Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
07-12-2024 20:29
Behavioral task
behavioral1
Sample
ba7664c21aaa85fa2ad04ad9c0dccb22d74888a62c9fa1af380c2328847e8508N.exe
Resource
win7-20240903-en
windows7-x64
10 signatures
120 seconds
Behavioral task
behavioral2
Sample
ba7664c21aaa85fa2ad04ad9c0dccb22d74888a62c9fa1af380c2328847e8508N.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
120 seconds
General
-
Target
ba7664c21aaa85fa2ad04ad9c0dccb22d74888a62c9fa1af380c2328847e8508N.exe
-
Size
386KB
-
MD5
f810986d6268d65dcb4f369eac3ca650
-
SHA1
7656cbe5170273ec9193f23da522b38a5ba82d84
-
SHA256
ba7664c21aaa85fa2ad04ad9c0dccb22d74888a62c9fa1af380c2328847e8508
-
SHA512
bb01026ee120653ace419e4919953da838a01928cb8ad1ae86fdc0cdda38ab86ae207b94b3379cab758b1ec5601523c833e008b9a35d4fe466242bace1f72c59
-
SSDEEP
12288:hIQfwQZ7287xmPFRkfJg9qwQZ7287xmP5:hIQfZZ/aFKm9qZZ/a5
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfagemej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mheeif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pnnfkb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcfohlmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dmebcgbb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgfiocfl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jneoojeb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Joppeeif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iqllghon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Knikfnih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ihdmld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Onfabgch.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipdolbbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cjljnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pebbcdkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gmidlmcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Abdbflnf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efffpjmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ndbile32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lncfcgeb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjljnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nbfnggeo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcedne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eomdoj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efpbih32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aoomflpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cnipak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dklepmal.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aphjjf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bihgmdih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Laodmoep.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idekbgji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ailqfooi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Binikb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fcfohlmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mdplfflp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bchhqo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Abgaeddg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dkmljcdh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahfgbkpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eaednh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hnpgloog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jpmooind.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Faijggao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pllkpn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hchoop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bmlbaqfh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edeclabl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hclhjpjc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kmoekf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnlaomae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Phfoee32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcckibfg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkopndcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mgmoob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nphpng32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ieeqpi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljcbcngi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bklpjlmc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfcabd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kocpbfei.