Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
24-12-2024 20:27
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
23d950c59ea1421dcb7063384c4d5d744ed1ad58b43f0ebfdbe72a32e443d7cb.exe
Resource
win7-20240903-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral2
Sample
23d950c59ea1421dcb7063384c4d5d744ed1ad58b43f0ebfdbe72a32e443d7cb.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
23d950c59ea1421dcb7063384c4d5d744ed1ad58b43f0ebfdbe72a32e443d7cb.exe
-
Size
74KB
-
MD5
80ff926a6dc1bb9716b83f94f277a38b
-
SHA1
ffd9e064a1e46d703124b15f6e1129fbcaf11da6
-
SHA256
23d950c59ea1421dcb7063384c4d5d744ed1ad58b43f0ebfdbe72a32e443d7cb
-
SHA512
2dd5ed649c99265328676f187e530b5caa67e2a35b865f817ca1b8bb225dd8e05a4b0097832c98fe364741e841831a630e12ab69d4485d3cfa64ce0910a75871
-
SSDEEP
1536:Lkjr8PaRihzw2T4HOuLabwxJfqr5Q7yYLnjKECrHp54+W92MTpl:4jrQmNOu+bUiYNiUZ9vTpl
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgjnhaco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Akabgebj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cagienkb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlckbh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgffhkoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cpmjhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bhjlli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bgllgedi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klpdaf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdbdqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qdlggg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mqbbagjo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Offmipej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pafdjmkq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkjdndjo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clojhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aggiigmn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Inhanl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbafdlod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bjebdfnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fcbecl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ndkhngdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oopijc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pciddedl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Imokehhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nenkqi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agjobffl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mbhlek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mqnifg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nameek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ojmpooah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cnfqccna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jlckbh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amohfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lkgngb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdklfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kncaojfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kcecbq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bdqlajbb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bqgmfkhg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfkpknkq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnofjfhk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbjojh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jmhnkfpa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgoime32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mbcoio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Objaha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Agolnbok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cocphf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohhmcinf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iafnjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jpgjgboe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jampjian.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Knhjjj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcjlnpmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Caifjn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lneaqn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cbepdhgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eeaepd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kpdjaecc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okpcoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fqdiga32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhomkcoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dahifbpk.