Analysis
max time kernel: 45s
max time network: 19s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 24-12-2024 23:37
Behavioral task: behavioral1
Sample: 77766e0ec675016b24d3abe8256a33a862836c03c39330e2b19c2a905594a863.exe
Resource: win7-20241010-en
Behavioral task: behavioral2
Sample: 77766e0ec675016b24d3abe8256a33a862836c03c39330e2b19c2a905594a863.exe
Resource: win10v2004-20241007-en
General
Target: 77766e0ec675016b24d3abe8256a33a862836c03c39330e2b19c2a905594a863.exe
Size: 340KB
MD5: ff1e686cd82bbae6375df530fc6bf42c
SHA1: 399dedf4e2c1a111af45df52b74c8a99e433a427
SHA256: 77766e0ec675016b24d3abe8256a33a862836c03c39330e2b19c2a905594a863
SHA512: 725e28f09a1f3b5546c735a5a7c19fe1a84da5f28ba8cc127e89ce7bab212cf3d2934bdf6dec6459b550b7cc17abc775a893bcdd036a36b135803ec0af64f282
SSDEEP: 6144:zs0Q+BSVq+Ju3/fc/UmKyIxLDXXoq9FJZCUmKyIxLjh:zs0Q+B1+F32XXf9Do3i
Malware Config
Extracted
berbew
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Coidpiac.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knldaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qmoone32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jlleni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Odmhjp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clphjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jboanfmm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aeikohgk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhoikfbb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eqhfoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Icadpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kmnnblmj.exe Key created 
\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edokna32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epamlegl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dgclpp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iedmhlqf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ekcmkamj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fmicnhob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ffahgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jkcoee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mpeidjfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ombjpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ajipmocp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web 
Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Afjplj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhhkiq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gfnpek32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogigpllh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjlbld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gbgnpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Njjbjk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofmknifp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fbbfmqdm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Efdohq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hanenoeh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkhhpeka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = 
"{79FAA099-1BAE-816E-D711-115290CEE717}" Okmceiii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fbqkqj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhgbpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Engnno32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efdohq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jndgfqlh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efoobkej.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icadpd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jidppaio.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gigano32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clnkdc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ahomlb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jjcigcmd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddfjak32.exe 
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfmfchfo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lohkhjcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Llbnpm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qcdgei32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Caajmilh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gfcqkafl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kjopnh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nogmkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Apeakonl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbmggp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pmpcoabe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbdmboqk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" 
Mpjboi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fncddc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ibklddof.exe
Berbew family
Executes dropped EXE 64 IoCs
pid  Process
3036 Klocba32.exe
2792 Kalkjh32.exe
2788 Kblhdkgk.exe
2876 Kmeiei32.exe
2676 Modano32.exe
2036 Mnlkdk32.exe