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nojnql32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oielnd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hqochjnk.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2760 Lncfcgeb.exe 2736 Ldahkaij.exe 2564 Lnjldf32.exe 2536 Mcknhm32.exe 2588 Mhjcec32.exe 296 Njbfnjeg.exe 2904 Nmcopebh.exe 1444 Obbdml32.exe 2608 Ofqmcj32.exe 2528 Onqkclni.exe 1288 Ohipla32.exe 2184 Phfoee32.exe 2120 Paocnkph.exe 2352 Aphjjf32.exe 1016 Blfapfpg.exe 1568 Bhbkpgbf.exe 1108 Bnochnpm.exe 1468 Cjljnn32.exe 1360 Coicfd32.exe 2452 Dkdmfe32.exe 1776 Dboeco32.exe 1156 Dnjoco32.exe 1420 Dpklkgoj.exe 1704 Elgfkhpi.exe 1524 Ebqngb32.exe 2664 Eafkhn32.exe 2752 Eimcjl32.exe 2708 Fdnjkh32.exe 3056 Fijbco32.exe 2096 Feachqgb.exe 1168 Gajqbakc.exe 2092 Ghdiokbq.exe 484 Gekfnoog.exe 1448 Hgqlafap.exe 2132 Hqiqjlga.exe 836 Hffibceh.exe 804 Ieponofk.exe 2116 Imggplgm.exe 2436 Iebldo32.exe 2372 Igqhpj32.exe 896 Iogpag32.exe 928 Iediin32.exe 560 Iknafhjb.exe 600 Iclbpj32.exe 844 Jnagmc32.exe 2028 Jjhgbd32.exe 2972 Jabponba.exe 2496 Jbclgf32.exe 1400 Jimdcqom.exe 2732 Jllqplnp.exe 2864 Jbfilffm.exe 2716 Jipaip32.exe 2540 Jfcabd32.exe 3016 Jibnop32.exe 1948 Kbjbge32.exe 3020 Kjeglh32.exe 1348 Kapohbfp.exe 1644 Kocpbfei.exe 1880 Khldkllj.exe 2396 Koflgf32.exe 1084 Kmimcbja.exe 1740 Kpieengb.exe 608 Libjncnc.exe 1236 Ldgnklmi.exe -
Loads dropped DLL 64 IoCs
pid Process 2248 ba7664c21aaa85fa2ad04ad9c0dccb22d74888a62c9fa1af380c2328847e8508N.exe 2248 ba7664c21aaa85fa2ad04ad9c0dccb22d74888a62c9fa1af380c2328847e8508N.exe 2760 Lncfcgeb.exe 2760 Lncfcgeb.exe 2736 Ldahkaij.exe 2736 Ldahkaij.exe 2564 Lnjldf32.exe 2564 Lnjldf32.exe 2536 Mcknhm32.exe 2536 Mcknhm32.exe 2588 Mhjcec32.exe 2588 Mhjcec32.exe 296 Njbfnjeg.exe 296 Njbfnjeg.exe 2904 Nmcopebh.exe 2904 Nmcopebh.exe 1444 Obbdml32.exe 1444 Obbdml32.exe 2608 Ofqmcj32.exe 2608 Ofqmcj32.exe 2528 Onqkclni.exe 2528 Onqkclni.exe 1288 Ohipla32.exe 1288 Ohipla32.exe 2184 Phfoee32.exe 2184 Phfoee32.exe 2120 Paocnkph.exe 2120 Paocnkph.exe 2352 Aphjjf32.exe 2352 Aphjjf32.exe 1016 Blfapfpg.exe 1016 Blfapfpg.exe 1568 Bhbkpgbf.exe 1568 Bhbkpgbf.exe 1108 Bnochnpm.exe 1108 Bnochnpm.exe 1468 Cjljnn32.exe 1468 Cjljnn32.exe 1360 Coicfd32.exe 1360 Coicfd32.exe 2452 Dkdmfe32.exe 2452 Dkdmfe32.exe 1776 Dboeco32.exe 1776 Dboeco32.exe 1156 Dnjoco32.exe 1156 Dnjoco32.exe 1420 Dpklkgoj.exe 1420 Dpklkgoj.exe 1704 Elgfkhpi.exe 1704 Elgfkhpi.exe 1524 Ebqngb32.exe 1524 Ebqngb32.exe 2664 Eafkhn32.exe 2664 Eafkhn32.exe 2752 Eimcjl32.exe 2752 Eimcjl32.exe 2708 Fdnjkh32.exe 2708 Fdnjkh32.exe 3056 Fijbco32.exe 3056 Fijbco32.exe 2096 Feachqgb.exe 2096 Feachqgb.exe 1168 Gajqbakc.exe 1168 Gajqbakc.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Faibdo32.dll Hgqlafap.exe File created C:\Windows\SysWOW64\Ocefpnom.exe Ofafgipc.exe File created C:\Windows\SysWOW64\Mpcmlh32.dll Gkbnap32.exe File opened for modification C:\Windows\SysWOW64\Kjpceebh.exe Kaholp32.exe File opened for modification C:\Windows\SysWOW64\Hplphd32.exe Hchoop32.exe File opened for modification C:\Windows\SysWOW64\Ieponofk.exe Hffibceh.exe File created C:\Windows\SysWOW64\Fpokjd32.exe Fejfmk32.exe File created C:\Windows\SysWOW64\Ofafgipc.exe Onfabgch.exe File opened for modification C:\Windows\SysWOW64\Hijhhl32.exe Glfgnh32.exe File created C:\Windows\SysWOW64\Ndiomdde.exe Nickoldp.exe File opened for modification C:\Windows\SysWOW64\Fiedfb32.exe Fblljhbo.exe File created C:\Windows\SysWOW64\Ndcjglje.dll Hehafe32.exe File created C:\Windows\SysWOW64\Olchjp32.exe Oielnd32.exe File created C:\Windows\SysWOW64\Lophacfl.exe Lalhgogb.exe File opened for modification C:\Windows\SysWOW64\Ppdfimji.exe Pcnfdl32.exe File created C:\Windows\SysWOW64\Lpldcfmd.exe Lmnhgjmp.exe File created C:\Windows\SysWOW64\Pecelm32.exe Pbdipa32.exe File created C:\Windows\SysWOW64\Nklcci32.dll Blfapfpg.exe File created C:\Windows\SysWOW64\Lolijfnc.dll Phcleoho.exe File created C:\Windows\SysWOW64\Amjpgdik.exe Ahngomkd.exe File created C:\Windows\SysWOW64\Cpgecq32.exe Cgnpjkhj.exe File created C:\Windows\SysWOW64\Hbghdj32.exe Hiockd32.exe File created C:\Windows\SysWOW64\Ofobgc32.exe Nhkbmo32.exe File created C:\Windows\SysWOW64\Hmhonm32.dll Ohjkcile.exe File opened for modification C:\Windows\SysWOW64\Jneoojeb.exe Jldbgb32.exe File opened for modification C:\Windows\SysWOW64\Jkllnn32.exe Jngkdj32.exe File created C:\Windows\SysWOW64\Dfmkfcib.dll Cdedde32.exe File created