Analysis
max time kernel: 33s
max time network: 16s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 20-01-2025 09:00
Static task: static1
Behavioral task: behavioral1
Sample: ad14282e011d001eaefbba4c8951802acb0cfa979a5ead4955848792a0a0dcfd.exe
Resource: win7-20240729-en
Behavioral task: behavioral2
Sample: ad14282e011d001eaefbba4c8951802acb0cfa979a5ead4955848792a0a0dcfd.exe
Resource: win10v2004-20241007-en
General
Target: ad14282e011d001eaefbba4c8951802acb0cfa979a5ead4955848792a0a0dcfd.exe
Size: 95KB
MD5: 3f94f202b0f6e81c3a7b56c1e43d9bac
SHA1: d810429417d51d7c5e81586a1ac7cce18fbbf04d
SHA256: ad14282e011d001eaefbba4c8951802acb0cfa979a5ead4955848792a0a0dcfd
SHA512: 505fa84f03de7e2d77a6111e6efc1bbcfb07eec01d3523069eeebba00e0a66fa83e8014bfef0554bf415f3c249dba975f2fdecb1d97ab5f2e399c47676fb701a
SSDEEP: 1536:23ibQ01C6tlnToOIZPfVBlaFJhaqlkIOzujvOM6bOLXi8PmCofGV:pK6/kOgPihHlLjvDrLXfzoeV
Malware Config
Extracted: berbew
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ojijha32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ikcbfb32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nppceo32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hohhfbkl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Fnglekch.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Injlmcib.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pcgnfl32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pfhghgie.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Hbfalpab.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Gpdfph32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Djokgk32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Chdeonfa.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cpafhpaj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Dhaboi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Meolcb32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aeachphg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ephihbnm.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kgcpgl32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cgdflb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Pfpflenm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Fdcahdib.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jkcllmhb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dhcanahm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Nqlikc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jjjohbgl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ncbilimn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Hemggm32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ndaaclac.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Qfbcae32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Cbdpag32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Lepfoe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Coknmp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Mogqlgbi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Meiedg32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hegdinpd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ocpakg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Pnpfckmc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Fgmaphdg.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dclikp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Jfffmo32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hlbooaoe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Kgcpgl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Kgcbpemp.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kgfoee32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lalchnfl.