1432 Mjcljlea.exe
2244 Njgeel32.exe
3020 Njjbjk32.exe
2988 Nidhfgpl.exe
3012 Onggom32.exe
2352 Ommdqi32.exe
1488 Pfgeoo32.exe
1328 Peooek32.exe
2212 Adkbgf32.exe
2160 Afngoand.exe
1536 Apglgfde.exe
2456 Bnafjo32.exe
1020 Baakem32.exe
1724 Bjlpjp32.exe
920  Bfcqoqeh.exe
2616 Ckebbgoj.exe
1168 Cbagdq32.exe
332  Dklibf32.exe
2536 Ddfjak32.exe
796  Djcbib32.exe
2908 Dmfhqmge.exe
2960 Epgabhdg.exe
2464 Eheblj32.exe
2692 Eamgeo32.exe
2728 Fncddc32.exe
2648 Fjjeid32.exe
2732 Ffaeneno.exe
2612 Fianpp32.exe
640  Gmhmdc32.exe
2752 Ghnaaljp.exe
2976 Giakoc32.exe
1076 Gidgdcli.exe
1204 Hnapja32.exe
2384 Hemeod32.exe
2348 Hcaehhnd.exe
2548 Hkljljko.exe
2552 Hllffmbb.exe
2172 Hdgkkppm.exe
328  Ibklddof.exe
1380 Idkdfo32.exe
2000 Ifoncgpc.exe
1568 Igojmjgf.exe
2252 Iqgofo32.exe
2580 Jkqpfmje.exe
1428 Jidppaio.exe
2756 Jekaeb32.exe
2060 Jboanfmm.exe
2704 Jbandfkj.exe
2136 Kjopnh32.exe
580  Kcgdgnmc.exe
1260 Kidlodkj.exe
2724 Kigidd32.exe
540  Kfkjnh32.exe
1964 Kpcngnob.exe
316  Kfmfchfo.exe
1528 Lohkhjcj.exe
1532 Laidie32.exe
1084 Lomdcj32.exe
Loads dropped DLL 64 IoCs
pid  Process
2052 77766e0ec675016b24d3abe8256a33a862836c03c39330e2b19c2a905594a863.exe
2052 77766e0ec675016b24d3abe8256a33a862836c03c39330e2b19c2a905594a863.exe
3036 Klocba32.exe
3036 Klocba32.exe
2792 Kalkjh32.exe
2792 Kalkjh32.exe
2788 Kblhdkgk.exe
2788 Kblhdkgk.exe
2876 Kmeiei32.exe
2876 Kmeiei32.exe
2676 Modano32.exe
2676 Modano32.exe
2036 Mnlkdk32.exe
2036 Mnlkdk32.exe
1432 Mjcljlea.exe
1432 Mjcljlea.exe
2244 Njgeel32.exe
2244 Njgeel32.exe
3020 Njjbjk32.exe
3020 Njjbjk32.exe
2988 Nidhfgpl.exe
2988 Nidhfgpl.exe
3012 Onggom32.exe
3012 Onggom32.exe
2352 Ommdqi32.exe
2352 Ommdqi32.exe
1488 Pfgeoo32.exe
1488 Pfgeoo32.exe
1328 Peooek32.exe
1328 Peooek32.exe
2212 Adkbgf32.exe
2212 Adkbgf32.exe
2160 Afngoand.exe
2160 Afngoand.exe
1536 Apglgfde.exe
1536 Apglgfde.exe
2456 Bnafjo32.exe
2456 Bnafjo32.exe
1020 Baakem32.exe
1020 Baakem32.exe
1724 Bjlpjp32.exe
1724 Bjlpjp32.exe
920  Bfcqoqeh.exe
920  Bfcqoqeh.exe
2616 Ckebbgoj.exe
2616 Ckebbgoj.exe
1168 Cbagdq32.exe
1168 Cbagdq32.exe
332  Dklibf32.exe
332  Dklibf32.exe
2536 Ddfjak32.exe
2536 Ddfjak32.exe
796  Djcbib32.exe
796  Djcbib32.exe
2908 Dmfhqmge.exe
2908 Dmfhqmge.exe
2960 Epgabhdg.exe
2960 Epgabhdg.exe
2464 Eheblj32.exe
2464 Eheblj32.exe
2692 Eamgeo32.exe
2692 Eamgeo32.exe
2728 Fncddc32.exe
2728 Fncddc32.exe
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Gacdmc32.dll Fianpp32.exe File opened for modification C:\Windows\SysWOW64\Iqhhin32.exe Iackhb32.exe File created C:\Windows\SysWOW64\Kqncnjan.exe Kmnnblmj.exe File opened for modification C:\Windows\SysWOW64\Kjopnh32.exe Jbandfkj.exe File opened for modification C:\Windows\SysWOW64\Mebpchmb.exe Mkhocj32.exe File created C:\Windows\SysWOW64\Knckbe32.exe Kgffpk32.exe File created C:\Windows\SysWOW64\Afjplj32.exe Qgeckn32.exe File created C:\Windows\SysWOW64\Gpknjp32.exe Gbgnpl32.exe File created C:\Windows\SysWOW64\Cfhfld32.dll Kgkokjjd.exe File created C:\Windows\SysWOW64\Mojmbg32.exe Lldkem32.exe File created C:\Windows\SysWOW64\Klhniing.dll Caajmilh.exe File opened for modification C:\Windows\SysWOW64\Dopfpkng.exe Dciekjhc.exe File created C:\Windows\SysWOW64\Mainpc32.dll Eheblj32.exe File created C:\Windows\SysWOW64\Hobfgcdb.exe Hanenoeh.exe File created C:\Windows\SysWOW64\Lmgaikep.exe Lpcppgff.exe File opened for modification C:\Windows\SysWOW64\Lmgaikep.exe Lpcppgff.exe File created C:\Windows\SysWOW64\Dhkbak32.dll Lphjkfbq.exe File opened for modification C:\Windows\SysWOW64\Mpjboi32.exe Medobp32.exe File created C:\Windows\SysWOW64\Lomdcj32.exe Laidie32.exe File created C:\Windows\SysWOW64\Bgablmfa.exe Bmhncg32.exe File opened for modification C:\Windows\SysWOW64\Cdooongp.exe Ckgkfi32.exe File opened for modification C:\Windows\SysWOW64\Pnminkof.exe Oeeeeehe.exe File created C:\Windows\SysWOW64\Panboflg.exe Pgfnfq32.exe File opened for modification C:\Windows\SysWOW64\Eqhfoj32.exe Egobfdpi.exe File created C:\Windows\SysWOW64\Epgklj32.dll Ojojmfed.exe File opened for modification C:\Windows\SysWOW64\Fmicnhob.exe Fjhjlm32.exe File created C:\Windows\SysWOW64\Hpaenf32.dll Afgmldhe.exe File opened for modification C:\Windows\SysWOW64\Kbdmboqk.exe Jkhhpeka.exe File created C:\Windows\SysWOW64\Cdmekohf.dll Bpomdmqa.exe File opened for modification C:\Windows\SysWOW64\Peooek32.exe Pfgeoo32.exe File created 
