Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
06/03/2025, 05:06
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
77f9c82068a1da4648bd28edfb8a4422600cbc7cf98f53bd226b1585a370eb09.exe
Resource
win7-20240903-en
windows7-x64
11 signatures
150 seconds
Behavioral task
behavioral2
Sample
77f9c82068a1da4648bd28edfb8a4422600cbc7cf98f53bd226b1585a370eb09.exe
Resource
win10v2004-20250217-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
77f9c82068a1da4648bd28edfb8a4422600cbc7cf98f53bd226b1585a370eb09.exe
-
Size
59KB
-
MD5
8001d797ffded5170aa8445dd1df1187
-
SHA1
09900abee3331c976ca07de9e2d0f4a6653efc0b
-
SHA256
77f9c82068a1da4648bd28edfb8a4422600cbc7cf98f53bd226b1585a370eb09
-
SHA512
c8fd9d32a383da8e0c447885db288c94abba95bec1bf69e454c003118e5dcc51e334b51fc91b495aaa23b9d7ce58b658936577fd6a6ae2e545525497f92a2607
-
SSDEEP
1536:0mtgLLapeNDUdQQ1BQnRmTyXe91WIYNCyVso:lmakNY6cYg40eso
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjdofm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ciaefa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enlidg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jpdnbbah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mkddnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pciddedl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbjmpcab.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjcppidk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iliebpfc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdbbgdjj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aficjnpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gcgnnlle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ihniaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kocmim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pidfdofi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbppnbhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kbigpn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alqnah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qngopb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Famope32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flhmfbim.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhfefgkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njpgpbpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hcdnhoac.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcjhmcok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nbflno32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omklkkpl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmmeon32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Biaign32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbepdhgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eobchk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cmpgpond.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djdgic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Acfdnihk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adfqgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fjegog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kadfkhkf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpkpadnl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pleofj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnbdko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nmejllia.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Peedka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iflmjihl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mggabaea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bqeqqk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfkloq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njjcip32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjpkqonj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qgjccb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehpalp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbadjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gcbabpcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hcigco32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lohccp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opihgfop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kofaicon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lbicoamh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkecij32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfbbjpgd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdiogq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Inhanl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oekjjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qndkpmkm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aaimopli.