C:\Windows\SysWOW64\Ddhbllim.dll Mecglbfl.exe File created C:\Windows\SysWOW64\Akomon32.dll Ecnpdnho.exe File created C:\Windows\SysWOW64\Nkfkidmk.exe Ndlbmk32.exe File opened for modification C:\Windows\SysWOW64\Gmoppefc.exe Ghbhhnhk.exe File created C:\Windows\SysWOW64\Hakhbifq.dll Ckkenikc.exe File created C:\Windows\SysWOW64\Mkggnp32.exe Mejoei32.exe File created C:\Windows\SysWOW64\Obkglbmf.dll Lnjldf32.exe File created C:\Windows\SysWOW64\Kjeglh32.exe Kbjbge32.exe File created C:\Windows\SysWOW64\Qdofep32.exe Qlgndbil.exe File created C:\Windows\SysWOW64\Aiknnf32.exe Qdofep32.exe File created C:\Windows\SysWOW64\Hhcndhap.exe Hfebhmbm.exe File created C:\Windows\SysWOW64\Bmlbaqfh.exe Bphaglgo.exe File created C:\Windows\SysWOW64\Lbhfkhon.dll Eomdoj32.exe File created C:\Windows\SysWOW64\Cdedde32.exe Cnklgkap.exe File opened for modification C:\Windows\SysWOW64\Ogbldk32.exe Oddphp32.exe File opened for modification C:\Windows\SysWOW64\Gpjfcali.exe Gbffjmmp.exe File created C:\Windows\SysWOW64\Oemmkpog.dll Gplcia32.exe File created C:\Windows\SysWOW64\Ligfakaa.exe Lpoaheja.exe File created C:\Windows\SysWOW64\Endbib32.dll Cagjqbam.exe File created C:\Windows\SysWOW64\Gimcmake.dll Iaobkf32.exe File opened for modification C:\Windows\SysWOW64\Olchjp32.exe Oielnd32.exe File created C:\Windows\SysWOW64\Pepfnd32.exe Ppcmfn32.exe File created C:\Windows\SysWOW64\Qddcbgfn.dll Mhflcm32.exe File created C:\Windows\SysWOW64\Ajpqndbo.dll Gllnnc32.exe File created C:\Windows\SysWOW64\Gpqlnhfp.dll Jcckibfg.exe File created C:\Windows\SysWOW64\Kidncq32.dll Dijfch32.exe File created C:\Windows\SysWOW64\Mhgacc32.dll Gpjmnh32.exe File opened for modification C:\Windows\SysWOW64\Kkalcdao.exe Jkopndcb.exe File created C:\Windows\SysWOW64\Hgkfkohg.dll Kkalcdao.exe File created C:\Windows\SysWOW64\Fnjkec32.dll Nphpng32.exe File created C:\Windows\SysWOW64\Dgildi32.exe Dkblohek.exe File opened for modification C:\Windows\SysWOW64\Ghmnmo32.exe Fbpfeh32.exe File created C:\Windows\SysWOW64\Mgcjpkak.exe Lafahdcc.exe File created C:\Windows\SysWOW64\Gonakpgj.dll Ppcmfn32.exe File created C:\Windows\SysWOW64\Hlhddh32.exe Hijhhl32.exe File created C:\Windows\SysWOW64\Iejkhlip.exe Ikagogco.exe File created C:\Windows\SysWOW64\Bklpjlmc.exe Bikcbc32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 1948 6048 WerFault.exe 577 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dilchhgg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bikjmj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iejkhlip.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npkfff32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olchjp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgadja32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkkjeeke.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhdpnm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bakaaepk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcichb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inmpklpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omqjgl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pepfnd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lckflc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfkkeq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edhpaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhfmbq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dqobnf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlmaad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbdipa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkpakq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpokjd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhflcm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fakglf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlpngd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkbnap32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qhkkim32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bihgmdih.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgkiih32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcknhm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Decdmi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofgbkacb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpcnbn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnjldf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Immjnj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cobhdhha.