C:\Windows\SysWOW64\Hfjbkm32.dll Bjlpjp32.exe File created C:\Windows\SysWOW64\Qegnii32.exe Qloiqcbn.exe File created C:\Windows\SysWOW64\Kmbjko32.dll Cnpknl32.exe File created C:\Windows\SysWOW64\Ogigpllh.exe Oggkklnk.exe File created C:\Windows\SysWOW64\Ppdpkopc.dll Fibqhibd.exe File created C:\Windows\SysWOW64\Pgfnfq32.exe Pnminkof.exe File opened for modification C:\Windows\SysWOW64\Knckbe32.exe Kgffpk32.exe File created C:\Windows\SysWOW64\Oggkklnk.exe Nnofbg32.exe File created C:\Windows\SysWOW64\Ngikaijm.exe Mclbkjcf.exe File created C:\Windows\SysWOW64\Mfgpckkm.dll Bpdnjb32.exe File opened for modification C:\Windows\SysWOW64\Clnkdc32.exe Bgablmfa.exe File created C:\Windows\SysWOW64\Jndgfqlh.exe Jkcoee32.exe File opened for modification C:\Windows\SysWOW64\Ajkokgia.exe Agkfil32.exe File created C:\Windows\SysWOW64\Fibqhibd.exe Ffahgn32.exe File created C:\Windows\SysWOW64\Medobp32.exe Mmijmn32.exe File created C:\Windows\SysWOW64\Pgdcjjom.exe Okmceiii.exe File opened for modification C:\Windows\SysWOW64\Djhnmj32.exe Dcofqphi.exe File opened for modification C:\Windows\SysWOW64\Ghcmedmo.exe Gfcqkafl.exe File created C:\Windows\SysWOW64\Heohnaao.dll Hemeod32.exe File created C:\Windows\SysWOW64\Jjdion32.dll Pjkpckob.exe File opened for modification C:\Windows\SysWOW64\Mmojcceo.exe Mojmbg32.exe File created C:\Windows\SysWOW64\Indkgm32.exe Iaknmm32.exe File created C:\Windows\SysWOW64\Boqjdl32.dll Mpeidjfo.exe File created C:\Windows\SysWOW64\Gqhkqk32.dll Hgnjlfam.exe File opened for modification C:\Windows\SysWOW64\Poplqm32.exe Pmpcoabe.exe File created C:\Windows\SysWOW64\Bhdpjaga.exe Anjnllbd.exe File created C:\Windows\SysWOW64\Pjddeg32.dll Feiamj32.exe File created C:\Windows\SysWOW64\Bnbgab32.dll Fallil32.exe File opened for modification C:\Windows\SysWOW64\Bmcnmapk.exe Bpomdmqa.exe File created C:\Windows\SysWOW64\Cmieca32.dll Gfnpek32.exe File opened for modification C:\Windows\SysWOW64\Obpbhk32.exe Ombjpd32.exe File opened for modification 
C:\Windows\SysWOW64\Cnpknl32.exe Ckoblapc.exe File opened for modification C:\Windows\SysWOW64\Pkglenej.exe Poplqm32.exe File opened for modification C:\Windows\SysWOW64\Bgablmfa.exe Bmhncg32.exe
Program crash 1 IoCs
pid  pid_target Process      procid_target
3904 3952       WerFault.exe 337
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eheblj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aagadh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odmhjp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chghodgj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpqoofhg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iaknmm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dindme32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dajiag32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Miphjf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iegaha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckgkfi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmfhqmge.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhgbpb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfnnmboa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gonlld32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Poplqm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acdcdm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ecdhonoc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocjfgo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmgpjgph.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajipmocp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lldkem32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dciekjhc.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fncddc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okhgaqfj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gboolneo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcaehhnd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkqpfmje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jboanfmm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knnagehi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgkokjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jchjqc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lomdcj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfmgmm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkfdlclg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljlhme32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dafchi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnidchqp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnofbg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpeidjfo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmhmdc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghnaaljp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilcfjkgj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfgeoo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ombjpd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gajlcp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Hobfgcdb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apeakonl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejeglg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nidhfgpl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjlpjp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofmknifp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nimaic32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Caajmilh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhjdpgic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgdcjjom.