Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
23-12-2024 02:17
Static task
static1
Behavioral task
behavioral1
Sample
b4471267fa7e464f532cac446cbf619e152cc2bd992bda98a31633cda0e8438c.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
b4471267fa7e464f532cac446cbf619e152cc2bd992bda98a31633cda0e8438c.exe
Resource
win10v2004-20241007-en
General
-
Target
b4471267fa7e464f532cac446cbf619e152cc2bd992bda98a31633cda0e8438c.exe
-
Size
88KB
-
MD5
bb14980234bd7e64e8b0cdce30f72945
-
SHA1
3aa76d0cfe272cc08809c91f4dca675d5c129589
-
SHA256
b4471267fa7e464f532cac446cbf619e152cc2bd992bda98a31633cda0e8438c
-
SHA512
2b8bd32a4a3ac1217dea00da2f8c6771b83032a9de9fa07777afe57fe8e263e22b001883a5c6d9e41a8436f806929cdb0dc9012e10ef26669cb2a391dc795074
-
SSDEEP
1536:pYqR76hezrIBTDckQjj1Lc/KsVrb8MUvYHmOak3Qc1HrRF0JNnouy8h:qG7sp1DRIj1c/PvUvcakDtr61outh
Malware Config
Extracted
berbew
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkmeoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dhiomn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eacljf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Goiehm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgffhkoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aoojnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Idicbbpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aebmjo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Allefimb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Njbdea32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfnneb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppcbgkka.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Famope32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gblkoham.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apgagg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cfmhdpnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Imahkg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhgnaehm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ilcoce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Meabakda.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akiobk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gneijien.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipeaco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mpamde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fkecij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iafnjg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihpfgalh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gneijien.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcgjmo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hakkgc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knmdeioh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhomkcoa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcqombic.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfdopp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Amfognic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dknajh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eobchk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fjjpjgjj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfahomfd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pafdjmkq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ciohqa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eoiiijcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hakkgc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knfndjdp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khkbbc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eoiiijcc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkecij32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdpfadlm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obhdcanc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cnkjnb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ippdgc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jedcpi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkpjnkig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ijclol32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdaqmg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oijjka32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnldjekl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibejdjln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qgmpibam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ppcbgkka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gcbabpcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mdiefffn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aakjdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nijnln32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 