Analysis
- max time kernel: 93s
- max time network: 94s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13-11-2024 16:40
Static task
- static1

Behavioral task
- behavioral1
  Sample: bd8e4ead3ac181225cde4dc7e038ac1999c1b21358a8bb332c65b3a8bc1ad220N.exe
  Resource: win7-20240903-en
- behavioral2
  Sample: bd8e4ead3ac181225cde4dc7e038ac1999c1b21358a8bb332c65b3a8bc1ad220N.exe
  Resource: win10v2004-20241007-en
General
- Target: bd8e4ead3ac181225cde4dc7e038ac1999c1b21358a8bb332c65b3a8bc1ad220N.exe
- Size: 576KB
- MD5: 76ec602af38613d3b851ddcda2db5680
- SHA1: ef31a6873fbbd92f9a98369c51f3eac8cefe72fb
- SHA256: bd8e4ead3ac181225cde4dc7e038ac1999c1b21358a8bb332c65b3a8bc1ad220
- SHA512: 4127cb745fa2b0c00bb28f7bf727acd09a6195e9248089dbc173cc899f2f726ae3fb3fb77946c9238852343272464e81e7975fac4a8d82722ed2f8b32936ea25
- SSDEEP: 12288:SFS/rnNkmn04GyXu1jGG1ws5iETdqvZNemWrsiLk6mqgSgRDO:SFkrnrn5GyXsGG1ws5ipX6
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
ShellServiceObjectDelayLoad (SSODL) is a list of CLSIDs that explorer.exe instantiates when the shell starts, so a value placed there survives reboot without appearing in the usual Run keys. Every row below uses the value name "Web Event Logger" and the CLSID {79FAA099-1BAE-816E-D711-115290CEE717}; the matching CLSID registration that points InProcServer32 at a DLL in SysWow64 is in the "Modifies registry class" signature further down. The paths sit under WOW6432Node because the sample is a 32-bit process, whose writes to HKLM\Software are redirected to the 32-bit view.
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Kmkbfeab.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Glipgf32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pmpolgoi.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nobdbkhf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Fmndpq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jdodkebj.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cnhgjaml.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Foapaa32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Oiknlagg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Djjebh32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aolblopj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Qlimed32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Aafemk32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dfnbgc32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nqbpojnp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Cnaaib32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Mnnkgl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ckkiccep.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Naecop32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Mhoahh32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Njljch32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Omdieb32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fohfbpgi.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hicpgc32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iojkeh32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Emphocjj.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Madjhb32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ebifmm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Oqmhqapg.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Djelgied.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Mjodla32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jbojlfdp.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ggkqgaol.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mecjif32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Poajkgnc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Djelgied.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kjjbjd32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kcmfnd32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mfenglqf.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mjbogmdb.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Icknfcol.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Kgiiiidd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ekmhejao.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Gndick32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mcdeeq32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mhanngbl.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pmmlla32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Phincl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Hpabni32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pmlmkn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Bohibc32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Djjebh32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fqbliicp.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bcfahbpo.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jcfggkac.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Inebjihf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Nbbeml32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mjpbam32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Nemmoe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ajpqnneo.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ommceclc.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Okgaijaj.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Efeihb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Cklhcfle.exe
-
Berbew family
-
Executes dropped EXE (64 IoCs)
pid | Process
4588 | Kijchhbo.exe
2712 | Keqdmihc.exe
1112 | Kgopidgf.exe
2544 | Knkekn32.exe
4544 | Liqihglg.exe
2752 | Lgffic32.exe
5048 | Lankbigo.exe
3424 | Lghcocol.exe
3140 | Ljgpkonp.exe
3760 | Laqhhi32.exe
3276 | Lacdmh32.exe
3256 | Lijlof32.exe
2828 | Llhikacp.exe
4136 | Maeachag.exe
4752 | Meamcg32.exe
2064 | Milidebi.exe
996 | Mlkepaam.exe
5112 | Mjneln32.exe
208 | Mbenmk32.exe
3320 | Mahnhhod.exe
2724 | Mecjif32.exe
1164 | Miofjepg.exe
3964 | Mlmbfqoj.exe
968 | Mjpbam32.exe
4556 | Mbgjbkfg.exe
1676 | Majjng32.exe
3992 | Miaboe32.exe
3036 | Mhdckaeo.exe
4808 | Mjbogmdb.exe
2176 | Mnnkgl32.exe
776 | Malgcg32.exe
2604 | Micoed32.exe
1936 | Mhfppabl.exe
4568 | Mnphmkji.exe
808 | Mblcnj32.exe
4800 | Mejpje32.exe
1600 | Mhilfa32.exe
4580 | Mldhfpib.exe
2920 | Nobdbkhf.exe
100 | Nbnpcj32.exe
4928 | Nemmoe32.exe
4956 | Nhkikq32.exe
2924 | Njiegl32.exe
5036 | Noeahkfc.exe
2660 | Nacmdf32.exe
4780 | Nijeec32.exe
4756 | Nhmeapmd.exe
4944 | Nklbmllg.exe
4876 | Nbcjnilj.exe
4192 | Neafjdkn.exe
2900 | Nimbkc32.exe
4340 | Nlkngo32.exe
2440 | Nojjcj32.exe
856 | Nahgoe32.exe
1996 | Niooqcad.exe
3176 | Nhbolp32.exe
4412 | Nkqkhk32.exe
2376 | Nbgcih32.exe
952 | Nefped32.exe
2380 | Nhdlao32.exe
2928 | Okchnk32.exe
116 | Oondnini.exe
1712 | Oampjeml.exe
632 | Oidhlb32.exe
-
Drops file in System32 directory (64 IoCs)
All paths are under C:\Windows\SysWOW64; each generation writes the next EXE and a companion DLL with a fresh random-looking name.
description | ioc | Process
File created | C:\Windows\SysWOW64\Pbbigf32.dll | Noeahkfc.exe
File created | C:\Windows\SysWOW64\Qhkjegqi.dll | Pchlpfjb.exe
File created | C:\Windows\SysWOW64\Kideagnd.dll | Hienlpel.exe
File created | C:\Windows\SysWOW64\Clpchk32.dll | Jeapcq32.exe
File created | C:\Windows\SysWOW64\Nmhijd32.exe | Nbbeml32.exe
File opened for modification | C:\Windows\SysWOW64\Aakebqbj.exe | Aomifecf.exe
File opened for modification | C:\Windows\SysWOW64\Cjliajmo.exe | Ccbadp32.exe
File opened for modification | C:\Windows\SysWOW64\Nceefd32.exe | Nnhmnn32.exe
File created | C:\Windows\SysWOW64\Flinad32.dll | Jlbejloe.exe
File created | C:\Windows\SysWOW64\Iankhggi.dll | Mfkkqmiq.exe
File opened for modification | C:\Windows\SysWOW64\Kijchhbo.exe | bd8e4ead3ac181225cde4dc7e038ac1999c1b21358a8bb332c65b3a8bc1ad220N.exe
File created | C:\Windows\SysWOW64\Bcbbjj32.dll | Eiloco32.exe
File opened for modification | C:\Windows\SysWOW64\Cnhgjaml.exe | Cgnomg32.exe
File opened for modification | C:\Windows\SysWOW64\Dbocfo32.exe | Dkekjdck.exe
File created | C:\Windows\SysWOW64\Bcahmb32.exe | Bkkple32.exe
File created | C:\Windows\SysWOW64\Fbhpch32.exe | Fpjcgm32.exe
File created | C:\Windows\SysWOW64\Cfkmkf32.exe | Ckeimm32.exe
File created | C:\Windows\SysWOW64\Nkphhg32.dll | Ggmmlamj.exe
File created | C:\Windows\SysWOW64\Legben32.exe | Lchfib32.exe
File opened for modification | C:\Windows\SysWOW64\Oifppdpd.exe | Ocihgnam.exe
File opened for modification | C:\Windows\SysWOW64\Jifecp32.exe | Jblmgf32.exe
File opened for modification | C:\Windows\SysWOW64\Pchlpfjb.exe | Pkadoiip.exe
File created | C:\Windows\SysWOW64\Ibjqaf32.exe | Ihdldn32.exe
File opened for modification | C:\Windows\SysWOW64\Oimkbaed.exe | Oafcqcea.exe
File created | C:\Windows\SysWOW64\Dmlijb32.dll | Piijno32.exe
File created | C:\Windows\SysWOW64\Phaahggp.exe | Pecellgl.exe
File opened for modification | C:\Windows\SysWOW64\Dkfadkgf.exe | Digehphc.exe
File opened for modification | C:\Windows\SysWOW64\Dhdbhifj.exe | Dqnjgl32.exe
File created | C:\Windows\SysWOW64\Adcjop32.exe | Amjbbfgo.exe
File created | C:\Windows\SysWOW64\Fpkibf32.exe | Ffceip32.exe
File created | C:\Windows\SysWOW64\Egilaj32.dll | Qacameaj.exe
File created | C:\Windows\SysWOW64\Geldkfpi.exe | Gnblnlhl.exe
File opened for modification | C:\Windows\SysWOW64\Inebjihf.exe | Ilfennic.exe
File opened for modification | C:\Windows\SysWOW64\Kplmliko.exe | Kibeoo32.exe
File created | C:\Windows\SysWOW64\Lfifmo32.dll | Djelgied.exe
File opened for modification | C:\Windows\SysWOW64\Mmpmnl32.exe | Mjaabq32.exe
File created | C:\Windows\SysWOW64\Hpaoan32.dll | Fajbjh32.exe
File opened for modification | C:\Windows\SysWOW64\Kbhmbdle.exe | Kpiqfima.exe
File created | C:\Windows\SysWOW64\Mjbogmdb.exe | Mhdckaeo.exe
File created | C:\Windows\SysWOW64\Ponfhp32.dll | Oekiqccc.exe
File created | C:\Windows\SysWOW64\Qikgco32.exe | Qepkbpak.exe
File created | C:\Windows\SysWOW64\Klobfk32.dll | Allpejfe.exe
File created | C:\Windows\SysWOW64\Gipdap32.exe | Gphphj32.exe
File opened for modification | C:\Windows\SysWOW64\Jdodkebj.exe | Jlhljhbg.exe
File created | C:\Windows\SysWOW64\Plbfdekd.exe | Palbgl32.exe
File created | C:\Windows\SysWOW64\Pejkmk32.exe | Plbfdekd.exe
File created | C:\Windows\SysWOW64\Baiinofi.dll | Npgmpf32.exe
File opened for modification | C:\Windows\SysWOW64\Ekajec32.exe | Edgbii32.exe
File created | C:\Windows\SysWOW64\Cmakeiil.dll | Nlkngo32.exe
File opened for modification | C:\Windows\SysWOW64\Qljcoj32.exe | Qikgco32.exe
File created | C:\Windows\SysWOW64\Nbkdke32.dll | Kjepjkhf.exe
File created | C:\Windows\SysWOW64\Madjhb32.exe | Mnfnlf32.exe
File opened for modification | C:\Windows\SysWOW64\Aehgnied.exe | Alpbecod.exe
File created | C:\Windows\SysWOW64\Mjliff32.dll | Lebijnak.exe
File created | C:\Windows\SysWOW64\Lancko32.exe | Llqjbhdc.exe
File opened for modification | C:\Windows\SysWOW64\Pcbkml32.exe | Padnaq32.exe
File created | C:\Windows\SysWOW64\Fnnhjlpl.dll | Oohgdhfn.exe
File opened for modification | C:\Windows\SysWOW64\Enkdaepb.exe | Ekmhejao.exe
File created | C:\Windows\SysWOW64\Edqnimdf.dll | Kflide32.exe
File created | C:\Windows\SysWOW64\Fohfbpgi.exe | Finnef32.exe
File created | C:\Windows\SysWOW64\Ehmjob32.dll | Lcnfohmi.exe
File opened for modification | C:\Windows\SysWOW64\Ckbemgcp.exe | Bajqda32.exe
File created | C:\Windows\SysWOW64\Lpochfji.exe | Ljdkll32.exe
File created | C:\Windows\SysWOW64\Mecjif32.exe | Mahnhhod.exe
-
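The drops listed above share one lexical shape: every file lands in C:\Windows\SysWOW64 and is named with either eight letters or six letters followed by "32", with an .exe or .dll extension. The PowerShell below is an added hunting example, not part of this report and not vendor tooling; the name pattern, the recent-creation window, the reliance on Authenticode status and the known-bad hash list (seeded with the submitted sample's SHA256) are assumptions drawn from the tables on this page and should be tuned against a golden image of the host being examined.

```powershell
# Added hunting example (not from the sandbox report). Finds files in SysWOW64 whose
# names match the drop pattern seen in the "Drops file in System32 directory" table,
# then separates real system binaries from drops by Authenticode status, creation
# time and a known-bad hash list.
function Find-BerbewStyleDrops {
    [CmdletBinding()]
    param(
        [string]$Directory = (Join-Path $env:SystemRoot 'SysWOW64'),
        [int]$MaxAgeDays = 7,      # assumption: window in which a fresh infection's drops were created
        [string[]]$KnownBadSha256 = @(
            'BD8E4EAD3AC181225CDE4DC7E038AC1999C1B21358A8BB332C65B3A8BC1AD220'   # submitted sample (from the report)
        )
    )

    # Observed names: 8 letters (Kijchhbo.exe, Qhkjegqi.dll) or 6 letters + "32"
    # (Pbbigf32.dll, Nmhijd32.exe). Legitimate files such as kernel32.dll match too,
    # so the signature and age checks below do the real discrimination.
    $namePattern = '^[a-z]{6}(?:[a-z]{2}|32)\.(?:exe|dll)$'   # -match is case-insensitive
    $cutoff      = (Get-Date).AddDays(-$MaxAgeDays)

    Get-ChildItem -LiteralPath $Directory -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match $namePattern } |
        ForEach-Object {
            $sig  = Get-AuthenticodeSignature -LiteralPath $_.FullName
            $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            $reasons = @()
            if ($sig.Status -ne 'Valid')           { $reasons += "signature:$($sig.Status)" }
            if ($_.CreationTime -ge $cutoff)       { $reasons += 'recently-created' }
            if ($KnownBadSha256 -contains $hash)   { $reasons += 'known-bad-hash' }

            # A known-bad hash is conclusive on its own; otherwise require both an
            # invalid/missing signature and a recent creation time to cut noise.
            $suspicious = ($KnownBadSha256 -contains $hash) -or
                          (($sig.Status -ne 'Valid') -and ($_.CreationTime -ge $cutoff))

            [pscustomobject]@{
                Path       = $_.FullName
                Created    = $_.CreationTime
                SizeKB     = [math]::Round($_.Length / 1KB)
                SigStatus  = $sig.Status.ToString()
                Signer     = $sig.SignerCertificate.Subject
                SHA256     = $hash
                Reasons    = ($reasons -join ',')
                Suspicious = $suspicious
            }
        } |
        Where-Object { $_.Suspicious }
}

# Usage: run elevated so every file in SysWOW64 is readable.
Find-BerbewStyleDrops | Sort-Object Created -Descending |
    Format-Table Path, Created, SizeKB, SigStatus, Reasons -AutoSize
```

Because the chain writes a new EXE/DLL pair per generation, a single hit is rarely alone: once one file is confirmed, re-run with the confirmed file's hash added to the known-bad list and widen the age window, and cross-check the DLL names against the InProcServer32 values in the "Modifies registry class" table.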
Program crash (1 IoC)
pid | pid_target | Process | procid_target
1896 | 4352 | WerFault.exe | 817
-
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
These are key-open (read) events: the sandbox API monitor sees them, but Sysmon registry events cover only key create/delete, value set and rename, so reproducing this signature on an endpoint needs an object-access SACL on the key (Security event 4663). Ordinary software reads the same key constantly, so treat it as context for the other signatures rather than as a detection on its own.
All 64 entries are: Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by the following processes (in report order):
Pefhlaie.exe, Alnfpcag.exe, Holfoqcm.exe, Jemfhacc.exe, Foapaa32.exe, Nhkikq32.exe, Nabfjpak.exe, Dolmodpi.exe, Hkdjfb32.exe, Hoclopne.exe, Imnocf32.exe, Oanokhdb.exe, Ebfign32.exe, Ncbafoge.exe, Llhikacp.exe, Fbhpch32.exe, Hmpjmn32.exe, Hcmbee32.exe, Nnfgcd32.exe, Aefjii32.exe, Fpbflg32.exe, Oiknlagg.exe, Cioilg32.exe, Kgopidgf.exe, Dmohno32.exe, Hipmfjee.exe, Bphgeo32.exe, Bnlhncgi.exe, Iogopi32.exe, bd8e4ead3ac181225cde4dc7e038ac1999c1b21358a8bb332c65b3a8bc1ad220N.exe, Mldhfpib.exe, Bopocbcq.exe, Lfeljd32.exe, Lcnfohmi.exe, Lebijnak.exe, Kiphjo32.exe, Mbenmk32.exe, Oeoblb32.exe, Aakebqbj.exe, Bcahmb32.exe, Fpjcgm32.exe, Alelqb32.exe, Iajdgcab.exe, Mlljnf32.exe, Bcfahbpo.exe, Nghekkmn.exe, Lfgipd32.exe, Ocjoadei.exe, Apaadpng.exe, Njedbjej.exe, Cgnomg32.exe, Qlggjk32.exe, Dcnqpo32.exe, Ejfeng32.exe, Mcjmel32.exe, Phodcg32.exe, Jmbhoeid.exe, Pfandnla.exe, Eeelnp32.exe, Dgeenfog.exe, Aojlaeei.exe, Bcinna32.exe, Aednci32.exe, Milidebi.exe
-
Modifies registry class 64 IoCs
Processes:
Ccdnjp32.exeLljdai32.exeHefnkkkj.exeNopfpgip.exePllgnl32.exeCnfaohbj.exeGbbajjlp.exeOeoblb32.exeGbeejp32.exeObnehj32.exeDdligq32.exeMhanngbl.exeOcihgnam.exeEjoomhmi.exeOmgcpokp.exeIcknfcol.exeBaannc32.exeMalgcg32.exeCkilmcgb.exeLpgmhg32.exeObafpg32.exePjbcplpe.exeKlbnajqc.exeLjdkll32.exePadnaq32.exeOiknlagg.exeEiloco32.exeQpcecb32.exeGkaclqkk.exeMlkepaam.exePcpnhl32.exeKclgmq32.exeHoclopne.exeGaloohke.exePkadoiip.exeBdbnjdfg.exeMcgiefen.exeNgjkfd32.exeDbocfo32.exeEgohdegl.exeMjneln32.exeQcaofebg.exeDmalne32.exeDmhand32.exeElgaeolp.exeHmechmip.exeIcdheded.exeGfjkjo32.exeBkoigdom.exeCjjlkk32.exeJpcapp32.exeJgmjmjnb.exeNjmqnobn.exeDqnjgl32.exeFqbliicp.exeLgqfdnah.exeNjpdnedf.exeNhokljge.exeQhkdof32.exeLcnfohmi.exeCncnob32.exeOemefcap.exeMadjhb32.exedescription ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ccdnjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaeidf32.dll" Lljdai32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hefnkkkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndqojdee.dll" Nopfpgip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnnpaa32.dll" Pllgnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cnfaohbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gbbajjlp.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oeoblb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gbeejp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Obnehj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nklinjmj.dll" Ddligq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mhanngbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gejqna32.dll" Ocihgnam.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ejoomhmi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Omgcpokp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Icknfcol.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Baannc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Malgcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ckilmcgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lpgmhg32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Obafpg32.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lngqkhda.dll" Pjbcplpe.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Klbnajqc.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ljdkll32.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Padnaq32.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdidcm32.dll" Oiknlagg.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcbbjj32.dll" Eiloco32.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhhlki32.dll" Qpcecb32.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gkaclqkk.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oefmflff.dll" Mlkepaam.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qpcecb32.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjmgil32.dll" Pcpnhl32.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kclgmq32.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hoclopne.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gedhfp32.dll" Galoohke.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pkadoiip.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Neiqnh32.dll" Bdbnjdfg.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnihkq32.dll" Mcgiefen.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcleff32.dll" Ngjkfd32.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dbocfo32.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ondhkbee.dll" Egohdegl.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbbond32.dll" Mjneln32.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkjmbk32.dll" Qcaofebg.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npbblbdb.dll" Dmalne32.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjcmhh32.dll" Dmhand32.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Elgaeolp.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hmechmip.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Icdheded.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gfjkjo32.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bkoigdom.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbmhabha.dll" Cjjlkk32.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jpcapp32.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jgmjmjnb.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Njmqnobn.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfcjjj32.dll" Dqnjgl32.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fqbliicp.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lgqfdnah.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Njpdnedf.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nhokljge.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmigpf32.dll" Qhkdof32.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lcnfohmi.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cncnob32.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfedck32.dll" Oemefcap.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Madjhb32.exe
-
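The InProcServer32 writes above are one half of the "Adds autorun key to be loaded by Explorer.exe on startup" behaviour: a ShellServiceObjectDelayLoad value names a CLSID, and that CLSID's InProcServer32 default value names the DLL Explorer loads when it starts. Every dropped image in the chain re-registers the same CLSID with a different freshly dropped DLL under SysWow64. The Python below is an added example, not part of this sandbox report, that parses IoC lines in the report's one-line format and joins the two halves so the loader, the DLL and every process that touched the key come out as one finding. The four InProcServer32 lines in the sample are copied from the list above; the ShellServiceObjectDelayLoad line, with the hypothetical value name "Example Object", is constructed for the example.

```python
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional

# Sample lines in the report's one-line IoC format:
#   <operation> <registry path>[ = "<data>"] <process>
# The four InProcServer32 lines are copied from the report's list. The
# ShellServiceObjectDelayLoad line is CONSTRUCTED for this example (the value
# name "Example Object" is hypothetical) so both halves of the chain are present.
SAMPLE_IOCS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lngqkhda.dll" Pjbcplpe.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Klbnajqc.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Elgaeolp.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdidcm32.dll" Oiknlagg.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Example Object = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pjbcplpe.exe',
]

# Registry paths may contain spaces (value names often do), so the path is matched
# lazily and the line is anchored on the trailing process name instead.
IOC_RE = re.compile(
    r"^(?P<op>Set value \((?:str|int|data)\)|Key created|Key deleted|Value deleted)\s+"
    r"(?P<path>\\REGISTRY\\.+?)"
    r'(?:\s+=\s+"(?P<data>.*)")?'
    r"\s+(?P<proc>\S+\.exe)$"
)
CLSID_SERVER_RE = re.compile(
    r"\\CLSID\\(?P<clsid>\{[0-9A-Fa-f-]{36}\})\\InProcServer32(?P<value>\\.*)?$"
)
SSODL_RE = re.compile(r"\\ShellServiceObjectDelayLoad\\(?P<name>[^\\]+)$")
GUID_RE = re.compile(r"^\{[0-9A-Fa-f-]{36}\}$")


class RegEvent(NamedTuple):
    op: str
    path: str
    data: Optional[str]  # None for key create/delete
    process: str         # image name of the process that made the change


def parse_ioc(line: str) -> RegEvent:
    """Parse one registry IoC line as the report prints it."""
    m = IOC_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised IoC line: {line!r}")
    data = m.group("data")
    if data is not None:
        data = data.replace("\\\\", "\\")  # the report doubles backslashes in string data
    return RegEvent(m.group("op"), m.group("path"), data, m.group("proc"))


def correlate_ssodl(lines: List[str]) -> List[dict]:
    """Join ShellServiceObjectDelayLoad entries to the InProcServer32 DLLs they resolve to.

    Explorer instantiates every CLSID listed under ShellServiceObjectDelayLoad when it
    starts, locating the server through CLSID\\{guid}\\InProcServer32. One finding is
    emitted per CLSID that has both an SSODL entry and at least one InProcServer32 DLL.
    """
    servers: Dict[str, dict] = defaultdict(lambda: {"dlls": set(), "threading": set(), "writers": set()})
    loaders: Dict[str, dict] = defaultdict(lambda: {"values": set(), "writers": set()})

    for line in lines:
        ev = parse_ioc(line)
        cm = CLSID_SERVER_RE.search(ev.path)
        if cm:
            clsid = cm.group("clsid").upper()
            value = (cm.group("value") or "").lstrip("\\")  # "" is the (Default) value
            rec = servers[clsid]
            rec["writers"].add(ev.process)
            if ev.data is not None and value == "":
                rec["dlls"].add(ev.data)
            elif ev.data is not None and value.lower() == "threadingmodel":
                rec["threading"].add(ev.data)
            continue
        sm = SSODL_RE.search(ev.path)
        if sm and ev.data and GUID_RE.match(ev.data):
            rec = loaders[ev.data.upper()]
            rec["values"].add(sm.group("name"))
            rec["writers"].add(ev.process)

    findings = []
    for clsid, loader in loaders.items():
        server = servers.get(clsid)
        if not server or not server["dlls"]:
            continue  # SSODL entry with no resolvable server: nothing would load
        writers = server["writers"] | loader["writers"]
        findings.append({
            "clsid": clsid,
            "ssodl_values": loader["values"],
            "dlls": server["dlls"],
            "threading": server["threading"],
            "writers": writers,
            # Many distinct images re-registering one CLSID is the mark of a
            # self-replicating chain like the one in this report, not of an installer.
            "rewritten_by_multiple_processes": len(writers) > 1,
        })
    return findings


if __name__ == "__main__":
    for f in correlate_ssodl(SAMPLE_IOCS):
        print(f"{f['clsid']} via SSODL {sorted(f['ssodl_values'])} -> {sorted(f['dlls'])} "
              f"({len(f['writers'])} writers)")
```

The sample is 32-bit, so on this x64 guest its writes land in the WOW6432Node view of both keys; when checking a live host against this report, read the native and the WOW6432Node view of ShellServiceObjectDelayLoad and of CLSID, and treat a CLSID whose InProcServer32 points at a DLL with no file version resource or signature under SysWOW64 as a candidate even when the value name looks benign.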
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
bd8e4ead3ac181225cde4dc7e038ac1999c1b21358a8bb332c65b3a8bc1ad220N.exe, Kijchhbo.exe, Keqdmihc.exe, Kgopidgf.exe, Knkekn32.exe, Liqihglg.exe, Lgffic32.exe, Lankbigo.exe, Lghcocol.exe, Ljgpkonp.exe, Laqhhi32.exe, Lacdmh32.exe, Lijlof32.exe, Llhikacp.exe, Maeachag.exe, Meamcg32.exe, Milidebi.exe, Mlkepaam.exe, Mjneln32.exe, Mbenmk32.exe, Mahnhhod.exe, Mecjif32.exe
description pid Process procid_target
PID 3224 wrote to memory of 4588 3224 bd8e4ead3ac181225cde4dc7e038ac1999c1b21358a8bb332c65b3a8bc1ad220N.exe 83
PID 3224 wrote to memory of 4588 3224 bd8e4ead3ac181225cde4dc7e038ac1999c1b21358a8bb332c65b3a8bc1ad220N.exe 83
PID 3224 wrote to memory of 4588 3224 bd8e4ead3ac181225cde4dc7e038ac1999c1b21358a8bb332c65b3a8bc1ad220N.exe 83
PID 4588 wrote to memory of 2712 4588 Kijchhbo.exe 84
PID 4588 wrote to memory of 2712 4588 Kijchhbo.exe 84
PID 4588 wrote to memory of 2712 4588 Kijchhbo.exe 84
PID 2712 wrote to memory of 1112 2712 Keqdmihc.exe 85
PID 2712 wrote to memory of 1112 2712 Keqdmihc.exe 85
PID 2712 wrote to memory of 1112 2712 Keqdmihc.exe 85
PID 1112 wrote to memory of 2544 1112 Kgopidgf.exe 87
PID 1112 wrote to memory of 2544 1112 Kgopidgf.exe 87
PID 1112 wrote to memory of 2544 1112 Kgopidgf.exe 87
PID 2544 wrote to memory of 4544 2544 Knkekn32.exe 89
PID 2544 wrote to memory of 4544 2544 Knkekn32.exe 89
PID 2544 wrote to memory of 4544 2544 Knkekn32.exe 89
PID 4544 wrote to memory of 2752 4544 Liqihglg.exe 90
PID 4544 wrote to memory of 2752 4544 Liqihglg.exe 90
PID 4544 wrote to memory of 2752 4544 Liqihglg.exe 90
PID 2752 wrote to memory of 5048 2752 Lgffic32.exe 91
PID 2752 wrote to memory of 5048 2752 Lgffic32.exe 91
PID 2752 wrote to memory of 5048 2752 Lgffic32.exe 91
PID 5048 wrote to memory of 3424 5048 Lankbigo.exe 93
PID 5048 wrote to memory of 3424 5048 Lankbigo.exe 93
PID 5048 wrote to memory of 3424 5048 Lankbigo.exe 93
PID 3424 wrote to memory of 3140 3424 Lghcocol.exe 94
PID 3424 wrote to memory of 3140 3424 Lghcocol.exe 94
PID 3424 wrote to memory of 3140 3424 Lghcocol.exe 94
PID 3140 wrote to memory of 3760 3140 Ljgpkonp.exe 95
PID 3140 wrote to memory of 3760 3140 Ljgpkonp.exe 95
PID 3140 wrote to memory of 3760 3140 Ljgpkonp.exe 95
PID 3760 wrote to memory of 3276 3760 Laqhhi32.exe 96
PID 3760 wrote to memory of 3276 3760 Laqhhi32.exe 96
PID 3760 wrote to memory of 3276 3760 Laqhhi32.exe 96
PID 3276 wrote to memory of 3256 3276 Lacdmh32.exe 97
PID 3276 wrote to memory of 3256 3276 Lacdmh32.exe 97
PID 3276 wrote to memory of 3256 3276 Lacdmh32.exe 97
PID 3256 wrote to memory of 2828 3256 Lijlof32.exe 98
PID 3256 wrote to memory of 2828 3256 Lijlof32.exe 98
PID 3256 wrote to memory of 2828 3256 Lijlof32.exe 98
PID 2828 wrote to memory of 4136 2828 Llhikacp.exe 99
PID 2828 wrote to memory of 4136 2828 Llhikacp.exe 99
PID 2828 wrote to memory of 4136 2828 Llhikacp.exe 99
PID 4136 wrote to memory of 4752 4136 Maeachag.exe 100
PID 4136 wrote to memory of 4752 4136 Maeachag.exe 100
PID 4136 wrote to memory of 4752 4136 Maeachag.exe 100
PID 4752 wrote to memory of 2064 4752 Meamcg32.exe 101
PID 4752 wrote to memory of 2064 4752 Meamcg32.exe 101
PID 4752 wrote to memory of 2064 4752 Meamcg32.exe 101
PID 2064 wrote to memory of 996 2064 Milidebi.exe 102
PID 2064 wrote to memory of 996 2064 Milidebi.exe 102
PID 2064 wrote to memory of 996 2064 Milidebi.exe 102
PID 996 wrote to memory of 5112 996 Mlkepaam.exe 103
PID 996 wrote to memory of 5112 996 Mlkepaam.exe 103
PID 996 wrote to memory of 5112 996 Mlkepaam.exe 103
PID 5112 wrote to memory of 208 5112 Mjneln32.exe 104
PID 5112 wrote to memory of 208 5112 Mjneln32.exe 104
PID 5112 wrote to memory of 208 5112 Mjneln32.exe 104
PID 208 wrote to memory of 3320 208 Mbenmk32.exe 105
PID 208 wrote to memory of 3320 208 Mbenmk32.exe 105
PID 208 wrote to memory of 3320 208 Mbenmk32.exe 105
PID 3320 wrote to memory of 2724 3320 Mahnhhod.exe 106
PID 3320 wrote to memory of 2724 3320 Mahnhhod.exe 106
PID 3320 wrote to memory of 2724 3320 Mahnhhod.exe 106
PID 2724 wrote to memory of 1164 2724 Mecjif32.exe 107
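Read as a graph, the rows above describe a strict hand-off: each image writes only into the one process it has just spawned, three times, and that process then does the same, so the 64 events are a single 22-link chain rather than injection into anything pre-existing. Writes into a freshly created child are also what ordinary process start-up looks like to an API hook, so the useful signal in this list is the shape of the graph, not the API name. The Python below is an added example, not part of the report, that parses rows in this format, collapses the repeats per parent/child pair while keeping the count, recovers the root and the depth numbers the process tree further down attaches to each node, and flags any writer with more than one distinct target, which is the case that would deserve a closer look. The sample rows are the first fifteen from the list above, copied verbatim.

```python
import re
from collections import Counter, OrderedDict
from typing import Dict, List, NamedTuple, Tuple

# Rows in the report's format:
#   PID <pid> wrote to memory of <target> <pid> <Process> <procid_target>
# procid_target is the report's own index of the target process, not a PID.
ROW_RE = re.compile(
    r"^PID (?P<pid>\d+) wrote to memory of (?P<target>\d+) "
    r"(?P<pid_again>\d+) (?P<proc>\S+) (?P<procid_target>\d+)$"
)

# The first fifteen rows of the report's list, copied verbatim. The report prints
# each parent/child pair three times; the parser keeps that count instead of dropping it.
SAMPLE_ROWS = """\
PID 3224 wrote to memory of 4588 3224 bd8e4ead3ac181225cde4dc7e038ac1999c1b21358a8bb332c65b3a8bc1ad220N.exe 83
PID 3224 wrote to memory of 4588 3224 bd8e4ead3ac181225cde4dc7e038ac1999c1b21358a8bb332c65b3a8bc1ad220N.exe 83
PID 3224 wrote to memory of 4588 3224 bd8e4ead3ac181225cde4dc7e038ac1999c1b21358a8bb332c65b3a8bc1ad220N.exe 83
PID 4588 wrote to memory of 2712 4588 Kijchhbo.exe 84
PID 4588 wrote to memory of 2712 4588 Kijchhbo.exe 84
PID 4588 wrote to memory of 2712 4588 Kijchhbo.exe 84
PID 2712 wrote to memory of 1112 2712 Keqdmihc.exe 85
PID 2712 wrote to memory of 1112 2712 Keqdmihc.exe 85
PID 2712 wrote to memory of 1112 2712 Keqdmihc.exe 85
PID 1112 wrote to memory of 2544 1112 Kgopidgf.exe 87
PID 1112 wrote to memory of 2544 1112 Kgopidgf.exe 87
PID 1112 wrote to memory of 2544 1112 Kgopidgf.exe 87
PID 2544 wrote to memory of 4544 2544 Knkekn32.exe 89
PID 2544 wrote to memory of 4544 2544 Knkekn32.exe 89
PID 2544 wrote to memory of 4544 2544 Knkekn32.exe 89
"""


class WpmEvent(NamedTuple):
    pid: int            # writer PID
    process: str        # writer image name
    target: int         # PID that was written to
    procid_target: int  # report-internal index of the target


def parse_rows(text: str) -> List[WpmEvent]:
    """Parse the rows of a 'Suspicious use of WriteProcessMemory' list."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        if m.group("pid") != m.group("pid_again"):
            raise ValueError(f"pid columns disagree: {line!r}")
        events.append(WpmEvent(int(m.group("pid")), m.group("proc"),
                               int(m.group("target")), int(m.group("procid_target"))))
    return events


def build_graph(events: List[WpmEvent]):
    """Return (names, children, counts): writer image per PID, ordered distinct
    targets per writer, and the number of writes per (writer, target) pair."""
    names: Dict[int, str] = {}
    children: Dict[int, List[int]] = OrderedDict()
    counts: Counter = Counter()
    for ev in events:
        names.setdefault(ev.pid, ev.process)
        kids = children.setdefault(ev.pid, [])
        if ev.target not in kids:
            kids.append(ev.target)
        counts[(ev.pid, ev.target)] += 1
    return names, children, counts


def roots(children: Dict[int, List[int]]) -> List[int]:
    """Writers that nobody wrote into: where each chain starts."""
    targets = {t for kids in children.values() for t in kids}
    return [p for p in children if p not in targets]


def lineage(children: Dict[int, List[int]], root: int, depth: int = 1,
            seen=None) -> List[Tuple[int, int]]:
    """Depth-first walk from root, returning (pid, depth) in tree order. Depth 1 is
    the root, the same numbering the report's process tree attaches to each node."""
    seen = set() if seen is None else seen
    seen.add(root)
    out = [(root, depth)]
    for kid in children.get(root, []):
        if kid in seen:
            continue  # cycle guard: the OS reuses PIDs, so a PID-only graph can loop
        out.extend(lineage(children, kid, depth + 1, seen))
    return out


def fan_out(children: Dict[int, List[int]]) -> Dict[int, List[int]]:
    """Writers with more than one distinct target. A pure hand-off chain has none;
    one writer touching several PIDs is the shape injection into other processes
    takes in this list."""
    return {p: kids for p, kids in children.items() if len(kids) > 1}


if __name__ == "__main__":
    names, children, counts = build_graph(parse_rows(SAMPLE_ROWS))
    for root in roots(children):
        for pid, depth in lineage(children, root):
            print(f"{'  ' * (depth - 1)}{pid} {names.get(pid, '?')}")
```

The last PID in any chain has no name in these rows, because the name column is the writer's image; the process tree below supplies it. Feeding the full 64-row list to the same functions gives one root, 3224, and a depth-23 chain ending at 1164.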
Processes
-
C:\Users\Admin\AppData\Local\Temp\bd8e4ead3ac181225cde4dc7e038ac1999c1b21358a8bb332c65b3a8bc1ad220N.exe"C:\Users\Admin\AppData\Local\Temp\bd8e4ead3ac181225cde4dc7e038ac1999c1b21358a8bb332c65b3a8bc1ad220N.exe"1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3224 -
C:\Windows\SysWOW64\Kijchhbo.exeC:\Windows\system32\Kijchhbo.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4588 -
C:\Windows\SysWOW64\Keqdmihc.exeC:\Windows\system32\Keqdmihc.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Windows\SysWOW64\Kgopidgf.exeC:\Windows\system32\Kgopidgf.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1112 -
C:\Windows\SysWOW64\Knkekn32.exeC:\Windows\system32\Knkekn32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2544 -
C:\Windows\SysWOW64\Liqihglg.exeC:\Windows\system32\Liqihglg.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4544 -
C:\Windows\SysWOW64\Lgffic32.exeC:\Windows\system32\Lgffic32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2752 -
C:\Windows\SysWOW64\Lankbigo.exeC:\Windows\system32\Lankbigo.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5048 -
C:\Windows\SysWOW64\Lghcocol.exeC:\Windows\system32\Lghcocol.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3424 -
C:\Windows\SysWOW64\Ljgpkonp.exeC:\Windows\system32\Ljgpkonp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3140 -
C:\Windows\SysWOW64\Laqhhi32.exeC:\Windows\system32\Laqhhi32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3760 -
C:\Windows\SysWOW64\Lacdmh32.exeC:\Windows\system32\Lacdmh32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3276 -
C:\Windows\SysWOW64\Lijlof32.exeC:\Windows\system32\Lijlof32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3256 -
C:\Windows\SysWOW64\Llhikacp.exeC:\Windows\system32\Llhikacp.exe14⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2828 -
C:\Windows\SysWOW64\Maeachag.exeC:\Windows\system32\Maeachag.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4136 -
C:\Windows\SysWOW64\Meamcg32.exeC:\Windows\system32\Meamcg32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4752 -
C:\Windows\SysWOW64\Milidebi.exeC:\Windows\system32\Milidebi.exe17⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2064 -
C:\Windows\SysWOW64\Mlkepaam.exeC:\Windows\system32\Mlkepaam.exe18⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:996 -
C:\Windows\SysWOW64\Mjneln32.exeC:\Windows\system32\Mjneln32.exe19⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5112 -
C:\Windows\SysWOW64\Mbenmk32.exeC:\Windows\system32\Mbenmk32.exe20⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:208 -
C:\Windows\SysWOW64\Mahnhhod.exeC:\Windows\system32\Mahnhhod.exe21⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3320 -
C:\Windows\SysWOW64\Mecjif32.exeC:\Windows\system32\Mecjif32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2724 -
C:\Windows\SysWOW64\Miofjepg.exeC:\Windows\system32\Miofjepg.exe23⤵
- Executes dropped EXE
PID:1164 -
C:\Windows\SysWOW64\Mlmbfqoj.exeC:\Windows\system32\Mlmbfqoj.exe24⤵
- Executes dropped EXE
PID:3964 -
C:\Windows\SysWOW64\Mjpbam32.exeC:\Windows\system32\Mjpbam32.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:968 -
C:\Windows\SysWOW64\Mbgjbkfg.exeC:\Windows\system32\Mbgjbkfg.exe26⤵
- Executes dropped EXE
PID:4556 -
C:\Windows\SysWOW64\Majjng32.exeC:\Windows\system32\Majjng32.exe27⤵
- Executes dropped EXE
PID:1676 -
C:\Windows\SysWOW64\Miaboe32.exeC:\Windows\system32\Miaboe32.exe28⤵
- Executes dropped EXE
PID:3992 -
C:\Windows\SysWOW64\Mhdckaeo.exeC:\Windows\system32\Mhdckaeo.exe29⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3036 -
C:\Windows\SysWOW64\Mjbogmdb.exeC:\Windows\system32\Mjbogmdb.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4808 -
C:\Windows\SysWOW64\Mnnkgl32.exeC:\Windows\system32\Mnnkgl32.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2176 -
C:\Windows\SysWOW64\Malgcg32.exeC:\Windows\system32\Malgcg32.exe32⤵
- Executes dropped EXE
- Modifies registry class
PID:776 -
C:\Windows\SysWOW64\Micoed32.exeC:\Windows\system32\Micoed32.exe33⤵
- Executes dropped EXE
PID:2604 -
C:\Windows\SysWOW64\Mhfppabl.exeC:\Windows\system32\Mhfppabl.exe34⤵
- Executes dropped EXE
PID:1936 -
C:\Windows\SysWOW64\Mlbkap32.exeC:\Windows\system32\Mlbkap32.exe35⤵PID:2768
-
C:\Windows\SysWOW64\Mnphmkji.exeC:\Windows\system32\Mnphmkji.exe36⤵
- Executes dropped EXE
PID:4568 -
C:\Windows\SysWOW64\Mblcnj32.exeC:\Windows\system32\Mblcnj32.exe37⤵
- Executes dropped EXE
PID:808 -
C:\Windows\SysWOW64\Mejpje32.exeC:\Windows\system32\Mejpje32.exe38⤵
- Executes dropped EXE
PID:4800 -
C:\Windows\SysWOW64\Mhilfa32.exeC:\Windows\system32\Mhilfa32.exe39⤵
- Executes dropped EXE
PID:1600 -
C:\Windows\SysWOW64\Mldhfpib.exeC:\Windows\system32\Mldhfpib.exe40⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4580 -
C:\Windows\SysWOW64\Nobdbkhf.exeC:\Windows\system32\Nobdbkhf.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2920 -
C:\Windows\SysWOW64\Nbnpcj32.exeC:\Windows\system32\Nbnpcj32.exe42⤵
- Executes dropped EXE
PID:100 -
C:\Windows\SysWOW64\Nemmoe32.exeC:\Windows\system32\Nemmoe32.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4928 -
C:\Windows\SysWOW64\Nhkikq32.exeC:\Windows\system32\Nhkikq32.exe44⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4956 -
C:\Windows\SysWOW64\Njiegl32.exeC:\Windows\system32\Njiegl32.exe45⤵
- Executes dropped EXE
PID:2924 -
C:\Windows\SysWOW64\Noeahkfc.exeC:\Windows\system32\Noeahkfc.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5036 -
C:\Windows\SysWOW64\Nacmdf32.exeC:\Windows\system32\Nacmdf32.exe47⤵
- Executes dropped EXE
PID:2660 -
C:\Windows\SysWOW64\Nijeec32.exeC:\Windows\system32\Nijeec32.exe48⤵
- Executes dropped EXE
PID:4780 -
C:\Windows\SysWOW64\Nhmeapmd.exeC:\Windows\system32\Nhmeapmd.exe49⤵
- Executes dropped EXE
PID:4756 -
C:\Windows\SysWOW64\Nklbmllg.exeC:\Windows\system32\Nklbmllg.exe50⤵
- Executes dropped EXE
PID:4944 -
C:\Windows\SysWOW64\Nbcjnilj.exeC:\Windows\system32\Nbcjnilj.exe51⤵
- Executes dropped EXE
PID:4876 -
C:\Windows\SysWOW64\Neafjdkn.exeC:\Windows\system32\Neafjdkn.exe52⤵
- Executes dropped EXE
PID:4192 -
C:\Windows\SysWOW64\Nimbkc32.exeC:\Windows\system32\Nimbkc32.exe53⤵
- Executes dropped EXE
PID:2900 -
C:\Windows\SysWOW64\Nlkngo32.exeC:\Windows\system32\Nlkngo32.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4340 -
C:\Windows\SysWOW64\Nojjcj32.exeC:\Windows\system32\Nojjcj32.exe55⤵
- Executes dropped EXE
PID:2440 -
C:\Windows\SysWOW64\Nahgoe32.exeC:\Windows\system32\Nahgoe32.exe56⤵
- Executes dropped EXE
PID:856 -
C:\Windows\SysWOW64\Niooqcad.exeC:\Windows\system32\Niooqcad.exe57⤵
- Executes dropped EXE
PID:1996 -
C:\Windows\SysWOW64\Nhbolp32.exeC:\Windows\system32\Nhbolp32.exe58⤵
- Executes dropped EXE
PID:3176 -
C:\Windows\SysWOW64\Nkqkhk32.exeC:\Windows\system32\Nkqkhk32.exe59⤵
- Executes dropped EXE
PID:4412 -
C:\Windows\SysWOW64\Nbgcih32.exeC:\Windows\system32\Nbgcih32.exe60⤵
- Executes dropped EXE
PID:2376 -
C:\Windows\SysWOW64\Nefped32.exeC:\Windows\system32\Nefped32.exe61⤵
- Executes dropped EXE
PID:952 -
C:\Windows\SysWOW64\Nhdlao32.exeC:\Windows\system32\Nhdlao32.exe62⤵
- Executes dropped EXE
PID:2380 -
C:\Windows\SysWOW64\Okchnk32.exeC:\Windows\system32\Okchnk32.exe63⤵
- Executes dropped EXE
PID:2928 -
C:\Windows\SysWOW64\Oondnini.exeC:\Windows\system32\Oondnini.exe64⤵
- Executes dropped EXE
PID:116 -
C:\Windows\SysWOW64\Oampjeml.exeC:\Windows\system32\Oampjeml.exe65⤵
- Executes dropped EXE
PID:1712 -
C:\Windows\SysWOW64\Oidhlb32.exeC:\Windows\system32\Oidhlb32.exe66⤵
- Executes dropped EXE
PID:632 -
C:\Windows\SysWOW64\Olbdhn32.exeC:\Windows\system32\Olbdhn32.exe67⤵PID:1084
-
C:\Windows\SysWOW64\Ooqqdi32.exeC:\Windows\system32\Ooqqdi32.exe68⤵PID:2720
-
C:\Windows\SysWOW64\Oaompd32.exeC:\Windows\system32\Oaompd32.exe69⤵PID:5080
-
C:\Windows\SysWOW64\Oekiqccc.exeC:\Windows\system32\Oekiqccc.exe70⤵
- Drops file in System32 directory
PID:4388 -
C:\Windows\SysWOW64\Ohiemobf.exeC:\Windows\system32\Ohiemobf.exe71⤵PID:1660
-
C:\Windows\SysWOW64\Okgaijaj.exeC:\Windows\system32\Okgaijaj.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5128 -
C:\Windows\SysWOW64\Oboijgbl.exeC:\Windows\system32\Oboijgbl.exe73⤵PID:5168
-
C:\Windows\SysWOW64\Oemefcap.exeC:\Windows\system32\Oemefcap.exe74⤵
- Modifies registry class
PID:5208 -
C:\Windows\SysWOW64\Ohkbbn32.exeC:\Windows\system32\Ohkbbn32.exe75⤵PID:5248
-
C:\Windows\SysWOW64\Okjnnj32.exeC:\Windows\system32\Okjnnj32.exe76⤵PID:5288
-
C:\Windows\SysWOW64\Obafpg32.exeC:\Windows\system32\Obafpg32.exe77⤵
- Modifies registry class
PID:5328 -
C:\Windows\SysWOW64\Oeoblb32.exeC:\Windows\system32\Oeoblb32.exe78⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5368 -
C:\Windows\SysWOW64\Oiknlagg.exeC:\Windows\system32\Oiknlagg.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5408 -
C:\Windows\SysWOW64\Olijhmgj.exeC:\Windows\system32\Olijhmgj.exe80⤵PID:5448
-
C:\Windows\SysWOW64\Oohgdhfn.exeC:\Windows\system32\Oohgdhfn.exe81⤵
- Drops file in System32 directory
PID:5488 -
C:\Windows\SysWOW64\Oafcqcea.exeC:\Windows\system32\Oafcqcea.exe82⤵
- Drops file in System32 directory
PID:5528 -
C:\Windows\SysWOW64\Oimkbaed.exeC:\Windows\system32\Oimkbaed.exe83⤵PID:5576
-
C:\Windows\SysWOW64\Pllgnl32.exeC:\Windows\system32\Pllgnl32.exe84⤵
- Modifies registry class
PID:5620 -
C:\Windows\SysWOW64\Pojcjh32.exeC:\Windows\system32\Pojcjh32.exe85⤵PID:5664
-
C:\Windows\SysWOW64\Pahpfc32.exeC:\Windows\system32\Pahpfc32.exe86⤵PID:5708
-
C:\Windows\SysWOW64\Piphgq32.exeC:\Windows\system32\Piphgq32.exe87⤵PID:5748
-
C:\Windows\SysWOW64\Phbhcmjl.exeC:\Windows\system32\Phbhcmjl.exe88⤵PID:5796
-
C:\Windows\SysWOW64\Pkadoiip.exeC:\Windows\system32\Pkadoiip.exe89⤵
- Drops file in System32 directory
- Modifies registry class
PID:5836 -
C:\Windows\SysWOW64\Pchlpfjb.exeC:\Windows\system32\Pchlpfjb.exe90⤵
- Drops file in System32 directory
PID:5884 -
C:\Windows\SysWOW64\Pefhlaie.exeC:\Windows\system32\Pefhlaie.exe91⤵
- System Location Discovery: System Language Discovery
PID:5928 -
C:\Windows\SysWOW64\Phedhmhi.exeC:\Windows\system32\Phedhmhi.exe92⤵PID:5972
-
C:\Windows\SysWOW64\Pkcadhgm.exeC:\Windows\system32\Pkcadhgm.exe93⤵PID:6020
-
C:\Windows\SysWOW64\Pidabppl.exeC:\Windows\system32\Pidabppl.exe94⤵PID:6052
-
C:\Windows\SysWOW64\Plbmokop.exeC:\Windows\system32\Plbmokop.exe95⤵PID:6092
-
C:\Windows\SysWOW64\Poajkgnc.exeC:\Windows\system32\Poajkgnc.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6132 -
C:\Windows\SysWOW64\Pcmeke32.exeC:\Windows\system32\Pcmeke32.exe97⤵PID:3600
-
C:\Windows\SysWOW64\Pekbga32.exeC:\Windows\system32\Pekbga32.exe98⤵PID:3208
-
C:\Windows\SysWOW64\Phincl32.exeC:\Windows\system32\Phincl32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2160 -
C:\Windows\SysWOW64\Pkhjph32.exeC:\Windows\system32\Pkhjph32.exe100⤵PID:2896
-
C:\Windows\SysWOW64\Pcobaedj.exeC:\Windows\system32\Pcobaedj.exe101⤵PID:4296
-
C:\Windows\SysWOW64\Pabblb32.exeC:\Windows\system32\Pabblb32.exe102⤵PID:4012
-
C:\Windows\SysWOW64\Piijno32.exeC:\Windows\system32\Piijno32.exe103⤵
- Drops file in System32 directory
PID:672 -
C:\Windows\SysWOW64\Qlggjk32.exeC:\Windows\system32\Qlggjk32.exe104⤵
- System Location Discovery: System Language Discovery
PID:4344 -
C:\Windows\SysWOW64\Qkjgegae.exeC:\Windows\system32\Qkjgegae.exe105⤵PID:5176
-
C:\Windows\SysWOW64\Qcaofebg.exeC:\Windows\system32\Qcaofebg.exe106⤵
- Modifies registry class
PID:5276 -
C:\Windows\SysWOW64\Qepkbpak.exeC:\Windows\system32\Qepkbpak.exe107⤵
- Drops file in System32 directory
PID:4820 -
C:\Windows\SysWOW64\Qikgco32.exeC:\Windows\system32\Qikgco32.exe108⤵
- Drops file in System32 directory
PID:5392 -
C:\Windows\SysWOW64\Qljcoj32.exeC:\Windows\system32\Qljcoj32.exe109⤵PID:5444
-
C:\Windows\SysWOW64\Qohpkf32.exeC:\Windows\system32\Qohpkf32.exe110⤵PID:5512
-
C:\Windows\SysWOW64\Qcclld32.exeC:\Windows\system32\Qcclld32.exe111⤵PID:5584
-
C:\Windows\SysWOW64\Qebhhp32.exeC:\Windows\system32\Qebhhp32.exe112⤵PID:2480
-
C:\Windows\SysWOW64\Allpejfe.exeC:\Windows\system32\Allpejfe.exe113⤵
- Drops file in System32 directory
PID:5732 -
C:\Windows\SysWOW64\Aojlaeei.exeC:\Windows\system32\Aojlaeei.exe114⤵
- System Location Discovery: System Language Discovery
PID:5804 -
C:\Windows\SysWOW64\Aaiimadl.exeC:\Windows\system32\Aaiimadl.exe115⤵PID:3192
-
C:\Windows\SysWOW64\Ajpqnneo.exeC:\Windows\system32\Ajpqnneo.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5920 -
C:\Windows\SysWOW64\Aomifecf.exeC:\Windows\system32\Aomifecf.exe117⤵
- Drops file in System32 directory
PID:4940 -
C:\Windows\SysWOW64\Aakebqbj.exeC:\Windows\system32\Aakebqbj.exe118⤵
- System Location Discovery: System Language Discovery
PID:4656 -
C:\Windows\SysWOW64\Ahenokjf.exeC:\Windows\system32\Ahenokjf.exe119⤵PID:1808
-
C:\Windows\SysWOW64\Akcjkfij.exeC:\Windows\system32\Akcjkfij.exe120⤵PID:6080
-
C:\Windows\SysWOW64\Aanbhp32.exeC:\Windows\system32\Aanbhp32.exe121⤵PID:3056
-
C:\Windows\SysWOW64\Akffafgg.exeC:\Windows\system32\Akffafgg.exe122⤵PID:2524
-