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcmadj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbqkqj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knldaf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fibqhibd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmlcbafa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnphlc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhfcnb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfmfchfo.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eijhke32.dll" Dmfhqmge.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Eamgeo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Napfihmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oggkklnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cnpknl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jaopfl32.dll" Poplqm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojmkof32.dll" Kqncnjan.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Coidpiac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kiolio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Peooek32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Indkgm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qloiqcbn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ 
= "C:\\Windows\\SysWow64\\Doelpf32.dll" Gboolneo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mbkladpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Afgmldhe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Okkfoikl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkgkop32.dll" Bnafjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaaicjed.dll" Idkdfo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hanenoeh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Poplqm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Epamlegl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Knckbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egbkjc32.dll" Bdkpob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hpqoofhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Baakem32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kigidd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Obpbhk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pmecdgbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gfnpek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqhkqk32.dll" Hgnjlfam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gpdhiaoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqfppfnc.dll" Nibcgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdmekohf.dll" Bpomdmqa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bhmonoli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kigidd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oeeeeehe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pkglenej.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hlgodgnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kjopnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blocad32.dll" Ajipmocp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nnofbg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 77766e0ec675016b24d3abe8256a33a862836c03c39330e2b19c2a905594a863.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ckoblapc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fjnkac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Anigaeoh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Llbnpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hpnbjfjj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aapkdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kbdmboqk.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mkhocj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bbpdmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcognhco.dll" Fbbfmqdm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hobfgcdb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pnebgcqb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njmlqd32.dll" Onggom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iaknmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bhoikfbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ioebelhe.dll" Dfhial32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jlleni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ocjfgo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Okhgaqfj.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkmddm32.dll" Gigano32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mmojcceo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hljegpof.dll" Cdooongp.