1944 Ilcoce32.exe 1948 Ilcoce32.exe 2304 Ielclkhe.exe 1248 Iigpli32.exe 2856 Jkhldafl.exe 2892 Jbpdeogo.exe 2784 Jdaqmg32.exe 2908 Jkkija32.exe 2144 Jofejpmc.exe 676 Jdcmbgkj.exe 2792 Jkmeoa32.exe 1628 Joiappkp.exe 2576 Jagnlkjd.exe 544 Jhafhe32.exe 2992 Jkpbdq32.exe 1940 Jaijak32.exe 1832 Jckgicnp.exe 912 Jgfcja32.exe 1924 Jnpkflne.exe 1356 Jpogbgmi.exe 288 Kghpoa32.exe 1756 Kfkpknkq.exe 848 Klehgh32.exe 1308 Koddccaa.exe 2100 Kgkleabc.exe 1764 Kjihalag.exe 2116 Kpcqnf32.exe 2424 Kjleflod.exe 2692 Kljabgnh.exe 2860 Kbgjkn32.exe 2504 Kdefgj32.exe 1520 Kkoncdcp.exe 2432 Knnkpobc.exe 2416 Lkakicam.exe 264 Lblcfnhj.exe 1372 Lqncaj32.exe 576 Lghlndfa.exe 1732 Ljghjpfe.exe 1672 Lqqpgj32.exe 1768 Lgkhdddo.exe 2128 Ljieppcb.exe 1072 Ldoimh32.exe 1860 Lgmeid32.exe 1968 Ljkaeo32.exe 2252 Lqejbiim.exe 884 Lcdfnehp.exe 1108 Ljnnko32.exe 2180 Lmljgj32.exe 2220 Lokgcf32.exe 2372 Lcfbdd32.exe 2776 Mfdopp32.exe 2732 Mjpkqonj.exe 2552 Micklk32.exe 2700 Mmogmjmn.exe 2592 Mpmcielb.exe 1096 Mchoid32.exe 1496 Mfglep32.exe 2820 Mejlalji.exe 1684 Mmadbjkk.exe 2072 Mkddnf32.exe 2284 Mnbpjb32.exe 2004 Melifl32.exe 2476 Mgjebg32.exe 1552 Mpamde32.exe -
Loads dropped DLL 64 IoCs
pid Process 2668 b4471267fa7e464f532cac446cbf619e152cc2bd992bda98a31633cda0e8438c.exe 2668 b4471267fa7e464f532cac446cbf619e152cc2bd992bda98a31633cda0e8438c.exe 1944 Ilcoce32.exe 1944 Ilcoce32.exe 1948 Ilcoce32.exe 1948 Ilcoce32.exe 2304 Ielclkhe.exe 2304 Ielclkhe.exe 1248 Iigpli32.exe 1248 Iigpli32.exe 2856 Jkhldafl.exe 2856 Jkhldafl.exe 2892 Jbpdeogo.exe 2892 Jbpdeogo.exe 2784 Jdaqmg32.exe 2784 Jdaqmg32.exe 2908 Jkkija32.exe 2908 Jkkija32.exe 2144 Jofejpmc.exe 2144 Jofejpmc.exe 676 Jdcmbgkj.exe 676 Jdcmbgkj.exe 2792 Jkmeoa32.exe 2792 Jkmeoa32.exe 1628 Joiappkp.exe 1628 Joiappkp.exe 2576 Jagnlkjd.exe 2576 Jagnlkjd.exe 544 Jhafhe32.exe 544 Jhafhe32.exe 2992 Jkpbdq32.exe 2992 Jkpbdq32.exe 1940 Jaijak32.exe 1940 Jaijak32.exe 1832 Jckgicnp.exe 1832 Jckgicnp.exe 912 Jgfcja32.exe 912 Jgfcja32.exe 1924 Jnpkflne.exe 1924 Jnpkflne.exe 1356 Jpogbgmi.exe 1356 Jpogbgmi.exe 288 Kghpoa32.exe 288 Kghpoa32.exe 1756 Kfkpknkq.exe 1756 Kfkpknkq.exe 848 Klehgh32.exe 848 Klehgh32.exe 1308 Koddccaa.exe 1308 Koddccaa.exe 2100 Kgkleabc.exe 2100 Kgkleabc.exe 1764 Kjihalag.exe 1764 Kjihalag.exe 2116 Kpcqnf32.exe 2116 Kpcqnf32.exe 2424 Kjleflod.exe 2424 Kjleflod.exe 2692 Kljabgnh.exe 2692 Kljabgnh.exe 2860 Kbgjkn32.exe 2860 Kbgjkn32.exe 2504 Kdefgj32.exe 2504 Kdefgj32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Cbblda32.exe Cocphf32.exe File created C:\Windows\SysWOW64\Jppgpfpi.dll Lkakicam.exe File opened for modification C:\Windows\SysWOW64\Ndmecgba.exe Nlfmbibo.exe File created C:\Windows\SysWOW64\Oaqbln32.exe Oijjka32.exe File created C:\Windows\SysWOW64\Qlomqkmp.dll Inhanl32.exe File opened for modification C:\Windows\SysWOW64\Mmbmeifk.exe Mjcaimgg.exe File opened for modification C:\Windows\SysWOW64\Bniajoic.exe Bkjdndjo.exe File created C:\Windows\SysWOW64\Jnpkflne.exe Jgfcja32.exe File opened for modification C:\Windows\SysWOW64\Ohhmcinf.exe Opaebkmc.exe File opened for modification C:\Windows\SysWOW64\Fkpjnkig.exe Fgdnnl32.exe File created C:\Windows\SysWOW64\Flnlpo32.dll Jaoqqflp.exe File created C:\Windows\SysWOW64\Lfmbek32.exe Lbafdlod.exe File created C:\Windows\SysWOW64\Hcldhnkk.exe Hldlga32.exe File opened for modification C:\Windows\SysWOW64\Pckajebj.exe Popeif32.exe File created C:\Windows\SysWOW64\Cpehmcmg.dll Jedcpi32.exe File created C:\Windows\SysWOW64\Aohdmdoh.exe Apedah32.exe File created C:\Windows\SysWOW64\Clmdmm32.exe Ciohqa32.exe File created C:\Windows\SysWOW64\Kjmnjkjd.exe Kgnbnpkp.exe File opened for modification C:\Windows\SysWOW64\Qgjccb32.exe Qdlggg32.exe File created C:\Windows\SysWOW64\Ehpalp32.exe Eddeladm.exe File created C:\Windows\SysWOW64\Jpigma32.exe Jhbold32.exe File created C:\Windows\SysWOW64\Apedah32.exe Qnghel32.exe File created C:\Windows\SysWOW64\Mmadbjkk.exe Mejlalji.exe File created C:\Windows\SysWOW64\Apldjp32.dll Gblkoham.exe File created C:\Windows\SysWOW64\Bdqlajbb.exe Bbbpenco.exe File opened for modification C:\Windows\SysWOW64\Anlhkbhq.exe Agbpnh32.exe File created C:\Windows\SysWOW64\Jpefpo32.dll Qdncmgbj.exe