | 1348 | Mjkibehc.exe | 45
PID 1348 wrote to memory of 1044 | 1348 | Mjkibehc.exe | 45
PID 1348 wrote to memory of 1044 | 1348 | Mjkibehc.exe | 45
PID 1348 wrote to memory of 1044 | 1348 | Mjkibehc.exe | 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\5ec03d04aecbe3ca0d23caab7f86c80e0dc7c33a62e603a4e89cff1ff1604074N.exe (command line: "C:\Users\Admin\AppData\Local\Temp\5ec03d04aecbe3ca0d23caab7f86c80e0dc7c33a62e603a4e89cff1ff1604074N.exe"; depth 1)
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3052
-
C:\Windows\SysWOW64\Kageia32.exe (command line: C:\Windows\system32\Kageia32.exe; depth 2)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2904
-
C:\Windows\SysWOW64\Kkojbf32.exe (command line: C:\Windows\system32\Kkojbf32.exe; depth 3)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2824
-
C:\Windows\SysWOW64\Llpfjomf.exe (command line: C:\Windows\system32\Llpfjomf.exe; depth 4)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2736
-
C:\Windows\SysWOW64\Lmpcca32.exe (command line: C:\Windows\system32\Lmpcca32.exe; depth 5)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2860
-
C:\Windows\SysWOW64\Lcmklh32.exe (command line: C:\Windows\system32\Lcmklh32.exe; depth 6)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2660
-
C:\Windows\SysWOW64\Lcohahpn.exe (command line: C:\Windows\system32\Lcohahpn.exe; depth 7)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2684
-
C:\Windows\SysWOW64\Llgljn32.exe (command line: C:\Windows\system32\Llgljn32.exe; depth 8)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2520
-
C:\Windows\SysWOW64\Ladebd32.exe (command line: C:\Windows\system32\Ladebd32.exe; depth 9)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1064
-
C:\Windows\SysWOW64\Mdendpbg.exe (command line: C:\Windows\system32\Mdendpbg.exe; depth 10)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1788
-
C:\Windows\SysWOW64\Mainndaq.exe (command line: C:\Windows\system32\Mainndaq.exe; depth 11)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2280
-
C:\Windows\SysWOW64\Mkacfiga.exe (command line: C:\Windows\system32\Mkacfiga.exe; depth 12)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1252
-
C:\Windows\SysWOW64\Mkcplien.exe (command line: C:\Windows\system32\Mkcplien.exe; depth 13)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2792
-
C:\Windows\SysWOW64\Mcodqkbi.exe (command line: C:\Windows\system32\Mcodqkbi.exe; depth 14)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2496
-
C:\Windows\SysWOW64\Mlgiiaij.exe (command line: C:\Windows\system32\Mlgiiaij.exe; depth 15)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2588
-
C:\Windows\SysWOW64\Mjkibehc.exe (command line: C:\Windows\system32\Mjkibehc.exe; depth 16)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1348
-
C:\Windows\SysWOW64\Nhbciaki.exe (command line: C:\Windows\system32\Nhbciaki.exe; depth 17)
- Executes dropped EXE
- Loads dropped DLL
PID:1044
-
C:\Windows\SysWOW64\Nnahgh32.exe (command line: C:\Windows\system32\Nnahgh32.exe; depth 18)
- Executes dropped EXE
- Loads dropped DLL
PID:2408
-
C:\Windows\SysWOW64\Ogliemkk.exe (command line: C:\Windows\system32\Ogliemkk.exe; depth 19)
- Executes dropped EXE
- Loads dropped DLL
PID:1772
-
C:\Windows\SysWOW64\Ogofkm32.exe (command line: C:\Windows\system32\Ogofkm32.exe; depth 20)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:332