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2052 wrote to memory of 3036 2052 77766e0ec675016b24d3abe8256a33a862836c03c39330e2b19c2a905594a863.exe 29 PID 2052 wrote to memory of 3036 2052 77766e0ec675016b24d3abe8256a33a862836c03c39330e2b19c2a905594a863.exe 29 PID 2052 wrote to memory of 3036 2052 77766e0ec675016b24d3abe8256a33a862836c03c39330e2b19c2a905594a863.exe 29 PID 2052 wrote to memory of 3036 2052 77766e0ec675016b24d3abe8256a33a862836c03c39330e2b19c2a905594a863.exe 29 PID 3036 wrote to memory of 2792 3036 Klocba32.exe 30 PID 3036 wrote to memory of 2792 3036 Klocba32.exe 30 PID 3036 wrote to memory of 2792 3036 Klocba32.exe 30 PID 3036 wrote to memory of 2792 3036 Klocba32.exe 30 PID 2792 wrote to memory of 2788 2792 Kalkjh32.exe 31 PID 2792 wrote to memory of 2788 2792 Kalkjh32.exe 31 PID 2792 wrote to memory of 2788 2792 Kalkjh32.exe 31 PID 2792 wrote to memory of 2788 2792 Kalkjh32.exe 31 PID 2788 wrote to memory of 2876 2788 Kblhdkgk.exe 32 PID 2788 wrote to memory of 2876 2788 Kblhdkgk.exe 32 PID 2788 wrote to memory of 2876 2788 Kblhdkgk.exe 32 PID 2788 wrote to memory of 2876 2788 Kblhdkgk.exe 32 PID 2876 wrote to memory of 2676 2876 Kmeiei32.exe 33 PID 2876 wrote to memory of 2676 2876 Kmeiei32.exe 33 PID 2876 wrote to memory of 2676 2876 Kmeiei32.exe 33 PID 2876 wrote to memory of 2676 2876 Kmeiei32.exe 33 PID 2676 wrote to memory of 2036 2676 Modano32.exe 34 PID 2676 wrote to memory of 2036 2676 Modano32.exe 34 PID 2676 wrote to memory of 2036 2676 Modano32.exe 34 PID 2676 wrote to memory of 2036 2676 Modano32.exe 34 PID 2036 wrote to memory of 1432 2036 Mnlkdk32.exe 35 PID 2036 wrote to memory of 1432 2036 Mnlkdk32.exe 35 PID 2036 wrote to memory of 1432 2036 Mnlkdk32.exe 35 PID 2036 wrote to memory of 1432 2036 Mnlkdk32.exe 35 PID 1432 wrote to memory of 2244 1432 Mjcljlea.exe 36 PID 1432 wrote to memory of 2244 1432 Mjcljlea.exe 36 PID 1432 wrote to memory of 2244 1432 Mjcljlea.exe 36 PID 1432 wrote to memory of 2244 1432 Mjcljlea.exe 36 PID 2244 
wrote to memory of 3020 2244 Njgeel32.exe 37 PID 2244 wrote to memory of 3020 2244 Njgeel32.exe 37 PID 2244 wrote to memory of 3020 2244 Njgeel32.exe 37 PID 2244 wrote to memory of 3020 2244 Njgeel32.exe 37 PID 3020 wrote to memory of 2988 3020 Njjbjk32.exe 38 PID 3020 wrote to memory of 2988 3020 Njjbjk32.exe 38 PID 3020 wrote to memory of 2988 3020 Njjbjk32.exe 38 PID 3020 wrote to memory of 2988 3020 Njjbjk32.exe 38 PID 2988 wrote to memory of 3012 2988 Nidhfgpl.exe 39 PID 2988 wrote to memory of 3012 2988 Nidhfgpl.exe 39 PID 2988 wrote to memory of 3012 2988 Nidhfgpl.exe 39 PID 2988 wrote to memory of 3012 2988 Nidhfgpl.exe 39 PID 3012 wrote to memory of 2352 3012 Onggom32.exe 40 PID 3012 wrote to memory of 2352 3012 Onggom32.exe 40 PID 3012 wrote to memory of 2352 3012 Onggom32.exe 40 PID 3012 wrote to memory of 2352 3012 Onggom32.exe 40 PID 2352 wrote to memory of 1488 2352 Ommdqi32.exe 41 PID 2352 wrote to memory of 1488 2352 Ommdqi32.exe 41 PID 2352 wrote to memory of 1488 2352 Ommdqi32.exe 41 PID 2352 wrote to memory of 1488 2352 Ommdqi32.exe 41 PID 1488 wrote to memory of 1328 1488 Pfgeoo32.exe 42 PID 1488 wrote to memory of 1328 1488 Pfgeoo32.exe 42 PID 1488 wrote to memory of 1328 1488 Pfgeoo32.exe 42 PID 1488 wrote to memory of 1328 1488 Pfgeoo32.exe 42 PID 1328 wrote to memory of 2212 1328 Peooek32.exe 43 PID 1328 wrote to memory of 2212 1328 Peooek32.exe 43 PID 1328 wrote to memory of 2212 1328 Peooek32.exe 43 PID 1328 wrote to memory of 2212 1328 Peooek32.exe 43 PID 2212 wrote to memory of 2160 2212 Adkbgf32.exe 44 PID 2212 wrote to memory of 2160 2212 Adkbgf32.exe 44 PID 2212 wrote to memory of 2160 2212 Adkbgf32.exe 44 PID 2212 wrote to memory of 2160 2212 Adkbgf32.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\77766e0ec675016b24d3abe8256a33a862836c03c39330e2b19c2a905594a863.exe (command line: "C:\Users\Admin\AppData\Local\Temp\77766e0ec675016b24d3abe8256a33a862836c03c39330e2b19c2a905594a863.exe"; level 1; PID 2052)
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Klocba32.exe (command line: C:\Windows\system32\Klocba32.exe; level 2; PID 3036)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Kalkjh32.exe (command line: C:\Windows\system32\Kalkjh32.exe; level 3; PID 2792)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Kblhdkgk.exe (command line: C:\Windows\system32\Kblhdkgk.exe; level 4; PID 2788)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Kmeiei32.exe (command line: C:\Windows\system32\Kmeiei32.exe; level 5; PID 2876)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Modano32.exe (command line: C:\Windows\system32\Modano32.exe; level 6; PID 2676)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Mnlkdk32.exe (command line: C:\Windows\system32\Mnlkdk32.exe; level 7; PID 2036)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Mjcljlea.exe (command line: C:\Windows\system32\Mjcljlea.exe; level 8; PID 1432)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Njgeel32.exe (command line: C:\Windows\system32\Njgeel32.exe; level 9; PID 2244)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Njjbjk32.exe (command line: C:\Windows\system32\Njjbjk32.exe; level 10; PID 3020)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Nidhfgpl.exe (command line: C:\Windows\system32\Nidhfgpl.exe; level 11; PID 2988)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Onggom32.exe (command line: C:\Windows\system32\Onggom32.exe; level 12; PID 3012)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Ommdqi32.exe (command line: C:\Windows\system32\Ommdqi32.exe; level 13; PID 2352)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Pfgeoo32.exe (command line: C:\Windows\system32\Pfgeoo32.exe; level 14; PID 1488)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Peooek32.exe (command line: C:\Windows\system32\Peooek32.exe; level 15; PID 1328)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Adkbgf32.exe (command line: C:\Windows\system32\Adkbgf32.exe; level 16; PID 2212)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