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hoipnl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jimdcqom.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idekbgji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oabplobe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Moqgiopk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Noohlkpc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glfgnh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Binikb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edmilpld.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eqcjaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ieeqpi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fapgblob.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Palpneop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llkbcl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oehicoom.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmeebpkd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hffibceh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpieengb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dijfch32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfjildbp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghbhhnhk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhjcec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nkehql32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhcndhap.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgkdigfa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aadobccg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lidgcclp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdobdc32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gchhdfem.dll" Qaablcej.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gefolhja.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hpicbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Inplqlng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnjkec32.dll" Nphpng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifpjem32.dll" Dgkiih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lclgbcdk.dll" Ffboohnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gmqkml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnbdnonc.dll" Kbcddlnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Icbkhnan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oibohdmd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Olchjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plkkkh32.dll" Cgadja32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aadobccg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cdkkcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igqcmh32.dll" Hgoadp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gmamfddp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnanlhmd.dll" Lidgcclp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nklcci32.dll" Blfapfpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aaklmhak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngemqa32.dll" Okbapi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ialadj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ngencpel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Paocnkph.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Edmilpld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ghmnmo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hijhhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Epkepakn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fdfmpc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ingmmn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hocmpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jqhdfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcepfhka.dll" Hqiqjlga.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ldbaopdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gigkbm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jgkdigfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Piihaccl.dll" Mohhea32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Edjlgq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kmabqf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lefikg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ohipla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mhfoleio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jllqplnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bodilc32.dll" Koflgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpmdcijc.dll" Aoomflpd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Laodmoep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dbmkfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmdfje32.dll" Ghbhhnhk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iciaim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kobgmfjh.dll" Iknafhjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mhkhgd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ebqngb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fdnjkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mgnfji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dilmaf32.dll" Bhbmip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cpgecq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejnbekph.dll" Doqkpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfjkqg32.dll" Nmggllha.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aphjjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Abinjdad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opgikjgo.dll" Djghpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndcjglje.dll" Hehafe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qcjoci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Llgljn32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2248 wrote to memory of 2760 2248 ba7664c21aaa85fa2ad04ad9c0dccb22d74888a62c9fa1af380c2328847e8508N.exe 30 PID 2248 wrote to memory of 2760 2248 ba7664c21aaa85fa2ad04ad9c0dccb22d74888a62c9fa1af380c2328847e8508N.exe 30 PID 2248 wrote to memory of 2760 2248 ba7664c21aaa85fa2ad04ad9c0dccb22d74888a62c9fa1af380c2328847e8508N.exe 30 PID 2248 wrote to memory of 2760 2248 ba7664c21aaa85fa2ad04ad9c0dccb22d74888a62c9fa1af380c2328847e8508N.exe 30 PID 2760 wrote to memory of 2736 2760 Lncfcgeb.exe 31 PID 2760 wrote to memory of 2736 2760 Lncfcgeb.exe 31 PID 2760 wrote to memory of 2736 2760 Lncfcgeb.exe 31 PID 2760 wrote to memory of 2736 2760 Lncfcgeb.exe 31 PID 2736 wrote to memory of 2564 2736 Ldahkaij.exe 32 PID 2736 wrote to memory of 2564 2736 Ldahkaij.exe 32 PID 2736 wrote to memory of 2564 2736 Ldahkaij.exe 32 PID 2736 wrote to memory of 2564 2736 Ldahkaij.exe 32 PID 2564 wrote to memory of 2536 2564 Lnjldf32.exe 33 PID 2564 wrote to memory of 2536 2564 Lnjldf32.exe 33 PID 2564 wrote to memory of 2536 2564 Lnjldf32.exe 33 PID 2564 wrote to memory of 2536 2564 Lnjldf32.exe 33 PID 2536 wrote to memory of 2588 2536 Mcknhm32.exe 34 PID 2536 wrote to memory of 2588 2536 Mcknhm32.exe 34 PID 2536 wrote to memory of 2588 2536 Mcknhm32.exe 34 PID 2536 wrote to memory of 2588 2536 Mcknhm32.exe 34 PID 2588 wrote to memory of 296 2588 Mhjcec32.exe 35 PID 2588 wrote to memory of 296 2588 Mhjcec32.exe 35 PID 2588 wrote to memory of 296 2588 Mhjcec32.exe 35 PID 2588 wrote to memory of 296 2588 Mhjcec32.exe 35 PID 296 wrote to memory of 2904 296 Njbfnjeg.exe 36 PID 296 wrote to memory of 2904 296 Njbfnjeg.exe 36 PID 296 wrote to memory of 2904 296 Njbfnjeg.exe 36 PID 296 wrote to memory of 2904 296 Njbfnjeg.exe 36 PID 2904 wrote to memory of 1444 2904 Nmcopebh.exe 37 PID 2904 wrote to memory of 1444 2904 Nmcopebh.exe 37 PID 2904 wrote to memory of 1444 2904 Nmcopebh.exe 37 PID 2904 wrote to memory of 1444 2904 Nmcopebh.exe 37 PID 1444 wrote to memory of 2608 1444 Obbdml32.exe 38 PID 1444 wrote to memory of 2608 1444 Obbdml32.exe 38 PID 1444 wrote to memory of 2608 1444 Obbdml32.exe 38 PID 1444 wrote to memory of 2608 1444 Obbdml32.exe 38 PID 2608 wrote to memory of 2528 2608 Ofqmcj32.exe 39 PID 2608 wrote to memory of 2528 2608 Ofqmcj32.exe 39 PID 2608 wrote to memory of 2528 2608 Ofqmcj32.exe 39 PID 2608 wrote to memory of 2528 2608 Ofqmcj32.exe 39 PID 2528 wrote to memory of 1288 2528 Onqkclni.exe 40 PID 2528 wrote to memory of 1288 2528 Onqkclni.exe 40 PID 2528 wrote to memory of 1288 2528 Onqkclni.exe 40 PID 2528 wrote to memory of 1288 2528 Onqkclni.exe 40 PID 1288 wrote to memory of 2184 1288 Ohipla32.exe 41 PID 1288 wrote to memory of 2184 1288 Ohipla32.exe 41 PID 1288 wrote to memory of 2184 1288 Ohipla32.exe 41 PID 1288 wrote to memory of 2184 1288 Ohipla32.exe 41 PID 2184 wrote to memory of 2120 2184 Phfoee32.exe 42 PID 2184 wrote to memory of 2120 2184 Phfoee32.exe 42 PID 2184 wrote to memory of 2120 2184 Phfoee32.exe 42 PID 2184 wrote to memory of 2120 2184 Phfoee32.exe 42 PID 2120 wrote to memory of 2352 2120 Paocnkph.exe 43 PID 2120 wrote to memory of 2352 2120 Paocnkph.exe 43 PID 2120 wrote to memory of 2352 2120 Paocnkph.exe 43 PID 2120 wrote to memory of 2352 2120 Paocnkph.exe 43 PID 2352 wrote to memory of 1016 2352 Aphjjf32.exe 44 PID 2352 wrote to memory of 1016 2352 Aphjjf32.exe 44 PID 2352 wrote to memory of 1016 2352 Aphjjf32.exe 44 PID 2352 wrote to memory of 1016 2352 Aphjjf32.exe 44 PID 1016 wrote to memory of 1568 1016 Blfapfpg.exe 45 PID 1016 wrote to memory of 1568 1016 Blfapfpg.exe 45 PID 1016 wrote to memory of 1568 1016 Blfapfpg.exe 45 PID 1016 wrote to memory of 1568 1016 Blfapfpg.