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mabihm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Pgkjji32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Cijkaehj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Onkmhl32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hdjnje32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Okomappb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Cdflhppk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Eckopm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Egaoldnf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Pjlifjjb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Bfjmkn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ofmknifp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Miekhd32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ejfnfn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Cgnkkjgd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Hnpkkm32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ilfbpk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Fpecddpi.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lnmglbgh.exe
Berbew family
Executes dropped EXE (64 IoCs)
pid | Process
2328 | Jkcllmhb.exe
2156 | Jbmdig32.exe
2740 | Jkeialfp.exe
2832 | Jboanfmm.exe
2752 | Jjjfbikh.exe
2620 | Jbandfkj.exe
2428 | Jgnflmia.exe
1032 | Knhoig32.exe
1228 | Kgqcam32.exe
3048 | Knkkngol.exe
2296 | Kgcpgl32.exe
2924 | Kffpcilf.exe
2388 | Kmphpc32.exe
868 | Kbmahjbk.exe
2432 | Kleeqp32.exe
2180 | Kfkjnh32.exe
1244 | Klgbfo32.exe
2544 | Kofnbk32.exe
2424 | Lepfoe32.exe
888 | Lhnckp32.exe
1528 | Lohkhjcj.exe
1268 | Lafgdfbm.exe
1768 | Lojhmjag.exe
2108 | Ledpjdid.exe
1656 | Ldgpea32.exe
1580 | Lmpdoffo.exe
2816 | Lghigl32.exe
2212 | Looahi32.exe
2084 | Lpqnpacp.exe
2584 | Lmdnjf32.exe
3060 | Mikooghn.exe
2896 | Mmgkoe32.exe
1648 | Mdqclpgd.exe
1320 | Mebpchmb.exe
1072 | Mmigdend.exe
1740 | Medligko.exe
2228 | Miphjf32.exe
2028 | Momqbm32.exe
1136 | Makmnh32.exe
2572 | Mheekb32.exe
2164 | Mkcagn32.exe
2064 | Meiedg32.exe
2484 | Nkfnln32.exe
2996 | Napfihmn.exe
1536 | Ndnbeclb.exe
2880 | Nkhkbmco.exe
904 | Nnfgnibb.exe
1456 | Npecjdaf.exe
2944 | Nhlkkabh.exe
2736 | Njmhcj32.exe
2624 | Nadpdg32.exe
2748 | Ndclpb32.exe
2592 | Ncellpog.exe
2008 | Nkmdmm32.exe
2308 | Nnkqih32.exe
2516 | Nqjmec32.exe
2916 | Ndeifbfj.exe
1704 | Nffenj32.exe
1132 | Nnnmoh32.exe
2980 | Nqlikc32.exe
1776 | Ocjfgo32.exe
2200 | Ofibcj32.exe
2020 | Ombjpd32.exe
1980 | Ocmbmnio.exe
Loads dropped DLL (64 IoCs)
pid | Process
2528 | ad14282e011d001eaefbba4c8951802acb0cfa979a5ead4955848792a0a0dcfd.exe
2528 | ad14282e011d001eaefbba4c8951802acb0cfa979a5ead4955848792a0a0dcfd.exe
2328 | Jkcllmhb.exe
2328 | Jkcllmhb.exe
2156 | Jbmdig32.exe
2156 | Jbmdig32.exe
2740 | Jkeialfp.exe
2740 | Jkeialfp.exe
2832 | Jboanfmm.exe
2832 | Jboanfmm.exe
2752 | Jjjfbikh.exe
2752 | Jjjfbikh.exe
2620 | Jbandfkj.exe
2620 | Jbandfkj.exe
2428 | Jgnflmia.exe
2428 | Jgnflmia.exe
1032 | Knhoig32.exe
1032 | Knhoig32.exe
1228 | Kgqcam32.exe
1228 | Kgqcam32.exe
3048 | Knkkngol.exe
3048 | Knkkngol.exe
2296 | Kgcpgl32.exe
2296 | Kgcpgl32.exe
2924 | Kffpcilf.exe
2924 | Kffpcilf.exe
2388 | Kmphpc32.exe
2388 | Kmphpc32.exe
868 | Kbmahjbk.exe
868 | Kbmahjbk.exe
2432 | Kleeqp32.exe
2432 | Kleeqp32.exe
2180 | Kfkjnh32.exe
2180 | Kfkjnh32.exe
1244 | Klgbfo32.exe
1244 | Klgbfo32.exe
2544 | Kofnbk32.exe
2544 | Kofnbk32.exe
2424 | Lepfoe32.exe
2424 | Lepfoe32.exe
888 | Lhnckp32.exe
888 | Lhnckp32.exe
1528 | Lohkhjcj.exe
1528 | Lohkhjcj.exe
1268 | Lafgdfbm.exe
1268 | Lafgdfbm.exe
1768 | Lojhmjag.exe
1768 | Lojhmjag.exe
2108 | Ledpjdid.exe
2108 | Ledpjdid.exe
1656 | Ldgpea32.exe
1656 | Ldgpea32.exe
1580 | Lmpdoffo.exe
1580 | Lmpdoffo.exe
2816 | Lghigl32.exe
2816 | Lghigl32.exe
2212 | Looahi32.exe
2212 | Looahi32.exe
2084 | Lpqnpacp.exe
2084 | Lpqnpacp.exe
2584 | Lmdnjf32.exe
2584 | Lmdnjf32.exe
3060 | Mikooghn.exe
3060 | Mikooghn.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\Oagkac32.exe | Onkoadhm.exe
File created | C:\Windows\SysWOW64\Gealfddm.dll | Pdlmnm32.exe
File created | C:\Windows\SysWOW64\Lkbcoi32.dll | Bieegcid.exe
File created | C:\Windows\SysWOW64\Ckpdej32.exe | Cdflhppk.exe
File created | C:\Windows\SysWOW64\Kknbenkh.dll | Cdnicemo.exe
File created | C:\Windows\SysWOW64\Ippkni32.exe | Iankbldh.exe
File created | C:\Windows\SysWOW64\Jcjffc32.exe | Jkcoee32.exe
File created | C:\Windows\SysWOW64\Bdgbjm32.dll | Oeidlc32.exe
File created | C:\Windows\SysWOW64\Bpdnjb32.exe | Bmfamg32.exe