C:\Windows\SysWOW64\Afngoand.exe (command line: C:\Windows\system32\Afngoand.exe; level 17; PID 2160)
- Executes dropped EXE
- Loads dropped DLL
C:\Windows\SysWOW64\Apglgfde.exe (command line: C:\Windows\system32\Apglgfde.exe; level 18; PID 1536)
- Executes dropped EXE
- Loads dropped DLL
C:\Windows\SysWOW64\Bnafjo32.exe (command line: C:\Windows\system32\Bnafjo32.exe; level 19; PID 2456)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
C:\Windows\SysWOW64\Baakem32.exe (command line: C:\Windows\system32\Baakem32.exe; level 20; PID 1020)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
C:\Windows\SysWOW64\Bjlpjp32.exe (command line: C:\Windows\system32\Bjlpjp32.exe; level 21; PID 1724)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
C:\Windows\SysWOW64\Bfcqoqeh.exe (command line: C:\Windows\system32\Bfcqoqeh.exe; level 22; PID 920)
- Executes dropped EXE
- Loads dropped DLL
C:\Windows\SysWOW64\Ckebbgoj.exe (command line: C:\Windows\system32\Ckebbgoj.exe; level 23; PID 2616)
- Executes dropped EXE
- Loads dropped DLL
C:\Windows\SysWOW64\Cbagdq32.exe (command line: C:\Windows\system32\Cbagdq32.exe; level 24; PID 1168)
- Executes dropped EXE
- Loads dropped DLL
C:\Windows\SysWOW64\Dklibf32.exe (command line: C:\Windows\system32\Dklibf32.exe; level 25; PID 332)
- Executes dropped EXE
- Loads dropped DLL
C:\Windows\SysWOW64\Ddfjak32.exe (command line: C:\Windows\system32\Ddfjak32.exe; level 26; PID 2536)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
C:\Windows\SysWOW64\Djcbib32.exe (command line: C:\Windows\system32\Djcbib32.exe; level 27; PID 796)
- Executes dropped EXE
- Loads dropped DLL
C:\Windows\SysWOW64\Dmfhqmge.exe (command line: C:\Windows\system32\Dmfhqmge.exe; level 28; PID 2908)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
C:\Windows\SysWOW64\Epgabhdg.exe (command line: C:\Windows\system32\Epgabhdg.exe; level 29; PID 2960)
- Executes dropped EXE
- Loads dropped DLL
C:\Windows\SysWOW64\Eheblj32.exe (command line: C:\Windows\system32\Eheblj32.exe; level 30; PID 2464)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
C:\Windows\SysWOW64\Eamgeo32.exe (command line: C:\Windows\system32\Eamgeo32.exe; level 31; PID 2692)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
C:\Windows\SysWOW64\Fncddc32.exe (command line: C:\Windows\system32\Fncddc32.exe; level 32; PID 2728)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
C:\Windows\SysWOW64\Fjjeid32.exe (command line: C:\Windows\system32\Fjjeid32.exe; level 33; PID 2648)
- Executes dropped EXE
C:\Windows\SysWOW64\Ffaeneno.exe (command line: C:\Windows\system32\Ffaeneno.exe; level 34; PID 2732)
- Executes dropped EXE
C:\Windows\SysWOW64\Fianpp32.exe (command line: C:\Windows\system32\Fianpp32.exe; level 35; PID 2612)
- Executes dropped EXE
- Drops file in System32 directory
C:\Windows\SysWOW64\Gmhmdc32.exe (command line: C:\Windows\system32\Gmhmdc32.exe; level 36; PID 640)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
C:\Windows\SysWOW64\Ghnaaljp.exe (command line: C:\Windows\system32\Ghnaaljp.exe; level 37; PID 2752)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
C:\Windows\SysWOW64\Giakoc32.exe (command line: C:\Windows\system32\Giakoc32.exe; level 38; PID 2976)
- Executes dropped EXE
C:\Windows\SysWOW64\Gidgdcli.exe (command line: C:\Windows\system32\Gidgdcli.exe; level 39; PID 1076)
- Executes dropped EXE
C:\Windows\SysWOW64\Hnapja32.exe (command line: C:\Windows\system32\Hnapja32.exe; level 40; PID 1204)
- Executes dropped EXE
C:\Windows\SysWOW64\Hemeod32.exe (command line: C:\Windows\system32\Hemeod32.exe; level 41; PID 2384)
- Executes dropped EXE
- Drops file in System32 directory
C:\Windows\SysWOW64\Hcaehhnd.exe (command line: C:\Windows\system32\Hcaehhnd.exe; level 42; PID 2348)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
C:\Windows\SysWOW64\Hkljljko.exe (command line: C:\Windows\system32\Hkljljko.exe; level 43; PID 2548)
- Executes dropped EXE
C:\Windows\SysWOW64\Hllffmbb.exe (command line: C:\Windows\system32\Hllffmbb.exe; level 44; PID 2552)
- Executes dropped EXE
C:\Windows\SysWOW64\Hdgkkppm.exe (command line: C:\Windows\system32\Hdgkkppm.exe; level 45; PID 2172)
- Executes dropped EXE
C:\Windows\SysWOW64\Ibklddof.exe (command line: C:\Windows\system32\Ibklddof.exe; level 46; PID 328)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
C:\Windows\SysWOW64\Idkdfo32.exe (command line: C:\Windows\system32\Idkdfo32.exe; level 47; PID 1380)
- Executes dropped EXE
- Modifies registry class
C:\Windows\SysWOW64\Ifoncgpc.exe (command line: C:\Windows\system32\Ifoncgpc.exe; level 48; PID 2000)