File created C:\Windows\SysWOW64\Eggndi32.exe Edibhmml.exe File created C:\Windows\SysWOW64\Ehmdgp32.exe Eeohkeoe.exe File created C:\Windows\SysWOW64\Gpihdl32.dll Lcofio32.exe File opened for modification C:\Windows\SysWOW64\Nlefhcnc.exe Ncnngfna.exe File created C:\Windows\SysWOW64\Mpgobc32.exe Mklcadfn.exe File created C:\Windows\SysWOW64\Abmgjo32.exe Aoojnc32.exe File created C:\Windows\SysWOW64\Ogqhpm32.dll Oidiekdn.exe File opened for modification C:\Windows\SysWOW64\Pnbojmmp.exe Pkcbnanl.exe File created C:\Windows\SysWOW64\Cmfaflol.dll Qkfocaki.exe File created C:\Windows\SysWOW64\Fhgpia32.dll Cpfmmf32.exe File opened for modification C:\Windows\SysWOW64\Mndmoaog.exe Mpamde32.exe File opened for modification C:\Windows\SysWOW64\Kgnbnpkp.exe Khkbbc32.exe File created C:\Windows\SysWOW64\Lbafdlod.exe Lcofio32.exe File created C:\Windows\SysWOW64\Adqaqk32.dll Nbjeinje.exe File opened for modification C:\Windows\SysWOW64\Dmbcen32.exe Dnpciaef.exe File opened for modification C:\Windows\SysWOW64\Inhanl32.exe Ipeaco32.exe File opened for modification C:\Windows\SysWOW64\Iamdkfnc.exe Imahkg32.exe File created C:\Windows\SysWOW64\Kccllg32.dll Ljfapjbi.exe File created C:\Windows\SysWOW64\Nagbgl32.exe Mnifja32.exe File created C:\Windows\SysWOW64\Afgmodel.exe Agdmdg32.exe File created C:\Windows\SysWOW64\Klbdgb32.exe Khghgchk.exe File created C:\Windows\SysWOW64\Pdkefp32.dll Dmbcen32.exe File created C:\Windows\SysWOW64\Nhakcfab.exe Necogkbo.exe File created C:\Windows\SysWOW64\Cpiqmlfm.exe Clmdmm32.exe File created C:\Windows\SysWOW64\Cpgkadij.dll Jpgjgboe.exe File created C:\Windows\SysWOW64\Koaqcn32.exe Klbdgb32.exe File created C:\Windows\SysWOW64\Pgnjde32.exe Ppcbgkka.exe File opened for modification C:\Windows\SysWOW64\Eoiiijcc.exe Eknmhk32.exe File opened for modification C:\Windows\SysWOW64\Jefpeh32.exe Jajcdjca.exe File opened for modification C:\Windows\SysWOW64\Kaompi32.exe Koaqcn32.exe File created C:\Windows\SysWOW64\Fkdqjn32.dll Ccjoli32.exe File created C:\Windows\SysWOW64\Qaipli32.dll Opfbngfb.exe File created C:\Windows\SysWOW64\Cfnmapnj.dll Mjkgjl32.exe File created C:\Windows\SysWOW64\Ppnnai32.exe Pmpbdm32.exe File opened for modification C:\Windows\SysWOW64\Aoojnc32.exe Alqnah32.exe File created C:\Windows\SysWOW64\Pecgea32.exe Pcdkif32.exe File created C:\Windows\SysWOW64\Cfcijf32.exe Cbgmigeq.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 6852 6800 WerFault.exe 684 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilcoce32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfghdcfj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agdmdg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccpcckck.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cacclpae.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boogmgkl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odjdmjgo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akiobk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jimbkh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mqpflg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nipdkieg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgcbhd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lokgcf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ookpodkj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Palepb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgldnkkf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbbpenco.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihglhp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfmbek32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpogbgmi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdefgj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mchoid32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pincfpoo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dknajh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdhkfd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkjphcff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qackpado.