-
C:\Windows\SysWOW64\Ogabql32.exe (command line: C:\Windows\system32\Ogabql32.exe; depth 21)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1964
-
C:\Windows\SysWOW64\Oaigib32.exe (command line: C:\Windows\system32\Oaigib32.exe; depth 22)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2068
-
C:\Windows\SysWOW64\Omphocck.exe (command line: C:\Windows\system32\Omphocck.exe; depth 23)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2104
-
C:\Windows\SysWOW64\Pbajbi32.exe (command line: C:\Windows\system32\Pbajbi32.exe; depth 24)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1040
-
C:\Windows\SysWOW64\Pilbocej.exe (command line: C:\Windows\system32\Pilbocej.exe; depth 25)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2528
-
C:\Windows\SysWOW64\Pnhjgj32.exe (command line: C:\Windows\system32\Pnhjgj32.exe; depth 26)
- Executes dropped EXE
- Loads dropped DLL
PID:2216
-
C:\Windows\SysWOW64\Aohgfm32.exe (command line: C:\Windows\system32\Aohgfm32.exe; depth 27)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2464
-
C:\Windows\SysWOW64\Alaqjaaa.exe (command line: C:\Windows\system32\Alaqjaaa.exe; depth 28)
- Executes dropped EXE
- Loads dropped DLL
PID:2360
-
C:\Windows\SysWOW64\Agkako32.exe (command line: C:\Windows\system32\Agkako32.exe; depth 29)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2608
-
C:\Windows\SysWOW64\Bdaojbjf.exe (command line: C:\Windows\system32\Bdaojbjf.exe; depth 30)
- Executes dropped EXE
- Loads dropped DLL
PID:1476
-
C:\Windows\SysWOW64\Bgahkngh.exe (command line: C:\Windows\system32\Bgahkngh.exe; depth 31)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2072
-
C:\Windows\SysWOW64\Bchhqo32.exe (command line: C:\Windows\system32\Bchhqo32.exe; depth 32)
- Executes dropped EXE
- Loads dropped DLL
PID:528
-
C:\Windows\SysWOW64\Bheaiekc.exe (command line: C:\Windows\system32\Bheaiekc.exe; depth 33)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3008
-
C:\Windows\SysWOW64\Bfiabjjm.exe (command line: C:\Windows\system32\Bfiabjjm.exe; depth 34)
- Executes dropped EXE
- Drops file in System32 directory
PID:2256
-
C:\Windows\SysWOW64\Dcjaeamd.exe (command line: C:\Windows\system32\Dcjaeamd.exe; depth 35)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:980
-
C:\Windows\SysWOW64\Dmebcgbb.exe (command line: C:\Windows\system32\Dmebcgbb.exe; depth 36)
- Executes dropped EXE
PID:1596
-
C:\Windows\SysWOW64\Djicmk32.exe (command line: C:\Windows\system32\Djicmk32.exe; depth 37)
- Executes dropped EXE
- Drops file in System32 directory
PID:1552
-
C:\Windows\SysWOW64\Eejjnhgc.exe (command line: C:\Windows\system32\Eejjnhgc.exe; depth 38)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2488
-
C:\Windows\SysWOW64\Enbogmnc.exe (command line: C:\Windows\system32\Enbogmnc.exe; depth 39)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1716
-
C:\Windows\SysWOW64\Efppqoil.exe (command line: C:\Windows\system32\Efppqoil.exe; depth 40)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2640
-
C:\Windows\SysWOW64\Fegjgkla.exe (command line: C:\Windows\system32\Fegjgkla.exe; depth 41)
- Executes dropped EXE
PID:892
-
C:\Windows\SysWOW64\Ffgfancd.exe (command line: C:\Windows\system32\Ffgfancd.exe; depth 42)
- Executes dropped EXE
PID:2380
-
C:\Windows\SysWOW64\Fpokjd32.exe (command line: C:\Windows\system32\Fpokjd32.exe; depth 43)