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2328 Jgfcja32.exe 2032 Jjdofm32.exe 2196 Jlckbh32.exe 2776 Kfkpknkq.exe 2812 Knbhlkkc.exe 2668 Kcopdb32.exe 2624 Kjihalag.exe 2984 Klhemhpk.exe 2044 Kofaicon.exe 1748 Kfpifm32.exe 1980 Khoebi32.exe 536 Kljabgnh.exe 584 Kcdjoaee.exe 2012 Kfbfkmeh.exe 2192 Kllnhg32.exe 2608 Kkoncdcp.exe 1032 Kbigpn32.exe 560 Khcomhbi.exe 960 Kgfoie32.exe 2452 Lomgjb32.exe 2256 Lqncaj32.exe 1564 Ldjpbign.exe 1788 Lkdhoc32.exe 2948 Lnbdko32.exe 2252 Ldllgiek.exe 2988 Lcomce32.exe 2712 Lkfddc32.exe 2156 Lqcmmjko.exe 2828 Lcaiiejc.exe 2744 Lgmeid32.exe 2572 Lqejbiim.exe 2976 Lohjnf32.exe 2996 Lcdfnehp.exe 2312 Lfbbjpgd.exe 1900 Ljnnko32.exe 1808 Lqhfhigj.exe 1952 Lokgcf32.exe 1524 Lbicoamh.exe 2636 Mjpkqonj.exe 2664 Mkaghg32.exe 2972 Mchoid32.exe 1092 Mfglep32.exe 528 Miehak32.exe 1620 Mkddnf32.exe 2344 Mnbpjb32.exe 1692 Melifl32.exe 784 Mihdgkpp.exe 2952 Macilmnk.exe 2332 Mijamjnm.exe 2072 Mjkndb32.exe 3056 Mbbfep32.exe 2672 Meabakda.exe 2900 Nagbgl32.exe 2740 Ncfoch32.exe 2640 Nfdkoc32.exe 1972 Njpgpbpf.exe 1596 Nnkcpq32.exe 1076 Npmphinm.exe 2788 Nhdhif32.exe 2160 Njbdea32.exe 2208 Njbdea32.exe 848 Niedqnen.exe 988 Ndkhngdd.exe 2076 Njdqka32.exe -
Loads dropped DLL 64 IoCs
pid Process 2512 77f9c82068a1da4648bd28edfb8a4422600cbc7cf98f53bd226b1585a370eb09.exe 2512 77f9c82068a1da4648bd28edfb8a4422600cbc7cf98f53bd226b1585a370eb09.exe 2328 Jgfcja32.exe 2328 Jgfcja32.exe 2032 Jjdofm32.exe 2032 Jjdofm32.exe 2196 Jlckbh32.exe 2196 Jlckbh32.exe 2776 Kfkpknkq.exe 2776 Kfkpknkq.exe 2812 Knbhlkkc.exe 2812 Knbhlkkc.exe 2668 Kcopdb32.exe 2668 Kcopdb32.exe 2624 Kjihalag.exe 2624 Kjihalag.exe 2984 Klhemhpk.exe 2984 Klhemhpk.exe 2044 Kofaicon.exe 2044 Kofaicon.exe 1748 Kfpifm32.exe 1748 Kfpifm32.exe 1980 Khoebi32.exe 1980 Khoebi32.exe 536 Kljabgnh.exe 536 Kljabgnh.exe 584 Kcdjoaee.exe 584 Kcdjoaee.exe 2012 Kfbfkmeh.exe 2012 Kfbfkmeh.exe 2192 Kllnhg32.exe 2192 Kllnhg32.exe 2608 Kkoncdcp.exe 2608 Kkoncdcp.exe 1032 Kbigpn32.exe 1032 Kbigpn32.exe 560 Khcomhbi.exe 560 Khcomhbi.exe 960 Kgfoie32.exe 960 Kgfoie32.exe 2452 Lomgjb32.exe 2452 Lomgjb32.exe 2256 Lqncaj32.exe 2256 Lqncaj32.exe 1564 Ldjpbign.exe 1564 Ldjpbign.exe 1788 Lkdhoc32.exe 1788 Lkdhoc32.exe 2948 Lnbdko32.exe 2948 Lnbdko32.exe 2252 Ldllgiek.exe 2252 Ldllgiek.exe 2988 Lcomce32.exe 2988 Lcomce32.exe 2712 Lkfddc32.exe 2712 Lkfddc32.exe 2156 Lqcmmjko.exe 2156 Lqcmmjko.exe 2828 Lcaiiejc.exe 2828 Lcaiiejc.exe 2744 Lgmeid32.exe 2744 Lgmeid32.exe 2572 Lqejbiim.exe 2572 Lqejbiim.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Cbehjc32.dll Djdgic32.exe File created C:\Windows\SysWOW64\Ghfcobil.dll Oekjjl32.exe File created C:\Windows\SysWOW64\Bnfddp32.exe Bkhhhd32.exe File opened for modification C:\Windows\SysWOW64\Oiljam32.exe Noffdd32.exe File created C:\Windows\SysWOW64\Cnfqccna.exe Ckhdggom.exe File created C:\Windows\SysWOW64\Lgmeid32.exe Lcaiiejc.exe File created C:\Windows\SysWOW64\Oioggmmc.exe Oeckfndj.exe File created C:\Windows\SysWOW64\Mmhadf32.dll Diaaeepi.exe File created C:\Windows\SysWOW64\Eddmlhaq.dll Lbcbjlmb.exe File created C:\Windows\SysWOW64\Qnghel32.exe Qjklenpa.exe File opened for modification C:\Windows\SysWOW64\Qhmcmk32.exe Qdaglmcb.exe File opened for modification C:\Windows\SysWOW64\Iahkpg32.exe Injndk32.exe File opened for modification C:\Windows\SysWOW64\Beackp32.exe Bcpgdhpp.exe File created C:\Windows\SysWOW64\Nnoiio32.exe Nlqmmd32.exe File opened for modification C:\Windows\SysWOW64\Hjacjifm.exe Hgbfnngi.exe File opened for modification C:\Windows\SysWOW64\Loqmba32.exe Llbqfe32.exe File opened for modification C:\Windows\SysWOW64\Lddlkg32.exe Lbfook32.exe File created C:\Windows\SysWOW64\Mkqqnq32.exe Mcjhmcok.exe File opened for modification C:\Windows\SysWOW64\Qndkpmkm.exe Qiioon32.exe File opened for modification C:\Windows\SysWOW64\Cchbgi32.exe Ceebklai.exe File created C:\Windows\SysWOW64\Mhmdim32.dll Pcghof32.exe File opened for modification C:\Windows\SysWOW64\Eggndi32.exe