Analysis
-
max time kernel
84s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
08-12-2024 01:37
Behavioral task
behavioral1
Sample
d2dcf2f6474baff2abea83a00f9a4128e18b1bb76e7b8c11b319258a1317fc5eN.exe
Resource
win7-20240729-en
windows7-x64
10 signatures
120 seconds
Behavioral task
behavioral2
Sample
d2dcf2f6474baff2abea83a00f9a4128e18b1bb76e7b8c11b319258a1317fc5eN.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
120 seconds
General
-
Target
d2dcf2f6474baff2abea83a00f9a4128e18b1bb76e7b8c11b319258a1317fc5eN.exe
-
Size
265KB
-
MD5
f05a5d13df3fde1e87c2b5a37d7ebfd0
-
SHA1
a875fe3073324997c98d44dc7009a56844877a05
-
SHA256
d2dcf2f6474baff2abea83a00f9a4128e18b1bb76e7b8c11b319258a1317fc5e
-
SHA512
b23a7a51792df2342279cccb251dc927a9160faae59b7417490a1984f4446af1e623101f36491a1d93087ac365bb16541dde0d0784171f8e00d14c3300a0d262
-
SSDEEP
6144:pmWUlGUZduU3YaDr2TLp103ETiZ0moGP/2dga1mcyw7I:FYGmFYaDIpScXwuR1mK7
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Djqcki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cdpdpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iilocklc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bqciha32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hikobfgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pipklo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qeglqpaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hjpnjheg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opennf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Djkodg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Elnagijk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jffakm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gdophn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hdolga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kpcbhlki.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbinad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fcegdnna.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hefibg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jadlgjjq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Alcqcjgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Abmkhmfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gomjckqc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ffcbce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hjkneb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldokhn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oafjfokk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iijdfc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbeimf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gemhpq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpjiik32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gnenfjdh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmolkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cbokoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cbqekhmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dnfkefad.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngfhbd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gifhkpgk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmbeecaq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abmkhmfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Agmacgcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Igoagpja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lophcpam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pnefiq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cqcomn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lophcpam.