File opened for modification | C:\Windows\SysWOW64\Cpafhpaj.exe | Cmcjldbf.exe
File opened for modification | C:\Windows\SysWOW64\Pcdnpp32.exe | Pafacd32.exe
File opened for modification | C:\Windows\SysWOW64\Qpmbgaid.exe | Qlaffbqk.exe
File opened for modification | C:\Windows\SysWOW64\Ppcoqbao.exe | Pmecdgbk.exe
File opened for modification | C:\Windows\SysWOW64\Gljfeimi.exe | Giljinne.exe
File opened for modification | C:\Windows\SysWOW64\Ghcdpjqj.exe | Giaddm32.exe
File created | C:\Windows\SysWOW64\Abcngkmp.exe | Apeakonl.exe
File created | C:\Windows\SysWOW64\Gipahplk.dll | Jhgonj32.exe
File created | C:\Windows\SysWOW64\Kqgmnk32.exe | Kniaap32.exe
File opened for modification | C:\Windows\SysWOW64\Pcmadj32.exe | Pqodho32.exe
File created | C:\Windows\SysWOW64\Gjjlfjoo.exe | Gbbdemnl.exe
File created | C:\Windows\SysWOW64\Clogijoi.dll | Pbienj32.exe
File opened for modification | C:\Windows\SysWOW64\Ahomlb32.exe | Amiioj32.exe
File opened for modification | C:\Windows\SysWOW64\Fjnkac32.exe | Feqbilcq.exe
File opened for modification | C:\Windows\SysWOW64\Ikcbfb32.exe | Ihefjg32.exe
File created | C:\Windows\SysWOW64\Jcbbnmjj.dll | Koogdg32.exe
File opened for modification | C:\Windows\SysWOW64\Pfpflenm.exe | Pofnok32.exe
File created | C:\Windows\SysWOW64\Jkeialfp.exe | Jbmdig32.exe
File created | C:\Windows\SysWOW64\Bcbabodk.exe | Blhifemo.exe
File created | C:\Windows\SysWOW64\Hgfpbe32.dll | Gigano32.exe
File opened for modification | C:\Windows\SysWOW64\Coqaknog.exe | Chghodgj.exe
File opened for modification | C:\Windows\SysWOW64\Fpecddpi.exe | Fqbbig32.exe
File created | C:\Windows\SysWOW64\Indkgm32.exe | Ikfokb32.exe
File created | C:\Windows\SysWOW64\Mcoioi32.exe | Maplcm32.exe
File opened for modification | C:\Windows\SysWOW64\Lhnckp32.exe | Lepfoe32.exe
File created | C:\Windows\SysWOW64\Jfplbaim.dll | Dlgjie32.exe
File opened for modification | C:\Windows\SysWOW64\Hebqbl32.exe | Hbcdfq32.exe
File created | C:\Windows\SysWOW64\Mkcdgd32.dll | Iomaaa32.exe
File created | C:\Windows\SysWOW64\Ogiqffhl.exe | Opohil32.exe
File created | C:\Windows\SysWOW64\Dcjpihcg.dll | Bchmolkm.exe
File created | C:\Windows\SysWOW64\Belecp32.dll | Lejbhbpn.exe
File opened for modification | C:\Windows\SysWOW64\Nahemf32.exe | Nceeaikk.exe
File opened for modification | C:\Windows\SysWOW64\Dddodd32.exe | Dafchi32.exe
File opened for modification | C:\Windows\SysWOW64\Gmflmfpe.exe | Gijplg32.exe
File created | C:\Windows\SysWOW64\Iklhaimi.dll | Biecoj32.exe
File created | C:\Windows\SysWOW64\Ckdlgq32.exe | Cdjckfda.exe
File created | C:\Windows\SysWOW64\Lbkmanki.dll | Aimfcedl.exe
File created | C:\Windows\SysWOW64\Pghklq32.exe | Pclolakk.exe
File created | C:\Windows\SysWOW64\Babdhlmh.exe | Bodhlane.exe
File opened for modification | C:\Windows\SysWOW64\Hdmajkdl.exe | Hanenoeh.exe
File opened for modification | C:\Windows\SysWOW64\Ojjqbg32.exe | Okgpfjbo.exe
File created | C:\Windows\SysWOW64\Acafnm32.exe | Aeofcpjj.exe
File created | C:\Windows\SysWOW64\Pcmqnddq.dll | Dopfpkng.exe
File opened for modification | C:\Windows\SysWOW64\Eqmbca32.exe | Elafbcao.exe
File created | C:\Windows\SysWOW64\Lmdnjf32.exe | Lpqnpacp.exe
File created | C:\Windows\SysWOW64\Hpiaec32.dll | Pclolakk.exe
File created | C:\Windows\SysWOW64\Qjofljho.exe | Qklfqm32.exe
File created | C:\Windows\SysWOW64\Jahnpd32.dll | Kchfpf32.exe
File created | C:\Windows\SysWOW64\Olnlgjof.dll | Ehhghdgc.exe
File created | C:\Windows\SysWOW64\Kbmahjbk.exe | Kmphpc32.exe
File created | C:\Windows\SysWOW64\Cgmiba32.exe | Cofaad32.exe
File created | C:\Windows\SysWOW64\Bmggemgf.dll | Kaojiqej.exe
File created | C:\Windows\SysWOW64\Lopjlh32.exe | Llbnpm32.exe
File opened for modification | C:\Windows\SysWOW64\Hmbbcjic.exe | Hjdfgojp.exe
File created | C:\Windows\SysWOW64\Ccqnmgpk.dll | Kjdkap32.exe
Program crash (1 IoCs)
pid | pid_target | Process | procid_target
10192 | 10168 | WerFault.exe | 988
