Analysis
-
max time kernel
119s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
07-12-2024 20:46
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ec8ee28c1493bb4ce7e6f16986fbeb9f134cf6fa944801592398b9b05780f954N.exe
Resource
win7-20240903-en
windows7-x64
10 signatures
120 seconds
Behavioral task
behavioral2
Sample
ec8ee28c1493bb4ce7e6f16986fbeb9f134cf6fa944801592398b9b05780f954N.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
120 seconds
General
-
Target
ec8ee28c1493bb4ce7e6f16986fbeb9f134cf6fa944801592398b9b05780f954N.exe
-
Size
74KB
-
MD5
d26095d826e2b8fc5b8531f8fefacd40
-
SHA1
8eb20ef90db043f75ea182d19c7cfbab03aca573
-
SHA256
ec8ee28c1493bb4ce7e6f16986fbeb9f134cf6fa944801592398b9b05780f954
-
SHA512
e6693d79937540ab10023dc512b0d0891bee335720f3480e15994731e0010104bd2e8cb8c5c9d5b2d3698fa0ef51c2421d3747fec3b6a3995c47f6dc6c3629e8
-
SSDEEP
1536:K8V67PCLxmE7PsOU9kQA5j5PHQYMG1qDL:K87N73UmldQYMG1qDL
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Einebddd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkipao32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gaagcpdl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijcngenj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kimjhnnl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkifkdjm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cgnnab32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkcilc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppkmjlca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Efmlqigc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Baefnmml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cceogcfj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfkjgm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ecmjid32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Maldfbjn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mjqmig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Icifjk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmhbgpia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Piadma32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbjnqh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elcpbigl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obeacl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gockgdeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Palpneop.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnkglj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adblnnbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gjifodii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jjkkbjln.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcjmmdbf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjmlhbbg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldgnklmi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijaaae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hdefnjkj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kiecgo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmcjedcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Momfan32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ponklpcg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eoebgcol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ghibjjnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dfcgbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gaojnq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jfohgepi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aphcppmo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfeeff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dpcmgi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Emgioakg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oiafee32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anadojlo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cceogcfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Afpogk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fhjoof32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gagmbkik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oioipf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jedehaea.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klcgpkhh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncfjajma.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofafgipc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jgpndg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qhincn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fckhhgcf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahmefdcp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qjfalj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oqmmbqgd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bemkle32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2956 Danpemej.exe 380 Djfdob32.exe 1700 Dpcmgi32.exe 2788 Dfmeccao.exe 2768 Dmgmpnhl.exe 2728 Dbdehdfc.exe 2556 Dphfbiem.exe 3056 Dpjbgh32.exe 304 Eibgpnjk.exe 1156 Elcpbigl.exe 2052 Eeldkonl.exe 764 Emgioakg.exe 1816 Egonhf32.exe 2432 Ephbal32.exe 912 Flocfmnl.exe 2844 Feggob32.exe 2280 Flapkmlj.exe 1748 Fckhhgcf.exe 292 Fiepea32.exe 1772 Foahmh32.exe 2176 Felajbpg.exe 2140 Fhjmfnok.exe 2228 Fdqnkoep.exe 1424 Fnibcd32.exe 1240 Ghofam32.exe 2944 Gpjkeoha.exe 2932 Gaihob32.exe 2164 Gckdgjeb.exe 2656 Gnphdceh.exe 2676 Gghmmilh.exe 2836 Gmeeepjp.exe 2324 Gjifodii.exe 2660 Gmhbkohm.exe 2440 Hjlbdc32.exe 580 Hcdgmimg.exe 1952 Hmlkfo32.exe 540 Hfepod32.exe 2028 Hbkqdepm.exe 2776 Hnbaif32.exe 2584 Ikfbbjdj.exe 1996 Iacjjacb.exe 448 Ifpcchai.exe 1980 Iaegpaao.exe 1964 Ijnkifgp.exe 896 Icfpbl32.exe 1896 Ijphofem.exe 1524 Iladfn32.exe 688 Ichmgl32.exe 2308 Ifgicg32.exe 872 Imaapa32.exe 3024 Inbnhihl.exe 2880 Jigbebhb.exe 2172 Jndjmifj.exe 2704 Jijokbfp.exe 2848 Jjkkbjln.exe 2712 Jdcpkp32.exe 2620 Joidhh32.exe 1008 Jhahanie.exe 1704 Jokqnhpa.exe 2364 Jhdegn32.exe 1988 Jkbaci32.exe 900 Kpojkp32.exe 2648 Kbmfgk32.exe 1116 Kmcjedcg.exe -
Loads dropped DLL 64 IoCs
pid Process 2316 ec8ee28c1493bb4ce7e6f16986fbeb9f134cf6fa944801592398b9b05780f954N.exe 2316 ec8ee28c1493bb4ce7e6f16986fbeb9f134cf6fa944801592398b9b05780f954N.exe 2956 Danpemej.exe 2956 Danpemej.exe 380 Djfdob32.exe 380 Djfdob32.exe 1700 Dpcmgi32.exe 1700 Dpcmgi32.exe 2788 Dfmeccao.exe 2788 Dfmeccao.exe 2768 Dmgmpnhl.exe 2768 Dmgmpnhl.exe 2728 Dbdehdfc.exe 2728 Dbdehdfc.exe 2556 Dphfbiem.exe 2556 Dphfbiem.exe 3056 Dpjbgh32.exe 3056 Dpjbgh32.exe 304 Eibgpnjk.exe 304 Eibgpnjk.exe 1156 Elcpbigl.exe 1156 Elcpbigl.exe 2052 Eeldkonl.exe 2052 Eeldkonl.exe 764 Emgioakg.exe 764 Emgioakg.exe 1816 Egonhf32.exe 1816 Egonhf32.exe 2432 Ephbal32.exe 2432 Ephbal32.exe 912 Flocfmnl.exe 912 Flocfmnl.exe 2844 Feggob32.exe 2844 Feggob32.exe 2280 Flapkmlj.exe 2280 Flapkmlj.exe 1748 Fckhhgcf.exe 1748 Fckhhgcf.exe 292 Fiepea32.exe 292 Fiepea32.exe 1772 Foahmh32.exe 1772 Foahmh32.exe 2176 Felajbpg.exe 2176 Felajbpg.exe 2140 Fhjmfnok.exe 2140 Fhjmfnok.exe 2228 Fdqnkoep.exe 2228 Fdqnkoep.exe 1424 Fnibcd32.exe 1424 Fnibcd32.exe 1240 Ghofam32.exe 1240 Ghofam32.exe 2944 Gpjkeoha.exe 2944 Gpjkeoha.exe 2932 Gaihob32.exe 2932 Gaihob32.exe 2164 Gckdgjeb.exe 2164 Gckdgjeb.exe 2656 Gnphdceh.exe 2656 Gnphdceh.exe 2676 Gghmmilh.exe 2676 Gghmmilh.exe 2836 Gmeeepjp.exe 2836 Gmeeepjp.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Blkjkflb.exe Baefnmml.exe File opened for modification C:\Windows\SysWOW64\Oiafee32.exe Oajndh32.exe File created C:\Windows\SysWOW64\Pdnnln32.dll Ahedjb32.exe File created C:\Windows\SysWOW64\Jigbebhb.exe Inbnhihl.exe File created C:\Windows\SysWOW64\Pehbqi32.dll Kfodfh32.exe File created C:\Windows\SysWOW64\Mnpobefe.exe Mkacfiga.exe File created C:\Windows\SysWOW64\Eiabmg32.dll Ekghcq32.exe File opened for modification C:\Windows\SysWOW64\Plmbkd32.exe Pfpibn32.exe File created C:\Windows\SysWOW64\Eakhdj32.exe Efedga32.exe File opened for modification C:\Windows\SysWOW64\Gigkbm32.exe Gdjcjf32.exe File created C:\Windows\SysWOW64\Ammmlcgi.exe Addhcn32.exe File created C:\Windows\SysWOW64\Blkjkflb.exe Baefnmml.exe File created C:\Windows\SysWOW64\Gkebafoa.exe Gcjmmdbf.exe File created C:\Windows\SysWOW64\Omfpmb32.dll Jfjolf32.exe File created C:\Windows\SysWOW64\Koflgf32.exe Kfodfh32.exe File created C:\Windows\SysWOW64\Bhkghqpb.exe Bemkle32.exe File created C:\Windows\SysWOW64\Pqdhpbib.dll Mkipao32.exe File opened for modification C:\Windows\SysWOW64\Eakhdj32.exe Efedga32.exe File opened for modification C:\Windows\SysWOW64\Njeelc32.exe Nopaoj32.exe File created C:\Windows\SysWOW64\Ppkmjlca.exe Piadma32.exe File created C:\Windows\SysWOW64\Aldfcpjn.exe Aejnfe32.exe File created C:\Windows\SysWOW64\Geoghd32.dll Iacjjacb.exe File created C:\Windows\SysWOW64\Mjpdkq32.dll Einebddd.exe File created C:\Windows\SysWOW64\Ekddecnj.dll Danpemej.exe File created C:\Windows\SysWOW64\Jjbpqjma.dll Ghdiokbq.exe File opened for modification C:\Windows\SysWOW64\Paafmp32.exe Pncjad32.exe File opened for modification C:\Windows\SysWOW64\Opialpld.exe Oioipf32.exe