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2384 Hfflfp32.exe 2804 Hiehbl32.exe 3048 Indnqb32.exe 2948 Ihlbih32.exe 2824 Iilocklc.exe 2736 Iniglajj.exe 2132 Ilmgef32.exe 832 Imndmnob.exe 2104 Jdjioh32.exe 2496 Janihlcf.exe 2996 Jmejmm32.exe 2908 Jbbbed32.exe 2100 Jljgni32.exe 624 Jeblgodb.exe 2120 Kloqiijm.exe 2180 Kaliaphd.exe 2308 Klamohhj.exe 1724 Kobfqc32.exe 648 Kpcbhlki.exe 920 Khjkiikl.exe 1720 Lllpclnk.exe 692 Ldchdjom.exe 1572 Lpjiik32.exe 2164 Ljbmbpkb.exe 2808 Lhenmm32.exe 2072 Lckbkfbb.exe 3060 Lbpolb32.exe 2188 Ldokhn32.exe 2832 Mdahnmck.exe 2676 Mhlcnl32.exe 1468 Mnilfc32.exe 900 Mdcdcmai.exe 2508 Mkmmpg32.exe 2028 Mchadifq.exe 2920 Mnneabff.exe 2892 Mdhnnl32.exe 276 Mfijfdca.exe 1000 Mqoocmcg.exe 1748 Npdkdjhp.exe 2300 Ncpgeh32.exe 560 Nfncad32.exe 1600 Nlklik32.exe 2236 Ncbdjhnf.exe 1328 Necqbp32.exe 1668 Nmjicn32.exe 544 Niaihojk.exe 1040 Nloedjin.exe 1460 Nbinad32.exe 1576 Nehjmppo.exe 1684 Nhffikob.exe 2064 Nbljfdoh.exe 2772 Oejgbonl.exe 1624 Ohhcokmp.exe 2052 Ojgokflc.exe 2576 Oelcho32.exe 3020 Ohkpdj32.exe 1528 Ofnppgbh.exe 2144 Onehadbj.exe 352 Opfdim32.exe 2444 Ohmljj32.exe 1012 Ojlife32.exe 820 Omjeba32.exe 2356 Oddmokoo.exe 2404 Ojnelefl.exe -
Loads dropped DLL 64 IoCs
pid Process 2320 d2dcf2f6474baff2abea83a00f9a4128e18b1bb76e7b8c11b319258a1317fc5eN.exe 2320 d2dcf2f6474baff2abea83a00f9a4128e18b1bb76e7b8c11b319258a1317fc5eN.exe 2384 Hfflfp32.exe 2384 Hfflfp32.exe 2804 Hiehbl32.exe 2804 Hiehbl32.exe 3048 Indnqb32.exe 3048 Indnqb32.exe 2948 Ihlbih32.exe 2948 Ihlbih32.exe 2824 Iilocklc.exe 2824 Iilocklc.exe 2736 Iniglajj.exe 2736 Iniglajj.exe 2132 Ilmgef32.exe 2132 Ilmgef32.exe 832 Imndmnob.exe 832 Imndmnob.exe 2104 Jdjioh32.exe 2104 Jdjioh32.exe 2496 Janihlcf.exe 2496 Janihlcf.exe 2996 Jmejmm32.exe 2996 Jmejmm32.exe 2908 Jbbbed32.exe 2908 Jbbbed32.exe 2100 Jljgni32.exe 2100 Jljgni32.exe 624 Jeblgodb.exe 624 Jeblgodb.exe 2120 Kloqiijm.exe 2120 Kloqiijm.exe 2180 Kaliaphd.exe 2180 Kaliaphd.exe 2308 Klamohhj.exe 2308 Klamohhj.exe 1724 Kobfqc32.exe 1724 Kobfqc32.exe 648 Kpcbhlki.exe 648 Kpcbhlki.exe 920 Khjkiikl.exe 920 Khjkiikl.exe 1720 Lllpclnk.exe 1720 Lllpclnk.exe 692 Ldchdjom.exe 692 Ldchdjom.exe 1572 Lpjiik32.exe 1572 Lpjiik32.exe 2164 Ljbmbpkb.exe 2164 Ljbmbpkb.exe 2808 Lhenmm32.exe 2808 Lhenmm32.exe 2072 Lckbkfbb.exe 2072 Lckbkfbb.exe 3060 Lbpolb32.exe 3060 Lbpolb32.exe 2188 Ldokhn32.exe 2188 Ldokhn32.exe 2832 Mdahnmck.exe 2832 Mdahnmck.exe 2676 Mhlcnl32.exe 2676 Mhlcnl32.exe 1468 Mnilfc32.exe 1468 Mnilfc32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Ohmpbkmo.dll Process not Found File created C:\Windows\SysWOW64\Pncock32.dll Process not Found File created C:\Windows\SysWOW64\Bpncbi32.dll Gcfioj32.exe File created C:\Windows\SysWOW64\Ghplofkf.dll Jcaahofh.exe File created C:\Windows\SysWOW64\Plfjme32.exe Pembpkfi.exe File created C:\Windows\SysWOW64\Bjomoo32.exe Bfcqoqeh.exe File created C:\Windows\SysWOW64\Fpgain32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Nbljfdoh.exe Nhffikob.exe File created C:\Windows\SysWOW64\Ejfnfn32.exe Process not Found File created C:\Windows\SysWOW64\Pdgmhigm.dll Kebgea32.exe File created C:\Windows\SysWOW64\Iljmdh32.dll Process not Found File created C:\Windows\SysWOW64\Ckjnfobi.exe Process not Found File created C:\Windows\SysWOW64\Lllpclnk.exe Khjkiikl.exe File opened for modification C:\Windows\SysWOW64\Phoeomjc.exe Pmjaadjm.exe File created C:\Windows\SysWOW64\Cmocha32.exe Cfekkgla.exe File created C:\Windows\SysWOW64\Odefpfcd.dll Ajbdpblo.exe File opened for modification C:\Windows\SysWOW64\Kaagnp32.exe Process not Found File created C:\Windows\SysWOW64\Ainllp32.dll Process not Found File created C:\Windows\SysWOW64\Fbelmlah.dll Process not Found File opened for modification C:\Windows\SysWOW64\Inbobn32.exe Process not Found File created C:\Windows\SysWOW64\Mdfcaegj.exe Mahgejhf.exe File opened for modification C:\Windows\SysWOW64\Paqoef32.exe Pfkkhmjn.exe File created C:\Windows\SysWOW64\Kknjeong.dll Process not Found File created C:\Windows\SysWOW64\Idncdgai.exe Process not Found File created C:\Windows\SysWOW64\Ancacpck.dll Dedkbb32.exe File created C:\Windows\SysWOW64\Jnlfjjpl.exe Iionacad.exe File created C:\Windows\SysWOW64\Paclje32.exe Pildih32.exe File created C:\Windows\SysWOW64\Fallil32.exe Process not Found File created C:\Windows\SysWOW64\Ehlolh32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Biakbc32.exe Bgpnjkgi.exe File created