System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gbgnpl32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kldofi32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ncnoaj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qmmbhegc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ickaaf32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Aejmha32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Blkgdmbp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Efgnfi32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bmfamg32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gnfoao32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jhjldiln.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Amiioj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ljnebe32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dhfnca32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pemdic32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Oofbph32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hoflpbmo.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gkbplepn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Aeommfnf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fpnekc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gdedoegh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qcdgei32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gmcogf32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pgjgapaa.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fjbdmbmb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Egchocif.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Eqejjj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ggfgoo32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jdhmel32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Anigaeoh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jbmdig32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Feiamj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fhgnie32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nkpjfkhf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bpgjob32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dafchi32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jhebij32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qeeadi32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Adadedjq.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Iopeagip.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Blfnin32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Llpajmkq.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mpjboi32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pmjohoej.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fpgpjdnf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Endmgb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gbglgcbc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Odkkdqmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Npdlpnnj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Andnff32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ephihbnm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qmlief32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gljfeimi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pafacd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Aomdpj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Heedbbdb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jbgdcapi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nefncd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mibgho32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ndcnik32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Belfldoh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Okgpfjbo.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cclmlm32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dklkkoqf.exe
Modifies registry class (64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Jofhqiec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Pneiaidn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppdpkopc.dll" | Fbjeao32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Glgcec32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Kmphpc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ajmihn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojinqngj.dll" | Boiagp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Boiagp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcognhco.dll" | Feqbilcq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ghlgdecf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlbchbqk.dll" | Kjpafanf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Onkmhl32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Fflehp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Kecpipck.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnogai32.dll" | Mdibpn32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Odkkdqmd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ehnknfdn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Dmhcgd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eepjboco.dll" | Hpcbol32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Pkeppngm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Kdcinjpo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Gmflmfpe.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Meiedg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kppgjl32.dll" | Adohpe32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Fajpdmgb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ogpnakfp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnjbig32.dll" | Ioonfaed.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Lanpmn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ldgpea32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Oncpmf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ceidfi32.dll" | Pjlifjjb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbmdcf32.dll" | Bpgjob32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Fnoiqpqk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Mdcbjhme.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bioecdad.dll" | Ngajeg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ajfcgoec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Djokgk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjpgin32.dll" | Ihcidgpj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jehmda32.dll" | Iebmaoed.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Penioo32.dll" | Lphjkfbq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Lalchnfl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Jbandfkj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Oohmmojn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Kicednho.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ndcnik32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Blkgdmbp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Jflfbdqe.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Kcmfeldm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Lldkem32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Flqmddah.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Jjpehn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgodiaaa.dll" | Mfdklc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Dhcanahm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Nhlkkabh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Pclolakk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Blhifemo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Djahmk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmpbkmo.dll" | Endmgb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Fpoleilj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Hdmajkdl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Injlmcib.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Agkfil32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Chdeonfa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elcpkl32.dll" | Nqlikc32.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes
C:\Users\Admin\AppData\Local\Temp\ad14282e011d001eaefbba4c8951802acb0cfa979a5ead4955848792a0a0dcfd.exe"C:\Users\Admin\AppData\Local\Temp\ad14282e011d001eaefbba4c8951802acb0cfa979a5ead4955848792a0a0dcfd.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2528 -