File created C:\Windows\SysWOW64\Hokjkbkp.exe Hkpnjd32.exe File created C:\Windows\SysWOW64\Lmalgq32.exe Klmbjh32.exe File opened for modification C:\Windows\SysWOW64\Gmeeepjp.exe Gghmmilh.exe File opened for modification C:\Windows\SysWOW64\Lhlqjone.exe Lemdncoa.exe File created C:\Windows\SysWOW64\Docopbaf.exe Dmebcgbb.exe File created C:\Windows\SysWOW64\Ecmjid32.exe Ejdfqogm.exe File opened for modification C:\Windows\SysWOW64\Heqimm32.exe Hcblqb32.exe File opened for modification C:\Windows\SysWOW64\Maldfbjn.exe Mpkhoj32.exe File created C:\Windows\SysWOW64\Jmmjqf32.dll Mcfemmna.exe File created C:\Windows\SysWOW64\Hjhlmfio.dll Hhcndhap.exe File created C:\Windows\SysWOW64\Ifpelq32.exe Icbipe32.exe File opened for modification C:\Windows\SysWOW64\Kimjhnnl.exe Kbbakc32.exe File created C:\Windows\SysWOW64\Djoeki32.exe Dcemnopj.exe File created C:\Windows\SysWOW64\Gflfedag.dll Hqgddm32.exe File created C:\Windows\SysWOW64\Alonfb32.dll Mgmmfjip.exe File opened for modification C:\Windows\SysWOW64\Eaqkcimg.exe Eldbkbop.exe File opened for modification C:\Windows\SysWOW64\Fhhbif32.exe Fejfmk32.exe File opened for modification C:\Windows\SysWOW64\Dkdmfe32.exe Difqji32.exe File created C:\Windows\SysWOW64\Ogmkng32.dll Akpkmo32.exe File created C:\Windows\SysWOW64\Bkknac32.exe Bjjaikoa.exe File opened for modification C:\Windows\SysWOW64\Dcemnopj.exe Dbdagg32.exe File created C:\Windows\SysWOW64\Dilfgala.dll Gmeeepjp.exe File opened for modification C:\Windows\SysWOW64\Ngbpehpj.exe Nphghn32.exe File created C:\Windows\SysWOW64\Phobjp32.exe Padjmfdg.exe File created C:\Windows\SysWOW64\Njboon32.dll Icncgf32.exe File created C:\Windows\SysWOW64\Jkbcekmn.dll Koflgf32.exe File created C:\Windows\SysWOW64\Fejfmk32.exe Fbkjap32.exe File created C:\Windows\SysWOW64\Mpbelhkp.dll Ngbpehpj.exe File created C:\Windows\SysWOW64\Dphfbiem.exe Dbdehdfc.exe File created C:\Windows\SysWOW64\Ikgkei32.exe Hfjbmb32.exe File created C:\Windows\SysWOW64\Amgjnepn.exe Aepbmhpl.exe File opened for modification C:\Windows\SysWOW64\Ejdfqogm.exe Eiciig32.exe File created C:\Windows\SysWOW64\Pcbookpp.exe Pimkbbpi.exe File created C:\Windows\SysWOW64\Nldhfnkd.dll Phklaacg.exe File opened for modification C:\Windows\SysWOW64\Ofafgipc.exe Oepjoa32.exe File created C:\Windows\SysWOW64\Ofkbipak.dll Bnicbh32.exe File created C:\Windows\SysWOW64\Nlohmonb.exe Ngbpehpj.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 7108 7092 WerFault.exe 655 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djoeki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhlqjone.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfgjml32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnejim32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkmljcdh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdapcg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jahbmlil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkelpd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iladfn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdjljpnc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffbmfo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Goddjc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijidfpci.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ecnpdnho.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Faijggao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nohaklfk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghdiokbq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkcekfad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klcgpkhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efppqoil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iejkhlip.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkifkdjm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plmbkd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Koflgf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbdfgilj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bngfmhbj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikagogco.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pddjlb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Peeoidik.