C:\Windows\SysWOW64\Kcbcah32.exe Process not Found File created C:\Windows\SysWOW64\Kmjhjndm.exe Process not Found File created C:\Windows\SysWOW64\Lacnlhed.dll Qdieaf32.exe File opened for modification C:\Windows\SysWOW64\Ghpngkhm.exe Gpiffngk.exe File created C:\Windows\SysWOW64\Bbeheeho.dll Hkljljko.exe File created C:\Windows\SysWOW64\Ofkoijhc.exe Ocmbmnio.exe File created C:\Windows\SysWOW64\Pmbfoh32.exe Pkajgonp.exe File opened for modification C:\Windows\SysWOW64\Iodolf32.exe Process not Found File created C:\Windows\SysWOW64\Klpjgbfb.dll Dihmae32.exe File created C:\Windows\SysWOW64\Ckkmkh32.dll Gcljdpke.exe File created C:\Windows\SysWOW64\Caqoan32.dll Gdophn32.exe File created C:\Windows\SysWOW64\Hnljkf32.exe Hjpnjheg.exe File created C:\Windows\SysWOW64\Aeokdn32.exe Aflkiapg.exe File created C:\Windows\SysWOW64\Dcaghm32.exe Denglpkc.exe File created C:\Windows\SysWOW64\Mipanmej.dll Process not Found File created C:\Windows\SysWOW64\Ejcaanfg.exe Process not Found File created C:\Windows\SysWOW64\Eijffhjd.exe Egljjmkp.exe File created C:\Windows\SysWOW64\Kcgjllbn.dll Mccaodgj.exe File created C:\Windows\SysWOW64\Fnjklkdh.dll Panpgn32.exe File opened for modification C:\Windows\SysWOW64\Aeahjn32.exe Abbknb32.exe File opened for modification C:\Windows\SysWOW64\Abhnlqlf.exe Process not Found File created C:\Windows\SysWOW64\Mclbkjcf.exe Process not Found File created C:\Windows\SysWOW64\Hmjoiblj.dll Process not Found File created C:\Windows\SysWOW64\Npdkdjhp.exe Mqoocmcg.exe File opened for modification C:\Windows\SysWOW64\Noighakn.exe Nkmkgc32.exe File created C:\Windows\SysWOW64\Diklpn32.exe Djhldahb.exe File opened for modification C:\Windows\SysWOW64\Okomappb.exe Oiqaed32.exe File created C:\Windows\SysWOW64\Ihjfolmn.exe Process not Found File created C:\Windows\SysWOW64\Gdhimfaj.dll Process not Found File created C:\Windows\SysWOW64\Pbcahgjd.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ghcmedmo.exe Process not Found File created C:\Windows\SysWOW64\Anbnkfdj.dll Ibjikk32.exe File opened for modification C:\Windows\SysWOW64\Mhbflj32.exe Mbhnpplb.exe File created C:\Windows\SysWOW64\Mgdpnqfn.exe Mdfcaegj.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4712 4824 Process not Found 1517 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hiehbl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ioochn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qnmfmoaa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijfpif32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oiqaed32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dedkbb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flphccbp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcllmi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcdihn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eeffpn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mchadifq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdkcgk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjkcedgp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmnakege.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Liqcei32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obilip32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aapikqel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lddjmb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkefcc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dqknqleg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omjeba32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eoqeekme.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epdncb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boolhikf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cobkhe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jollgl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ommdqi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elleai32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjkpckob.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdhnnl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckijdm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebhani32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocmbmnio.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilmgef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plljbkml.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhaibnim.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnpieceq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Danaqbgp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nqamaeii.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgqcam32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekppjmia.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnenfjdh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adnegldo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdcdcmai.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ggeiooea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpgain32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekmghppe.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dhdddnep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klpjgbfb.dll" Dihmae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbinloge.dll" Gfhikl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Majdkifd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hgjdcghp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nlcnaaog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Miegjbih.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pdamhocm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmifofko.dll" Lafekm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Obdjjb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klnahndn.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iphfcnka.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mdhnnl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cafbmdbh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ojdlkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kafopn32.dll" Eelfedpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iiahci32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ombkhdcj.dll" Pllmkcdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aifiogon.dll" Alfflhpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oqiidg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abkdaqcl.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dfhficcn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fejjah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cedabe32.dll" Kpqaanqd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Janihlcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mfijfdca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nfnfjmgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhadgbpa.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dndoof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jlbjcd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djgbkf32.dll" Adekhkng.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hjpnjheg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcoddhio.dll" Jgidnobg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mpmdff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Coapim32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bmhmgbif.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Glpdbfek.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hnimeg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nbegonmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcjlicgq.dll" Imdjlida.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lnmfpnqn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pdqfnhpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gechnn32.dll" Hdloab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Obilip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebjdjpda.dll" Cdmgkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mqkgeb32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnbmgkoo.dll" Ohhcokmp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Opkndldc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Noieei32.dll" Edidcb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gcdmikma.