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2392 Jgdfdbhk.exe 1740 Jjbbpmgo.exe 2208 Jplkmgol.exe 2760 Jckgicnp.exe 2736 Jkbojpna.exe 2688 Jlckbh32.exe 1168 Kdjccf32.exe 816 Kfkpknkq.exe 2344 Knbhlkkc.exe 2848 Klehgh32.exe 1012 Kcopdb32.exe 1984 Khlili32.exe 2904 Klhemhpk.exe 3040 Kcamjb32.exe 2372 Kfpifm32.exe 2188 Kljabgnh.exe 280 Kohnoc32.exe 3000 Kfbfkmeh.exe 1324 Khabghdl.exe 308 Kllnhg32.exe 1700 Kokjdb32.exe 1380 Knnkpobc.exe 1932 Kdhcli32.exe 3020 Lkakicam.exe 2132 Lnpgeopa.exe 1076 Lqncaj32.exe 2380 Lhelbh32.exe 2204 Lghlndfa.exe 2448 Lqqpgj32.exe 2844 Lkfddc32.exe 2636 Lneaqn32.exe 2620 Lcaiiejc.exe 2612 Lfpeeqig.exe 1828 Lqejbiim.exe 1964 Lcdfnehp.exe 1500 Liqoflfh.exe 600 Lokgcf32.exe 1952 Lokgcf32.exe 2436 Mjpkqonj.exe 2936 Micklk32.exe 2928 Mkaghg32.exe 1852 Mfglep32.exe 2696 Mmadbjkk.exe 1596 Mpopnejo.exe 1260 Mfihkoal.exe 1720 Mpamde32.exe 2252 Mbpipp32.exe 2068 Macilmnk.exe 2292 Meoell32.exe 1724 Mlhnifmq.exe 2384 Mngjeamd.exe 2744 Mngjeamd.exe 2764 Mbbfep32.exe 2628 Meabakda.exe 2716 Mlkjne32.exe 1492 Mjnjjbbh.exe 700 Nmlgfnal.exe 1496 Nagbgl32.exe 1924 Necogkbo.exe 1684 Nhakcfab.exe 2176 Njpgpbpf.exe 2952 Najpll32.exe 2992 Npmphinm.exe 924 Nfghdcfj.exe -
Loads dropped DLL 64 IoCs
pid Process 2376 23d950c59ea1421dcb7063384c4d5d744ed1ad58b43f0ebfdbe72a32e443d7cb.exe 2376 23d950c59ea1421dcb7063384c4d5d744ed1ad58b43f0ebfdbe72a32e443d7cb.exe 2392 Jgdfdbhk.exe 2392 Jgdfdbhk.exe 1740 Jjbbpmgo.exe 1740 Jjbbpmgo.exe 2208 Jplkmgol.exe 2208 Jplkmgol.exe 2760 Jckgicnp.exe 2760 Jckgicnp.exe 2736 Jkbojpna.exe 2736 Jkbojpna.exe 2688 Jlckbh32.exe 2688 Jlckbh32.exe 1168 Kdjccf32.exe 1168 Kdjccf32.exe 816 Kfkpknkq.exe 816 Kfkpknkq.exe 2344 Knbhlkkc.exe 2344 Knbhlkkc.exe 2848 Klehgh32.exe 2848 Klehgh32.exe 1012 Kcopdb32.exe 1012 Kcopdb32.exe 1984 Khlili32.exe 1984 Khlili32.exe 2904 Klhemhpk.exe 2904 Klhemhpk.exe 3040 Kcamjb32.exe 3040 Kcamjb32.exe 2372 Kfpifm32.exe 2372 Kfpifm32.exe 2188 Kljabgnh.exe 2188 Kljabgnh.exe 280 Kohnoc32.exe 280 Kohnoc32.exe 3000 Kfbfkmeh.exe 3000 Kfbfkmeh.exe 1324 Khabghdl.exe 1324 Khabghdl.exe 308 Kllnhg32.exe 308 Kllnhg32.exe 1700 Kokjdb32.exe 1700 Kokjdb32.exe 1380 Knnkpobc.exe 1380 Knnkpobc.exe 1932 Kdhcli32.exe 1932 Kdhcli32.exe 3020 Lkakicam.exe 3020 Lkakicam.exe 2132 Lnpgeopa.exe 2132 Lnpgeopa.exe 1076 Lqncaj32.exe 1076 Lqncaj32.exe 2380 Lhelbh32.exe 2380 Lhelbh32.exe 2204 Lghlndfa.exe 2204 Lghlndfa.exe 2448 Lqqpgj32.exe 2448 Lqqpgj32.exe 2844 Lkfddc32.exe 2844 Lkfddc32.exe 2636 Lneaqn32.exe 2636 Lneaqn32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Cpkmcldj.exe Clpabm32.exe File created C:\Windows\SysWOW64\Ekdehk32.dll Fhdjgoha.exe File created C:\Windows\SysWOW64\Kglehp32.exe Khielcfh.exe File created C:\Windows\SysWOW64\Meabakda.exe Mbbfep32.exe File created C:\Windows\SysWOW64\Lmhjag32.dll Gifclb32.exe File created C:\Windows\SysWOW64\Lldmleam.exe Lhiakf32.exe File created C:\Windows\SysWOW64\Iofjqboi.dll Jfliim32.exe File created C:\Windows\SysWOW64\Knmdeioh.exe Kcgphp32.exe File opened for modification C:\Windows\SysWOW64\Lcaiiejc.exe Lneaqn32.exe File opened for modification C:\Windows\SysWOW64\Bjmeiq32.exe Bkjdndjo.exe File opened for modification C:\Windows\SysWOW64\Pciddedl.exe Ppkhhjei.exe File created C:\Windows\SysWOW64\Eijdkcgn.exe Eeohkeoe.exe File created C:\Windows\SysWOW64\Dldlhdpl.dll Khghgchk.exe File created C:\Windows\SysWOW64\Ihnijmcj.dll Lcjlnpmo.exe File created C:\Windows\SysWOW64\Pghfnc32.exe Pdjjag32.exe File created C:\Windows\SysWOW64\Egkoigpo.dll Pecgea32.exe File created C:\Windows\SysWOW64\Hifpke32.exe Hfhcoj32.exe File opened for modification C:\Windows\SysWOW64\Pohhna32.exe Pljlbf32.exe File created C:\Windows\SysWOW64\Efpolbgp.dll Npdfhhhe.exe File created C:\Windows\SysWOW64\Jmfafgbd.exe Jkhejkcq.exe File opened for modification C:\Windows\SysWOW64\Kaompi32.exe Kncaojfb.exe File created C:\Windows\SysWOW64\Cpgkadij.dll Jpgjgboe.exe File created C:\Windows\SysWOW64\Adnpkjde.exe Abpcooea.exe File created C:\Windows\SysWOW64\Ahqmla32.dll Kohnoc32.exe File opened for modification C:\Windows\SysWOW64\Hfcjdkpg.exe Hcdnhoac.exe File created C:\Windows\SysWOW64\Dfefmpeo.dll Boljgg32.exe File created C:\Windows\SysWOW64\Bfdmobkp.dll Mlhnifmq.exe File created C:\Windows\SysWOW64\Oeehln32.exe Oajlkojn.exe File created C:\Windows\SysWOW64\Oanefo32.exe