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aodkci32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdjjag32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Caaggpdh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idicbbpi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aohdmdoh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qeppdo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abmgjo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilcoce32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkpeci32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dahifbpk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eeohkeoe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbefcm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjahej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjkhdacm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iigpli32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gifclb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnaiol32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omklkkpl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qdncmgbj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anlhkbhq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aggiigmn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhomkcoa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkglnm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhdlad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kddomchg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahgofi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hboddk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imahkg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpgjgboe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbfook32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mimgeigj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nncbdomg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qpbglhjq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfglep32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Daofpchf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjjpjgjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmoofdea.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beimfpfn.dll" Cpfdhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnkgen32.dll" Elajgpmj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jampjian.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mnmpdlac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mmicfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qdlggg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ingkfk32.dll" Aqmamm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kklkcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mjhjdm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Onfoin32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Akiobk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eecafd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifppipg.dll" Nameek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efeckm32.dll" Clojhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dacpkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oiffkkbk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fgdnnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ibcnojnp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nipdkieg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iigpli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jppgpfpi.dll" Lkakicam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjgcdgcc.dll" Gncldi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jaoqqflp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mkndhabp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Joiappkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qododfek.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hnjbeh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mcqombic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaokcb32.dll" Nhlgmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hopbda32.dll" Oabkom32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qppkfhlc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bgoime32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gifclb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mqpflg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aoojnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mcnbhb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qdlggg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ndkhngdd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Afgmodel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhcmgmam.dll" Ncnngfna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqbolhmg.dll" Offmipej.