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2320 wrote to memory of 2384 2320 d2dcf2f6474baff2abea83a00f9a4128e18b1bb76e7b8c11b319258a1317fc5eN.exe 29 PID 2320 wrote to memory of 2384 2320 d2dcf2f6474baff2abea83a00f9a4128e18b1bb76e7b8c11b319258a1317fc5eN.exe 29 PID 2320 wrote to memory of 2384 2320 d2dcf2f6474baff2abea83a00f9a4128e18b1bb76e7b8c11b319258a1317fc5eN.exe 29 PID 2320 wrote to memory of 2384 2320 d2dcf2f6474baff2abea83a00f9a4128e18b1bb76e7b8c11b319258a1317fc5eN.exe 29 PID 2384 wrote to memory of 2804 2384 Hfflfp32.exe 30 PID 2384 wrote to memory of 2804 2384 Hfflfp32.exe 30 PID 2384 wrote to memory of 2804 2384 Hfflfp32.exe 30 PID 2384 wrote to memory of 2804 2384 Hfflfp32.exe 30 PID 2804 wrote to memory of 3048 2804 Hiehbl32.exe 31 PID 2804 wrote to memory of 3048 2804 Hiehbl32.exe 31 PID 2804 wrote to memory of 3048 2804 Hiehbl32.exe 31 PID 2804 wrote to memory of 3048 2804 Hiehbl32.exe 31 PID 3048 wrote to memory of 2948 3048 Indnqb32.exe 32 PID 3048 wrote to memory of 2948 3048 Indnqb32.exe 32 PID 3048 wrote to memory of 2948 3048 Indnqb32.exe 32 PID 3048 wrote to memory of 2948 3048 Indnqb32.exe 32 PID 2948 wrote to memory of 2824 2948 Ihlbih32.exe 33 PID 2948 wrote to memory of 2824 2948 Ihlbih32.exe 33 PID 2948 wrote to memory of 2824 2948 Ihlbih32.exe 33 PID 2948 wrote to memory of 2824 2948 Ihlbih32.exe 33 PID 2824 wrote to memory of 2736 2824 Iilocklc.exe 34 PID 2824 wrote to memory of 2736 2824 Iilocklc.exe 34 PID 2824 wrote to memory of 2736 2824 Iilocklc.exe 34 PID 2824 wrote to memory of 2736 2824 Iilocklc.exe 34 PID 2736 wrote to memory of 2132 2736 Iniglajj.exe 35 PID 2736 wrote to memory of 2132 2736 Iniglajj.exe 35 PID 2736 wrote to memory of 2132 2736 Iniglajj.exe 35 PID 2736 wrote to memory of 2132 2736 Iniglajj.exe 35 PID 2132 wrote to memory of 832 2132 Ilmgef32.exe 36 PID 2132 wrote to memory of 832 2132 Ilmgef32.exe 36 PID 2132 wrote to memory of 832 2132 Ilmgef32.exe 36 PID 2132 wrote to memory of 832 2132 Ilmgef32.exe 36 PID 832 wrote to memory of 2104 832 Imndmnob.exe 37 PID 832 wrote to memory of 2104 832 Imndmnob.exe 37 PID 832 wrote to memory of 2104 832 Imndmnob.exe 37 PID 832 wrote to memory of 2104 832 Imndmnob.exe 37 PID 2104 wrote to memory of 2496 2104 Jdjioh32.exe 38 PID 2104 wrote to memory of 2496 2104 Jdjioh32.exe 38 PID 2104 wrote to memory of 2496 2104 Jdjioh32.exe 38 PID 2104 wrote to memory of 2496 2104 Jdjioh32.exe 38 PID 2496 wrote to memory of 2996 2496 Janihlcf.exe 39 PID 2496 wrote to memory of 2996 2496 Janihlcf.exe 39 PID 2496 wrote to memory of 2996 2496 Janihlcf.exe 39 PID 2496 wrote to memory of 2996 2496 Janihlcf.exe 39 PID 2996 wrote to memory of 2908 2996 Jmejmm32.exe 40 PID 2996 wrote to memory of 2908 2996 Jmejmm32.exe 40 PID 2996 wrote to memory of 2908 2996 Jmejmm32.exe 40 PID 2996 wrote to memory of 2908 2996 Jmejmm32.exe 40 PID 2908 wrote to memory of 2100 2908 Jbbbed32.exe 41 PID 2908 wrote to memory of 2100 2908 Jbbbed32.exe 41 PID 2908 wrote to memory of 2100 2908 Jbbbed32.exe 41 PID 2908 wrote to memory of 2100 2908 Jbbbed32.exe 41 PID 2100 wrote to memory of 624 2100 Jljgni32.exe 42 PID 2100 wrote to memory of 624 2100 Jljgni32.exe 42 PID 2100 wrote to memory of 624 2100 Jljgni32.exe 42 PID 2100 wrote to memory of 624 2100 Jljgni32.exe 42 PID 624 wrote to memory of 2120 624 Jeblgodb.exe 43 PID 624 wrote to memory of 2120 624 Jeblgodb.exe 43 PID 624 wrote to memory of 2120 624 Jeblgodb.exe 43 PID 624 wrote to memory of 2120 624 Jeblgodb.exe 43 PID 2120 wrote to memory of 2180 2120 Kloqiijm.exe 44 PID 2120 wrote to memory of 2180 2120 Kloqiijm.exe 44 PID 2120 wrote to memory of 2180 2120 Kloqiijm.exe 44 PID 2120 wrote to memory of 2180 2120 Kloqiijm.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\d2dcf2f6474baff2abea83a00f9a4128e18b1bb76e7b8c11b319258a1317fc5eN.exe"C:\Users\Admin\AppData\Local\Temp\d2dcf2f6474baff2abea83a00f9a4128e18b1bb76e7b8c11b319258a1317fc5eN.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2320 -