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\ba7664c21aaa85fa2ad04ad9c0dccb22d74888a62c9fa1af380c2328847e8508N.exe"C:\Users\Admin\AppData\Local\Temp\ba7664c21aaa85fa2ad04ad9c0dccb22d74888a62c9fa1af380c2328847e8508N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2248 -
C:\Windows\SysWOW64\Lncfcgeb.exeC:\Windows\system32\Lncfcgeb.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Windows\SysWOW64\Ldahkaij.exeC:\Windows\system32\Ldahkaij.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Windows\SysWOW64\Lnjldf32.exeC:\Windows\system32\Lnjldf32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2564 -
C:\Windows\SysWOW64\Mcknhm32.exeC:\Windows\system32\Mcknhm32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2536 -
C:\Windows\SysWOW64\Mhjcec32.exeC:\Windows\system32\Mhjcec32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2588 -
C:\Windows\SysWOW64\Njbfnjeg.exeC:\Windows\system32\Njbfnjeg.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:296 -
C:\Windows\SysWOW64\Nmcopebh.exeC:\Windows\system32\Nmcopebh.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2904 -
C:\Windows\SysWOW64\Obbdml32.exeC:\Windows\system32\Obbdml32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1444 -
C:\Windows\SysWOW64\Ofqmcj32.exeC:\Windows\system32\Ofqmcj32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2608 -
C:\Windows\SysWOW64\Onqkclni.exeC:\Windows\system32\Onqkclni.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2528 -
C:\Windows\SysWOW64\Ohipla32.exeC:\Windows\system32\Ohipla32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1288 -
C:\Windows\SysWOW64\Phfoee32.exeC:\Windows\system32\Phfoee32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2184 -
C:\Windows\SysWOW64\Paocnkph.exeC:\Windows\system32\Paocnkph.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2120 -
C:\Windows\SysWOW64\Aphjjf32.exeC:\Windows\system32\Aphjjf32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2352 -
C:\Windows\SysWOW64\Blfapfpg.exeC:\Windows\system32\Blfapfpg.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1016 -
C:\Windows\SysWOW64\Bhbkpgbf.exeC:\Windows\system32\Bhbkpgbf.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1568 -
C:\Windows\SysWOW64\Bnochnpm.exeC:\Windows\system32\Bnochnpm.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1108 -
C:\Windows\SysWOW64\Cjljnn32.exeC:\Windows\system32\Cjljnn32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1468 -
C:\Windows\SysWOW64\Coicfd32.exeC:\Windows\system32\Coicfd32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1360 -
C:\Windows\SysWOW64\Dkdmfe32.exeC:\Windows\system32\Dkdmfe32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2452 -
C:\Windows\SysWOW64\Dboeco32.exeC:\Windows\system32\Dboeco32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1776 -
C:\Windows\SysWOW64\Dnjoco32.exeC:\Windows\system32\Dnjoco32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1156 -
C:\Windows\SysWOW64\Dpklkgoj.exeC:\Windows\system32\Dpklkgoj.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1420 -
C:\Windows\SysWOW64\Elgfkhpi.exeC:\Windows\system32\Elgfkhpi.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1704 -
C:\Windows\SysWOW64\Ebqngb32.exeC:\Windows\system32\Ebqngb32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1524 -
C:\Windows\SysWOW64\Eafkhn32.exeC:\Windows\system32\Eafkhn32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2664 -
C:\Windows\SysWOW64\Eimcjl32.exeC:\Windows\system32\Eimcjl32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2752 -
C:\Windows\SysWOW64\Fdnjkh32.exeC:\Windows\system32\Fdnjkh32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2708 -
C:\Windows\SysWOW64\Fijbco32.exeC:\Windows\system32\Fijbco32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3056 -
C:\Windows\SysWOW64\Feachqgb.exeC:\Windows\system32\Feachqgb.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2096 -
C:\Windows\SysWOW64\Gajqbakc.exeC:\Windows\system32\Gajqbakc.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1168 -