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Adnpkjde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ccdmnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dekhchoj.dll" Ggkqmoma.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iahkpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbjclbek.dll" Alnalh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Akiobk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bgffhkoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfocegkg.dll" Emagacdm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqgkdo32.dll" Jbpdeogo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bgffhkoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cpkmcldj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Inlkik32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Knhjjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nefamd32.dll" Ckjamgmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pphcfh32.dll" Oaqbln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ojmpooah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jajjnjlc.dll" Cicalakk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgpomb32.dll" Dddimn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgfkgo32.dll" Fggkcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaogad32.dll" Nfidjbdg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ieajkfmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jkhldafl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qkffng32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2668 wrote to memory of 1944 2668 b4471267fa7e464f532cac446cbf619e152cc2bd992bda98a31633cda0e8438c.exe 30 PID 2668 wrote to memory of 1944 2668 b4471267fa7e464f532cac446cbf619e152cc2bd992bda98a31633cda0e8438c.exe 30 PID 2668 wrote to memory of 1944 2668 b4471267fa7e464f532cac446cbf619e152cc2bd992bda98a31633cda0e8438c.exe 30 PID 2668 wrote to memory of 1944 2668 b4471267fa7e464f532cac446cbf619e152cc2bd992bda98a31633cda0e8438c.exe 30 PID 1944 wrote to memory of 1948 1944 Ilcoce32.exe 31 PID 1944 wrote to memory of 1948 1944 Ilcoce32.exe 31 PID 1944 wrote to memory of 1948 1944 Ilcoce32.exe 31 PID 1944 wrote to memory of 1948 1944 Ilcoce32.exe 31 PID 1948 wrote to memory of 2304 1948 Ilcoce32.exe 32 PID 1948 wrote to memory of 2304 1948 Ilcoce32.exe 32 PID 1948 wrote to memory of 2304 1948 Ilcoce32.exe 32 PID 1948 wrote to memory of 2304 1948 Ilcoce32.exe 32 PID 2304 wrote to memory of 1248 2304 Ielclkhe.exe 33 PID 2304 wrote to memory of 1248 2304 Ielclkhe.exe 33 PID 2304 wrote to memory of 1248 2304 Ielclkhe.exe 33 PID 2304 wrote to memory of 1248 2304 Ielclkhe.exe 33 PID 1248 wrote to memory of 2856 1248 Iigpli32.exe 34 PID 1248 wrote to memory of 2856 1248 Iigpli32.exe 34 PID 1248 wrote to memory of 2856 1248 Iigpli32.exe 34 PID 1248 wrote to memory of 2856 1248 Iigpli32.exe 34 PID 2856 wrote to memory of 2892 2856 Jkhldafl.exe 35 PID 2856 wrote to memory of 2892 2856 Jkhldafl.exe 35 PID 2856 wrote to memory of 2892 2856 Jkhldafl.exe 35 PID 2856 wrote to memory of 2892 2856 Jkhldafl.exe 35 PID 2892 wrote to memory of 2784 2892 Jbpdeogo.exe 36 PID 2892 wrote to memory of 2784 2892 Jbpdeogo.exe 36 PID 2892 wrote to memory of 2784 2892 Jbpdeogo.exe 36 PID 2892 wrote to memory of 2784 2892 Jbpdeogo.exe 36 PID 2784 wrote to memory of 2908 2784 Jdaqmg32.exe 37 PID 2784 wrote to memory of 2908 2784 Jdaqmg32.exe 37 PID 2784 wrote to memory of 2908 2784 Jdaqmg32.exe 37 PID 2784 wrote to memory of 2908 2784 Jdaqmg32.exe 37 PID 2908 wrote to memory of 2144 2908 Jkkija32.exe 38 PID 2908 wrote to memory of 2144 2908 Jkkija32.exe 38 PID 2908 wrote to memory of 2144 2908 Jkkija32.exe 38 PID 2908 wrote to memory of 2144 2908 Jkkija32.exe 38 PID 2144 wrote to memory of 676 2144 Jofejpmc.exe 39 PID 2144 wrote to memory of 676 2144 Jofejpmc.exe 39 PID 2144 wrote to memory of 676 2144 Jofejpmc.exe 39 PID 2144 wrote to memory of 676 2144 Jofejpmc.exe 39 PID 676 wrote to memory of 2792 676 Jdcmbgkj.exe 40 PID 676 wrote to memory of 2792 676 Jdcmbgkj.exe 40 PID 676 wrote to memory of 2792 676 Jdcmbgkj.exe 40 PID 676 wrote to memory of 2792 676 Jdcmbgkj.exe 40 PID 2792 wrote to memory of 1628 2792 Jkmeoa32.exe 41 PID 2792 wrote to memory of 1628 2792 Jkmeoa32.exe 41 PID 2792 wrote to memory of 1628 2792 Jkmeoa32.exe 41 PID 2792 wrote to memory of 1628 2792 Jkmeoa32.exe 41 PID 1628 wrote to memory of 2576 1628 Joiappkp.exe 42 PID 1628 wrote to memory of 2576 1628 Joiappkp.exe 42 PID 1628 wrote to memory of 2576 1628 Joiappkp.exe 