C:\Windows\SysWOW64\Hfflfp32.exeC:\Windows\system32\Hfflfp32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2384 -
C:\Windows\SysWOW64\Hiehbl32.exeC:\Windows\system32\Hiehbl32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2804 -
C:\Windows\SysWOW64\Indnqb32.exeC:\Windows\system32\Indnqb32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3048 -
C:\Windows\SysWOW64\Ihlbih32.exeC:\Windows\system32\Ihlbih32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2948 -
C:\Windows\SysWOW64\Iilocklc.exeC:\Windows\system32\Iilocklc.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2824 -
C:\Windows\SysWOW64\Iniglajj.exeC:\Windows\system32\Iniglajj.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Windows\SysWOW64\Ilmgef32.exeC:\Windows\system32\Ilmgef32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2132 -
C:\Windows\SysWOW64\Imndmnob.exeC:\Windows\system32\Imndmnob.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:832 -
C:\Windows\SysWOW64\Jdjioh32.exeC:\Windows\system32\Jdjioh32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2104 -
C:\Windows\SysWOW64\Janihlcf.exeC:\Windows\system32\Janihlcf.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2496 -
C:\Windows\SysWOW64\Jmejmm32.exeC:\Windows\system32\Jmejmm32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2996 -
C:\Windows\SysWOW64\Jbbbed32.exeC:\Windows\system32\Jbbbed32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2908 -
C:\Windows\SysWOW64\Jljgni32.exeC:\Windows\system32\Jljgni32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2100 -
C:\Windows\SysWOW64\Jeblgodb.exeC:\Windows\system32\Jeblgodb.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:624 -
C:\Windows\SysWOW64\Kloqiijm.exeC:\Windows\system32\Kloqiijm.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2120 -
C:\Windows\SysWOW64\Kaliaphd.exeC:\Windows\system32\Kaliaphd.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2180 -
C:\Windows\SysWOW64\Klamohhj.exeC:\Windows\system32\Klamohhj.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2308 -
C:\Windows\SysWOW64\Kobfqc32.exeC:\Windows\system32\Kobfqc32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1724 -
C:\Windows\SysWOW64\Kpcbhlki.exeC:\Windows\system32\Kpcbhlki.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:648 -
C:\Windows\SysWOW64\Khjkiikl.exeC:\Windows\system32\Khjkiikl.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:920 -
C:\Windows\SysWOW64\Lllpclnk.exeC:\Windows\system32\Lllpclnk.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1720 -
C:\Windows\SysWOW64\Ldchdjom.exeC:\Windows\system32\Ldchdjom.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:692 -
C:\Windows\SysWOW64\Lpjiik32.exeC:\Windows\system32\Lpjiik32.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1572 -
C:\Windows\SysWOW64\Ljbmbpkb.exeC:\Windows\system32\Ljbmbpkb.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2164 -
C:\Windows\SysWOW64\Lhenmm32.exeC:\Windows\system32\Lhenmm32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2808 -
C:\Windows\SysWOW64\Lckbkfbb.exeC:\Windows\system32\Lckbkfbb.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2072 -
C:\Windows\SysWOW64\Lbpolb32.exeC:\Windows\system32\Lbpolb32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3060 -
C:\Windows\SysWOW64\Ldokhn32.exeC:\Windows\system32\Ldokhn32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2188 -
C:\Windows\SysWOW64\Mdahnmck.exeC:\Windows\system32\Mdahnmck.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2832 -
C:\Windows\SysWOW64\Mhlcnl32.exeC:\Windows\system32\Mhlcnl32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2676 -
C:\Windows\SysWOW64\Mnilfc32.exeC:\Windows\system32\Mnilfc32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1468 -
C:\Windows\SysWOW64\Mdcdcmai.exeC:\Windows\system32\Mdcdcmai.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:900 -