Oopijc32.exe File created C:\Windows\SysWOW64\Lnpfoc32.dll Qkibcg32.exe File opened for modification C:\Windows\SysWOW64\Bnnaoe32.exe Bkpeci32.exe File opened for modification C:\Windows\SysWOW64\Ggnmbn32.exe Gepafc32.exe File opened for modification C:\Windows\SysWOW64\Cocphf32.exe Ckhdggom.exe File created C:\Windows\SysWOW64\Olpecfkn.dll Qdlggg32.exe File opened for modification C:\Windows\SysWOW64\Npmphinm.exe Najpll32.exe File created C:\Windows\SysWOW64\Eaeipfei.exe Eogmcjef.exe File opened for modification C:\Windows\SysWOW64\Hqfaldbo.exe Hnheohcl.exe File created C:\Windows\SysWOW64\Llechb32.dll Ljfapjbi.exe File created C:\Windows\SysWOW64\Cljoegei.dll Lddlkg32.exe File created C:\Windows\SysWOW64\Kjkfeo32.dll Mqpflg32.exe File created C:\Windows\SysWOW64\Qggfio32.dll Mgjnhaco.exe File opened for modification C:\Windows\SysWOW64\Lldmleam.exe Lhiakf32.exe File created C:\Windows\SysWOW64\Phnpagdp.exe Pdbdqh32.exe File created C:\Windows\SysWOW64\Liqoflfh.exe Lcdfnehp.exe File created C:\Windows\SysWOW64\Giqhcmil.dll Ihpfgalh.exe File opened for modification C:\Windows\SysWOW64\Lgchgb32.exe Lddlkg32.exe File created C:\Windows\SysWOW64\Oqlecd32.dll Pkjphcff.exe File opened for modification C:\Windows\SysWOW64\Pecgea32.exe Pgpgjepk.exe File created C:\Windows\SysWOW64\Ocmbnbgf.dll Qackpado.exe File created C:\Windows\SysWOW64\Klngkfge.exe Knkgpi32.exe File created C:\Windows\SysWOW64\Elkmmodo.exe Eddeladm.exe File opened for modification C:\Windows\SysWOW64\Mfihkoal.exe Mpopnejo.exe File opened for modification C:\Windows\SysWOW64\Ackmih32.exe Aopahjll.exe File created C:\Windows\SysWOW64\Goembl32.dll Onfoin32.exe File opened for modification C:\Windows\SysWOW64\Pidfdofi.exe Pgfjhcge.exe File created C:\Windows\SysWOW64\Mhmdim32.dll Pcghof32.exe File opened for modification C:\Windows\SysWOW64\Gneijien.exe Gjjmijme.exe File created C:\Windows\SysWOW64\Lcghbo32.dll Iahkpg32.exe File opened for modification C:\Windows\SysWOW64\Kohnoc32.exe Kljabgnh.exe File opened for modification C:\Windows\SysWOW64\Mmadbjkk.exe Mfglep32.exe File created C:\Windows\SysWOW64\Aihfap32.exe Aggiigmn.exe File created C:\Windows\SysWOW64\Fkecij32.exe Fgigil32.exe File created C:\Windows\SysWOW64\Khghgchk.exe Kdklfe32.exe File created C:\Windows\SysWOW64\Paodbg32.dll Nhjjgd32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 6256 7044 WerFault.exe 669 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbjmpcab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djgkii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dahifbpk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eijdkcgn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njdqka32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gonocmbi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hahnac32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opnbbe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Diaaeepi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkchmo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhiakf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndqkleln.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gblkoham.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kncaojfb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Loqmba32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbiiog32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghajacmo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qgjccb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahpifj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgcbhd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjpkqonj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Niedqnen.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Daacecfc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnbojmmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bceibfgj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khlili32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kokjdb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Necogkbo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcbncfjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddblgn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgchgb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 23d950c59ea1421dcb7063384c4d5d744ed1ad58b43f0ebfdbe72a32e443d7cb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfghdcfj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkifdd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppkhhjei.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbhhdnlh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boidnh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhbnbpjc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpgobc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nefdpjkl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnpgeopa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhknaf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bqgmfkhg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bieopm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cinafkkd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kadfkhkf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkcbnanl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qiioon32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmgbao32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgpgjepk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aggiigmn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjjkpe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abmgjo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cchbgi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bckjhl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmojkc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnmpdlac.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onfoin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qpbglhjq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajmijmnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Danpemej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lghlndfa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbbfep32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Befmfpbi.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmgghnmp.dll" Opnbbe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Phqmgg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cfhkhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kncinl32.dll" Bnqned32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oidiekdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dhmhhmlm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pkcbnanl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlbjim32.dll" Pnbojmmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajcbch32.dll" Hblgnkdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adkqmpip.dll" Idicbbpi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lgehno32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cfmhdpnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofaejacl.dll" Cmpgpond.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nbbbdcgi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Decimbli.dll" Kglehp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jdnmma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jmfafgbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paodbg32.dll" Njhfcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mfihkoal.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dldkmlhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Napbjjom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeaiio32.dll" Lokgcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pgfjhcge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hnheohcl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Idicbbpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ckmnbg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nhakcfab.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nfghdcfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocmbnbgf.dll" Qackpado.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aciqcifh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gepafc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fikbiheg.dll" Djdgic32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ohfqmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oijjka32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ddblgn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Abpcooea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pondgbkk.dll" Bbjmpcab.