C:\Windows\SysWOW64\Jkcllmhb.exeC:\Windows\system32\Jkcllmhb.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2328 -
C:\Windows\SysWOW64\Jbmdig32.exeC:\Windows\system32\Jbmdig32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2156 -
C:\Windows\SysWOW64\Jkeialfp.exeC:\Windows\system32\Jkeialfp.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2740 -
C:\Windows\SysWOW64\Jboanfmm.exeC:\Windows\system32\Jboanfmm.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2832 -
C:\Windows\SysWOW64\Jjjfbikh.exeC:\Windows\system32\Jjjfbikh.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2752 -
C:\Windows\SysWOW64\Jbandfkj.exeC:\Windows\system32\Jbandfkj.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2620 -
C:\Windows\SysWOW64\Jgnflmia.exeC:\Windows\system32\Jgnflmia.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2428 -
C:\Windows\SysWOW64\Knhoig32.exeC:\Windows\system32\Knhoig32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1032 -
C:\Windows\SysWOW64\Kgqcam32.exeC:\Windows\system32\Kgqcam32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1228 -
C:\Windows\SysWOW64\Knkkngol.exeC:\Windows\system32\Knkkngol.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3048 -
C:\Windows\SysWOW64\Kgcpgl32.exeC:\Windows\system32\Kgcpgl32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2296 -
C:\Windows\SysWOW64\Kffpcilf.exeC:\Windows\system32\Kffpcilf.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2924 -
C:\Windows\SysWOW64\Kmphpc32.exeC:\Windows\system32\Kmphpc32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2388 -
C:\Windows\SysWOW64\Kbmahjbk.exeC:\Windows\system32\Kbmahjbk.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:868 -
C:\Windows\SysWOW64\Kleeqp32.exeC:\Windows\system32\Kleeqp32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2432 -
C:\Windows\SysWOW64\Kfkjnh32.exeC:\Windows\system32\Kfkjnh32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2180 -
C:\Windows\SysWOW64\Klgbfo32.exeC:\Windows\system32\Klgbfo32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1244 -
C:\Windows\SysWOW64\Kofnbk32.exeC:\Windows\system32\Kofnbk32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2544 -
C:\Windows\SysWOW64\Lepfoe32.exeC:\Windows\system32\Lepfoe32.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2424 -
C:\Windows\SysWOW64\Lhnckp32.exeC:\Windows\system32\Lhnckp32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:888 -
C:\Windows\SysWOW64\Lohkhjcj.exeC:\Windows\system32\Lohkhjcj.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1528 -
C:\Windows\SysWOW64\Lafgdfbm.exeC:\Windows\system32\Lafgdfbm.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1268 -
C:\Windows\SysWOW64\Lojhmjag.exeC:\Windows\system32\Lojhmjag.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1768 -
C:\Windows\SysWOW64\Ledpjdid.exeC:\Windows\system32\Ledpjdid.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2108 -
C:\Windows\SysWOW64\Ldgpea32.exeC:\Windows\system32\Ldgpea32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1656 -
C:\Windows\SysWOW64\Lmpdoffo.exeC:\Windows\system32\Lmpdoffo.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1580 -
C:\Windows\SysWOW64\Lghigl32.exeC:\Windows\system32\Lghigl32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2816 -
C:\Windows\SysWOW64\Looahi32.exeC:\Windows\system32\Looahi32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2212 -
C:\Windows\SysWOW64\Lpqnpacp.exeC:\Windows\system32\Lpqnpacp.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2084 -
C:\Windows\SysWOW64\Lmdnjf32.exeC:\Windows\system32\Lmdnjf32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2584 -
C:\Windows\SysWOW64\Mikooghn.exeC:\Windows\system32\Mikooghn.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3060 -
C:\Windows\SysWOW64\Mmgkoe32.exeC:\Windows\system32\Mmgkoe32.exe33⤵
- Executes dropped EXE
PID:2896 -
C:\Windows\SysWOW64\Mdqclpgd.exeC:\Windows\system32\Mdqclpgd.exe34⤵
- Executes dropped EXE
PID:1648 -
C:\Windows\SysWOW64\Mebpchmb.exeC:\Windows\system32\Mebpchmb.exe35⤵
- Executes dropped EXE
PID:1320 -
C:\Windows\SysWOW64\Mmigdend.exeC:\Windows\system32\Mmigdend.exe36⤵