42 PID 1628 wrote to memory of 2576 1628 Joiappkp.exe 42 PID 2576 wrote to memory of 544 2576 Jagnlkjd.exe 43 PID 2576 wrote to memory of 544 2576 Jagnlkjd.exe 43 PID 2576 wrote to memory of 544 2576 Jagnlkjd.exe 43 PID 2576 wrote to memory of 544 2576 Jagnlkjd.exe 43 PID 544 wrote to memory of 2992 544 Jhafhe32.exe 44 PID 544 wrote to memory of 2992 544 Jhafhe32.exe 44 PID 544 wrote to memory of 2992 544 Jhafhe32.exe 44 PID 544 wrote to memory of 2992 544 Jhafhe32.exe 44 PID 2992 wrote to memory of 1940 2992 Jkpbdq32.exe 45 PID 2992 wrote to memory of 1940 2992 Jkpbdq32.exe 45 PID 2992 wrote to memory of 1940 2992 Jkpbdq32.exe 45 PID 2992 wrote to memory of 1940 2992 Jkpbdq32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\b4471267fa7e464f532cac446cbf619e152cc2bd992bda98a31633cda0e8438c.exe"C:\Users\Admin\AppData\Local\Temp\b4471267fa7e464f532cac446cbf619e152cc2bd992bda98a31633cda0e8438c.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2668 -
C:\Windows\SysWOW64\Ilcoce32.exeC:\Windows\system32\Ilcoce32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1944 -
C:\Windows\SysWOW64\Ilcoce32.exeC:\Windows\system32\Ilcoce32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1948 -
C:\Windows\SysWOW64\Ielclkhe.exeC:\Windows\system32\Ielclkhe.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2304 -
C:\Windows\SysWOW64\Iigpli32.exeC:\Windows\system32\Iigpli32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1248 -
C:\Windows\SysWOW64\Jkhldafl.exeC:\Windows\system32\Jkhldafl.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2856 -
C:\Windows\SysWOW64\Jbpdeogo.exeC:\Windows\system32\Jbpdeogo.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2892 -
C:\Windows\SysWOW64\Jdaqmg32.exeC:\Windows\system32\Jdaqmg32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2784 -
C:\Windows\SysWOW64\Jkkija32.exeC:\Windows\system32\Jkkija32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2908 -
C:\Windows\SysWOW64\Jofejpmc.exeC:\Windows\system32\Jofejpmc.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2144 -
C:\Windows\SysWOW64\Jdcmbgkj.exeC:\Windows\system32\Jdcmbgkj.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:676 -
C:\Windows\SysWOW64\Jkmeoa32.exeC:\Windows\system32\Jkmeoa32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2792 -
C:\Windows\SysWOW64\Joiappkp.exeC:\Windows\system32\Joiappkp.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1628 -
C:\Windows\SysWOW64\Jagnlkjd.exeC:\Windows\system32\Jagnlkjd.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2576 -
C:\Windows\SysWOW64\Jhafhe32.exeC:\Windows\system32\Jhafhe32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:544 -
C:\Windows\SysWOW64\Jkpbdq32.exeC:\Windows\system32\Jkpbdq32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2992 -
C:\Windows\SysWOW64\Jaijak32.exeC:\Windows\system32\Jaijak32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1940 -
C:\Windows\SysWOW64\Jckgicnp.exeC:\Windows\system32\Jckgicnp.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1832 -
C:\Windows\SysWOW64\Jgfcja32.exeC:\Windows\system32\Jgfcja32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:912 -
C:\Windows\SysWOW64\Jnpkflne.exeC:\Windows\system32\Jnpkflne.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1924 -
C:\Windows\SysWOW64\Jpogbgmi.exeC:\Windows\system32\Jpogbgmi.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1356 -
C:\Windows\SysWOW64\Kghpoa32.exeC:\Windows\system32\Kghpoa32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:288 -
C:\Windows\SysWOW64\Kfkpknkq.exeC:\Windows\system32\Kfkpknkq.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1756 -
C:\Windows\SysWOW64\Klehgh32.exeC:\Windows\system32\Klehgh32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:848 -
C:\Windows\SysWOW64\Koddccaa.exeC:\Windows\system32\Koddccaa.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1308 -
C:\Windows\SysWOW64\Kgkleabc.exeC:\Windows\system32\Kgkleabc.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2100 -
C:\Windows\SysWOW64\Kjihalag.exeC:\Windows\system32\Kjihalag.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1764 -
C:\Windows\SysWOW64\Kpcqnf32.exeC:\Windows\system32\Kpcqnf32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2116 -
C:\Windows\SysWOW64\Kjleflod.exeC:\Windows\system32\Kjleflod.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2424 -
C:\Windows\SysWOW64\Kljabgnh.exeC:\Windows\system32\Kljabgnh.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2692 -