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jefpeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmmnnh32.dll" Jlkngc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpebhied.dll" Bieopm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cpiqmlfm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gfcnegnk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bflbigdb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dmmmfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ggnmbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adpqglen.dll" Alnalh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nagbgl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Oanefo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iahkpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiablm32.dll" Bqlfaj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aojabdlf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqgono32.dll" Dfphcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hihlqeib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oadkej32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Khkbbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jeoggjip.dll" Lgchgb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Flhmfbim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Abpcooea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bieopm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nenakoho.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fjegog32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gqahqd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hfhcoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ijqoilii.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2376 wrote to memory of 2392 2376 23d950c59ea1421dcb7063384c4d5d744ed1ad58b43f0ebfdbe72a32e443d7cb.exe 30 PID 2376 wrote to memory of 2392 2376 23d950c59ea1421dcb7063384c4d5d744ed1ad58b43f0ebfdbe72a32e443d7cb.exe 30 PID 2376 wrote to memory of 2392 2376 23d950c59ea1421dcb7063384c4d5d744ed1ad58b43f0ebfdbe72a32e443d7cb.exe 30 PID 2376 wrote to memory of 2392 2376 23d950c59ea1421dcb7063384c4d5d744ed1ad58b43f0ebfdbe72a32e443d7cb.exe 30 PID 2392 wrote to memory of 1740 2392 Jgdfdbhk.exe 31 PID 2392 wrote to memory of 1740 2392 Jgdfdbhk.exe 31 PID 2392 wrote to memory of 1740 2392 Jgdfdbhk.exe 31 PID 2392 wrote to memory of 1740 2392 Jgdfdbhk.exe 31 PID 1740 wrote to memory of 2208 1740 Jjbbpmgo.exe 32 PID 1740 wrote to memory of 2208 1740 Jjbbpmgo.exe 32 PID 1740 wrote to memory of 2208 1740 Jjbbpmgo.exe 32 PID 1740 wrote to memory of 2208 1740 Jjbbpmgo.exe 32 PID 2208 wrote to memory of 2760 2208 Jplkmgol.exe 33 PID 2208 wrote to memory of 2760 2208 Jplkmgol.exe 33 PID 2208 wrote to memory of 2760 2208 Jplkmgol.exe 33 PID 2208 wrote to memory of 2760 2208 Jplkmgol.exe 33 PID 2760 wrote to memory of 2736 2760 Jckgicnp.exe 34 PID 2760 wrote to memory of 2736 2760 Jckgicnp.exe 34 PID 2760 wrote to memory of 2736 2760 Jckgicnp.exe 34 PID 2760 wrote to memory of 2736 2760 Jckgicnp.exe 34 PID 2736 wrote to memory of 2688 2736 Jkbojpna.exe 35 PID 2736 wrote to memory of 2688 2736 Jkbojpna.exe 35 PID 2736 wrote to memory of 2688 2736 Jkbojpna.exe 35 PID 2736 wrote to memory of 2688 2736 Jkbojpna.exe 35 PID 2688 wrote to memory of 1168 2688 Jlckbh32.exe 36 PID 2688 wrote to memory of 1168 2688 Jlckbh32.exe 36 PID 2688 wrote to memory of 1168 2688 Jlckbh32.exe 36 PID 2688 wrote to memory of 1168 2688 Jlckbh32.exe 36 PID 1168 wrote to memory of 816 1168 Kdjccf32.exe 37 PID 1168 wrote to memory of 816 1168 Kdjccf32.exe 37 PID 1168 wrote to memory of 816 1168 Kdjccf32.exe 37 PID 1168 wrote to memory of 816 1168 Kdjccf32.exe 37 PID 816 wrote to memory of 2344 816 Kfkpknkq.exe 38 PID 816 wrote to memory of 2344 816 Kfkpknkq.exe 38 PID 816 wrote to memory of 2344 816 Kfkpknkq.exe 38 PID 816 wrote to memory of 2344 816 Kfkpknkq.exe 38 PID 2344 wrote to memory of 2848 2344 Knbhlkkc.exe 39 PID 2344 wrote to memory of 2848 2344 Knbhlkkc.exe 39 PID 2344 wrote to memory of 2848 2344 Knbhlkkc.exe 39 PID 2344 wrote to memory of 2848 2344 Knbhlkkc.exe 39 PID 2848 wrote to memory of 1012 2848 Klehgh32.exe 40 PID 2848 wrote to memory of 1012 2848 Klehgh32.exe 40 PID 2848 wrote to memory of 1012 2848 Klehgh32.exe 40 PID 2848 wrote to memory of 1012 2848 Klehgh32.exe 40 PID 1012 wrote to memory of 1984 1012 Kcopdb32.exe 41 PID 1012 wrote to memory of 1984 1012 Kcopdb32.exe 41 PID 1012 wrote to memory of 1984 1012 Kcopdb32.exe 41 PID 1012 wrote to memory of 1984 1012 Kcopdb32.exe 41 PID 1984 wrote to memory of 2904 1984 Khlili32.exe 42 PID 1984 wrote to memory of 2904 1984 Khlili32.exe 42 PID 1984 wrote to memory of 2904 1984 Khlili32.exe 42 PID 1984 wrote to memory of 2904 1984 Khlili32.exe 42 PID 2904 wrote to memory of 3040 2904 