- Executes dropped EXE
PID:1072 -
C:\Windows\SysWOW64\Medligko.exeC:\Windows\system32\Medligko.exe37⤵
- Executes dropped EXE
PID:1740 -
C:\Windows\SysWOW64\Miphjf32.exeC:\Windows\system32\Miphjf32.exe38⤵
- Executes dropped EXE
PID:2228 -
C:\Windows\SysWOW64\Momqbm32.exeC:\Windows\system32\Momqbm32.exe39⤵
- Executes dropped EXE
PID:2028 -
C:\Windows\SysWOW64\Makmnh32.exeC:\Windows\system32\Makmnh32.exe40⤵
- Executes dropped EXE
PID:1136 -
C:\Windows\SysWOW64\Mheekb32.exeC:\Windows\system32\Mheekb32.exe41⤵
- Executes dropped EXE
PID:2572 -
C:\Windows\SysWOW64\Mkcagn32.exeC:\Windows\system32\Mkcagn32.exe42⤵
- Executes dropped EXE
PID:2164 -
C:\Windows\SysWOW64\Meiedg32.exeC:\Windows\system32\Meiedg32.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2064 -
C:\Windows\SysWOW64\Nkfnln32.exeC:\Windows\system32\Nkfnln32.exe44⤵
- Executes dropped EXE
PID:2484 -
C:\Windows\SysWOW64\Napfihmn.exeC:\Windows\system32\Napfihmn.exe45⤵
- Executes dropped EXE
PID:2996 -
C:\Windows\SysWOW64\Ndnbeclb.exeC:\Windows\system32\Ndnbeclb.exe46⤵
- Executes dropped EXE
PID:1536 -
C:\Windows\SysWOW64\Nkhkbmco.exeC:\Windows\system32\Nkhkbmco.exe47⤵
- Executes dropped EXE
PID:2880 -
C:\Windows\SysWOW64\Nnfgnibb.exeC:\Windows\system32\Nnfgnibb.exe48⤵
- Executes dropped EXE
PID:904 -
C:\Windows\SysWOW64\Npecjdaf.exeC:\Windows\system32\Npecjdaf.exe49⤵
- Executes dropped EXE
PID:1456 -
C:\Windows\SysWOW64\Nhlkkabh.exeC:\Windows\system32\Nhlkkabh.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:2944 -
C:\Windows\SysWOW64\Njmhcj32.exeC:\Windows\system32\Njmhcj32.exe51⤵
- Executes dropped EXE
PID:2736 -
C:\Windows\SysWOW64\Nadpdg32.exeC:\Windows\system32\Nadpdg32.exe52⤵
- Executes dropped EXE
PID:2624 -
C:\Windows\SysWOW64\Ndclpb32.exeC:\Windows\system32\Ndclpb32.exe53⤵
- Executes dropped EXE
PID:2748 -
C:\Windows\SysWOW64\Ncellpog.exeC:\Windows\system32\Ncellpog.exe54⤵
- Executes dropped EXE
PID:2592 -
C:\Windows\SysWOW64\Nkmdmm32.exeC:\Windows\system32\Nkmdmm32.exe55⤵
- Executes dropped EXE
PID:2008 -
C:\Windows\SysWOW64\Nnkqih32.exeC:\Windows\system32\Nnkqih32.exe56⤵
- Executes dropped EXE
PID:2308 -
C:\Windows\SysWOW64\Nqjmec32.exeC:\Windows\system32\Nqjmec32.exe57⤵
- Executes dropped EXE
PID:2516 -
C:\Windows\SysWOW64\Ndeifbfj.exeC:\Windows\system32\Ndeifbfj.exe58⤵
- Executes dropped EXE
PID:2916 -
C:\Windows\SysWOW64\Nffenj32.exeC:\Windows\system32\Nffenj32.exe59⤵
- Executes dropped EXE
PID:1704 -
C:\Windows\SysWOW64\Nnnmoh32.exeC:\Windows\system32\Nnnmoh32.exe60⤵
- Executes dropped EXE
PID:1132 -
C:\Windows\SysWOW64\Nqlikc32.exeC:\Windows\system32\Nqlikc32.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2980 -
C:\Windows\SysWOW64\Ocjfgo32.exeC:\Windows\system32\Ocjfgo32.exe62⤵
- Executes dropped EXE
PID:1776 -
C:\Windows\SysWOW64\Ofibcj32.exeC:\Windows\system32\Ofibcj32.exe63⤵
- Executes dropped EXE
PID:2200 -
C:\Windows\SysWOW64\Ombjpd32.exeC:\Windows\system32\Ombjpd32.exe64⤵
- Executes dropped EXE
PID:2020 -
C:\Windows\SysWOW64\Ocmbmnio.exeC:\Windows\system32\Ocmbmnio.exe65⤵
- Executes dropped EXE
PID:1980 -
C:\Windows\SysWOW64\Obpbhk32.exeC:\Windows\system32\Obpbhk32.exe66⤵PID:276
C:\Windows\SysWOW64\Ojgkih32.exeC:\Windows\system32\Ojgkih32.exe67⤵PID:376
C:\Windows\SysWOW64\Omeged32.exeC:\Windows\system32\Omeged32.exe68⤵PID:2852
C:\Windows\SysWOW64\Ocoobngl.exeC:\Windows\system32\Ocoobngl.exe69⤵PID:2848
C:\Windows\SysWOW64\Ofmknifp.exeC:\Windows\system32\Ofmknifp.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2644 -
C:\Windows\SysWOW64\Okjdfq32.exeC:\Windows\system32\Okjdfq32.exe71⤵PID:2640
C:\Windows\SysWOW64\Oofpgolq.exeC:\Windows\system32\Oofpgolq.exe72⤵PID:2000
C:\Windows\SysWOW64\Ofphdi32.exeC:\Windows\system32\Ofphdi32.exe73⤵PID:880
C:\Windows\SysWOW64\Oindpd32.exeC:\Windows\system32\Oindpd32.exe74⤵PID:1632
C:\Windows\SysWOW64\Oohmmojn.exeC:\Windows\system32\Oohmmojn.exe75⤵
- Modifies registry class
PID:2132 -
C:\Windows\SysWOW64\Onkmhl32.exeC:\Windows\system32\Onkmhl32.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2628 -
C:\Windows\SysWOW64\Oqiidg32.exeC:\Windows\system32\Oqiidg32.exe77⤵PID:2488