C:\Windows\SysWOW64\Kbgjkn32.exeC:\Windows\system32\Kbgjkn32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2860 -
C:\Windows\SysWOW64\Kdefgj32.exeC:\Windows\system32\Kdefgj32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2504 -
C:\Windows\SysWOW64\Kkoncdcp.exeC:\Windows\system32\Kkoncdcp.exe33⤵
- Executes dropped EXE
PID:1520 -
C:\Windows\SysWOW64\Knnkpobc.exeC:\Windows\system32\Knnkpobc.exe34⤵
- Executes dropped EXE
PID:2432 -
C:\Windows\SysWOW64\Lkakicam.exeC:\Windows\system32\Lkakicam.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2416 -
C:\Windows\SysWOW64\Lblcfnhj.exeC:\Windows\system32\Lblcfnhj.exe36⤵
- Executes dropped EXE
PID:264 -
C:\Windows\SysWOW64\Lqncaj32.exeC:\Windows\system32\Lqncaj32.exe37⤵
- Executes dropped EXE
PID:1372 -
C:\Windows\SysWOW64\Lghlndfa.exeC:\Windows\system32\Lghlndfa.exe38⤵
- Executes dropped EXE
PID:576 -
C:\Windows\SysWOW64\Ljghjpfe.exeC:\Windows\system32\Ljghjpfe.exe39⤵
- Executes dropped EXE
PID:1732 -
C:\Windows\SysWOW64\Lqqpgj32.exeC:\Windows\system32\Lqqpgj32.exe40⤵
- Executes dropped EXE
PID:1672 -
C:\Windows\SysWOW64\Lgkhdddo.exeC:\Windows\system32\Lgkhdddo.exe41⤵
- Executes dropped EXE
PID:1768 -
C:\Windows\SysWOW64\Ljieppcb.exeC:\Windows\system32\Ljieppcb.exe42⤵
- Executes dropped EXE
PID:2128 -
C:\Windows\SysWOW64\Ldoimh32.exeC:\Windows\system32\Ldoimh32.exe43⤵
- Executes dropped EXE
PID:1072 -
C:\Windows\SysWOW64\Lgmeid32.exeC:\Windows\system32\Lgmeid32.exe44⤵
- Executes dropped EXE
PID:1860 -
C:\Windows\SysWOW64\Ljkaeo32.exeC:\Windows\system32\Ljkaeo32.exe45⤵
- Executes dropped EXE
PID:1968 -
C:\Windows\SysWOW64\Lqejbiim.exeC:\Windows\system32\Lqejbiim.exe46⤵
- Executes dropped EXE
PID:2252 -
C:\Windows\SysWOW64\Lcdfnehp.exeC:\Windows\system32\Lcdfnehp.exe47⤵
- Executes dropped EXE
PID:884 -
C:\Windows\SysWOW64\Ljnnko32.exeC:\Windows\system32\Ljnnko32.exe48⤵
- Executes dropped EXE
PID:1108 -
C:\Windows\SysWOW64\Lmljgj32.exeC:\Windows\system32\Lmljgj32.exe49⤵
- Executes dropped EXE
PID:2180 -
C:\Windows\SysWOW64\Lokgcf32.exeC:\Windows\system32\Lokgcf32.exe50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2220 -
C:\Windows\SysWOW64\Lcfbdd32.exeC:\Windows\system32\Lcfbdd32.exe51⤵
- Executes dropped EXE
PID:2372 -
C:\Windows\SysWOW64\Mfdopp32.exeC:\Windows\system32\Mfdopp32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2776 -
C:\Windows\SysWOW64\Mjpkqonj.exeC:\Windows\system32\Mjpkqonj.exe53⤵
- Executes dropped EXE
PID:2732 -
C:\Windows\SysWOW64\Micklk32.exeC:\Windows\system32\Micklk32.exe54⤵
- Executes dropped EXE
PID:2552 -
C:\Windows\SysWOW64\Mmogmjmn.exeC:\Windows\system32\Mmogmjmn.exe55⤵
- Executes dropped EXE
PID:2700 -
C:\Windows\SysWOW64\Mpmcielb.exeC:\Windows\system32\Mpmcielb.exe56⤵
- Executes dropped EXE
PID:2592 -
C:\Windows\SysWOW64\Mchoid32.exeC:\Windows\system32\Mchoid32.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1096 -
C:\Windows\SysWOW64\Mfglep32.exeC:\Windows\system32\Mfglep32.exe58⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1496 -
C:\Windows\SysWOW64\Mejlalji.exeC:\Windows\system32\Mejlalji.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2820 -
C:\Windows\SysWOW64\Mmadbjkk.exeC:\Windows\system32\Mmadbjkk.exe60⤵
- Executes dropped EXE
PID:1684 -
C:\Windows\SysWOW64\Mkddnf32.exeC:\Windows\system32\Mkddnf32.exe61⤵
- Executes dropped EXE
PID:2072 -
C:\Windows\SysWOW64\Mnbpjb32.exeC:\Windows\system32\Mnbpjb32.exe62⤵
- Executes dropped EXE
PID:2284 -
C:\Windows\SysWOW64\Melifl32.exeC:\Windows\system32\Melifl32.exe63⤵
- Executes dropped EXE
PID:2004 -
C:\Windows\SysWOW64\Mgjebg32.exeC:\Windows\system32\Mgjebg32.exe64⤵
- Executes dropped EXE
PID:2476 -
C:\Windows\SysWOW64\Mpamde32.exeC:\Windows\system32\Mpamde32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1552 -
C:\Windows\SysWOW64\Mndmoaog.exeC:\Windows\system32\Mndmoaog.exe66⤵PID:808
-
C:\Windows\SysWOW64\Macilmnk.exeC:\Windows\system32\Macilmnk.exe67⤵PID:1696
-
C:\Windows\SysWOW64\Mijamjnm.exeC:\Windows\system32\Mijamjnm.exe68⤵PID:3024
-
C:\Windows\SysWOW64\Mjkndb32.exeC:\Windows\system32\Mjkndb32.exe69⤵PID:1740
-
C:\Windows\SysWOW64\Mbbfep32.exeC:\Windows\system32\Mbbfep32.exe70⤵PID:2744
-
C:\Windows\SysWOW64\Maefamlh.exeC:\Windows\system32\Maefamlh.exe71⤵PID:2876
-
C:\Windows\SysWOW64\Meabakda.exeC:\Windows\system32\Meabakda.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2584 -
C:\Windows\SysWOW64\Mhonngce.exeC:\Windows\system32\Mhonngce.exe73⤵PID:772
-
C:\Windows\SysWOW64\Mjnjjbbh.exeC:\Windows\system32\Mjnjjbbh.exe74⤵PID:1488