C:\Windows\SysWOW64\Ghdiokbq.exeC:\Windows\system32\Ghdiokbq.exe33⤵
- Executes dropped EXE
PID:2092 -
C:\Windows\SysWOW64\Gekfnoog.exeC:\Windows\system32\Gekfnoog.exe34⤵
- Executes dropped EXE
PID:484 -
C:\Windows\SysWOW64\Hgqlafap.exeC:\Windows\system32\Hgqlafap.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1448 -
C:\Windows\SysWOW64\Hqiqjlga.exeC:\Windows\system32\Hqiqjlga.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:2132 -
C:\Windows\SysWOW64\Hffibceh.exeC:\Windows\system32\Hffibceh.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:836 -
C:\Windows\SysWOW64\Ieponofk.exeC:\Windows\system32\Ieponofk.exe38⤵
- Executes dropped EXE
PID:804 -
C:\Windows\SysWOW64\Imggplgm.exeC:\Windows\system32\Imggplgm.exe39⤵
- Executes dropped EXE
PID:2116 -
C:\Windows\SysWOW64\Iebldo32.exeC:\Windows\system32\Iebldo32.exe40⤵
- Executes dropped EXE
PID:2436 -
C:\Windows\SysWOW64\Igqhpj32.exeC:\Windows\system32\Igqhpj32.exe41⤵
- Executes dropped EXE
PID:2372 -
C:\Windows\SysWOW64\Iogpag32.exeC:\Windows\system32\Iogpag32.exe42⤵
- Executes dropped EXE
PID:896 -
C:\Windows\SysWOW64\Iediin32.exeC:\Windows\system32\Iediin32.exe43⤵
- Executes dropped EXE
PID:928 -
C:\Windows\SysWOW64\Iknafhjb.exeC:\Windows\system32\Iknafhjb.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:560 -
C:\Windows\SysWOW64\Iclbpj32.exeC:\Windows\system32\Iclbpj32.exe45⤵
- Executes dropped EXE
PID:600 -
C:\Windows\SysWOW64\Jnagmc32.exeC:\Windows\system32\Jnagmc32.exe46⤵
- Executes dropped EXE
PID:844 -
C:\Windows\SysWOW64\Jjhgbd32.exeC:\Windows\system32\Jjhgbd32.exe47⤵
- Executes dropped EXE
PID:2028 -
C:\Windows\SysWOW64\Jabponba.exeC:\Windows\system32\Jabponba.exe48⤵
- Executes dropped EXE
PID:2972 -
C:\Windows\SysWOW64\Jbclgf32.exeC:\Windows\system32\Jbclgf32.exe49⤵
- Executes dropped EXE
PID:2496 -
C:\Windows\SysWOW64\Jimdcqom.exeC:\Windows\system32\Jimdcqom.exe50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1400 -
C:\Windows\SysWOW64\Jllqplnp.exeC:\Windows\system32\Jllqplnp.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:2732 -
C:\Windows\SysWOW64\Jbfilffm.exeC:\Windows\system32\Jbfilffm.exe52⤵
- Executes dropped EXE
PID:2864 -
C:\Windows\SysWOW64\Jipaip32.exeC:\Windows\system32\Jipaip32.exe53⤵
- Executes dropped EXE
PID:2716 -
C:\Windows\SysWOW64\Jfcabd32.exeC:\Windows\system32\Jfcabd32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2540 -
C:\Windows\SysWOW64\Jibnop32.exeC:\Windows\system32\Jibnop32.exe55⤵
- Executes dropped EXE
PID:3016 -
C:\Windows\SysWOW64\Kbjbge32.exeC:\Windows\system32\Kbjbge32.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1948 -
C:\Windows\SysWOW64\Kjeglh32.exeC:\Windows\system32\Kjeglh32.exe57⤵
- Executes dropped EXE
PID:3020 -
C:\Windows\SysWOW64\Kapohbfp.exeC:\Windows\system32\Kapohbfp.exe58⤵
- Executes dropped EXE
PID:1348 -
C:\Windows\SysWOW64\Kocpbfei.exeC:\Windows\system32\Kocpbfei.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1644 -
C:\Windows\SysWOW64\Khldkllj.exeC:\Windows\system32\Khldkllj.exe60⤵
- Executes dropped EXE
PID:1880 -
C:\Windows\SysWOW64\Koflgf32.exeC:\Windows\system32\Koflgf32.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:2396 -
C:\Windows\SysWOW64\Kmimcbja.exeC:\Windows\system32\Kmimcbja.exe62⤵
- Executes dropped EXE
PID:1084 -
C:\Windows\SysWOW64\Kpieengb.exeC:\Windows\system32\Kpieengb.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1740 -
C:\Windows\SysWOW64\Libjncnc.exeC:\Windows\system32\Libjncnc.exe64⤵
- Executes dropped EXE
PID:608 -
C:\Windows\SysWOW64\Ldgnklmi.exeC:\Windows\system32\Ldgnklmi.exe65⤵
- Executes dropped EXE
PID:1236 -
C:\Windows\SysWOW64\Lidgcclp.exeC:\Windows\system32\Lidgcclp.exe66⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2016 -
C:\Windows\SysWOW64\Lcmklh32.exeC:\Windows\system32\Lcmklh32.exe67⤵PID:2076
-
C:\Windows\SysWOW64\Llepen32.exeC:\Windows\system32\Llepen32.exe68⤵PID:620
-
C:\Windows\SysWOW64\Lemdncoa.exeC:\Windows\system32\Lemdncoa.exe69⤵PID:2448
-
C:\Windows\SysWOW64\Llgljn32.exeC:\Windows\system32\Llgljn32.exe70⤵
- Modifies registry class
PID:3032 -
C:\Windows\SysWOW64\Ladebd32.exeC:\Windows\system32\Ladebd32.exe71⤵PID:2576
-
C:\Windows\SysWOW64\Ldbaopdj.exeC:\Windows\system32\Ldbaopdj.exe72⤵
- Modifies registry class
PID:2696 -
C:\Windows\SysWOW64\Lafahdcc.exeC:\Windows\system32\Lafahdcc.exe73⤵
- Drops file in System32 directory
PID:2780 -
C:\Windows\SysWOW64\Mgcjpkak.exeC:\Windows\system32\Mgcjpkak.exe74⤵PID:2568
-
C:\Windows\SysWOW64\Mploiq32.exeC:\Windows\system32\Mploiq32.exe75⤵PID:3004
-