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkkgfm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcbookpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abjeejep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmfocnjg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Foahmh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oiafee32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imggplgm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnblhddb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcageqgm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnemfa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flocfmnl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icbipe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Moenkf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eoebgcol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldbjdj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efmlqigc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdmkoepk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnphdceh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lonibk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfcodkcb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkebafoa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aepbmhpl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfinam32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejioln32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fckhhgcf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kimjhnnl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Immjnj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iaegpaao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahmefdcp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghbljk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmebcgbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eacghhkd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Geqlnjcf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Addhcn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ec8ee28c1493bb4ce7e6f16986fbeb9f134cf6fa944801592398b9b05780f954N.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejdphkml.dll" Meljbqna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iladfn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dfpcblfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iiicagla.dll" Eaqkcimg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnjkajpb.dll" Kecjmodq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mhkfnlme.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hnbaif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Njpihk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Finlmjmi.dll" Ckbpqe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oninhgae.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Emjhmipi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fdfmpc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iiobie32.dll" Jijacjnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cdpdnpif.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Amgjnepn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bedhgj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jbnlaqhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpgkpogp.dll" Fbngfo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Amoibc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Inbnhihl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgjkggck.dll" Lklikj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkndgnaf.dll" Jahbmlil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mpkhoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljpfmo32.dll" Ifgicg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Elkofg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jacibm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Felajbpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Phklaacg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlklph32.dll" Pmmneg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fkcilc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nlohmonb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pimkbbpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpnehm32.dll" Bcpimq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Colpld32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Plndcmmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qiiahgjh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdgcbgmg.dll" Ggklka32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hjggap32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Egonhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ohipla32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Llpfjomf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ojblbgdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogomoj32.dll" Booiep32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cqglng32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dlpbna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fhjmfnok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jigbebhb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kocpbfei.