Klhemhpk.exe 43 PID 2904 wrote to memory of 3040 2904 Klhemhpk.exe 43 PID 2904 wrote to memory of 3040 2904 Klhemhpk.exe 43 PID 2904 wrote to memory of 3040 2904 Klhemhpk.exe 43 PID 3040 wrote to memory of 2372 3040 Kcamjb32.exe 44 PID 3040 wrote to memory of 2372 3040 Kcamjb32.exe 44 PID 3040 wrote to memory of 2372 3040 Kcamjb32.exe 44 PID 3040 wrote to memory of 2372 3040 Kcamjb32.exe 44 PID 2372 wrote to memory of 2188 2372 Kfpifm32.exe 45 PID 2372 wrote to memory of 2188 2372 Kfpifm32.exe 45 PID 2372 wrote to memory of 2188 2372 Kfpifm32.exe 45 PID 2372 wrote to memory of 2188 2372 Kfpifm32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\23d950c59ea1421dcb7063384c4d5d744ed1ad58b43f0ebfdbe72a32e443d7cb.exe"C:\Users\Admin\AppData\Local\Temp\23d950c59ea1421dcb7063384c4d5d744ed1ad58b43f0ebfdbe72a32e443d7cb.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2376 -
C:\Windows\SysWOW64\Jgdfdbhk.exeC:\Windows\system32\Jgdfdbhk.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2392 -
C:\Windows\SysWOW64\Jjbbpmgo.exeC:\Windows\system32\Jjbbpmgo.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1740 -
C:\Windows\SysWOW64\Jplkmgol.exeC:\Windows\system32\Jplkmgol.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2208 -
C:\Windows\SysWOW64\Jckgicnp.exeC:\Windows\system32\Jckgicnp.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Windows\SysWOW64\Jkbojpna.exeC:\Windows\system32\Jkbojpna.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Windows\SysWOW64\Jlckbh32.exeC:\Windows\system32\Jlckbh32.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2688 -
C:\Windows\SysWOW64\Kdjccf32.exeC:\Windows\system32\Kdjccf32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1168 -
C:\Windows\SysWOW64\Kfkpknkq.exeC:\Windows\system32\Kfkpknkq.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:816 -
C:\Windows\SysWOW64\Knbhlkkc.exeC:\Windows\system32\Knbhlkkc.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2344 -
C:\Windows\SysWOW64\Klehgh32.exeC:\Windows\system32\Klehgh32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2848 -
C:\Windows\SysWOW64\Kcopdb32.exeC:\Windows\system32\Kcopdb32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1012 -
C:\Windows\SysWOW64\Khlili32.exeC:\Windows\system32\Khlili32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1984 -
C:\Windows\SysWOW64\Klhemhpk.exeC:\Windows\system32\Klhemhpk.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2904 -
C:\Windows\SysWOW64\Kcamjb32.exeC:\Windows\system32\Kcamjb32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3040 -
C:\Windows\SysWOW64\Kfpifm32.exeC:\Windows\system32\Kfpifm32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2372 -
C:\Windows\SysWOW64\Kljabgnh.exeC:\Windows\system32\Kljabgnh.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2188 -
C:\Windows\SysWOW64\Kohnoc32.exeC:\Windows\system32\Kohnoc32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:280 -
C:\Windows\SysWOW64\Kfbfkmeh.exeC:\Windows\system32\Kfbfkmeh.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3000 -
C:\Windows\SysWOW64\Khabghdl.exeC:\Windows\system32\Khabghdl.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1324 -
C:\Windows\SysWOW64\Kllnhg32.exeC:\Windows\system32\Kllnhg32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:308 -
C:\Windows\SysWOW64\Kokjdb32.exeC:\Windows\system32\Kokjdb32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1700 -
C:\Windows\SysWOW64\Knnkpobc.exeC:\Windows\system32\Knnkpobc.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1380 -
C:\Windows\SysWOW64\Kdhcli32.exeC:\Windows\system32\Kdhcli32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1932 -
C:\Windows\SysWOW64\Lkakicam.exeC:\Windows\system32\Lkakicam.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3020 -
C:\Windows\SysWOW64\Lnpgeopa.exeC:\Windows\system32\Lnpgeopa.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2132 -
C:\Windows\SysWOW64\Lqncaj32.exeC:\Windows\system32\Lqncaj32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1076 -
C:\Windows\SysWOW64\Lhelbh32.exeC:\Windows\system32\Lhelbh32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2380 -
C:\Windows\SysWOW64\Lghlndfa.exeC:\Windows\system32\Lghlndfa.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2204 -
C:\Windows\SysWOW64\Lqqpgj32.exeC:\Windows\system32\Lqqpgj32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2448 -
C:\Windows\SysWOW64\Lkfddc32.exeC:\Windows\system32\Lkfddc32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2844 -