- Executes dropped EXE
C:\Windows\SysWOW64\Igojmjgf.exe (command line: C:\Windows\system32\Igojmjgf.exe; level 49; PID 1568)
- Executes dropped EXE
C:\Windows\SysWOW64\Iqgofo32.exe (command line: C:\Windows\system32\Iqgofo32.exe; level 50; PID 2252)
- Executes dropped EXE
C:\Windows\SysWOW64\Jkqpfmje.exe (command line: C:\Windows\system32\Jkqpfmje.exe; level 51; PID 2580)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
C:\Windows\SysWOW64\Jidppaio.exe (command line: C:\Windows\system32\Jidppaio.exe; level 52; PID 1428)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
C:\Windows\SysWOW64\Jekaeb32.exe (command line: C:\Windows\system32\Jekaeb32.exe; level 53; PID 2756)
- Executes dropped EXE
C:\Windows\SysWOW64\Jboanfmm.exe (command line: C:\Windows\system32\Jboanfmm.exe; level 54; PID 2060)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
C:\Windows\SysWOW64\Jbandfkj.exe (command line: C:\Windows\system32\Jbandfkj.exe; level 55; PID 2704)
- Executes dropped EXE
- Drops file in System32 directory
C:\Windows\SysWOW64\Kjopnh32.exe (command line: C:\Windows\system32\Kjopnh32.exe; level 56; PID 2136)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
C:\Windows\SysWOW64\Kcgdgnmc.exe (command line: C:\Windows\system32\Kcgdgnmc.exe; level 57; PID 580)
- Executes dropped EXE
C:\Windows\SysWOW64\Kidlodkj.exe (command line: C:\Windows\system32\Kidlodkj.exe; level 58; PID 1260)
- Executes dropped EXE
C:\Windows\SysWOW64\Kigidd32.exe (command line: C:\Windows\system32\Kigidd32.exe; level 59; PID 2724)
- Executes dropped EXE
- Modifies registry class
C:\Windows\SysWOW64\Kfkjnh32.exe (command line: C:\Windows\system32\Kfkjnh32.exe; level 60; PID 540)
- Executes dropped EXE
C:\Windows\SysWOW64\Kpcngnob.exe (command line: C:\Windows\system32\Kpcngnob.exe; level 61; PID 1964)
- Executes dropped EXE
C:\Windows\SysWOW64\Kfmfchfo.exe (command line: C:\Windows\system32\Kfmfchfo.exe; level 62; PID 316)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
C:\Windows\SysWOW64\Lohkhjcj.exe (command line: C:\Windows\system32\Lohkhjcj.exe; level 63; PID 1528)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
C:\Windows\SysWOW64\Laidie32.exe (command line: C:\Windows\system32\Laidie32.exe; level 64; PID 1532)
- Executes dropped EXE
- Drops file in System32 directory
C:\Windows\SysWOW64\Lomdcj32.exe (command line: C:\Windows\system32\Lomdcj32.exe; level 65; PID 1084)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
C:\Windows\SysWOW64\Lghigl32.exe (command line: C:\Windows\system32\Lghigl32.exe; level 66; PID 3064)
C:\Windows\SysWOW64\Lkfbmj32.exe (command line: C:\Windows\system32\Lkfbmj32.exe; level 67; PID 440)
C:\Windows\SysWOW64\Lmdnjf32.exe (command line: C:\Windows\system32\Lmdnjf32.exe; level 68; PID 2012)
C:\Windows\SysWOW64\Mkhocj32.exe (command line: C:\Windows\system32\Mkhocj32.exe; level 69; PID 1692)
- Drops file in System32 directory
- Modifies registry class
C:\Windows\SysWOW64\Mebpchmb.exe (command line: C:\Windows\system32\Mebpchmb.exe; level 70; PID 1592)
C:\Windows\SysWOW64\Mpgdaqmh.exe (command line: C:\Windows\system32\Mpgdaqmh.exe; level 71; PID 1604)
C:\Windows\SysWOW64\Miphjf32.exe (command line: C:\Windows\system32\Miphjf32.exe; level 72; PID 2812)
- System Location Discovery: System Language Discovery
C:\Windows\SysWOW64\Mlqakaqi.exe (command line: C:\Windows\system32\Mlqakaqi.exe; level 73; PID 2780)
C:\Windows\SysWOW64\Mhgbpb32.exe (command line: C:\Windows\system32\Mhgbpb32.exe; level 74; PID 1660)
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
C:\Windows\SysWOW64\Napfihmn.exe (command line: C:\Windows\system32\Napfihmn.exe; level 75; PID 2736)
- Modifies registry class
C:\Windows\SysWOW64\Npecjdaf.exe (command line: C:\Windows\system32\Npecjdaf.exe; level 76; PID 2620)
C:\Windows\SysWOW64\Nnidchqp.exe (command line: C:\Windows\system32\Nnidchqp.exe; level 77; PID 1564)
- System Location Discovery: System Language Discovery
C:\Windows\SysWOW64\Ngahmngp.exe (command line: C:\Windows\system32\Ngahmngp.exe; level 78; PID 3028)
C:\Windows\SysWOW64\Ndeifbfj.exe (command line: C:\Windows\system32\Ndeifbfj.exe; level 79; PID 2468)
C:\Windows\SysWOW64\Ocjfgo32.exe (command line: C:\Windows\system32\Ocjfgo32.exe; level 80; PID 2056)
- System Location Discovery: System Language Discovery
- Modifies registry class
C:\Windows\SysWOW64\Ombjpd32.exe (command line: C:\Windows\system32\Ombjpd32.exe; level 81; PID 1212)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
C:\Windows\SysWOW64\Obpbhk32.exe (command line: C:\Windows\system32\Obpbhk32.exe; level 82; PID 2152)
- Modifies registry class
C:\Windows\SysWOW64\Okhgaqfj.exe (command line: C:\Windows\system32\Okhgaqfj.exe; level 83; PID 2068)
- System Location Discovery: System Language Discovery
- Modifies registry class
C:\Windows\SysWOW64\Ofmknifp.exe (command line: C:\Windows\system32\Ofmknifp.exe; level 84; PID 2624)
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
C:\Windows\SysWOW64\Ofphdi32.exe (command line: C:\Windows\system32\Ofphdi32.exe; level 85; PID 1784)