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ofafgipc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Elgfkhpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnnmoiqo.dll" Fhjoof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ghoijebj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cefllkej.dll" Bknmok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mdmkoepk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nkkmgncb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Obeacl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bgdkkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nphghn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pnkglj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ficehj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gpmjcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Goddjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ckbpqe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmjkjk32.dll" Nohaklfk.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2316 wrote to memory of 2956 2316 ec8ee28c1493bb4ce7e6f16986fbeb9f134cf6fa944801592398b9b05780f954N.exe 31 PID 2316 wrote to memory of 2956 2316 ec8ee28c1493bb4ce7e6f16986fbeb9f134cf6fa944801592398b9b05780f954N.exe 31 PID 2316 wrote to memory of 2956 2316 ec8ee28c1493bb4ce7e6f16986fbeb9f134cf6fa944801592398b9b05780f954N.exe 31 PID 2316 wrote to memory of 2956 2316 ec8ee28c1493bb4ce7e6f16986fbeb9f134cf6fa944801592398b9b05780f954N.exe 31 PID 2956 wrote to memory of 380 2956 Danpemej.exe 32 PID 2956 wrote to memory of 380 2956 Danpemej.exe 32 PID 2956 wrote to memory of 380 2956 Danpemej.exe 32 PID 2956 wrote to memory of 380 2956 Danpemej.exe 32 PID 380 wrote to memory of 1700 380 Djfdob32.exe 33 PID 380 wrote to memory of 1700 380 Djfdob32.exe 33 PID 380 wrote to memory of 1700 380 Djfdob32.exe 33 PID 380 wrote to memory of 1700 380 Djfdob32.exe 33 PID 1700 wrote to memory of 2788 1700 Dpcmgi32.exe 34 PID 1700 wrote to memory of 2788 1700 Dpcmgi32.exe 34 PID 1700 wrote to memory of 2788 1700 Dpcmgi32.exe 34 PID 1700 wrote to memory of 2788 1700 Dpcmgi32.exe 34 PID 2788 wrote to memory of 2768 2788 Dfmeccao.exe 35 PID 2788 wrote to memory of 2768 2788 Dfmeccao.exe 35 PID 2788 wrote to memory of 2768 2788 Dfmeccao.exe 35 PID 2788 wrote to memory of 2768 2788 Dfmeccao.exe 35 PID 2768 wrote to memory of 2728 2768 Dmgmpnhl.exe 36 PID 2768 wrote to memory of 2728 2768 Dmgmpnhl.exe 36 PID 2768 wrote to memory of 2728 2768 Dmgmpnhl.exe 36 PID 2768 wrote to memory of 2728 2768 Dmgmpnhl.exe 36 PID 2728 wrote to memory of 2556 2728 Dbdehdfc.exe 37 PID 2728 wrote to memory of 2556 2728 Dbdehdfc.exe 37 PID 2728 wrote to memory of 2556 2728 Dbdehdfc.exe 37 PID 2728 wrote to memory of 2556 2728 Dbdehdfc.exe 37 PID 2556 wrote to memory of 3056 2556 Dphfbiem.exe 38 PID 2556 wrote to memory of 3056 2556 Dphfbiem.exe 38 PID 2556 wrote to memory of 3056 2556 Dphfbiem.exe 38 PID 2556 wrote to memory of 3056 2556 Dphfbiem.exe 38 PID 3056 wrote to memory of 304 3056 Dpjbgh32.exe 39 PID 3056 wrote to memory of 304 3056 Dpjbgh32.exe 39 PID 3056 wrote to memory of 304 3056 Dpjbgh32.exe 39 PID 3056 wrote to memory of 304 3056 Dpjbgh32.exe 39 PID 304 wrote to memory of 1156 304 Eibgpnjk.exe 40 PID 304 wrote to memory of 1156 304 Eibgpnjk.exe 40 PID 304 wrote to memory of 1156 304 Eibgpnjk.exe 40 PID 304 wrote to memory of 1156 304 Eibgpnjk.exe 40 PID 1156 wrote to memory of 2052 1156 Elcpbigl.exe 41 PID 1156 wrote to memory of 2052 1156 Elcpbigl.exe 41 PID 1156 wrote to memory of 2052 1156 Elcpbigl.exe 41 PID 1156 wrote to memory of 2052 1156 Elcpbigl.exe 41 PID 2052 wrote to memory of 764 2052 Eeldkonl.exe 42 PID 2052 wrote to memory of 764 2052 Eeldkonl.exe 42 PID 2052 wrote to memory of 764 2052 Eeldkonl.exe 42 PID 2052 wrote to memory of 764 2052 Eeldkonl.exe 42 PID 764 wrote to memory of 1816 764 Emgioakg.exe 43 PID 764 wrote to memory of 1816 764 Emgioakg.exe 43 PID 764 wrote to memory of 1816 764 Emgioakg.exe 43 PID 764 wrote to memory of 1816 764 Emgioakg.exe 43 PID 1816 wrote to memory of 2432 1816 Egonhf32.exe 44 PID 1816 wrote to memory of 2432 1816 Egonhf32.exe 44 PID 1816 wrote to memory of 2432 1816 Egonhf32.exe 44 PID 1816 wrote to memory of 2432 1816 Egonhf32.exe 44 PID 2432 wrote to memory of 912 2432 Ephbal32.exe 45 PID 2432 wrote to memory of 912 2432 Ephbal32.exe 45 PID 2432 wrote to memory of 912 2432 Ephbal32.exe 45 PID 2432 wrote to memory of 912 2432 Ephbal32.exe 45 PID 912 wrote to memory of 2844 912 Flocfmnl.exe 46 PID 912 wrote to memory of 2844 912 Flocfmnl.exe 46 PID 912 wrote to memory of 2844 912 Flocfmnl.exe 46 PID 912 wrote to memory of 2844 912 Flocfmnl.