Analysis
-
max time kernel
118s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
08-12-2024 02:58
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
c751b881202a2a436aec523a0122b2ce10654ff2e1779f58ffeb144fe7d74823.exe
Resource
win7-20241010-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral2
Sample
c751b881202a2a436aec523a0122b2ce10654ff2e1779f58ffeb144fe7d74823.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
c751b881202a2a436aec523a0122b2ce10654ff2e1779f58ffeb144fe7d74823.exe
-
Size
95KB
-
MD5
75b3ba673d7a648f9c1144b65c79b5a1
-
SHA1
b28075a737d5ea25e9a3b46d2421f8d26b291fa2
-
SHA256
c751b881202a2a436aec523a0122b2ce10654ff2e1779f58ffeb144fe7d74823
-
SHA512
47939903a9d8cbdcc303a4594f7ab1aa3f9a74d83062005a13d2d0f21302091835459aa90a786fdc17652a4e01e045a1d5462c0d23b22a46ab807b8a0ffab50a
-
SSDEEP
1536:DWLKnBPHpsU98ABOt8Hofm5UD3/JyK33P9BhtzZOM6bOLXi8PmCofGV:DW85plzwt8Ifm43/VHP9BhVZDrLXfzo+
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pkaehb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbdiia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eanldqgf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbdjcffd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nhkbmo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekdchf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pfnmmn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghoijebj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpogiglp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mggabaea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kindeddf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bphooc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lfippfej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kkojbf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgmmfjip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qlgndbil.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfepod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dkmljcdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kkdnhi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnejim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fegjgkla.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpojkp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckpckece.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfebhmbm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Maldfbjn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpfmmf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hfepod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hieiqo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iclbpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cqglng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dmjlof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Paiaplin.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ciihklpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cidddj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocjpkm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmpdmfff.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmidlmcd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iihiphln.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghacfmic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kljdkpfl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcfemmna.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mbhlek32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbkqdepm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mjcjog32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jggoqimd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jfjolf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ofafgipc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehnfpifm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkjpggkn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jojkco32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgfjhcge.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkipao32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdobdc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hofqpc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amjpgdik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oeindm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jjkkbjln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mciabmlo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejaphpnp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhpfdaml.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 1948 Hjlioj32.exe 2256 Hqfaldbo.exe 3064 Hahnac32.exe 936 Hfegij32.exe 1280 Hmoofdea.exe 2436 Hpphhp32.exe 3036 Hfjpdjjo.exe 380 Hpbdmo32.exe 2432 Iikifegp.exe 2572 Inhanl32.exe 2860 Iafnjg32.exe 2236 Iimfld32.exe 1680 Ibejdjln.exe 1652 Iakgefqe.exe 748 Ifgpnmom.exe 2644 Ijclol32.exe 2664 Ihglhp32.exe 2956 Ijehdl32.exe 2204 Iihiphln.exe 840 Jbqmhnbo.exe 1852 Jkhejkcq.exe 2484 Jlkngc32.exe 1920 Jojkco32.exe 1988 Jioopgef.exe 772 Jolghndm.exe 1556 Jlphbbbg.exe 108 Jondnnbk.exe 2176 Kkeecogo.exe 2416 Kncaojfb.exe 2228 Kkgahoel.exe 2336 Kaajei32.exe 2852 Kpgffe32.exe 2724 Kdbbgdjj.exe 2740 Kddomchg.exe 2924 Kgclio32.exe 2856 Kjahej32.exe 2512 Knmdeioh.exe 1392 Ljddjj32.exe 1784 Llbqfe32.exe 2316 Ljfapjbi.exe 800 Locjhqpa.exe 752 Lbafdlod.exe 2896 Lfoojj32.exe 2960 Lklgbadb.exe 1924 Lohccp32.exe 1360 Lnjcomcf.exe 2560 Lqipkhbj.exe 1472 Lddlkg32.exe 572 Lgchgb32.exe 580 Mjaddn32.exe 1584 Mbhlek32.exe 2272 Mdghaf32.exe 2164 Mgedmb32.exe 2168 Mkqqnq32.exe 2688 Mmbmeifk.exe 2812 Mdiefffn.exe 2808 Mggabaea.exe 2608 Mfjann32.exe 2428 Mmdjkhdh.exe 1932 Mqpflg32.exe 1588 Mcnbhb32.exe 2888 Mjhjdm32.exe 2944 Mmgfqh32.exe 2920 Mqbbagjo.exe -
Loads dropped DLL 64 IoCs
pid Process 2260 c751b881202a2a436aec523a0122b2ce10654ff2e1779f58ffeb144fe7d74823.exe 2260 c751b881202a2a436aec523a0122b2ce10654ff2e1779f58ffeb144fe7d74823.exe 1948 Hjlioj32.exe 1948 Hjlioj32.exe 2256 Hqfaldbo.exe 2256 Hqfaldbo.exe 3064 Hahnac32.exe 3064 Hahnac32.exe 936 Hfegij32.exe 936 Hfegij32.exe 1280 Hmoofdea.exe 1280 Hmoofdea.exe 2436 Hpphhp32.exe 2436 Hpphhp32.exe 3036 Hfjpdjjo.exe 3036 Hfjpdjjo.exe 380 Hpbdmo32.exe 380 Hpbdmo32.exe 2432 Iikifegp.exe 2432 Iikifegp.exe 2572 Inhanl32.exe 2572 Inhanl32.exe 2860 Iafnjg32.exe 2860 Iafnjg32.exe 2236 Iimfld32.exe 2236 Iimfld32.exe 1680 Ibejdjln.exe 1680 Ibejdjln.exe 1652 Iakgefqe.exe 1652 Iakgefqe.exe 748 Ifgpnmom.exe 748 Ifgpnmom.exe 2644 Ijclol32.exe 2644 Ijclol32.exe 2664 Ihglhp32.exe 2664 Ihglhp32.exe 2956 Ijehdl32.exe 2956 Ijehdl32.exe 2204 Iihiphln.exe 2204 Iihiphln.exe 840 Jbqmhnbo.exe 840 Jbqmhnbo.exe 1852 Jkhejkcq.exe 1852 Jkhejkcq.exe 2484 Jlkngc32.exe 2484 Jlkngc32.exe 1920 Jojkco32.exe 1920 Jojkco32.exe 1988 Jioopgef.exe 1988 Jioopgef.exe 772 Jolghndm.exe 772 Jolghndm.exe 1556 Jlphbbbg.exe 1556 Jlphbbbg.exe 108 Jondnnbk.exe 108 Jondnnbk.exe 2176 Kkeecogo.exe 2176 Kkeecogo.exe 2416 Kncaojfb.exe 2416 Kncaojfb.exe 2228 Kkgahoel.exe 2228 Kkgahoel.exe 2336 Kaajei32.exe 2336 Kaajei32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Phcilf32.exe Pplaki32.exe File created C:\Windows\SysWOW64\Mhqnpqce.dll Ccgklc32.exe File opened for modification C:\Windows\SysWOW64\Fgocmc32.exe Fdpgph32.exe File created C:\Windows\SysWOW64\Mkacfiga.exe Mhcfjnhm.exe File created C:\Windows\SysWOW64\Clllik32.dll Akadpn32.exe File created C:\Windows\SysWOW64\Ifpelq32.exe Idohdhbo.exe File created C:\Windows\SysWOW64\Pofkha32.exe Plgolf32.exe File created C:\Windows\SysWOW64\Peefcjlg.exe Pbgjgomc.exe File created C:\Windows\SysWOW64\Fjnignob.exe Ffbmfo32.exe File created C:\Windows\SysWOW64\Qlggjlep.exe Qdpohodn.exe File created C:\Windows\SysWOW64\Eimllb32.dll Dinneo32.exe File opened for modification C:\Windows\SysWOW64\Adfbpega.exe Aahfdihn.exe File opened for modification C:\Windows\SysWOW64\Dcbnpgkh.exe Dadbdkld.exe File created C:\Windows\SysWOW64\Oqfopomn.dll Honnki32.exe File opened for modification C:\Windows\SysWOW64\Cgdqpq32.exe Cdedde32.exe File created C:\Windows\SysWOW64\Mdojnm32.exe Maanab32.exe File created C:\Windows\SysWOW64\Fniamd32.dll Mfgnnhkc.exe File created C:\Windows\SysWOW64\Epflllfi.dll Mjcjog32.exe File created C:\Windows\SysWOW64\Jgifkl32.dll Ofnpnkgf.exe File opened for modification C:\Windows\SysWOW64\Mebnic32.exe Lnkege32.exe File created C:\Windows\SysWOW64\Hcgqbmgm.dll Kijmbnpo.exe File created C:\Windows\SysWOW64\Cfgnmg32.dll Kngekdnf.exe File created C:\Windows\SysWOW64\Kagflkia.dll Nfdddm32.exe File created C:\Windows\SysWOW64\Akpkmo32.exe Adfbpega.exe File created C:\Windows\SysWOW64\Bacihmoo.exe Boemlbpk.exe File created C:\Windows\SysWOW64\Gkmefaan.exe Ghoijebj.exe File created C:\Windows\SysWOW64\Fodkno32.dll Gkmefaan.exe File opened for modification C:\Windows\SysWOW64\Jeoeclek.exe