C:\Windows\SysWOW64\Mkmmpg32.exeC:\Windows\system32\Mkmmpg32.exe34⤵
- Executes dropped EXE
PID:2508 -
C:\Windows\SysWOW64\Mchadifq.exeC:\Windows\system32\Mchadifq.exe35⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2028 -
C:\Windows\SysWOW64\Mnneabff.exeC:\Windows\system32\Mnneabff.exe36⤵
- Executes dropped EXE
PID:2920 -
C:\Windows\SysWOW64\Mdhnnl32.exeC:\Windows\system32\Mdhnnl32.exe37⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2892 -
C:\Windows\SysWOW64\Mfijfdca.exeC:\Windows\system32\Mfijfdca.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:276 -
C:\Windows\SysWOW64\Mqoocmcg.exeC:\Windows\system32\Mqoocmcg.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1000 -
C:\Windows\SysWOW64\Npdkdjhp.exeC:\Windows\system32\Npdkdjhp.exe40⤵
- Executes dropped EXE
PID:1748 -
C:\Windows\SysWOW64\Ncpgeh32.exeC:\Windows\system32\Ncpgeh32.exe41⤵
- Executes dropped EXE
PID:2300 -
C:\Windows\SysWOW64\Nfncad32.exeC:\Windows\system32\Nfncad32.exe42⤵
- Executes dropped EXE
PID:560 -
C:\Windows\SysWOW64\Nlklik32.exeC:\Windows\system32\Nlklik32.exe43⤵
- Executes dropped EXE
PID:1600 -
C:\Windows\SysWOW64\Ncbdjhnf.exeC:\Windows\system32\Ncbdjhnf.exe44⤵
- Executes dropped EXE
PID:2236 -
C:\Windows\SysWOW64\Necqbp32.exeC:\Windows\system32\Necqbp32.exe45⤵
- Executes dropped EXE
PID:1328 -
C:\Windows\SysWOW64\Nmjicn32.exeC:\Windows\system32\Nmjicn32.exe46⤵
- Executes dropped EXE
PID:1668 -
C:\Windows\SysWOW64\Niaihojk.exeC:\Windows\system32\Niaihojk.exe47⤵
- Executes dropped EXE
PID:544 -
C:\Windows\SysWOW64\Nloedjin.exeC:\Windows\system32\Nloedjin.exe48⤵
- Executes dropped EXE
PID:1040 -
C:\Windows\SysWOW64\Nbinad32.exeC:\Windows\system32\Nbinad32.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1460 -
C:\Windows\SysWOW64\Nehjmppo.exeC:\Windows\system32\Nehjmppo.exe50⤵
- Executes dropped EXE
PID:1576 -
C:\Windows\SysWOW64\Nhffikob.exeC:\Windows\system32\Nhffikob.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1684 -
C:\Windows\SysWOW64\Nbljfdoh.exeC:\Windows\system32\Nbljfdoh.exe52⤵
- Executes dropped EXE
PID:2064 -
C:\Windows\SysWOW64\Oejgbonl.exeC:\Windows\system32\Oejgbonl.exe53⤵
- Executes dropped EXE
PID:2772 -
C:\Windows\SysWOW64\Ohhcokmp.exeC:\Windows\system32\Ohhcokmp.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:1624 -
C:\Windows\SysWOW64\Ojgokflc.exeC:\Windows\system32\Ojgokflc.exe55⤵
- Executes dropped EXE
PID:2052 -
C:\Windows\SysWOW64\Oelcho32.exeC:\Windows\system32\Oelcho32.exe56⤵
- Executes dropped EXE
PID:2576 -
C:\Windows\SysWOW64\Ohkpdj32.exeC:\Windows\system32\Ohkpdj32.exe57⤵
- Executes dropped EXE
PID:3020 -
C:\Windows\SysWOW64\Ofnppgbh.exeC:\Windows\system32\Ofnppgbh.exe58⤵
- Executes dropped EXE
PID:1528 -
C:\Windows\SysWOW64\Onehadbj.exeC:\Windows\system32\Onehadbj.exe59⤵
- Executes dropped EXE
PID:2144 -
C:\Windows\SysWOW64\Opfdim32.exeC:\Windows\system32\Opfdim32.exe60⤵
- Executes dropped EXE
PID:352 -
C:\Windows\SysWOW64\Ohmljj32.exeC:\Windows\system32\Ohmljj32.exe61⤵
- Executes dropped EXE
PID:2444 -
C:\Windows\SysWOW64\Ojlife32.exeC:\Windows\system32\Ojlife32.exe62⤵
- Executes dropped EXE
PID:1012 -
C:\Windows\SysWOW64\Omjeba32.exeC:\Windows\system32\Omjeba32.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:820 -
C:\Windows\SysWOW64\Oddmokoo.exeC:\Windows\system32\Oddmokoo.exe64⤵
- Executes dropped EXE
PID:2356 -
C:\Windows\SysWOW64\Ojnelefl.exeC:\Windows\system32\Ojnelefl.exe65⤵
- Executes dropped EXE
PID:2404 -
C:\Windows\SysWOW64\Omlahqeo.exeC:\Windows\system32\Omlahqeo.exe66⤵PID:632
-
C:\Windows\SysWOW64\Opkndldc.exeC:\Windows\system32\Opkndldc.exe67⤵
- Modifies registry class
PID:1440 -
C:\Windows\SysWOW64\Odfjdk32.exeC:\Windows\system32\Odfjdk32.exe68⤵PID:2596
-
C:\Windows\SysWOW64\Oegflcbj.exeC:\Windows\system32\Oegflcbj.exe69⤵PID:2204
-
C:\Windows\SysWOW64\Plaoim32.exeC:\Windows\system32\Plaoim32.exe70⤵PID:3036
-
C:\Windows\SysWOW64\Ppmkilbp.exeC:\Windows\system32\Ppmkilbp.exe71⤵PID:2976
-
C:\Windows\SysWOW64\Popkeh32.exeC:\Windows\system32\Popkeh32.exe72⤵PID:2360
-