- Executes dropped EXE
PID:1580
-
C:\Windows\SysWOW64\Fodgkp32.exe (command line: C:\Windows\system32\Fodgkp32.exe; depth 44)
- Executes dropped EXE
PID:2884
-
C:\Windows\SysWOW64\Fogdap32.exe (command line: C:\Windows\system32\Fogdap32.exe; depth 45)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2784
-
C:\Windows\SysWOW64\Ggfbpaeo.exe (command line: C:\Windows\system32\Ggfbpaeo.exe; depth 46)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1652
-
C:\Windows\SysWOW64\Gdjcjf32.exe (command line: C:\Windows\system32\Gdjcjf32.exe; depth 47)
- Executes dropped EXE
PID:1784
-
C:\Windows\SysWOW64\Geloanjg.exe (command line: C:\Windows\system32\Geloanjg.exe; depth 48)
- Executes dropped EXE
- Modifies registry class
PID:2008
-
C:\Windows\SysWOW64\Hijhhl32.exe (command line: C:\Windows\system32\Hijhhl32.exe; depth 49)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1696
-
C:\Windows\SysWOW64\Hdefnjkj.exe (command line: C:\Windows\system32\Hdefnjkj.exe; depth 50)
- Executes dropped EXE
PID:2264
-
C:\Windows\SysWOW64\Hdhbci32.exe (command line: C:\Windows\system32\Hdhbci32.exe; depth 51)
- Executes dropped EXE
PID:2840
-
C:\Windows\SysWOW64\Halcmn32.exe (command line: C:\Windows\system32\Halcmn32.exe; depth 52)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2136
-
C:\Windows\SysWOW64\Hjggap32.exe (command line: C:\Windows\system32\Hjggap32.exe; depth 53)
- Executes dropped EXE
- Modifies registry class
PID:2220
-
C:\Windows\SysWOW64\Iqapnjli.exe (command line: C:\Windows\system32\Iqapnjli.exe; depth 54)
- Executes dropped EXE
PID:2324
-
C:\Windows\SysWOW64\Imhqbkbm.exe (command line: C:\Windows\system32\Imhqbkbm.exe; depth 55)
- Executes dropped EXE
- Modifies registry class
PID:1508
-
C:\Windows\SysWOW64\Icbipe32.exe (command line: C:\Windows\system32\Icbipe32.exe; depth 56)
- Executes dropped EXE
- Modifies registry class
PID:1824
-
C:\Windows\SysWOW64\Iqfiii32.exe (command line: C:\Windows\system32\Iqfiii32.exe; depth 57)
- Executes dropped EXE
PID:2836
-
C:\Windows\SysWOW64\Ijnnao32.exe (command line: C:\Windows\system32\Ijnnao32.exe; depth 58)
- Executes dropped EXE
PID:388
-
C:\Windows\SysWOW64\Jbnlaqhi.exe (command line: C:\Windows\system32\Jbnlaqhi.exe; depth 59)
- Executes dropped EXE
PID:2776
-
C:\Windows\SysWOW64\Jnemfa32.exe (command line: C:\Windows\system32\Jnemfa32.exe; depth 60)
- Executes dropped EXE
PID:2796
-
C:\Windows\SysWOW64\Jgmaog32.exe (command line: C:\Windows\system32\Jgmaog32.exe; depth 61)
- Executes dropped EXE
PID:1612
-
C:\Windows\SysWOW64\Jaeehmko.exe (command line: C:\Windows\system32\Jaeehmko.exe; depth 62)
- Executes dropped EXE
PID:2272
-
C:\Windows\SysWOW64\Jmocbnop.exe (command line: C:\Windows\system32\Jmocbnop.exe; depth 63)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2428
-
C:\Windows\SysWOW64\Kmaphmln.exe (command line: C:\Windows\system32\Kmaphmln.exe; depth 64)
- Executes dropped EXE
- Drops file in System32 directory
PID:2680
-
C:\Windows\SysWOW64\Kbnhpdke.exe (command line: C:\Windows\system32\Kbnhpdke.exe; depth 65)
- Executes dropped EXE
PID:1288
-
C:\Windows\SysWOW64\Kbpefc32.exe (command line: C:\Windows\system32\Kbpefc32.exe; depth 66)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2320
-
C:\Windows\SysWOW64\Keoabo32.exe (command line: C:\Windows\system32\Keoabo32.exe; depth 67)
PID:2260
-