Jbphgpfg.exe File opened for modification C:\Windows\SysWOW64\Eibgpnjk.exe Dbiocd32.exe File opened for modification C:\Windows\SysWOW64\Dlifadkk.exe Dcbnpgkh.exe File opened for modification C:\Windows\SysWOW64\Dhpgfeao.exe Dafoikjb.exe File created C:\Windows\SysWOW64\Goldfelp.exe Gpidki32.exe File opened for modification C:\Windows\SysWOW64\Ocpfkh32.exe Okinik32.exe File created C:\Windows\SysWOW64\Malbbh32.dll Process not Found File created C:\Windows\SysWOW64\Jajdfk32.dll Cjbmll32.exe File created C:\Windows\SysWOW64\Ehhfjcff.exe Eejjnhgc.exe File created C:\Windows\SysWOW64\Cmpppdfa.dll Kcginj32.exe File created C:\Windows\SysWOW64\Iqjcnfeg.dll Mdadjd32.exe File created C:\Windows\SysWOW64\Egjeoijn.dll Bgghac32.exe File created C:\Windows\SysWOW64\Fofndb32.dll Bkbdabog.exe File created C:\Windows\SysWOW64\Njfaognh.dll Fooembgb.exe File opened for modification C:\Windows\SysWOW64\Mndhnd32.exe Mgjpaj32.exe File opened for modification C:\Windows\SysWOW64\Epfhde32.exe Eacghhkd.exe File created C:\Windows\SysWOW64\Fimelc32.dll Ppgcol32.exe File opened for modification C:\Windows\SysWOW64\Lajkbp32.exe Lbgkfbbj.exe File created C:\Windows\SysWOW64\Mclqqeaq.exe Mkdioh32.exe File created C:\Windows\SysWOW64\Kdbbgdjj.exe Kpgffe32.exe File created C:\Windows\SysWOW64\Qeppdo32.exe Qdncmgbj.exe File created C:\Windows\SysWOW64\Lcmdjb32.dll Oehgjfhi.exe File created C:\Windows\SysWOW64\Bhkeohhn.exe Ajhddk32.exe File created C:\Windows\SysWOW64\Pncadjah.dll Hoqjqhjf.exe File opened for modification C:\Windows\SysWOW64\Kablnadm.exe Kjhcag32.exe File created C:\Windows\SysWOW64\Pbjifgcd.exe Pmmqmpdm.exe File created C:\Windows\SysWOW64\Dgnminke.exe Process not Found File created C:\Windows\SysWOW64\Objmgd32.exe Ojceef32.exe File created C:\Windows\SysWOW64\Pbglpg32.exe Ppipdl32.exe File opened for modification C:\Windows\SysWOW64\Iclbpj32.exe Inojhc32.exe File opened for modification C:\Windows\SysWOW64\Nndemg32.exe Ngjlpmnn.exe File created C:\Windows\SysWOW64\Bkhjamcf.exe Bgmnpn32.exe File created C:\Windows\SysWOW64\Fpokjd32.exe Fhhbif32.exe File created C:\Windows\SysWOW64\Fhipniif.dll Ldkdckff.exe File opened for modification C:\Windows\SysWOW64\Mnhnfckm.exe Mkibjgli.exe File opened for modification C:\Windows\SysWOW64\Amhcad32.exe Ajjgei32.exe File created C:\Windows\SysWOW64\Lceeqk32.dll Fbngfo32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 1996 328 Process not Found 1099 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Homdhjai.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chjjde32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qlggjlep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbcoio32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnqjnhge.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhninb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amgjnepn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijnnao32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aeokba32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Faonom32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iebldo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Calcpm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alaqjaaa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aoaill32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcmnja32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejioln32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffbmfo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idmlniea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnhhge32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aojabdlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdkkcp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mggabaea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iladfn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eppefg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkjmfjmi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhdpnm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbbobkol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbnpbm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmkdhq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ooabmbbe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khjgel32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpnopm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgjpaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkilka32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekhmcelc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfeaiime.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oniebmda.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eogolc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnhjgj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpmjcg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ponklpcg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgfjggll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcmklh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qigebglj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpgobc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccmpce32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omckoi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkacfiga.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mqbejp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhfkihon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kncaojfb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epeekmjk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kenoifpb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdadjd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onqkclni.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbnhpdke.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hqkmplen.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oejcpf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klcgpkhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmnojp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Beadgdli.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Objaha32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bhmaeg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jllqplnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlmfbm32.dll" Bedhgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iciopdca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acfenf32.dll" Mkdffoij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmbhcoif.dll" Aklabp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojacgdmh.dll" Goldfelp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgjkggck.dll" Mebnic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbnooiab.dll" Hjlioj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Opnbbe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pgfjhcge.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Klfjpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Klhioioc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odljflhj.dll" Nfglfdeb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iipejmko.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nmnojp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fhhbif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Maoalb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nmfbpk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Njgpij32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cnejim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dgknkf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mbcoio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgpklj32.dll" Mkcplien.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmglihnc.dll" Ndfpnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Baclaf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hmoofdea.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mnblhddb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nndemg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Djdjalea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kpfplo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihlnih32.dll" Bpbmqe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kckhdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kaholp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Inhanl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aldhcb32.dll" Qlgkki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fiqhbk32.dll" Aficjnpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bhjlli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cidcinlc.dll" Ajjgei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bccblb32.dll" Cfanmogq