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\ec8ee28c1493bb4ce7e6f16986fbeb9f134cf6fa944801592398b9b05780f954N.exe"C:\Users\Admin\AppData\Local\Temp\ec8ee28c1493bb4ce7e6f16986fbeb9f134cf6fa944801592398b9b05780f954N.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2316 -
C:\Windows\SysWOW64\Danpemej.exeC:\Windows\system32\Danpemej.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2956 -
C:\Windows\SysWOW64\Djfdob32.exeC:\Windows\system32\Djfdob32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:380 -
C:\Windows\SysWOW64\Dpcmgi32.exeC:\Windows\system32\Dpcmgi32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1700 -
C:\Windows\SysWOW64\Dfmeccao.exeC:\Windows\system32\Dfmeccao.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2788 -
C:\Windows\SysWOW64\Dmgmpnhl.exeC:\Windows\system32\Dmgmpnhl.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2768 -
C:\Windows\SysWOW64\Dbdehdfc.exeC:\Windows\system32\Dbdehdfc.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2728 -
C:\Windows\SysWOW64\Dphfbiem.exeC:\Windows\system32\Dphfbiem.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2556 -
C:\Windows\SysWOW64\Dpjbgh32.exeC:\Windows\system32\Dpjbgh32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3056 -
C:\Windows\SysWOW64\Eibgpnjk.exeC:\Windows\system32\Eibgpnjk.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:304 -
C:\Windows\SysWOW64\Elcpbigl.exeC:\Windows\system32\Elcpbigl.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1156 -
C:\Windows\SysWOW64\Eeldkonl.exeC:\Windows\system32\Eeldkonl.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2052 -
C:\Windows\SysWOW64\Emgioakg.exeC:\Windows\system32\Emgioakg.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:764 -
C:\Windows\SysWOW64\Egonhf32.exeC:\Windows\system32\Egonhf32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1816 -
C:\Windows\SysWOW64\Ephbal32.exeC:\Windows\system32\Ephbal32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2432 -
C:\Windows\SysWOW64\Flocfmnl.exeC:\Windows\system32\Flocfmnl.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:912 -
C:\Windows\SysWOW64\Feggob32.exeC:\Windows\system32\Feggob32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2844 -
C:\Windows\SysWOW64\Flapkmlj.exeC:\Windows\system32\Flapkmlj.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2280 -
C:\Windows\SysWOW64\Fckhhgcf.exeC:\Windows\system32\Fckhhgcf.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1748 -
C:\Windows\SysWOW64\Fiepea32.exeC:\Windows\system32\Fiepea32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:292 -
C:\Windows\SysWOW64\Foahmh32.exeC:\Windows\system32\Foahmh32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1772 -
C:\Windows\SysWOW64\Felajbpg.exeC:\Windows\system32\Felajbpg.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2176 -
C:\Windows\SysWOW64\Fhjmfnok.exeC:\Windows\system32\Fhjmfnok.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2140 -
C:\Windows\SysWOW64\Fdqnkoep.exeC:\Windows\system32\Fdqnkoep.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2228 -
C:\Windows\SysWOW64\Fnibcd32.exeC:\Windows\system32\Fnibcd32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1424 -
C:\Windows\SysWOW64\Ghofam32.exeC:\Windows\system32\Ghofam32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1240 -
C:\Windows\SysWOW64\Gpjkeoha.exeC:\Windows\system32\Gpjkeoha.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2944 -
C:\Windows\SysWOW64\Gaihob32.exeC:\Windows\system32\Gaihob32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2932 -
C:\Windows\SysWOW64\Gckdgjeb.exeC:\Windows\system32\Gckdgjeb.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2164 -
C:\Windows\SysWOW64\Gnphdceh.exeC:\Windows\system32\Gnphdceh.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2656 -
C:\Windows\SysWOW64\Gghmmilh.exeC:\Windows\system32\Gghmmilh.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2676 -