Edibhmml.exe File opened for modification C:\Windows\SysWOW64\Mnmpdlac.exe Mjaddn32.exe File created C:\Windows\SysWOW64\Liempneg.dll Cjonncab.exe File opened for modification C:\Windows\SysWOW64\Njdqka32.exe Ndkhngdd.exe File opened for modification C:\Windows\SysWOW64\Jlkngc32.exe Jeafjiop.exe File created C:\Windows\SysWOW64\Giackg32.dll Koaqcn32.exe File created C:\Windows\SysWOW64\Kpgffe32.exe Kadfkhkf.exe File created C:\Windows\SysWOW64\Bjdkjpkb.exe Bfioia32.exe File created C:\Windows\SysWOW64\Alacdcjm.dll Pckajebj.exe File opened for modification C:\Windows\SysWOW64\Bjbeofpp.exe Biaign32.exe File created C:\Windows\SysWOW64\Kodhamlk.dll Caaggpdh.exe File created C:\Windows\SysWOW64\Iihiphln.exe Ifjlcmmj.exe File created C:\Windows\SysWOW64\Coglpp32.dll Gepafc32.exe File created C:\Windows\SysWOW64\Jkchmo32.exe Jlphbbbg.exe File opened for modification C:\Windows\SysWOW64\Ngealejo.exe Nibqqh32.exe File created C:\Windows\SysWOW64\Enlidg32.exe Eknmhk32.exe File created C:\Windows\SysWOW64\Jclcfm32.dll Gdkgkcpq.exe File created C:\Windows\SysWOW64\Moohhbcf.dll Nnafnopi.exe File opened for modification C:\Windows\SysWOW64\Nabopjmj.exe Nmfbpk32.exe File created C:\Windows\SysWOW64\Aqmamm32.exe Ajcipc32.exe File opened for modification C:\Windows\SysWOW64\Kekiphge.exe Kaompi32.exe File created C:\Windows\SysWOW64\Gbnbjo32.dll Bjbndpmd.exe File created C:\Windows\SysWOW64\Gqahqd32.exe Gbohehoj.exe File opened for modification C:\Windows\SysWOW64\Inhanl32.exe Iliebpfc.exe File created C:\Windows\SysWOW64\Ollopmbl.dll Ldbofgme.exe File created C:\Windows\SysWOW64\Kbfcnc32.dll Ppnnai32.exe File created C:\Windows\SysWOW64\Qkffng32.exe Phhjblpa.exe File created C:\Windows\SysWOW64\Dhmhhmlm.exe Ddblgn32.exe File created C:\Windows\SysWOW64\Fjlcglnk.dll Fdkklp32.exe File created C:\Windows\SysWOW64\Lfhhjklc.exe Lcjlnpmo.exe File opened for modification C:\Windows\SysWOW64\Locjhqpa.exe Lldmleam.exe File created C:\Windows\SysWOW64\Bniajoic.exe Bkjdndjo.exe File opened for modification C:\Windows\SysWOW64\Bmbgfkje.exe Bjdkjpkb.exe File created C:\Windows\SysWOW64\Kbigpn32.exe Kkoncdcp.exe File created C:\Windows\SysWOW64\Caaggpdh.exe Cnckjddd.exe File created C:\Windows\SysWOW64\Qfekkflj.dll Iedfqeka.exe File opened for modification C:\Windows\SysWOW64\Kdklfe32.exe Jampjian.exe File opened for modification C:\Windows\SysWOW64\Piicpk32.exe Obokcqhk.exe File created C:\Windows\SysWOW64\Hjjpmh32.dll Obdojcef.exe File created C:\Windows\SysWOW64\Mggljj32.dll Gbohehoj.exe File opened for modification C:\Windows\SysWOW64\Mmicfh32.exe Mimgeigj.exe File opened for modification C:\Windows\SysWOW64\Jgfcja32.exe 77f9c82068a1da4648bd28edfb8a4422600cbc7cf98f53bd226b1585a370eb09.exe File opened for modification C:\Windows\SysWOW64\Noffdd32.exe Nlhjhi32.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\system32†Dcllbhdn.¿xe Dpapaj32.exe File opened for modification C:\Windows\system32†Dcllbhdn.¿xe Dpapaj32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 7140 7092 WerFault.exe 638 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obmnna32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lqncaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aggiigmn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgibnj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihbcmaje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihglhp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpbalb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkoicb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pidfdofi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lqhfhigj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlnpgd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgoelh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcdjoaee.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmgfqh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Piicpk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bccmmf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knbhlkkc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Caaggpdh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eggndi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkiicmdh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ompefj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnkcpq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pilfpqaa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kglehp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llbqfe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Neknki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bcpgdhpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnheohcl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcjhmcok.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjegog32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfcijf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbiiog32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpkpadnl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbbpenco.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djdgic32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okgjodmi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imokehhl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfahomfd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pleofj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlhjhi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmmagpef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmkplgnq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppnnai32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afdiondb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckhdggom.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbdiia32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Melifl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pckajebj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eogmcjef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpphhp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iimfld32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mqnifg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adnpkjde.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccjoli32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldllgiek.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aknlofim.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dphmloih.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iflmjihl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jeafjiop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qcachc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Achjibcl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfioia32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjkgjl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmmeon32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Njpgpbpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pknedeoi.dll" Dhiomn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpqmndme.dll" Qnghel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bggaoocn.dll" Bnqned32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hmkeke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Goiebopf.dll" Iihiphln.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Njjcip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Apedah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djidckbd.dll" Ehpalp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ollopmbl.dll" Ldbofgme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oefdbdjo.dll" Oekjjl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jhbold32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kllnhg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mbbfep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apmhbiaf.dll" Bkmhnjlh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bnqned32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldpeabpb.dll" Kjihalag.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qnebjc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kfkpknkq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mkddnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Giipab32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lfkeokjp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ookpodkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghfcobil.dll" Oekjjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cceell32.dll" Qgmpibam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cgaaah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fpoolael.