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcjpobko.dll" Ljnqdhga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aiaoclgl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Anadojlo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bacihmoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gonale32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mkofaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kambcbhb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nklopg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iakgefqe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qqmfpqmc.dll" Pmkhjncg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hnbaif32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Olpbaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgjbpi32.dll" Bjembh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Flabdecn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iianmlfn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Paafmp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nnmlcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmihbe32.dll" Jelfdc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dmkcil32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bkkgfm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Blipno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Malbbh32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipdbellh.dll" Iikkon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhklji32.dll" Oqennbbl.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2260 wrote to memory of 1948 2260 c751b881202a2a436aec523a0122b2ce10654ff2e1779f58ffeb144fe7d74823.exe 28 PID 2260 wrote to memory of 1948 2260 c751b881202a2a436aec523a0122b2ce10654ff2e1779f58ffeb144fe7d74823.exe 28 PID 2260 wrote to memory of 1948 2260 c751b881202a2a436aec523a0122b2ce10654ff2e1779f58ffeb144fe7d74823.exe 28 PID 2260 wrote to memory of 1948 2260 c751b881202a2a436aec523a0122b2ce10654ff2e1779f58ffeb144fe7d74823.exe 28 PID 1948 wrote to memory of 2256 1948 Hjlioj32.exe 29 PID 1948 wrote to memory of 2256 1948 Hjlioj32.exe 29 PID 1948 wrote to memory of 2256 1948 Hjlioj32.exe 29 PID 1948 wrote to memory of 2256 1948 Hjlioj32.exe 29 PID 2256 wrote to memory of 3064 2256 Hqfaldbo.exe 30 PID 2256 wrote to memory of 3064 2256 Hqfaldbo.exe 30 PID 2256 wrote to memory of 3064 2256 Hqfaldbo.exe 30 PID 2256 wrote to memory of 3064 2256 Hqfaldbo.exe 30 PID 3064 wrote to memory of 936 3064 Hahnac32.exe 31 PID 3064 wrote to memory of 936 3064 Hahnac32.exe 31 PID 3064 wrote to memory of 936 3064 Hahnac32.exe 31 PID 3064 wrote to memory of 936 3064 Hahnac32.exe 31 PID 936 wrote to memory of 1280 936 Hfegij32.exe 32 PID 936 wrote to memory of 1280 936 Hfegij32.exe 32 PID 936 wrote to memory of 1280 936 Hfegij32.exe 32 PID 936 wrote to memory of 1280 936 Hfegij32.exe 32 PID 1280 wrote to memory of 2436 1280 Hmoofdea.exe 33 PID 1280 wrote to memory of 2436 1280 Hmoofdea.exe 33 PID 1280 wrote to memory of 2436 1280 Hmoofdea.exe 33 PID 1280 wrote to memory of 2436 1280 Hmoofdea.exe 33 PID 2436 wrote to memory of 3036 2436 Hpphhp32.exe 34 PID 2436 wrote to memory of 3036 2436 Hpphhp32.exe 34 PID 2436 wrote to memory of 3036 2436 Hpphhp32.exe 34 PID 2436 wrote to memory of 3036 2436 Hpphhp32.exe 34 PID 3036 wrote to memory of 380 3036 Hfjpdjjo.exe 35 PID 3036 wrote to memory of 380 3036 Hfjpdjjo.exe 35 PID 3036 wrote to memory of 380 3036 Hfjpdjjo.exe 35 PID 3036 wrote to memory of 380 3036 Hfjpdjjo.exe 35 PID 380 wrote to memory of 2432 380 Hpbdmo32.exe 36 PID 380 wrote to memory of 2432 380 Hpbdmo32.exe 36 PID 380 wrote to memory of 2432 380 Hpbdmo32.exe 36 PID 380 wrote to memory of 2432 380 Hpbdmo32.exe 36 PID 2432 wrote to memory of 2572 2432 Iikifegp.exe 37 PID 2432 wrote to memory of 2572 2432 Iikifegp.exe 37 PID 2432 wrote to memory of 2572 2432 Iikifegp.exe 37 PID 2432 wrote to memory of 2572 2432 Iikifegp.exe 37 PID 2572 wrote to memory of 2860 2572 Inhanl32.exe 38 PID 2572 wrote to memory of 2860 2572 Inhanl32.exe 38 PID 2572 wrote to memory of 2860 2572 Inhanl32.exe 38 PID 2572 wrote to memory of 2860 2572 Inhanl32.exe 38 PID 2860 wrote to memory of 2236 2860 Iafnjg32.exe 39 PID 2860 wrote to memory of 2236 2860 Iafnjg32.exe 39 PID 2860 wrote to memory of 2236 2860 Iafnjg32.exe 39 PID 2860 wrote to memory of 2236 2860 Iafnjg32.exe 39 PID 2236 wrote to memory of 1680 2236 