C:\Windows\SysWOW64\Pfgcff32.exeC:\Windows\system32\Pfgcff32.exe73⤵PID:2704
-
C:\Windows\SysWOW64\Pieobaiq.exeC:\Windows\system32\Pieobaiq.exe74⤵PID:828
-
C:\Windows\SysWOW64\Pldknmhd.exeC:\Windows\system32\Pldknmhd.exe75⤵PID:2720
-
C:\Windows\SysWOW64\Pobgjhgh.exeC:\Windows\system32\Pobgjhgh.exe76⤵PID:1784
-
C:\Windows\SysWOW64\Paqdgcfl.exeC:\Windows\system32\Paqdgcfl.exe77⤵PID:2748
-
C:\Windows\SysWOW64\Pihlhagn.exeC:\Windows\system32\Pihlhagn.exe78⤵PID:1596
-
C:\Windows\SysWOW64\Phklcn32.exeC:\Windows\system32\Phklcn32.exe79⤵PID:440
-
C:\Windows\SysWOW64\Pkihpi32.exeC:\Windows\system32\Pkihpi32.exe80⤵PID:2292
-
C:\Windows\SysWOW64\Poddphee.exeC:\Windows\system32\Poddphee.exe81⤵PID:2124
-
C:\Windows\SysWOW64\Pacqlcdi.exeC:\Windows\system32\Pacqlcdi.exe82⤵PID:1532
-
C:\Windows\SysWOW64\Pdamhocm.exeC:\Windows\system32\Pdamhocm.exe83⤵
- Modifies registry class
PID:280 -
C:\Windows\SysWOW64\Plheil32.exeC:\Windows\system32\Plheil32.exe84⤵PID:2588
-
C:\Windows\SysWOW64\Pogaeg32.exeC:\Windows\system32\Pogaeg32.exe85⤵PID:2856
-
C:\Windows\SysWOW64\Pmjaadjm.exeC:\Windows\system32\Pmjaadjm.exe86⤵
- Drops file in System32 directory
PID:2952 -
C:\Windows\SysWOW64\Phoeomjc.exeC:\Windows\system32\Phoeomjc.exe87⤵PID:2816
-
C:\Windows\SysWOW64\Pknakhig.exeC:\Windows\system32\Pknakhig.exe88⤵PID:2148
-
C:\Windows\SysWOW64\Pmlngdhk.exeC:\Windows\system32\Pmlngdhk.exe89⤵PID:772
-
C:\Windows\SysWOW64\Pdffcn32.exeC:\Windows\system32\Pdffcn32.exe90⤵PID:2888
-
C:\Windows\SysWOW64\Qkpnph32.exeC:\Windows\system32\Qkpnph32.exe91⤵PID:1556
-
C:\Windows\SysWOW64\Qdhcinme.exeC:\Windows\system32\Qdhcinme.exe92⤵PID:1048
-
C:\Windows\SysWOW64\Qkbkfh32.exeC:\Windows\system32\Qkbkfh32.exe93⤵PID:536
-
C:\Windows\SysWOW64\Qiekadkl.exeC:\Windows\system32\Qiekadkl.exe94⤵PID:2240
-
C:\Windows\SysWOW64\Qpocno32.exeC:\Windows\system32\Qpocno32.exe95⤵PID:2432
-
C:\Windows\SysWOW64\Acnpjj32.exeC:\Windows\system32\Acnpjj32.exe96⤵PID:2264
-
C:\Windows\SysWOW64\Ajghgd32.exeC:\Windows\system32\Ajghgd32.exe97⤵PID:1964
-
C:\Windows\SysWOW64\Apapcnaf.exeC:\Windows\system32\Apapcnaf.exe98⤵PID:2860
-
C:\Windows\SysWOW64\Aglhph32.exeC:\Windows\system32\Aglhph32.exe99⤵PID:2840
-
C:\Windows\SysWOW64\Aenileon.exeC:\Windows\system32\Aenileon.exe100⤵PID:1824
-
C:\Windows\SysWOW64\Apdminod.exeC:\Windows\system32\Apdminod.exe101⤵PID:2688
-
C:\Windows\SysWOW64\Acbieing.exeC:\Windows\system32\Acbieing.exe102⤵PID:908
-
C:\Windows\SysWOW64\Aaeiqf32.exeC:\Windows\system32\Aaeiqf32.exe103⤵PID:2532
-
C:\Windows\SysWOW64\Alknnodh.exeC:\Windows\system32\Alknnodh.exe104⤵PID:2900
-
C:\Windows\SysWOW64\Aoijjjcl.exeC:\Windows\system32\Aoijjjcl.exe105⤵PID:2376
-
C:\Windows\SysWOW64\Akpkok32.exeC:\Windows\system32\Akpkok32.exe106⤵PID:2284
-
C:\Windows\SysWOW64\Abjcleqm.exeC:\Windows\system32\Abjcleqm.exe107⤵PID:1448
-
C:\Windows\SysWOW64\Ahdkhp32.exeC:\Windows\system32\Ahdkhp32.exe108⤵PID:1168
-
C:\Windows\SysWOW64\Akbgdkgm.exeC:\Windows\system32\Akbgdkgm.exe109⤵PID:2288
-
C:\Windows\SysWOW64\Bblpae32.exeC:\Windows\system32\Bblpae32.exe110⤵PID:1988
-
C:\Windows\SysWOW64\Bqopmbed.exeC:\Windows\system32\Bqopmbed.exe111⤵PID:2420
-
C:\Windows\SysWOW64\Bgihjl32.exeC:\Windows\system32\Bgihjl32.exe112⤵PID:984
-
C:\Windows\SysWOW64\Bjgdfg32.exeC:\Windows\system32\Bjgdfg32.exe113⤵PID:2848
-
C:\Windows\SysWOW64\Bbolge32.exeC:\Windows\system32\Bbolge32.exe114⤵PID:1552
-
C:\Windows\SysWOW64\Bqambacb.exeC:\Windows\system32\Bqambacb.exe115⤵PID:2876
-
C:\Windows\SysWOW64\Bgkeol32.exeC:\Windows\system32\Bgkeol32.exe116⤵PID:2724
-
C:\Windows\SysWOW64\Bkgqpjch.exeC:\Windows\system32\Bkgqpjch.exe117⤵PID:1192
-
C:\Windows\SysWOW64\Bmhmgbif.exeC:\Windows\system32\Bmhmgbif.exe118⤵
- Modifies registry class
PID:2040 -
C:\Windows\SysWOW64\Bqciha32.exeC:\Windows\system32\Bqciha32.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2972 -
C:\Windows\SysWOW64\Bgnaekil.exeC:\Windows\system32\Bgnaekil.exe120⤵PID:1952
-
C:\Windows\SysWOW64\Bfqaph32.exeC:\Windows\system32\Bfqaph32.exe121⤵PID:2248
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-