C:\Windows\SysWOW64\Oiqaed32.exeC:\Windows\system32\Oiqaed32.exe78⤵PID:2976
C:\Windows\SysWOW64\Okomappb.exeC:\Windows\system32\Okomappb.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3036 -
C:\Windows\SysWOW64\Pbienj32.exeC:\Windows\system32\Pbienj32.exe80⤵
- Drops file in System32 directory
PID:820 -
C:\Windows\SysWOW64\Pegaje32.exeC:\Windows\system32\Pegaje32.exe81⤵PID:1616
C:\Windows\SysWOW64\Pgfnfq32.exeC:\Windows\system32\Pgfnfq32.exe82⤵PID:1760
C:\Windows\SysWOW64\Pnpfckmc.exeC:\Windows\system32\Pnpfckmc.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1924 -
C:\Windows\SysWOW64\Pmbfoh32.exeC:\Windows\system32\Pmbfoh32.exe84⤵PID:1712
C:\Windows\SysWOW64\Pclolakk.exeC:\Windows\system32\Pclolakk.exe85⤵
- Drops file in System32 directory
- Modifies registry class
PID:2956 -
C:\Windows\SysWOW64\Pghklq32.exeC:\Windows\system32\Pghklq32.exe86⤵PID:2604
C:\Windows\SysWOW64\Pjfghl32.exeC:\Windows\system32\Pjfghl32.exe87⤵PID:2856
C:\Windows\SysWOW64\Pmecdgbk.exeC:\Windows\system32\Pmecdgbk.exe88⤵
- Drops file in System32 directory
PID:2888 -
C:\Windows\SysWOW64\Ppcoqbao.exeC:\Windows\system32\Ppcoqbao.exe89⤵PID:2688
C:\Windows\SysWOW64\Pgjgapaa.exeC:\Windows\system32\Pgjgapaa.exe90⤵
- System Location Discovery: System Language Discovery
PID:1620 -
C:\Windows\SysWOW64\Pjicnlqe.exeC:\Windows\system32\Pjicnlqe.exe91⤵PID:988
C:\Windows\SysWOW64\Paclje32.exeC:\Windows\system32\Paclje32.exe92⤵PID:2208
C:\Windows\SysWOW64\Pcahga32.exeC:\Windows\system32\Pcahga32.exe93⤵PID:2480
C:\Windows\SysWOW64\Pfpdcm32.exeC:\Windows\system32\Pfpdcm32.exe94⤵PID:1828
C:\Windows\SysWOW64\Pmimpf32.exeC:\Windows\system32\Pmimpf32.exe95⤵PID:1872
C:\Windows\SysWOW64\Pphilb32.exeC:\Windows\system32\Pphilb32.exe96⤵PID:492
C:\Windows\SysWOW64\Pbfehn32.exeC:\Windows\system32\Pbfehn32.exe97⤵PID:2972
C:\Windows\SysWOW64\Qeeadi32.exeC:\Windows\system32\Qeeadi32.exe98⤵
- System Location Discovery: System Language Discovery
PID:2780 -
C:\Windows\SysWOW64\Qmlief32.exeC:\Windows\system32\Qmlief32.exe99⤵
- System Location Discovery: System Language Discovery
PID:2024 -
C:\Windows\SysWOW64\Qpjeaa32.exeC:\Windows\system32\Qpjeaa32.exe100⤵PID:1820
C:\Windows\SysWOW64\Qfdnnlbc.exeC:\Windows\system32\Qfdnnlbc.exe101⤵PID:3044
C:\Windows\SysWOW64\Qibjjgag.exeC:\Windows\system32\Qibjjgag.exe102⤵PID:2936
C:\Windows\SysWOW64\Qlaffbqk.exeC:\Windows\system32\Qlaffbqk.exe103⤵
- Drops file in System32 directory
PID:1208 -
C:\Windows\SysWOW64\Qpmbgaid.exeC:\Windows\system32\Qpmbgaid.exe104⤵PID:2372
C:\Windows\SysWOW64\Abkncmhh.exeC:\Windows\system32\Abkncmhh.exe105⤵PID:1204
C:\Windows\SysWOW64\Aeikohgk.exeC:\Windows\system32\Aeikohgk.exe106⤵PID:976
C:\Windows\SysWOW64\Ajfcgoec.exeC:\Windows\system32\Ajfcgoec.exe107⤵
- Modifies registry class
PID:1436 -
C:\Windows\SysWOW64\Abmkhmfe.exeC:\Windows\system32\Abmkhmfe.exe108⤵PID:772
C:\Windows\SysWOW64\Adohpe32.exeC:\Windows\system32\Adohpe32.exe109⤵
- Modifies registry class
PID:1624 -
C:\Windows\SysWOW64\Alfpab32.exeC:\Windows\system32\Alfpab32.exe110⤵PID:2960
C:\Windows\SysWOW64\Aabhiikm.exeC:\Windows\system32\Aabhiikm.exe111⤵PID:2664
C:\Windows\SysWOW64\Adadedjq.exeC:\Windows\system32\Adadedjq.exe112⤵
- System Location Discovery: System Language Discovery
PID:1128 -
C:\Windows\SysWOW64\Afoqbpid.exeC:\Windows\system32\Afoqbpid.exe113⤵PID:1812
C:\Windows\SysWOW64\Amiioj32.exeC:\Windows\system32\Amiioj32.exe114⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2264 -
C:\Windows\SysWOW64\Ahomlb32.exeC:\Windows\system32\Ahomlb32.exe115⤵PID:1684
C:\Windows\SysWOW64\Ajmihn32.exeC:\Windows\system32\Ajmihn32.exe116⤵
- Modifies registry class
PID:2768 -
C:\Windows\SysWOW64\Amledj32.exeC:\Windows\system32\Amledj32.exe117⤵PID:2380
C:\Windows\SysWOW64\Apjbpemb.exeC:\Windows\system32\Apjbpemb.exe118⤵PID:2140
C:\Windows\SysWOW64\Afdjmo32.exeC:\Windows\system32\Afdjmo32.exe119⤵PID:1504
C:\Windows\SysWOW64\Blabef32.exeC:\Windows\system32\Blabef32.exe120⤵PID:1792
C:\Windows\SysWOW64\Bdhjfc32.exeC:\Windows\system32\Bdhjfc32.exe121⤵PID:1372
C:\Windows\SysWOW64\Biecoj32.exeC:\Windows\system32\Biecoj32.exe122⤵
- Drops file in System32 directory
PID:1196