Iimfld32.exe 40 PID 2236 wrote to memory of 1680 2236 Iimfld32.exe 40 PID 2236 wrote to memory of 1680 2236 Iimfld32.exe 40 PID 2236 wrote to memory of 1680 2236 Iimfld32.exe 40 PID 1680 wrote to memory of 1652 1680 Ibejdjln.exe 41 PID 1680 wrote to memory of 1652 1680 Ibejdjln.exe 41 PID 1680 wrote to memory of 1652 1680 Ibejdjln.exe 41 PID 1680 wrote to memory of 1652 1680 Ibejdjln.exe 41 PID 1652 wrote to memory of 748 1652 Iakgefqe.exe 43 PID 1652 wrote to memory of 748 1652 Iakgefqe.exe 43 PID 1652 wrote to memory of 748 1652 Iakgefqe.exe 43 PID 1652 wrote to memory of 748 1652 Iakgefqe.exe 43 PID 748 wrote to memory of 2644 748 Ifgpnmom.exe 44 PID 748 wrote to memory of 2644 748 Ifgpnmom.exe 44 PID 748 wrote to memory of 2644 748 Ifgpnmom.exe 44 PID 748 wrote to memory of 2644 748 Ifgpnmom.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\c751b881202a2a436aec523a0122b2ce10654ff2e1779f58ffeb144fe7d74823.exe"C:\Users\Admin\AppData\Local\Temp\c751b881202a2a436aec523a0122b2ce10654ff2e1779f58ffeb144fe7d74823.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2260 -
C:\Windows\SysWOW64\Hjlioj32.exeC:\Windows\system32\Hjlioj32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1948 -
C:\Windows\SysWOW64\Hqfaldbo.exeC:\Windows\system32\Hqfaldbo.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2256 -
C:\Windows\SysWOW64\Hahnac32.exeC:\Windows\system32\Hahnac32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3064 -
C:\Windows\SysWOW64\Hfegij32.exeC:\Windows\system32\Hfegij32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:936 -
C:\Windows\SysWOW64\Hmoofdea.exeC:\Windows\system32\Hmoofdea.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1280 -
C:\Windows\SysWOW64\Hpphhp32.exeC:\Windows\system32\Hpphhp32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2436 -
C:\Windows\SysWOW64\Hfjpdjjo.exeC:\Windows\system32\Hfjpdjjo.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3036 -
C:\Windows\SysWOW64\Hpbdmo32.exeC:\Windows\system32\Hpbdmo32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:380 -
C:\Windows\SysWOW64\Iikifegp.exeC:\Windows\system32\Iikifegp.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2432 -
C:\Windows\SysWOW64\Inhanl32.exeC:\Windows\system32\Inhanl32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2572 -
C:\Windows\SysWOW64\Iafnjg32.exeC:\Windows\system32\Iafnjg32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2860 -
C:\Windows\SysWOW64\Iimfld32.exeC:\Windows\system32\Iimfld32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2236 -
C:\Windows\SysWOW64\Ibejdjln.exeC:\Windows\system32\Ibejdjln.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1680 -
C:\Windows\SysWOW64\Iakgefqe.exeC:\Windows\system32\Iakgefqe.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1652 -
C:\Windows\SysWOW64\Ifgpnmom.exeC:\Windows\system32\Ifgpnmom.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:748 -
C:\Windows\SysWOW64\Ijclol32.exeC:\Windows\system32\Ijclol32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2644 -
C:\Windows\SysWOW64\Ihglhp32.exeC:\Windows\system32\Ihglhp32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2664 -
C:\Windows\SysWOW64\Ijehdl32.exeC:\Windows\system32\Ijehdl32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2956 -
C:\Windows\SysWOW64\Iihiphln.exeC:\Windows\system32\Iihiphln.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2204 -
C:\Windows\SysWOW64\Jbqmhnbo.exeC:\Windows\system32\Jbqmhnbo.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:840 -
C:\Windows\SysWOW64\Jkhejkcq.exeC:\Windows\system32\Jkhejkcq.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1852 -
C:\Windows\SysWOW64\Jlkngc32.exeC:\Windows\system32\Jlkngc32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2484 -
C:\Windows\SysWOW64\Jojkco32.exeC:\Windows\system32\Jojkco32.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1920 -
C:\Windows\SysWOW64\Jioopgef.exeC:\Windows\system32\Jioopgef.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1988 -
C:\Windows\SysWOW64\Jolghndm.exeC:\Windows\system32\Jolghndm.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:772 -
C:\Windows\SysWOW64\Jlphbbbg.exeC:\Windows\system32\Jlphbbbg.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1556 -
C:\Windows\SysWOW64\Jondnnbk.exeC:\Windows\system32\Jondnnbk.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:108 -