C:\Windows\SysWOW64\Gmeeepjp.exeC:\Windows\system32\Gmeeepjp.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2836 -
C:\Windows\SysWOW64\Gjifodii.exeC:\Windows\system32\Gjifodii.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2324 -
C:\Windows\SysWOW64\Gmhbkohm.exeC:\Windows\system32\Gmhbkohm.exe34⤵
- Executes dropped EXE
PID:2660 -
C:\Windows\SysWOW64\Hjlbdc32.exeC:\Windows\system32\Hjlbdc32.exe35⤵
- Executes dropped EXE
PID:2440 -
C:\Windows\SysWOW64\Hcdgmimg.exeC:\Windows\system32\Hcdgmimg.exe36⤵
- Executes dropped EXE
PID:580 -
C:\Windows\SysWOW64\Hmlkfo32.exeC:\Windows\system32\Hmlkfo32.exe37⤵
- Executes dropped EXE
PID:1952 -
C:\Windows\SysWOW64\Hfepod32.exeC:\Windows\system32\Hfepod32.exe38⤵
- Executes dropped EXE
PID:540 -
C:\Windows\SysWOW64\Hbkqdepm.exeC:\Windows\system32\Hbkqdepm.exe39⤵
- Executes dropped EXE
PID:2028 -
C:\Windows\SysWOW64\Hnbaif32.exeC:\Windows\system32\Hnbaif32.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:2776 -
C:\Windows\SysWOW64\Ikfbbjdj.exeC:\Windows\system32\Ikfbbjdj.exe41⤵
- Executes dropped EXE
PID:2584 -
C:\Windows\SysWOW64\Iacjjacb.exeC:\Windows\system32\Iacjjacb.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1996 -
C:\Windows\SysWOW64\Ifpcchai.exeC:\Windows\system32\Ifpcchai.exe43⤵
- Executes dropped EXE
PID:448 -
C:\Windows\SysWOW64\Iaegpaao.exeC:\Windows\system32\Iaegpaao.exe44⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1980 -
C:\Windows\SysWOW64\Ijnkifgp.exeC:\Windows\system32\Ijnkifgp.exe45⤵
- Executes dropped EXE
PID:1964 -
C:\Windows\SysWOW64\Icfpbl32.exeC:\Windows\system32\Icfpbl32.exe46⤵
- Executes dropped EXE
PID:896 -
C:\Windows\SysWOW64\Ijphofem.exeC:\Windows\system32\Ijphofem.exe47⤵
- Executes dropped EXE
PID:1896 -
C:\Windows\SysWOW64\Iladfn32.exeC:\Windows\system32\Iladfn32.exe48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1524 -
C:\Windows\SysWOW64\Ichmgl32.exeC:\Windows\system32\Ichmgl32.exe49⤵
- Executes dropped EXE
PID:688 -
C:\Windows\SysWOW64\Ifgicg32.exeC:\Windows\system32\Ifgicg32.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:2308 -
C:\Windows\SysWOW64\Imaapa32.exeC:\Windows\system32\Imaapa32.exe51⤵
- Executes dropped EXE
PID:872 -
C:\Windows\SysWOW64\Inbnhihl.exeC:\Windows\system32\Inbnhihl.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3024 -
C:\Windows\SysWOW64\Jigbebhb.exeC:\Windows\system32\Jigbebhb.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:2880 -
C:\Windows\SysWOW64\Jndjmifj.exeC:\Windows\system32\Jndjmifj.exe54⤵
- Executes dropped EXE
PID:2172 -
C:\Windows\SysWOW64\Jijokbfp.exeC:\Windows\system32\Jijokbfp.exe55⤵
- Executes dropped EXE
PID:2704 -
C:\Windows\SysWOW64\Jjkkbjln.exeC:\Windows\system32\Jjkkbjln.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2848 -
C:\Windows\SysWOW64\Jdcpkp32.exeC:\Windows\system32\Jdcpkp32.exe57⤵
- Executes dropped EXE
PID:2712 -
C:\Windows\SysWOW64\Joidhh32.exeC:\Windows\system32\Joidhh32.exe58⤵
- Executes dropped EXE
PID:2620 -
C:\Windows\SysWOW64\Jhahanie.exeC:\Windows\system32\Jhahanie.exe59⤵
- Executes dropped EXE
PID:1008 -
C:\Windows\SysWOW64\Jokqnhpa.exeC:\Windows\system32\Jokqnhpa.exe60⤵
- Executes dropped EXE
PID:1704 -
C:\Windows\SysWOW64\Jhdegn32.exeC:\Windows\system32\Jhdegn32.exe61⤵
- Executes dropped EXE
PID:2364 -
C:\Windows\SysWOW64\Jkbaci32.exeC:\Windows\system32\Jkbaci32.exe62⤵
- Executes dropped EXE
PID:1988 -
C:\Windows\SysWOW64\Kpojkp32.exeC:\Windows\system32\Kpojkp32.exe63⤵
- Executes dropped EXE
PID:900 -
C:\Windows\SysWOW64\Kbmfgk32.exeC:\Windows\system32\Kbmfgk32.exe64⤵
- Executes dropped EXE
PID:2648 -
C:\Windows\SysWOW64\Kmcjedcg.exeC:\Windows\system32\Kmcjedcg.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1116 -
C:\Windows\SysWOW64\Kgkonj32.exeC:\Windows\system32\Kgkonj32.exe66⤵PID:2416
-
C:\Windows\SysWOW64\Kokmmkcm.exeC:\Windows\system32\Kokmmkcm.exe67⤵PID:928
-
C:\Windows\SysWOW64\Lonibk32.exeC:\Windows\system32\Lonibk32.exe68⤵
- System Location Discovery: System Language Discovery
PID:2236 -
C:\Windows\SysWOW64\Lgkkmm32.exeC:\Windows\system32\Lgkkmm32.exe69⤵PID:976
-
C:\Windows\SysWOW64\Laqojfli.exeC:\Windows\system32\Laqojfli.exe70⤵PID:2100
-
C:\Windows\SysWOW64\Lcblan32.exeC:\Windows\system32\Lcblan32.exe71⤵PID:2168
-
C:\Windows\SysWOW64\Mphiqbon.exeC:\Windows\system32\Mphiqbon.exe72⤵PID:348
-
C:\Windows\SysWOW64\Mcfemmna.exeC:\Windows\system32\Mcfemmna.exe73⤵
- Drops file in System32 directory
PID:2748 -
C:\Windows\SysWOW64\Mjqmig32.exeC:\Windows\system32\Mjqmig32.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2900 -