C:\Windows\SysWOW64\Mkacfiga.exeC:\Windows\system32\Mkacfiga.exe76⤵PID:780
-
C:\Windows\SysWOW64\Mclgklel.exeC:\Windows\system32\Mclgklel.exe77⤵PID:1388
-
C:\Windows\SysWOW64\Mjfphf32.exeC:\Windows\system32\Mjfphf32.exe78⤵PID:2996
-
C:\Windows\SysWOW64\Mndhnd32.exeC:\Windows\system32\Mndhnd32.exe79⤵PID:2340
-
C:\Windows\SysWOW64\Mcaafk32.exeC:\Windows\system32\Mcaafk32.exe80⤵PID:2840
-
C:\Windows\SysWOW64\Nqeapo32.exeC:\Windows\system32\Nqeapo32.exe81⤵PID:1228
-
C:\Windows\SysWOW64\Nbfnggeo.exeC:\Windows\system32\Nbfnggeo.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1548 -
C:\Windows\SysWOW64\Nllbdp32.exeC:\Windows\system32\Nllbdp32.exe83⤵PID:2964
-
C:\Windows\SysWOW64\Nojnql32.exeC:\Windows\system32\Nojnql32.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:352 -
C:\Windows\SysWOW64\Ndggib32.exeC:\Windows\system32\Ndggib32.exe85⤵PID:1736
-
C:\Windows\SysWOW64\Nkaoemjm.exeC:\Windows\system32\Nkaoemjm.exe86⤵PID:948
-
C:\Windows\SysWOW64\Nhepoaif.exeC:\Windows\system32\Nhepoaif.exe87⤵PID:832
-
C:\Windows\SysWOW64\Noohlkpc.exeC:\Windows\system32\Noohlkpc.exe88⤵
- System Location Discovery: System Language Discovery
PID:2624 -
C:\Windows\SysWOW64\Ndlpdbnj.exeC:\Windows\system32\Ndlpdbnj.exe89⤵PID:2676
-
C:\Windows\SysWOW64\Nkehql32.exeC:\Windows\system32\Nkehql32.exe90⤵
- System Location Discovery: System Language Discovery
PID:2236 -
C:\Windows\SysWOW64\Ndnmialh.exeC:\Windows\system32\Ndnmialh.exe91⤵PID:1496
-
C:\Windows\SysWOW64\Onfabgch.exeC:\Windows\system32\Onfabgch.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1728 -
C:\Windows\SysWOW64\Ofafgipc.exeC:\Windows\system32\Ofafgipc.exe93⤵
- Drops file in System32 directory
PID:1616 -
C:\Windows\SysWOW64\Ocefpnom.exeC:\Windows\system32\Ocefpnom.exe94⤵PID:2404
-
C:\Windows\SysWOW64\Oibohdmd.exeC:\Windows\system32\Oibohdmd.exe95⤵
- Modifies registry class
PID:2692 -
C:\Windows\SysWOW64\Omnkicen.exeC:\Windows\system32\Omnkicen.exe96⤵PID:3000
-
C:\Windows\SysWOW64\Oielnd32.exeC:\Windows\system32\Oielnd32.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1608 -
C:\Windows\SysWOW64\Olchjp32.exeC:\Windows\system32\Olchjp32.exe98⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1432 -
C:\Windows\SysWOW64\Ombddbah.exeC:\Windows\system32\Ombddbah.exe99⤵PID:2392
-
C:\Windows\SysWOW64\Pndalkgf.exeC:\Windows\system32\Pndalkgf.exe100⤵PID:2900
-
C:\Windows\SysWOW64\Piieicgl.exeC:\Windows\system32\Piieicgl.exe101⤵PID:2724
-
C:\Windows\SysWOW64\Ppcmfn32.exeC:\Windows\system32\Ppcmfn32.exe102⤵
- Drops file in System32 directory
PID:2180 -
C:\Windows\SysWOW64\Pepfnd32.exeC:\Windows\system32\Pepfnd32.exe103⤵
- System Location Discovery: System Language Discovery
PID:2332 -
C:\Windows\SysWOW64\Pljnkodm.exeC:\Windows\system32\Pljnkodm.exe104⤵PID:408
-
C:\Windows\SysWOW64\Pebbcdkn.exeC:\Windows\system32\Pebbcdkn.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2148 -
C:\Windows\SysWOW64\Pllkpn32.exeC:\Windows\system32\Pllkpn32.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:984 -
C:\Windows\SysWOW64\Phcleoho.exeC:\Windows\system32\Phcleoho.exe107⤵
- Drops file in System32 directory
PID:1640 -
C:\Windows\SysWOW64\Palpneop.exeC:\Windows\system32\Palpneop.exe108⤵
- System Location Discovery: System Language Discovery
PID:1992 -
C:\Windows\SysWOW64\Pfhhflmg.exeC:\Windows\system32\Pfhhflmg.exe109⤵PID:1960
-
C:\Windows\SysWOW64\Qanmcdlm.exeC:\Windows\system32\Qanmcdlm.exe110⤵PID:1912
-
C:\Windows\SysWOW64\Qfkelkkd.exeC:\Windows\system32\Qfkelkkd.exe111⤵PID:1064
-
C:\Windows\SysWOW64\Qlgndbil.exeC:\Windows\system32\Qlgndbil.exe112⤵
- Drops file in System32 directory
PID:2776 -
C:\Windows\SysWOW64\Qdofep32.exeC:\Windows\system32\Qdofep32.exe113⤵
- Drops file in System32 directory
PID:2704 -
C:\Windows\SysWOW64\Aiknnf32.exeC:\Windows\system32\Aiknnf32.exe114⤵PID:3008
-
C:\Windows\SysWOW64\Apefjqob.exeC:\Windows\system32\Apefjqob.exe115⤵PID:2660
-
C:\Windows\SysWOW64\Abdbflnf.exeC:\Windows\system32\Abdbflnf.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2604 -
C:\Windows\SysWOW64\Allgoa32.exeC:\Windows\system32\Allgoa32.exe117⤵PID:1356
-
C:\Windows\SysWOW64\Abfoll32.exeC:\Windows\system32\Abfoll32.exe118⤵PID:1656
-
C:\Windows\SysWOW64\Akadpn32.exeC:\Windows\system32\Akadpn32.exe119⤵PID:1884
-
C:\Windows\SysWOW64\Aaklmhak.exeC:\Windows\system32\Aaklmhak.exe120⤵
- Modifies registry class
PID:2416 -
C:\Windows\SysWOW64\Aoomflpd.exeC:\Windows\system32\Aoomflpd.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2932
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-