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Phqmgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogdgeded.dll" Phfmllbd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Amcbankf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jclnhnji.dll" Bnnaoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olbkdn32.dll" Qjklenpa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aknlofim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbkkmi32.dll" Cacclpae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cfeepelg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abillbab.dll" Daacecfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Loefnpnn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hgbfnngi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mqpflg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lflhon32.dll" Opihgfop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbjclbek.dll" Achjibcl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mcqombic.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nipdkieg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Odgamdef.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} 77f9c82068a1da4648bd28edfb8a4422600cbc7cf98f53bd226b1585a370eb09.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aqmamm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfjckino.dll" Jpbalb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jlkngc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Neknki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnbkfl32.dll" Cbdiia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kcdjoaee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdbjqpda.dll" Chfbgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pgfjhcge.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID 77f9c82068a1da4648bd28edfb8a4422600cbc7cf98f53bd226b1585a370eb09.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kofaicon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Plolgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbefdnjd.dll" Cpdgbm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pmmeon32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bbjmpcab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gcgnnlle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ngealejo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Daacecfc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lboiol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nappechk.dll" Mqpflg32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2512 wrote to memory of 2328 2512 77f9c82068a1da4648bd28edfb8a4422600cbc7cf98f53bd226b1585a370eb09.exe 30 PID 2512 wrote to memory of 2328 2512 77f9c82068a1da4648bd28edfb8a4422600cbc7cf98f53bd226b1585a370eb09.exe 30 PID 2512 wrote to memory of 2328 2512 77f9c82068a1da4648bd28edfb8a4422600cbc7cf98f53bd226b1585a370eb09.exe 30 PID 2512 wrote to memory of 2328 2512 77f9c82068a1da4648bd28edfb8a4422600cbc7cf98f53bd226b1585a370eb09.exe 30 PID 2328 wrote to memory of 2032 2328 Jgfcja32.exe 31 PID 2328 wrote to memory of 2032 2328 Jgfcja32.exe 31 PID 2328 wrote to memory of 2032 2328 Jgfcja32.exe 31 PID 2328 wrote to memory of 2032 2328 Jgfcja32.exe 31 PID 2032 wrote to memory of 2196 2032 Jjdofm32.exe 32 PID 2032 wrote to memory of 2196 2032 Jjdofm32.exe 32 PID 2032 wrote to memory of 2196 2032 Jjdofm32.exe 32 PID 2032 wrote to memory of 2196 2032 Jjdofm32.exe 32 PID 2196 wrote to memory of 2776 2196 Jlckbh32.exe 33 PID 2196 wrote to memory of 2776 2196 Jlckbh32.exe 33 PID 2196 wrote to memory of 2776 2196 Jlckbh32.exe 33 PID 2196 wrote to memory of 2776 2196 Jlckbh32.exe 33 PID 2776 wrote to memory of 2812 2776 Kfkpknkq.exe 34 PID 2776 wrote to memory of 2812 2776 Kfkpknkq.exe 34 PID 2776 wrote to memory of 2812 2776 Kfkpknkq.exe 34 PID 2776 wrote to memory of 2812 2776 Kfkpknkq.exe 34 PID 2812 wrote to memory of 2668 2812 Knbhlkkc.exe 35 PID 2812 wrote to memory of 2668 2812 Knbhlkkc.exe 35 PID 2812 wrote to memory of 2668 2812 Knbhlkkc.exe 35 PID 2812 wrote to memory of 2668 2812 Knbhlkkc.exe 35 PID 2668 wrote to memory of 2624 2668 Kcopdb32.exe 36 PID 2668 wrote to memory of 2624 2668 Kcopdb32.exe 36 PID 2668 wrote to memory of 2624 2668 Kcopdb32.exe 36 PID 2668 wrote to memory of 2624 2668 Kcopdb32.exe 36 PID 2624 wrote to memory of 2984 2624 Kjihalag.exe 37 PID 2624 wrote to memory of 2984 