C:\Windows\SysWOW64\Mqjefamk.exeC:\Windows\system32\Mqjefamk.exe75⤵PID:652
-
C:\Windows\SysWOW64\Momfan32.exeC:\Windows\system32\Momfan32.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2608 -
C:\Windows\SysWOW64\Mblbnj32.exeC:\Windows\system32\Mblbnj32.exe77⤵PID:1056
-
C:\Windows\SysWOW64\Mjcjog32.exeC:\Windows\system32\Mjcjog32.exe78⤵PID:980
-
C:\Windows\SysWOW64\Mhfjjdjf.exeC:\Windows\system32\Mhfjjdjf.exe79⤵PID:1036
-
C:\Windows\SysWOW64\Mopbgn32.exeC:\Windows\system32\Mopbgn32.exe80⤵PID:2004
-
C:\Windows\SysWOW64\Mbnocipg.exeC:\Windows\system32\Mbnocipg.exe81⤵PID:2800
-
C:\Windows\SysWOW64\Mdmkoepk.exeC:\Windows\system32\Mdmkoepk.exe82⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2968 -
C:\Windows\SysWOW64\Mmccqbpm.exeC:\Windows\system32\Mmccqbpm.exe83⤵PID:1380
-
C:\Windows\SysWOW64\Mobomnoq.exeC:\Windows\system32\Mobomnoq.exe84⤵PID:1728
-
C:\Windows\SysWOW64\Mbqkiind.exeC:\Windows\system32\Mbqkiind.exe85⤵PID:1560
-
C:\Windows\SysWOW64\Mdogedmh.exeC:\Windows\system32\Mdogedmh.exe86⤵PID:2260
-
C:\Windows\SysWOW64\Mkipao32.exeC:\Windows\system32\Mkipao32.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2504 -
C:\Windows\SysWOW64\Mnglnj32.exeC:\Windows\system32\Mnglnj32.exe88⤵PID:1616
-
C:\Windows\SysWOW64\Mqehjecl.exeC:\Windows\system32\Mqehjecl.exe89⤵PID:1804
-
C:\Windows\SysWOW64\Nkkmgncb.exeC:\Windows\system32\Nkkmgncb.exe90⤵
- Modifies registry class
PID:2148 -
C:\Windows\SysWOW64\Nbeedh32.exeC:\Windows\system32\Nbeedh32.exe91⤵PID:2812
-
C:\Windows\SysWOW64\Ncfalqpm.exeC:\Windows\system32\Ncfalqpm.exe92⤵PID:2592
-
C:\Windows\SysWOW64\Njpihk32.exeC:\Windows\system32\Njpihk32.exe93⤵
- Modifies registry class
PID:796 -
C:\Windows\SysWOW64\Nqjaeeog.exeC:\Windows\system32\Nqjaeeog.exe94⤵PID:568
-
C:\Windows\SysWOW64\Nfgjml32.exeC:\Windows\system32\Nfgjml32.exe95⤵
- System Location Discovery: System Language Discovery
PID:1268 -
C:\Windows\SysWOW64\Nqmnjd32.exeC:\Windows\system32\Nqmnjd32.exe96⤵PID:2020
-
C:\Windows\SysWOW64\Nckkgp32.exeC:\Windows\system32\Nckkgp32.exe97⤵PID:2856
-
C:\Windows\SysWOW64\Npbklabl.exeC:\Windows\system32\Npbklabl.exe98⤵PID:1744
-
C:\Windows\SysWOW64\Nijpdfhm.exeC:\Windows\system32\Nijpdfhm.exe99⤵PID:908
-
C:\Windows\SysWOW64\Ncpdbohb.exeC:\Windows\system32\Ncpdbohb.exe100⤵PID:2460
-
C:\Windows\SysWOW64\Olkifaen.exeC:\Windows\system32\Olkifaen.exe101⤵PID:884
-
C:\Windows\SysWOW64\Obeacl32.exeC:\Windows\system32\Obeacl32.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1324 -
C:\Windows\SysWOW64\Oioipf32.exeC:\Windows\system32\Oioipf32.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1588 -
C:\Windows\SysWOW64\Opialpld.exeC:\Windows\system32\Opialpld.exe104⤵PID:2736
-
C:\Windows\SysWOW64\Oajndh32.exeC:\Windows\system32\Oajndh32.exe105⤵
- Drops file in System32 directory
PID:2816 -
C:\Windows\SysWOW64\Oiafee32.exeC:\Windows\system32\Oiafee32.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2668 -
C:\Windows\SysWOW64\Ojbbmnhc.exeC:\Windows\system32\Ojbbmnhc.exe107⤵PID:532
-
C:\Windows\SysWOW64\Odkgec32.exeC:\Windows\system32\Odkgec32.exe108⤵PID:1940
-
C:\Windows\SysWOW64\Ojeobm32.exeC:\Windows\system32\Ojeobm32.exe109⤵PID:2636
-
C:\Windows\SysWOW64\Ohipla32.exeC:\Windows\system32\Ohipla32.exe110⤵
- Modifies registry class
PID:2864 -
C:\Windows\SysWOW64\Pmehdh32.exeC:\Windows\system32\Pmehdh32.exe111⤵PID:2348
-
C:\Windows\SysWOW64\Phklaacg.exeC:\Windows\system32\Phklaacg.exe112⤵
- Drops file in System32 directory
- Modifies registry class
PID:2452 -
C:\Windows\SysWOW64\Ppfafcpb.exeC:\Windows\system32\Ppfafcpb.exe113⤵PID:2512
-
C:\Windows\SysWOW64\Pfpibn32.exeC:\Windows\system32\Pfpibn32.exe114⤵
- Drops file in System32 directory
PID:2640 -
C:\Windows\SysWOW64\Plmbkd32.exeC:\Windows\system32\Plmbkd32.exe115⤵
- System Location Discovery: System Language Discovery
PID:2720 -
C:\Windows\SysWOW64\Pddjlb32.exeC:\Windows\system32\Pddjlb32.exe116⤵
- System Location Discovery: System Language Discovery
PID:2988 -
C:\Windows\SysWOW64\Pmmneg32.exeC:\Windows\system32\Pmmneg32.exe117⤵
- Modifies registry class
PID:1652 -
C:\Windows\SysWOW64\Ponklpcg.exeC:\Windows\system32\Ponklpcg.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2368 -
C:\Windows\SysWOW64\Pehcij32.exeC:\Windows\system32\Pehcij32.exe119⤵PID:2872
-
C:\Windows\SysWOW64\Plbkfdba.exeC:\Windows\system32\Plbkfdba.exe120⤵PID:1752
-
C:\Windows\SysWOW64\Qejpoi32.exeC:\Windows\system32\Qejpoi32.exe121⤵PID:1552
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-