C:\Windows\SysWOW64\Kkeecogo.exeC:\Windows\system32\Kkeecogo.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2176 -
C:\Windows\SysWOW64\Kncaojfb.exeC:\Windows\system32\Kncaojfb.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2416 -
C:\Windows\SysWOW64\Kkgahoel.exeC:\Windows\system32\Kkgahoel.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2228 -
C:\Windows\SysWOW64\Kaajei32.exeC:\Windows\system32\Kaajei32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2336 -
C:\Windows\SysWOW64\Kpgffe32.exeC:\Windows\system32\Kpgffe32.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2852 -
C:\Windows\SysWOW64\Kdbbgdjj.exeC:\Windows\system32\Kdbbgdjj.exe34⤵
- Executes dropped EXE
PID:2724 -
C:\Windows\SysWOW64\Kddomchg.exeC:\Windows\system32\Kddomchg.exe35⤵
- Executes dropped EXE
PID:2740 -
C:\Windows\SysWOW64\Kgclio32.exeC:\Windows\system32\Kgclio32.exe36⤵
- Executes dropped EXE
PID:2924 -
C:\Windows\SysWOW64\Kjahej32.exeC:\Windows\system32\Kjahej32.exe37⤵
- Executes dropped EXE
PID:2856 -
C:\Windows\SysWOW64\Knmdeioh.exeC:\Windows\system32\Knmdeioh.exe38⤵
- Executes dropped EXE
PID:2512 -
C:\Windows\SysWOW64\Ljddjj32.exeC:\Windows\system32\Ljddjj32.exe39⤵
- Executes dropped EXE
PID:1392 -
C:\Windows\SysWOW64\Llbqfe32.exeC:\Windows\system32\Llbqfe32.exe40⤵
- Executes dropped EXE
PID:1784 -
C:\Windows\SysWOW64\Ljfapjbi.exeC:\Windows\system32\Ljfapjbi.exe41⤵
- Executes dropped EXE
PID:2316 -
C:\Windows\SysWOW64\Locjhqpa.exeC:\Windows\system32\Locjhqpa.exe42⤵
- Executes dropped EXE
PID:800 -
C:\Windows\SysWOW64\Lbafdlod.exeC:\Windows\system32\Lbafdlod.exe43⤵
- Executes dropped EXE
PID:752 -
C:\Windows\SysWOW64\Lfoojj32.exeC:\Windows\system32\Lfoojj32.exe44⤵
- Executes dropped EXE
PID:2896 -
C:\Windows\SysWOW64\Lklgbadb.exeC:\Windows\system32\Lklgbadb.exe45⤵
- Executes dropped EXE
PID:2960 -
C:\Windows\SysWOW64\Lohccp32.exeC:\Windows\system32\Lohccp32.exe46⤵
- Executes dropped EXE
PID:1924 -
C:\Windows\SysWOW64\Lnjcomcf.exeC:\Windows\system32\Lnjcomcf.exe47⤵
- Executes dropped EXE
PID:1360 -
C:\Windows\SysWOW64\Lqipkhbj.exeC:\Windows\system32\Lqipkhbj.exe48⤵
- Executes dropped EXE
PID:2560 -
C:\Windows\SysWOW64\Lddlkg32.exeC:\Windows\system32\Lddlkg32.exe49⤵
- Executes dropped EXE
PID:1472 -
C:\Windows\SysWOW64\Lgchgb32.exeC:\Windows\system32\Lgchgb32.exe50⤵
- Executes dropped EXE
PID:572 -
C:\Windows\SysWOW64\Mjaddn32.exeC:\Windows\system32\Mjaddn32.exe51⤵
- Executes dropped EXE
PID:580 -
C:\Windows\SysWOW64\Mbhlek32.exeC:\Windows\system32\Mbhlek32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1584 -
C:\Windows\SysWOW64\Mdghaf32.exeC:\Windows\system32\Mdghaf32.exe53⤵
- Executes dropped EXE
PID:2272 -
C:\Windows\SysWOW64\Mgedmb32.exeC:\Windows\system32\Mgedmb32.exe54⤵
- Executes dropped EXE
PID:2164 -
C:\Windows\SysWOW64\Mkqqnq32.exeC:\Windows\system32\Mkqqnq32.exe55⤵
- Executes dropped EXE
PID:2168 -
C:\Windows\SysWOW64\Mmbmeifk.exeC:\Windows\system32\Mmbmeifk.exe56⤵
- Executes dropped EXE
PID:2688 -
C:\Windows\SysWOW64\Mdiefffn.exeC:\Windows\system32\Mdiefffn.exe57⤵
- Executes dropped EXE
PID:2812 -
C:\Windows\SysWOW64\Mggabaea.exeC:\Windows\system32\Mggabaea.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2808 -
C:\Windows\SysWOW64\Mfjann32.exeC:\Windows\system32\Mfjann32.exe59⤵
- Executes dropped EXE
PID:2608 -
C:\Windows\SysWOW64\Mmdjkhdh.exeC:\Windows\system32\Mmdjkhdh.exe60⤵
- Executes dropped EXE
PID:2428 -
C:\Windows\SysWOW64\Mqpflg32.exeC:\Windows\system32\Mqpflg32.exe61⤵
- Executes dropped EXE
PID:1932 -
C:\Windows\SysWOW64\Mcnbhb32.exeC:\Windows\system32\Mcnbhb32.exe62⤵
- Executes dropped EXE
PID:1588 -
C:\Windows\SysWOW64\Mjhjdm32.exeC:\Windows\system32\Mjhjdm32.exe63⤵
- Executes dropped EXE
PID:2888 -
C:\Windows\SysWOW64\Mmgfqh32.exeC:\Windows\system32\Mmgfqh32.exe64⤵
- Executes dropped EXE
PID:2944 -
C:\Windows\SysWOW64\Mqbbagjo.exeC:\Windows\system32\Mqbbagjo.exe65⤵
- Executes dropped EXE
PID:2920 -
C:\Windows\SysWOW64\Mbcoio32.exeC:\Windows\system32\Mbcoio32.exe66⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1692 -
C:\Windows\SysWOW64\Mfokinhf.exeC:\Windows\system32\Mfokinhf.exe67⤵PID:2212
-
C:\Windows\SysWOW64\Mimgeigj.exeC:\Windows\system32\Mimgeigj.exe68⤵PID:672
-
C:\Windows\SysWOW64\Mpgobc32.exeC:\Windows\system32\Mpgobc32.exe69⤵
- System Location Discovery: System Language Discovery
PID:1736 -
C:\Windows\SysWOW64\Nbflno32.exeC:\Windows\system32\Nbflno32.exe70⤵PID:2356
-