2624 Kjihalag.exe 37 PID 2624 wrote to memory of 2984 2624 Kjihalag.exe 37 PID 2624 wrote to memory of 2984 2624 Kjihalag.exe 37 PID 2984 wrote to memory of 2044 2984 Klhemhpk.exe 38 PID 2984 wrote to memory of 2044 2984 Klhemhpk.exe 38 PID 2984 wrote to memory of 2044 2984 Klhemhpk.exe 38 PID 2984 wrote to memory of 2044 2984 Klhemhpk.exe 38 PID 2044 wrote to memory of 1748 2044 Kofaicon.exe 39 PID 2044 wrote to memory of 1748 2044 Kofaicon.exe 39 PID 2044 wrote to memory of 1748 2044 Kofaicon.exe 39 PID 2044 wrote to memory of 1748 2044 Kofaicon.exe 39 PID 1748 wrote to memory of 1980 1748 Kfpifm32.exe 40 PID 1748 wrote to memory of 1980 1748 Kfpifm32.exe 40 PID 1748 wrote to memory of 1980 1748 Kfpifm32.exe 40 PID 1748 wrote to memory of 1980 1748 Kfpifm32.exe 40 PID 1980 wrote to memory of 536 1980 Khoebi32.exe 41 PID 1980 wrote to memory of 536 1980 Khoebi32.exe 41 PID 1980 wrote to memory of 536 1980 Khoebi32.exe 41 PID 1980 wrote to memory of 536 1980 Khoebi32.exe 41 PID 536 wrote to memory of 584 536 Kljabgnh.exe 42 PID 536 wrote to memory of 584 536 Kljabgnh.exe 42 PID 536 wrote to memory of 584 536 Kljabgnh.exe 42 PID 536 wrote to memory of 584 536 Kljabgnh.exe 42 PID 584 wrote to memory of 2012 584 Kcdjoaee.exe 43 PID 584 wrote to memory of 2012 584 Kcdjoaee.exe 43 PID 584 wrote to memory of 2012 584 Kcdjoaee.exe 43 PID 584 wrote to memory of 2012 584 Kcdjoaee.exe 43 PID 2012 wrote to memory of 2192 2012 Kfbfkmeh.exe 44 PID 2012 wrote to memory of 2192 2012 Kfbfkmeh.exe 44 PID 2012 wrote to memory of 2192 2012 Kfbfkmeh.exe 44 PID 2012 wrote to memory of 2192 2012 Kfbfkmeh.exe 44 PID 2192 wrote to memory of 2608 2192 Kllnhg32.exe 45 PID 2192 wrote to memory of 2608 2192 Kllnhg32.exe 45 PID 2192 wrote to memory of 2608 2192 Kllnhg32.exe 45 PID 2192 wrote to memory of 2608 2192 Kllnhg32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\77f9c82068a1da4648bd28edfb8a4422600cbc7cf98f53bd226b1585a370eb09.exe"C:\Users\Admin\AppData\Local\Temp\77f9c82068a1da4648bd28edfb8a4422600cbc7cf98f53bd226b1585a370eb09.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2512 -
C:\Windows\SysWOW64\Jgfcja32.exeC:\Windows\system32\Jgfcja32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2328 -
C:\Windows\SysWOW64\Jjdofm32.exeC:\Windows\system32\Jjdofm32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2032 -
C:\Windows\SysWOW64\Jlckbh32.exeC:\Windows\system32\Jlckbh32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2196 -
C:\Windows\SysWOW64\Kfkpknkq.exeC:\Windows\system32\Kfkpknkq.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2776 -
C:\Windows\SysWOW64\Knbhlkkc.exeC:\Windows\system32\Knbhlkkc.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2812 -
C:\Windows\SysWOW64\Kcopdb32.exeC:\Windows\system32\Kcopdb32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2668 -
C:\Windows\SysWOW64\Kjihalag.exeC:\Windows\system32\Kjihalag.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2624 -
C:\Windows\SysWOW64\Klhemhpk.exeC:\Windows\system32\Klhemhpk.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2984 -
C:\Windows\SysWOW64\Kofaicon.exeC:\Windows\system32\Kofaicon.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2044 -
C:\Windows\SysWOW64\Kfpifm32.exeC:\Windows\system32\Kfpifm32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1748 -
C:\Windows\SysWOW64\Khoebi32.exeC:\Windows\system32\Khoebi32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1980 -
C:\Windows\SysWOW64\Kljabgnh.exeC:\Windows\system32\Kljabgnh.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:536 -
C:\Windows\SysWOW64\Kcdjoaee.exeC:\Windows\system32\Kcdjoaee.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:584 -
C:\Windows\SysWOW64\Kfbfkmeh.exeC:\Windows\system32\Kfbfkmeh.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2012 -
C:\Windows\SysWOW64\Kllnhg32.exeC:\Windows\system32\Kllnhg32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2192 -
C:\Windows\SysWOW64\Kkoncdcp.exeC:\Windows\system32\Kkoncdcp.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2608 -
C:\Windows\SysWOW64\Kbigpn32.exeC:\Windows\system32\Kbigpn32.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1032 -
C:\Windows\SysWOW64\Khcomhbi.exeC:\Windows\system32\Khcomhbi.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:560 -