C:\Windows\SysWOW64\Klhioioc.exe (command line: C:\Windows\system32\Klhioioc.exe; depth 68)
PID:2208
-
C:\Windows\SysWOW64\Kfnnlboi.exe (command line: C:\Windows\system32\Kfnnlboi.exe; depth 69)
PID:2916
-
C:\Windows\SysWOW64\Klkfdi32.exe (command line: C:\Windows\system32\Klkfdi32.exe; depth 70)
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2484
-
C:\Windows\SysWOW64\Kaholp32.exe (command line: C:\Windows\system32\Kaholp32.exe; depth 71)
PID:2940
-
C:\Windows\SysWOW64\Lolofd32.exe (command line: C:\Windows\system32\Lolofd32.exe; depth 72)
PID:564
-
C:\Windows\SysWOW64\Llpoohik.exe (command line: C:\Windows\system32\Llpoohik.exe; depth 73)
PID:2732
-
C:\Windows\SysWOW64\Lhfpdi32.exe (command line: C:\Windows\system32\Lhfpdi32.exe; depth 74)
PID:884
-
C:\Windows\SysWOW64\Lmcilp32.exe (command line: C:\Windows\system32\Lmcilp32.exe; depth 75)
- System Location Discovery: System Language Discovery
PID:2516
-
C:\Windows\SysWOW64\Lhimji32.exe (command line: C:\Windows\system32\Lhimji32.exe; depth 76)
PID:2356
-
C:\Windows\SysWOW64\Lpdankjg.exe (command line: C:\Windows\system32\Lpdankjg.exe; depth 77)
PID:1648
-
C:\Windows\SysWOW64\Miclhpjp.exe (command line: C:\Windows\system32\Miclhpjp.exe; depth 78)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1484
-
C:\Windows\SysWOW64\Mclqqeaq.exe (command line: C:\Windows\system32\Mclqqeaq.exe; depth 79)
- Modifies registry class
PID:264
-
C:\Windows\SysWOW64\Nhmbdl32.exe (command line: C:\Windows\system32\Nhmbdl32.exe; depth 80)
PID:1980
-
C:\Windows\SysWOW64\Njnokdaq.exe (command line: C:\Windows\system32\Njnokdaq.exe; depth 81)
- Modifies registry class
PID:2232
-
C:\Windows\SysWOW64\Nfglfdeb.exe (command line: C:\Windows\system32\Nfglfdeb.exe; depth 82)
PID:2184
-
C:\Windows\SysWOW64\Ncnjeh32.exe (command line: C:\Windows\system32\Ncnjeh32.exe; depth 83)
PID:316
-
C:\Windows\SysWOW64\Nhkbmo32.exe (command line: C:\Windows\system32\Nhkbmo32.exe; depth 84)
PID:748
-
C:\Windows\SysWOW64\Ofobgc32.exe (command line: C:\Windows\system32\Ofobgc32.exe; depth 85)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1932
-
C:\Windows\SysWOW64\Obecld32.exe (command line: C:\Windows\system32\Obecld32.exe; depth 86)
PID:2328
-
C:\Windows\SysWOW64\Ogbldk32.exe (command line: C:\Windows\system32\Ogbldk32.exe; depth 87)
PID:1692
-
C:\Windows\SysWOW64\Oqkpmaif.exe (command line: C:\Windows\system32\Oqkpmaif.exe; depth 88)
- Modifies registry class
PID:3064
-
C:\Windows\SysWOW64\Okpdjjil.exe (command line: C:\Windows\system32\Okpdjjil.exe; depth 89)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2816
-
C:\Windows\SysWOW64\Oqmmbqgd.exe (command line: C:\Windows\system32\Oqmmbqgd.exe; depth 90)
PID:2632
-
C:\Windows\SysWOW64\Omcngamh.exe (command line: C:\Windows\system32\Omcngamh.exe; depth 91)
PID:2952
-
C:\Windows\SysWOW64\Paafmp32.exe (command line: C:\Windows\system32\Paafmp32.exe; depth 92)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2448
-
C:\Windows\SysWOW64\Padccpal.exe (command line: C:\Windows\system32\Padccpal.exe; depth 93)
- System Location Discovery: System Language Discovery
PID:1640
-
C:\Windows\SysWOW64\Ppipdl32.exe (command line: C:\Windows\system32\Ppipdl32.exe; depth 94)
PID:568
-
C:\Windows\SysWOW64\Piadma32.exe (command line: C:\Windows\system32\Piadma32.exe; depth 95)
- Modifies registry class
PID:3000
-
C:\Windows\SysWOW64\Ppkmjlca.exe (command line: C:\Windows\system32\Ppkmjlca.exe; depth 96)