C:\Windows\SysWOW64\Lneaqn32.exeC:\Windows\system32\Lneaqn32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2636 -
C:\Windows\SysWOW64\Lcaiiejc.exeC:\Windows\system32\Lcaiiejc.exe33⤵
- Executes dropped EXE
PID:2620 -
C:\Windows\SysWOW64\Lfpeeqig.exeC:\Windows\system32\Lfpeeqig.exe34⤵
- Executes dropped EXE
PID:2612 -
C:\Windows\SysWOW64\Lqejbiim.exeC:\Windows\system32\Lqejbiim.exe35⤵
- Executes dropped EXE
PID:1828 -
C:\Windows\SysWOW64\Lcdfnehp.exeC:\Windows\system32\Lcdfnehp.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1964 -
C:\Windows\SysWOW64\Liqoflfh.exeC:\Windows\system32\Liqoflfh.exe37⤵
- Executes dropped EXE
PID:1500 -
C:\Windows\SysWOW64\Lokgcf32.exeC:\Windows\system32\Lokgcf32.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:600 -
C:\Windows\SysWOW64\Lokgcf32.exeC:\Windows\system32\Lokgcf32.exe39⤵
- Executes dropped EXE
PID:1952 -
C:\Windows\SysWOW64\Mjpkqonj.exeC:\Windows\system32\Mjpkqonj.exe40⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2436 -
C:\Windows\SysWOW64\Micklk32.exeC:\Windows\system32\Micklk32.exe41⤵
- Executes dropped EXE
PID:2936 -
C:\Windows\SysWOW64\Mkaghg32.exeC:\Windows\system32\Mkaghg32.exe42⤵
- Executes dropped EXE
PID:2928 -
C:\Windows\SysWOW64\Mfglep32.exeC:\Windows\system32\Mfglep32.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1852 -
C:\Windows\SysWOW64\Mmadbjkk.exeC:\Windows\system32\Mmadbjkk.exe44⤵
- Executes dropped EXE
PID:2696 -
C:\Windows\SysWOW64\Mpopnejo.exeC:\Windows\system32\Mpopnejo.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1596 -
C:\Windows\SysWOW64\Mfihkoal.exeC:\Windows\system32\Mfihkoal.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:1260 -
C:\Windows\SysWOW64\Mpamde32.exeC:\Windows\system32\Mpamde32.exe47⤵
- Executes dropped EXE
PID:1720 -
C:\Windows\SysWOW64\Mbpipp32.exeC:\Windows\system32\Mbpipp32.exe48⤵
- Executes dropped EXE
PID:2252 -
C:\Windows\SysWOW64\Macilmnk.exeC:\Windows\system32\Macilmnk.exe49⤵
- Executes dropped EXE
PID:2068 -
C:\Windows\SysWOW64\Meoell32.exeC:\Windows\system32\Meoell32.exe50⤵
- Executes dropped EXE
PID:2292 -
C:\Windows\SysWOW64\Mlhnifmq.exeC:\Windows\system32\Mlhnifmq.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1724 -
C:\Windows\SysWOW64\Mngjeamd.exeC:\Windows\system32\Mngjeamd.exe52⤵
- Executes dropped EXE
PID:2384 -
C:\Windows\SysWOW64\Mngjeamd.exeC:\Windows\system32\Mngjeamd.exe53⤵
- Executes dropped EXE
PID:2744 -
C:\Windows\SysWOW64\Mbbfep32.exeC:\Windows\system32\Mbbfep32.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2764 -
C:\Windows\SysWOW64\Meabakda.exeC:\Windows\system32\Meabakda.exe55⤵
- Executes dropped EXE
PID:2628 -
C:\Windows\SysWOW64\Mlkjne32.exeC:\Windows\system32\Mlkjne32.exe56⤵
- Executes dropped EXE
PID:2716 -
C:\Windows\SysWOW64\Mjnjjbbh.exeC:\Windows\system32\Mjnjjbbh.exe57⤵
- Executes dropped EXE
PID:1492 -
C:\Windows\SysWOW64\Nmlgfnal.exeC:\Windows\system32\Nmlgfnal.exe58⤵
- Executes dropped EXE
PID:700 -
C:\Windows\SysWOW64\Nagbgl32.exeC:\Windows\system32\Nagbgl32.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:1496 -
C:\Windows\SysWOW64\Necogkbo.exeC:\Windows\system32\Necogkbo.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1924 -
C:\Windows\SysWOW64\Nhakcfab.exeC:\Windows\system32\Nhakcfab.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:1684 -
C:\Windows\SysWOW64\Njpgpbpf.exeC:\Windows\system32\Njpgpbpf.exe62⤵
- Executes dropped EXE
PID:2176 -
C:\Windows\SysWOW64\Najpll32.exeC:\Windows\system32\Najpll32.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2952 -
C:\Windows\SysWOW64\Npmphinm.exeC:\Windows\system32\Npmphinm.exe64⤵
- Executes dropped EXE
PID:2992 -
C:\Windows\SysWOW64\Nfghdcfj.exeC:\Windows\system32\Nfghdcfj.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:924 -
C:\Windows\SysWOW64\Njbdea32.exeC:\Windows\system32\Njbdea32.exe66⤵PID:2296
-
C:\Windows\SysWOW64\Niedqnen.exeC:\Windows\system32\Niedqnen.exe67⤵
- System Location Discovery: System Language Discovery
PID:1244 -
C:\Windows\SysWOW64\Nmqpam32.exeC:\Windows\system32\Nmqpam32.exe68⤵PID:2364
-
C:\Windows\SysWOW64\Nallalep.exeC:\Windows\system32\Nallalep.exe69⤵PID:620
-
C:\Windows\SysWOW64\Ndkhngdd.exeC:\Windows\system32\Ndkhngdd.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2532 -
C:\Windows\SysWOW64\Nbniid32.exeC:\Windows\system32\Nbniid32.exe71⤵PID:2812
-
C:\Windows\SysWOW64\Nfidjbdg.exeC:\Windows\system32\Nfidjbdg.exe72⤵PID:1632
-
C:\Windows\SysWOW64\Njdqka32.exeC:\Windows\system32\Njdqka32.exe73⤵
- System Location Discovery: System Language Discovery