C:\Windows\SysWOW64\Nedhjj32.exeC:\Windows\system32\Nedhjj32.exe71⤵PID:1600
-
C:\Windows\SysWOW64\Nlnpgd32.exeC:\Windows\system32\Nlnpgd32.exe72⤵PID:2492
-
C:\Windows\SysWOW64\Nnmlcp32.exeC:\Windows\system32\Nnmlcp32.exe73⤵
- Modifies registry class
PID:2004 -
C:\Windows\SysWOW64\Nfdddm32.exeC:\Windows\system32\Nfdddm32.exe74⤵
- Drops file in System32 directory
PID:1308 -
C:\Windows\SysWOW64\Nefdpjkl.exeC:\Windows\system32\Nefdpjkl.exe75⤵PID:2840
-
C:\Windows\SysWOW64\Ngealejo.exeC:\Windows\system32\Ngealejo.exe76⤵PID:2932
-
C:\Windows\SysWOW64\Nplimbka.exeC:\Windows\system32\Nplimbka.exe77⤵PID:2632
-
C:\Windows\SysWOW64\Nnoiio32.exeC:\Windows\system32\Nnoiio32.exe78⤵PID:584
-
C:\Windows\SysWOW64\Nbjeinje.exeC:\Windows\system32\Nbjeinje.exe79⤵PID:1028
-
C:\Windows\SysWOW64\Neiaeiii.exeC:\Windows\system32\Neiaeiii.exe80⤵PID:2224
-
C:\Windows\SysWOW64\Nlcibc32.exeC:\Windows\system32\Nlcibc32.exe81⤵PID:2764
-
C:\Windows\SysWOW64\Njfjnpgp.exeC:\Windows\system32\Njfjnpgp.exe82⤵PID:2780
-
C:\Windows\SysWOW64\Nnafnopi.exeC:\Windows\system32\Nnafnopi.exe83⤵PID:2184
-
C:\Windows\SysWOW64\Neknki32.exeC:\Windows\system32\Neknki32.exe84⤵PID:2116
-
C:\Windows\SysWOW64\Ncnngfna.exeC:\Windows\system32\Ncnngfna.exe85⤵PID:832
-
C:\Windows\SysWOW64\Nlefhcnc.exeC:\Windows\system32\Nlefhcnc.exe86⤵PID:324
-
C:\Windows\SysWOW64\Nncbdomg.exeC:\Windows\system32\Nncbdomg.exe87⤵PID:1684
-
C:\Windows\SysWOW64\Nmfbpk32.exeC:\Windows\system32\Nmfbpk32.exe88⤵
- Modifies registry class
PID:2172 -
C:\Windows\SysWOW64\Nabopjmj.exeC:\Windows\system32\Nabopjmj.exe89⤵PID:2656
-
C:\Windows\SysWOW64\Ndqkleln.exeC:\Windows\system32\Ndqkleln.exe90⤵PID:2684
-
C:\Windows\SysWOW64\Nfoghakb.exeC:\Windows\system32\Nfoghakb.exe91⤵PID:2864
-
C:\Windows\SysWOW64\Onfoin32.exeC:\Windows\system32\Onfoin32.exe92⤵PID:2576
-
C:\Windows\SysWOW64\Odchbe32.exeC:\Windows\system32\Odchbe32.exe93⤵PID:1440
-
C:\Windows\SysWOW64\Ofadnq32.exeC:\Windows\system32\Ofadnq32.exe94⤵PID:1976
-
C:\Windows\SysWOW64\Ojmpooah.exeC:\Windows\system32\Ojmpooah.exe95⤵PID:1980
-
C:\Windows\SysWOW64\Omklkkpl.exeC:\Windows\system32\Omklkkpl.exe96⤵PID:2796
-
C:\Windows\SysWOW64\Opihgfop.exeC:\Windows\system32\Opihgfop.exe97⤵PID:2784
-
C:\Windows\SysWOW64\Odedge32.exeC:\Windows\system32\Odedge32.exe98⤵PID:1364
-
C:\Windows\SysWOW64\Ofcqcp32.exeC:\Windows\system32\Ofcqcp32.exe99⤵PID:2940
-
C:\Windows\SysWOW64\Oibmpl32.exeC:\Windows\system32\Oibmpl32.exe100⤵PID:1576
-
C:\Windows\SysWOW64\Olpilg32.exeC:\Windows\system32\Olpilg32.exe101⤵PID:1968
-
C:\Windows\SysWOW64\Oplelf32.exeC:\Windows\system32\Oplelf32.exe102⤵PID:1644
-
C:\Windows\SysWOW64\Objaha32.exeC:\Windows\system32\Objaha32.exe103⤵
- System Location Discovery: System Language Discovery
PID:2408 -
C:\Windows\SysWOW64\Oeindm32.exeC:\Windows\system32\Oeindm32.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2844 -
C:\Windows\SysWOW64\Oidiekdn.exeC:\Windows\system32\Oidiekdn.exe105⤵PID:2652
-
C:\Windows\SysWOW64\Olbfagca.exeC:\Windows\system32\Olbfagca.exe106⤵PID:2648
-
C:\Windows\SysWOW64\Opnbbe32.exeC:\Windows\system32\Opnbbe32.exe107⤵
- Modifies registry class
PID:1812 -
C:\Windows\SysWOW64\Ooabmbbe.exeC:\Windows\system32\Ooabmbbe.exe108⤵
- System Location Discovery: System Language Discovery
PID:844 -
C:\Windows\SysWOW64\Oekjjl32.exeC:\Windows\system32\Oekjjl32.exe109⤵PID:2544
-
C:\Windows\SysWOW64\Oococb32.exeC:\Windows\system32\Oococb32.exe110⤵PID:2200
-
C:\Windows\SysWOW64\Oabkom32.exeC:\Windows\system32\Oabkom32.exe111⤵PID:2220
-
C:\Windows\SysWOW64\Oemgplgo.exeC:\Windows\system32\Oemgplgo.exe112⤵PID:1348
-
C:\Windows\SysWOW64\Phlclgfc.exeC:\Windows\system32\Phlclgfc.exe113⤵PID:2072
-
C:\Windows\SysWOW64\Plgolf32.exeC:\Windows\system32\Plgolf32.exe114⤵
- Drops file in System32 directory
PID:1664 -
C:\Windows\SysWOW64\Pofkha32.exeC:\Windows\system32\Pofkha32.exe115⤵PID:1176
-
C:\Windows\SysWOW64\Padhdm32.exeC:\Windows\system32\Padhdm32.exe116⤵PID:2728
-
C:\Windows\SysWOW64\Pepcelel.exeC:\Windows\system32\Pepcelel.exe117⤵PID:2904
-
C:\Windows\SysWOW64\Phnpagdp.exeC:\Windows\system32\Phnpagdp.exe118⤵PID:1804
-
C:\Windows\SysWOW64\Pkmlmbcd.exeC:\Windows\system32\Pkmlmbcd.exe119⤵PID:1828
-
C:\Windows\SysWOW64\Pohhna32.exeC:\Windows\system32\Pohhna32.exe120⤵PID:1760
-
C:\Windows\SysWOW64\Pmkhjncg.exeC:\Windows\system32\Pmkhjncg.exe121⤵
- Modifies registry class
PID:1908
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-