-
C:\Windows\SysWOW64\Mnifja32.exeC:\Windows\system32\Mnifja32.exe75⤵
- Drops file in System32 directory
PID:348 -
C:\Windows\SysWOW64\Nagbgl32.exeC:\Windows\system32\Nagbgl32.exe76⤵PID:2808
-
C:\Windows\SysWOW64\Necogkbo.exeC:\Windows\system32\Necogkbo.exe77⤵
- Drops file in System32 directory
PID:2952 -
C:\Windows\SysWOW64\Nhakcfab.exeC:\Windows\system32\Nhakcfab.exe78⤵PID:2132
-
C:\Windows\SysWOW64\Nfdkoc32.exeC:\Windows\system32\Nfdkoc32.exe79⤵PID:2544
-
C:\Windows\SysWOW64\Nnkcpq32.exeC:\Windows\system32\Nnkcpq32.exe80⤵PID:1144
-
C:\Windows\SysWOW64\Nmnclmoj.exeC:\Windows\system32\Nmnclmoj.exe81⤵PID:1776
-
C:\Windows\SysWOW64\Npmphinm.exeC:\Windows\system32\Npmphinm.exe82⤵PID:1192
-
C:\Windows\SysWOW64\Ndhlhg32.exeC:\Windows\system32\Ndhlhg32.exe83⤵PID:2056
-
C:\Windows\SysWOW64\Nfghdcfj.exeC:\Windows\system32\Nfghdcfj.exe84⤵
- System Location Discovery: System Language Discovery
PID:3060 -
C:\Windows\SysWOW64\Njbdea32.exeC:\Windows\system32\Njbdea32.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1644 -
C:\Windows\SysWOW64\Nmqpam32.exeC:\Windows\system32\Nmqpam32.exe86⤵PID:2884
-
C:\Windows\SysWOW64\Npolmh32.exeC:\Windows\system32\Npolmh32.exe87⤵PID:2428
-
C:\Windows\SysWOW64\Ndkhngdd.exeC:\Windows\system32\Ndkhngdd.exe88⤵
- Modifies registry class
PID:2640 -
C:\Windows\SysWOW64\Nfidjbdg.exeC:\Windows\system32\Nfidjbdg.exe89⤵
- Modifies registry class
PID:1320 -
C:\Windows\SysWOW64\Nigafnck.exeC:\Windows\system32\Nigafnck.exe90⤵PID:1548
-
C:\Windows\SysWOW64\Nlfmbibo.exeC:\Windows\system32\Nlfmbibo.exe91⤵
- Drops file in System32 directory
PID:2976 -
C:\Windows\SysWOW64\Ndmecgba.exeC:\Windows\system32\Ndmecgba.exe92⤵PID:1988
-
C:\Windows\SysWOW64\Nijnln32.exeC:\Windows\system32\Nijnln32.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1084 -
C:\Windows\SysWOW64\Nlhjhi32.exeC:\Windows\system32\Nlhjhi32.exe94⤵PID:836
-
C:\Windows\SysWOW64\Npdfhhhe.exeC:\Windows\system32\Npdfhhhe.exe95⤵PID:2488
-
C:\Windows\SysWOW64\Nbbbdcgi.exeC:\Windows\system32\Nbbbdcgi.exe96⤵PID:1996
-
C:\Windows\SysWOW64\Nfnneb32.exeC:\Windows\system32\Nfnneb32.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2212 -
C:\Windows\SysWOW64\Neqnqofm.exeC:\Windows\system32\Neqnqofm.exe98⤵PID:2740
-
C:\Windows\SysWOW64\Ohojmjep.exeC:\Windows\system32\Ohojmjep.exe99⤵PID:2632
-
C:\Windows\SysWOW64\Opfbngfb.exeC:\Windows\system32\Opfbngfb.exe100⤵
- Drops file in System32 directory
PID:2508 -
C:\Windows\SysWOW64\Ooicid32.exeC:\Windows\system32\Ooicid32.exe101⤵PID:776
-
C:\Windows\SysWOW64\Oagoep32.exeC:\Windows\system32\Oagoep32.exe102⤵PID:1200
-
C:\Windows\SysWOW64\Oioggmmc.exeC:\Windows\system32\Oioggmmc.exe103⤵PID:2344
-
C:\Windows\SysWOW64\Olmcchlg.exeC:\Windows\system32\Olmcchlg.exe104⤵PID:2988
-
C:\Windows\SysWOW64\Ookpodkj.exeC:\Windows\system32\Ookpodkj.exe105⤵
- System Location Discovery: System Language Discovery
PID:944 -
C:\Windows\SysWOW64\Oajlkojn.exeC:\Windows\system32\Oajlkojn.exe106⤵PID:2932
-
C:\Windows\SysWOW64\Oeehln32.exeC:\Windows\system32\Oeehln32.exe107⤵PID:2000
-
C:\Windows\SysWOW64\Ohcdhi32.exeC:\Windows\system32\Ohcdhi32.exe108⤵PID:3068
-
C:\Windows\SysWOW64\Okbpde32.exeC:\Windows\system32\Okbpde32.exe109⤵PID:2880
-
C:\Windows\SysWOW64\Oalhqohl.exeC:\Windows\system32\Oalhqohl.exe110⤵PID:2760
-
C:\Windows\SysWOW64\Odjdmjgo.exeC:\Windows\system32\Odjdmjgo.exe111⤵
- System Location Discovery: System Language Discovery
PID:2600 -
C:\Windows\SysWOW64\Okdmjdol.exeC:\Windows\system32\Okdmjdol.exe112⤵PID:568
-
C:\Windows\SysWOW64\Opaebkmc.exeC:\Windows\system32\Opaebkmc.exe113⤵
- Drops file in System32 directory
PID:1632 -
C:\Windows\SysWOW64\Ohhmcinf.exeC:\Windows\system32\Ohhmcinf.exe114⤵PID:2780
-
C:\Windows\SysWOW64\Ogknoe32.exeC:\Windows\system32\Ogknoe32.exe115⤵PID:1692
-
C:\Windows\SysWOW64\Oijjka32.exeC:\Windows\system32\Oijjka32.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2176 -
C:\Windows\SysWOW64\Oaqbln32.exeC:\Windows\system32\Oaqbln32.exe117⤵
- Modifies registry class
PID:1376 -
C:\Windows\SysWOW64\Ppcbgkka.exeC:\Windows\system32\Ppcbgkka.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1972 -
C:\Windows\SysWOW64\Pgnjde32.exeC:\Windows\system32\Pgnjde32.exe119⤵PID:2052
-
C:\Windows\SysWOW64\Pkifdd32.exeC:\Windows\system32\Pkifdd32.exe120⤵PID:2596
-
C:\Windows\SysWOW64\Pmgbao32.exeC:\Windows\system32\Pmgbao32.exe121⤵PID:760
-
C:\Windows\SysWOW64\Pljcllqe.exeC:\Windows\system32\Pljcllqe.exe122⤵PID:2020
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-