- System Location Discovery: System Language Discovery
PID:2768
-
C:\Windows\SysWOW64\Pfeeff32.exe (command line: C:\Windows\system32\Pfeeff32.exe; depth 97)
- Modifies registry class
PID:1616
-
C:\Windows\SysWOW64\Plbmom32.exe (command line: C:\Windows\system32\Plbmom32.exe; depth 98)
- Modifies registry class
PID:704
-
C:\Windows\SysWOW64\Qblfkgqb.exe (command line: C:\Windows\system32\Qblfkgqb.exe; depth 99)
PID:976
-
C:\Windows\SysWOW64\Qaablcej.exe (command line: C:\Windows\system32\Qaablcej.exe; depth 100)
PID:2984
-
C:\Windows\SysWOW64\Adblnnbk.exe (command line: C:\Windows\system32\Adblnnbk.exe; depth 101)
- Drops file in System32 directory
- Modifies registry class
PID:1928
-
C:\Windows\SysWOW64\Aaflgb32.exe (command line: C:\Windows\system32\Aaflgb32.exe; depth 102)
PID:2756
-
C:\Windows\SysWOW64\Afcdpi32.exe (command line: C:\Windows\system32\Afcdpi32.exe; depth 103)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:628
-
C:\Windows\SysWOW64\Amafgc32.exe (command line: C:\Windows\system32\Amafgc32.exe; depth 104)
PID:2000
-
C:\Windows\SysWOW64\Abnopj32.exe (command line: C:\Windows\system32\Abnopj32.exe; depth 105)
- Modifies registry class
PID:2120
-
C:\Windows\SysWOW64\Bhkghqpb.exe (command line: C:\Windows\system32\Bhkghqpb.exe; depth 106)
- Drops file in System32 directory
PID:2492
-
C:\Windows\SysWOW64\Bhndnpnp.exe (command line: C:\Windows\system32\Bhndnpnp.exe; depth 107)
PID:1396
-
C:\Windows\SysWOW64\Beadgdli.exe (command line: C:\Windows\system32\Beadgdli.exe; depth 108)
- Modifies registry class
PID:1976
-
C:\Windows\SysWOW64\Boleejag.exe (command line: C:\Windows\system32\Boleejag.exe; depth 109)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1656
-
C:\Windows\SysWOW64\Bdinnqon.exe (command line: C:\Windows\system32\Bdinnqon.exe; depth 110)
PID:824
-
C:\Windows\SysWOW64\Camnge32.exe (command line: C:\Windows\system32\Camnge32.exe; depth 111)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2760
-
C:\Windows\SysWOW64\Cgjgol32.exe (command line: C:\Windows\system32\Cgjgol32.exe; depth 112)
PID:588
-
C:\Windows\SysWOW64\Cglcek32.exe (command line: C:\Windows\system32\Cglcek32.exe; depth 113)
PID:2812
-
C:\Windows\SysWOW64\Cdpdnpif.exe (command line: C:\Windows\system32\Cdpdnpif.exe; depth 114)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1160
-
C:\Windows\SysWOW64\Cnhhge32.exe (command line: C:\Windows\system32\Cnhhge32.exe; depth 115)
PID:1720
-
C:\Windows\SysWOW64\Cpiaipmh.exe (command line: C:\Windows\system32\Cpiaipmh.exe; depth 116)
- Drops file in System32 directory
- Modifies registry class
PID:1424
-
C:\Windows\SysWOW64\Cffjagko.exe (command line: C:\Windows\system32\Cffjagko.exe; depth 117)
PID:1164
-
C:\Windows\SysWOW64\Ddkgbc32.exe (command line: C:\Windows\system32\Ddkgbc32.exe; depth 118)
PID:2036
-
C:\Windows\SysWOW64\Dkeoongd.exe (command line: C:\Windows\system32\Dkeoongd.exe; depth 119)
PID:2224
-
C:\Windows\SysWOW64\Dhiphb32.exe (command line: C:\Windows\system32\Dhiphb32.exe; depth 120)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1020
-
C:\Windows\SysWOW64\Dkjhjm32.exe (command line: C:\Windows\system32\Dkjhjm32.exe; depth 121)
PID:1644
-
C:\Windows\SysWOW64\Ddbmcb32.exe (command line: C:\Windows\system32\Ddbmcb32.exe; depth 122)
- System Location Discovery: System Language Discovery
PID:1268