C:\Windows\SysWOW64\Kgfoie32.exeC:\Windows\system32\Kgfoie32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:960 -
C:\Windows\SysWOW64\Lomgjb32.exeC:\Windows\system32\Lomgjb32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2452 -
C:\Windows\SysWOW64\Lqncaj32.exeC:\Windows\system32\Lqncaj32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2256 -
C:\Windows\SysWOW64\Ldjpbign.exeC:\Windows\system32\Ldjpbign.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1564 -
C:\Windows\SysWOW64\Lkdhoc32.exeC:\Windows\system32\Lkdhoc32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1788 -
C:\Windows\SysWOW64\Lnbdko32.exeC:\Windows\system32\Lnbdko32.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2948 -
C:\Windows\SysWOW64\Ldllgiek.exeC:\Windows\system32\Ldllgiek.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2252 -
C:\Windows\SysWOW64\Lcomce32.exeC:\Windows\system32\Lcomce32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2988 -
C:\Windows\SysWOW64\Lkfddc32.exeC:\Windows\system32\Lkfddc32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2712 -
C:\Windows\SysWOW64\Lqcmmjko.exeC:\Windows\system32\Lqcmmjko.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2156 -
C:\Windows\SysWOW64\Lcaiiejc.exeC:\Windows\system32\Lcaiiejc.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2828 -
C:\Windows\SysWOW64\Lgmeid32.exeC:\Windows\system32\Lgmeid32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2744 -
C:\Windows\SysWOW64\Lqejbiim.exeC:\Windows\system32\Lqejbiim.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2572 -
C:\Windows\SysWOW64\Lohjnf32.exeC:\Windows\system32\Lohjnf32.exe33⤵
- Executes dropped EXE
PID:2976 -
C:\Windows\SysWOW64\Lcdfnehp.exeC:\Windows\system32\Lcdfnehp.exe34⤵
- Executes dropped EXE
PID:2996 -
C:\Windows\SysWOW64\Lfbbjpgd.exeC:\Windows\system32\Lfbbjpgd.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2312 -
C:\Windows\SysWOW64\Ljnnko32.exeC:\Windows\system32\Ljnnko32.exe36⤵
- Executes dropped EXE
PID:1900 -
C:\Windows\SysWOW64\Lqhfhigj.exeC:\Windows\system32\Lqhfhigj.exe37⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1808 -
C:\Windows\SysWOW64\Lokgcf32.exeC:\Windows\system32\Lokgcf32.exe38⤵
- Executes dropped EXE
PID:1952 -
C:\Windows\SysWOW64\Lbicoamh.exeC:\Windows\system32\Lbicoamh.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1524 -
C:\Windows\SysWOW64\Mjpkqonj.exeC:\Windows\system32\Mjpkqonj.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2636 -
C:\Windows\SysWOW64\Mkaghg32.exeC:\Windows\system32\Mkaghg32.exe41⤵
- Executes dropped EXE
PID:2664 -
C:\Windows\SysWOW64\Mchoid32.exeC:\Windows\system32\Mchoid32.exe42⤵
- Executes dropped EXE
PID:2972 -
C:\Windows\SysWOW64\Mfglep32.exeC:\Windows\system32\Mfglep32.exe43⤵
- Executes dropped EXE
PID:1092 -
C:\Windows\SysWOW64\Miehak32.exeC:\Windows\system32\Miehak32.exe44⤵
- Executes dropped EXE
PID:528 -
C:\Windows\SysWOW64\Mkddnf32.exeC:\Windows\system32\Mkddnf32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1620 -
C:\Windows\SysWOW64\Mnbpjb32.exeC:\Windows\system32\Mnbpjb32.exe46⤵
- Executes dropped EXE
PID:2344 -
C:\Windows\SysWOW64\Melifl32.exeC:\Windows\system32\Melifl32.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1692 -
C:\Windows\SysWOW64\Mihdgkpp.exeC:\Windows\system32\Mihdgkpp.exe48⤵
- Executes dropped EXE
PID:784 -
C:\Windows\SysWOW64\Macilmnk.exeC:\Windows\system32\Macilmnk.exe49⤵
- Executes dropped EXE
PID:2952 -
C:\Windows\SysWOW64\Mijamjnm.exeC:\Windows\system32\Mijamjnm.exe50⤵
- Executes dropped EXE
PID:2332 -
C:\Windows\SysWOW64\Mjkndb32.exeC:\Windows\system32\Mjkndb32.exe51⤵
- Executes dropped EXE
PID:2072 -
C:\Windows\SysWOW64\Mbbfep32.exeC:\Windows\system32\Mbbfep32.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:3056 -
C:\Windows\SysWOW64\Meabakda.exeC:\Windows\system32\Meabakda.exe53⤵
- Executes dropped EXE
PID:2672 -
C:\Windows\SysWOW64\Nagbgl32.exeC:\Windows\system32\Nagbgl32.exe54⤵
- Executes dropped EXE
PID:2900 -
C:\Windows\SysWOW64\Ncfoch32.exeC:\Windows\system32\Ncfoch32.exe55⤵
- Executes dropped EXE
PID:2740 -
C:\Windows\SysWOW64\Nfdkoc32.exeC:\Windows\system32\Nfdkoc32.exe56⤵
- Executes dropped EXE
PID:2640 -
C:\Windows\SysWOW64\Njpgpbpf.exeC:\Windows\system32\Njpgpbpf.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1972 -
C:\Windows\SysWOW64\Nnkcpq32.exeC:\Windows\system32\Nnkcpq32.exe58⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1596 -