PID:2852 -
C:\Windows\SysWOW64\Nigafnck.exeC:\Windows\system32\Nigafnck.exe74⤵PID:2596
-
C:\Windows\SysWOW64\Npaich32.exeC:\Windows\system32\Npaich32.exe75⤵PID:1936
-
C:\Windows\SysWOW64\Nbpeoc32.exeC:\Windows\system32\Nbpeoc32.exe76⤵PID:552
-
C:\Windows\SysWOW64\Nfkapb32.exeC:\Windows\system32\Nfkapb32.exe77⤵PID:388
-
C:\Windows\SysWOW64\Nenakoho.exeC:\Windows\system32\Nenakoho.exe78⤵
- Modifies registry class
PID:1644 -
C:\Windows\SysWOW64\Nmejllia.exeC:\Windows\system32\Nmejllia.exe79⤵PID:1768
-
C:\Windows\SysWOW64\Npdfhhhe.exeC:\Windows\system32\Npdfhhhe.exe80⤵
- Drops file in System32 directory
PID:1760 -
C:\Windows\SysWOW64\Nbbbdcgi.exeC:\Windows\system32\Nbbbdcgi.exe81⤵
- Modifies registry class
PID:444 -
C:\Windows\SysWOW64\Neqnqofm.exeC:\Windows\system32\Neqnqofm.exe82⤵PID:1920
-
C:\Windows\SysWOW64\Oiljam32.exeC:\Windows\system32\Oiljam32.exe83⤵PID:1716
-
C:\Windows\SysWOW64\Olkfmi32.exeC:\Windows\system32\Olkfmi32.exe84⤵PID:108
-
C:\Windows\SysWOW64\Opfbngfb.exeC:\Windows\system32\Opfbngfb.exe85⤵PID:2964
-
C:\Windows\SysWOW64\Obdojcef.exeC:\Windows\system32\Obdojcef.exe86⤵PID:1592
-
C:\Windows\SysWOW64\Oagoep32.exeC:\Windows\system32\Oagoep32.exe87⤵PID:2088
-
C:\Windows\SysWOW64\Oioggmmc.exeC:\Windows\system32\Oioggmmc.exe88⤵PID:2968
-
C:\Windows\SysWOW64\Olmcchlg.exeC:\Windows\system32\Olmcchlg.exe89⤵PID:2624
-
C:\Windows\SysWOW64\Okpcoe32.exeC:\Windows\system32\Okpcoe32.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:684 -
C:\Windows\SysWOW64\Ookpodkj.exeC:\Windows\system32\Ookpodkj.exe91⤵PID:1444
-
C:\Windows\SysWOW64\Oajlkojn.exeC:\Windows\system32\Oajlkojn.exe92⤵
- Drops file in System32 directory
PID:1508 -
C:\Windows\SysWOW64\Oeehln32.exeC:\Windows\system32\Oeehln32.exe93⤵PID:2900
-
C:\Windows\SysWOW64\Ohcdhi32.exeC:\Windows\system32\Ohcdhi32.exe94⤵PID:2184
-
C:\Windows\SysWOW64\Olophhjd.exeC:\Windows\system32\Olophhjd.exe95⤵PID:2160
-
C:\Windows\SysWOW64\Okbpde32.exeC:\Windows\system32\Okbpde32.exe96⤵PID:2420
-
C:\Windows\SysWOW64\Omqlpp32.exeC:\Windows\system32\Omqlpp32.exe97⤵PID:2200
-
C:\Windows\SysWOW64\Oalhqohl.exeC:\Windows\system32\Oalhqohl.exe98⤵PID:2340
-
C:\Windows\SysWOW64\Oehdan32.exeC:\Windows\system32\Oehdan32.exe99⤵PID:2800
-
C:\Windows\SysWOW64\Ohfqmi32.exeC:\Windows\system32\Ohfqmi32.exe100⤵
- Modifies registry class
PID:2804 -
C:\Windows\SysWOW64\Ogiaif32.exeC:\Windows\system32\Ogiaif32.exe101⤵PID:2724
-
C:\Windows\SysWOW64\Oopijc32.exeC:\Windows\system32\Oopijc32.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2864 -
C:\Windows\SysWOW64\Oanefo32.exeC:\Windows\system32\Oanefo32.exe103⤵
- Modifies registry class
PID:592 -
C:\Windows\SysWOW64\Odmabj32.exeC:\Windows\system32\Odmabj32.exe104⤵PID:1112
-
C:\Windows\SysWOW64\Ohhmcinf.exeC:\Windows\system32\Ohhmcinf.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2500 -
C:\Windows\SysWOW64\Ogknoe32.exeC:\Windows\system32\Ogknoe32.exe106⤵PID:1748
-
C:\Windows\SysWOW64\Oijjka32.exeC:\Windows\system32\Oijjka32.exe107⤵
- Modifies registry class
PID:2144 -
C:\Windows\SysWOW64\Pdonhj32.exeC:\Windows\system32\Pdonhj32.exe108⤵PID:2584
-
C:\Windows\SysWOW64\Pcbncfjd.exeC:\Windows\system32\Pcbncfjd.exe109⤵
- System Location Discovery: System Language Discovery
PID:3016 -
C:\Windows\SysWOW64\Pkifdd32.exeC:\Windows\system32\Pkifdd32.exe110⤵
- System Location Discovery: System Language Discovery
PID:2576 -
C:\Windows\SysWOW64\Pmgbao32.exeC:\Windows\system32\Pmgbao32.exe111⤵
- System Location Discovery: System Language Discovery
PID:2520 -
C:\Windows\SysWOW64\Pljcllqe.exeC:\Windows\system32\Pljcllqe.exe112⤵PID:2816
-
C:\Windows\SysWOW64\Pdakniag.exeC:\Windows\system32\Pdakniag.exe113⤵PID:2984
-
C:\Windows\SysWOW64\Pgpgjepk.exeC:\Windows\system32\Pgpgjepk.exe114⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:352 -
C:\Windows\SysWOW64\Pecgea32.exeC:\Windows\system32\Pecgea32.exe115⤵
- Drops file in System32 directory
PID:2508 -
C:\Windows\SysWOW64\Pnjofo32.exeC:\Windows\system32\Pnjofo32.exe116⤵PID:3056
-
C:\Windows\SysWOW64\Plmpblnb.exeC:\Windows\system32\Plmpblnb.exe117⤵PID:2000
-
C:\Windows\SysWOW64\Poklngnf.exeC:\Windows\system32\Poklngnf.exe118⤵PID:904
-
C:\Windows\SysWOW64\Pcghof32.exeC:\Windows\system32\Pcghof32.exe119⤵
- Drops file in System32 directory
PID:1368 -
C:\Windows\SysWOW64\Peedka32.exeC:\Windows\system32\Peedka32.exe120⤵PID:1316
-
C:\Windows\SysWOW64\Ppkhhjei.exeC:\Windows\system32\Ppkhhjei.exe121⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1788
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-