C:\Windows\SysWOW64\Oeeeeehe.exe (command line: C:\Windows\system32\Oeeeeehe.exe; level 86; PID 2280)
- Drops file in System32 directory
- Modifies registry class
C:\Windows\SysWOW64\Pnminkof.exe (command line: C:\Windows\system32\Pnminkof.exe; level 87; PID 1108)
- Drops file in System32 directory
C:\Windows\SysWOW64\Pgfnfq32.exe (command line: C:\Windows\system32\Pgfnfq32.exe; level 88; PID 1980)
- Drops file in System32 directory
C:\Windows\SysWOW64\Panboflg.exe (command line: C:\Windows\system32\Panboflg.exe; level 89; PID 2768)
C:\Windows\SysWOW64\Pmecdgbk.exe (command line: C:\Windows\system32\Pmecdgbk.exe; level 90; PID 2884)
- Modifies registry class
C:\Windows\SysWOW64\Pfmgmm32.exe (command line: C:\Windows\system32\Pfmgmm32.exe; level 91; PID 2492)
- System Location Discovery: System Language Discovery
C:\Windows\SysWOW64\Pmgpjgph.exe (command line: C:\Windows\system32\Pmgpjgph.exe; level 92; PID 1340)
- System Location Discovery: System Language Discovery
C:\Windows\SysWOW64\Pjkpckob.exe (command line: C:\Windows\system32\Pjkpckob.exe; level 93; PID 1732)
- Drops file in System32 directory
C:\Windows\SysWOW64\Pphilb32.exe (command line: C:\Windows\system32\Pphilb32.exe; level 94; PID 3032)
C:\Windows\SysWOW64\Qeeadi32.exe (command line: C:\Windows\system32\Qeeadi32.exe; level 95; PID 976)
C:\Windows\SysWOW64\Qloiqcbn.exe (command line: C:\Windows\system32\Qloiqcbn.exe; level 96; PID 2100)
- Drops file in System32 directory
- Modifies registry class
C:\Windows\SysWOW64\Qegnii32.exe (command line: C:\Windows\system32\Qegnii32.exe; level 97; PID 2344)
C:\Windows\SysWOW64\Aeikohgk.exe (command line: C:\Windows\system32\Aeikohgk.exe; level 98; PID 2564)
- Adds autorun key to be loaded by Explorer.exe on startup
C:\Windows\SysWOW64\Aapkdi32.exe (command line: C:\Windows\system32\Aapkdi32.exe; level 99; PID 1688)
- Modifies registry class
C:\Windows\SysWOW64\Ajipmocp.exe (command line: C:\Windows\system32\Ajipmocp.exe; level 100; PID 960)
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
C:\Windows\SysWOW64\Afoqbpid.exe (command line: C:\Windows\system32\Afoqbpid.exe; level 101; PID 2004)
C:\Windows\SysWOW64\Ahomlb32.exe (command line: C:\Windows\system32\Ahomlb32.exe; level 102; PID 1704)
- Adds autorun key to be loaded by Explorer.exe on startup
C:\Windows\SysWOW64\Aagadh32.exe (command line: C:\Windows\system32\Aagadh32.exe; level 103; PID 2804)
- System Location Discovery: System Language Discovery
C:\Windows\SysWOW64\Bffgbo32.exe (command line: C:\Windows\system32\Bffgbo32.exe; level 104; PID 2824)
C:\Windows\SysWOW64\Bbmggp32.exe (command line: C:\Windows\system32\Bbmggp32.exe; level 105; PID 2828)
- Adds autorun key to be loaded by Explorer.exe on startup
C:\Windows\SysWOW64\Belcck32.exe (command line: C:\Windows\system32\Belcck32.exe; level 106; PID 952)
C:\Windows\SysWOW64\Bbpdmp32.exe (command line: C:\Windows\system32\Bbpdmp32.exe; level 107; PID 2628)
- Modifies registry class
C:\Windows\SysWOW64\Bcbabodk.exe (command line: C:\Windows\system32\Bcbabodk.exe; level 108; PID 924)
C:\Windows\SysWOW64\Bhoikfbb.exe (command line: C:\Windows\system32\Bhoikfbb.exe; level 109; PID 2424)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
C:\Windows\SysWOW64\Bagncl32.exe (command line: C:\Windows\system32\Bagncl32.exe; level 110; PID 2168)
C:\Windows\SysWOW64\Ckoblapc.exe (command line: C:\Windows\system32\Ckoblapc.exe; level 111; PID 2376)
- Drops file in System32 directory
- Modifies registry class
C:\Windows\SysWOW64\Cnpknl32.exe (command line: C:\Windows\system32\Cnpknl32.exe; level 112; PID 2164)
- Drops file in System32 directory
- Modifies registry class
C:\Windows\SysWOW64\Dkfdlclg.exe (command line: C:\Windows\system32\Dkfdlclg.exe; level 113; PID 928)
- System Location Discovery: System Language Discovery
C:\Windows\SysWOW64\Dqcmdjjo.exe (command line: C:\Windows\system32\Dqcmdjjo.exe; level 114; PID 1712)
C:\Windows\SysWOW64\Engnno32.exe (command line: C:\Windows\system32\Engnno32.exe; level 115; PID 2240)
- Adds autorun key to be loaded by Explorer.exe on startup
C:\Windows\SysWOW64\Egobfdpi.exe (command line: C:\Windows\system32\Egobfdpi.exe; level 116; PID 2600)
- Drops file in System32 directory
C:\Windows\SysWOW64\Eqhfoj32.exe (command line: C:\Windows\system32\Eqhfoj32.exe; level 117; PID 2808)
- Adds autorun key to be loaded by Explorer.exe on startup
C:\Windows\SysWOW64\Efdohq32.exe (command line: C:\Windows\system32\Efdohq32.exe; level 118; PID 2848)
- Adds autorun key to be loaded by Explorer.exe on startup
C:\Windows\SysWOW64\Efglmpbn.exe (command line: C:\Windows\system32\Efglmpbn.exe; level 119; PID 2696)
C:\Windows\SysWOW64\Ekcdegqe.exe (command line: C:\Windows\system32\Ekcdegqe.exe; level 120; PID 584)
C:\Windows\SysWOW64\Epamlegl.exe (command line: C:\Windows\system32\Epamlegl.exe; level 121; PID 2984)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
C:\Windows\SysWOW64\Fenedlec.exe (command line: C:\Windows\system32\Fenedlec.exe; level 122; PID 2108)