C:\Windows\SysWOW64\Npmphinm.exeC:\Windows\system32\Npmphinm.exe59⤵
- Executes dropped EXE
PID:1076 -
C:\Windows\SysWOW64\Nhdhif32.exeC:\Windows\system32\Nhdhif32.exe60⤵
- Executes dropped EXE
PID:2788 -
C:\Windows\SysWOW64\Njbdea32.exeC:\Windows\system32\Njbdea32.exe61⤵
- Executes dropped EXE
PID:2160 -
C:\Windows\SysWOW64\Njbdea32.exeC:\Windows\system32\Njbdea32.exe62⤵
- Executes dropped EXE
PID:2208 -
C:\Windows\SysWOW64\Niedqnen.exeC:\Windows\system32\Niedqnen.exe63⤵
- Executes dropped EXE
PID:848 -
C:\Windows\SysWOW64\Ndkhngdd.exeC:\Windows\system32\Ndkhngdd.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:988 -
C:\Windows\SysWOW64\Njdqka32.exeC:\Windows\system32\Njdqka32.exe65⤵
- Executes dropped EXE
PID:2076 -
C:\Windows\SysWOW64\Nigafnck.exeC:\Windows\system32\Nigafnck.exe66⤵PID:888
-
C:\Windows\SysWOW64\Nlfmbibo.exeC:\Windows\system32\Nlfmbibo.exe67⤵PID:2820
-
C:\Windows\SysWOW64\Npaich32.exeC:\Windows\system32\Npaich32.exe68⤵PID:552
-
C:\Windows\SysWOW64\Nbpeoc32.exeC:\Windows\system32\Nbpeoc32.exe69⤵PID:2284
-
C:\Windows\SysWOW64\Nfkapb32.exeC:\Windows\system32\Nfkapb32.exe70⤵PID:2720
-
C:\Windows\SysWOW64\Nenakoho.exeC:\Windows\system32\Nenakoho.exe71⤵PID:2220
-
C:\Windows\SysWOW64\Nmejllia.exeC:\Windows\system32\Nmejllia.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2612 -
C:\Windows\SysWOW64\Nlhjhi32.exeC:\Windows\system32\Nlhjhi32.exe73⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1532 -
C:\Windows\SysWOW64\Noffdd32.exeC:\Windows\system32\Noffdd32.exe74⤵
- Drops file in System32 directory
PID:1176 -
C:\Windows\SysWOW64\Oiljam32.exeC:\Windows\system32\Oiljam32.exe75⤵PID:1932
-
C:\Windows\SysWOW64\Oiljam32.exeC:\Windows\system32\Oiljam32.exe76⤵PID:2104
-
C:\Windows\SysWOW64\Olkfmi32.exeC:\Windows\system32\Olkfmi32.exe77⤵PID:2476
-
C:\Windows\SysWOW64\Opfbngfb.exeC:\Windows\system32\Opfbngfb.exe78⤵PID:2424
-
C:\Windows\SysWOW64\Ooicid32.exeC:\Windows\system32\Ooicid32.exe79⤵PID:2136
-
C:\Windows\SysWOW64\Obdojcef.exeC:\Windows\system32\Obdojcef.exe80⤵
- Drops file in System32 directory
PID:900 -
C:\Windows\SysWOW64\Oeckfndj.exeC:\Windows\system32\Oeckfndj.exe81⤵
- Drops file in System32 directory
PID:1996 -
C:\Windows\SysWOW64\Oioggmmc.exeC:\Windows\system32\Oioggmmc.exe82⤵PID:2920
-
C:\Windows\SysWOW64\Okpcoe32.exeC:\Windows\system32\Okpcoe32.exe83⤵PID:1376
-
C:\Windows\SysWOW64\Ookpodkj.exeC:\Windows\system32\Ookpodkj.exe84⤵
- Modifies registry class
PID:2300 -
C:\Windows\SysWOW64\Oajlkojn.exeC:\Windows\system32\Oajlkojn.exe85⤵PID:1804
-
C:\Windows\SysWOW64\Oeehln32.exeC:\Windows\system32\Oeehln32.exe86⤵PID:2696
-
C:\Windows\SysWOW64\Odhhgkib.exeC:\Windows\system32\Odhhgkib.exe87⤵PID:2692
-
C:\Windows\SysWOW64\Ohcdhi32.exeC:\Windows\system32\Ohcdhi32.exe88⤵PID:2620
-
C:\Windows\SysWOW64\Oonldcih.exeC:\Windows\system32\Oonldcih.exe89⤵PID:484
-
C:\Windows\SysWOW64\Oalhqohl.exeC:\Windows\system32\Oalhqohl.exe90⤵PID:2000
-
C:\Windows\SysWOW64\Oehdan32.exeC:\Windows\system32\Oehdan32.exe91⤵PID:2556
-
C:\Windows\SysWOW64\Odjdmjgo.exeC:\Windows\system32\Odjdmjgo.exe92⤵PID:1588
-
C:\Windows\SysWOW64\Ohfqmi32.exeC:\Windows\system32\Ohfqmi32.exe93⤵PID:1208
-
C:\Windows\SysWOW64\Oopijc32.exeC:\Windows\system32\Oopijc32.exe94⤵PID:1712
-
C:\Windows\SysWOW64\Oanefo32.exeC:\Windows\system32\Oanefo32.exe95⤵PID:792
-
C:\Windows\SysWOW64\Opaebkmc.exeC:\Windows\system32\Opaebkmc.exe96⤵PID:1512
-
C:\Windows\SysWOW64\Ohhmcinf.exeC:\Windows\system32\Ohhmcinf.exe97⤵PID:2768
-
C:\Windows\SysWOW64\Okgjodmi.exeC:\Windows\system32\Okgjodmi.exe98⤵
- System Location Discovery: System Language Discovery
PID:2816 -
C:\Windows\SysWOW64\Omefkplm.exeC:\Windows\system32\Omefkplm.exe99⤵PID:2580
-
C:\Windows\SysWOW64\Ppcbgkka.exeC:\Windows\system32\Ppcbgkka.exe100⤵PID:1956
-
C:\Windows\SysWOW64\Pdonhj32.exeC:\Windows\system32\Pdonhj32.exe101⤵PID:1248
-
C:\Windows\SysWOW64\Pgnjde32.exeC:\Windows\system32\Pgnjde32.exe102⤵PID:1476
-
C:\Windows\SysWOW64\Pilfpqaa.exeC:\Windows\system32\Pilfpqaa.exe103⤵
- System Location Discovery: System Language Discovery
PID:2396 -
C:\Windows\SysWOW64\Pmgbao32.exeC:\Windows\system32\Pmgbao32.exe104⤵PID:1516
-
C:\Windows\SysWOW64\Ppfomk32.exeC:\Windows\system32\Ppfomk32.exe105⤵PID:1272
-
C:\Windows\SysWOW64\Pdakniag.exeC:\Windows\system32\Pdakniag.exe106⤵PID:2016
-
C:\Windows\SysWOW64\Pecgea32.exeC:\Windows\system32\Pecgea32.exe107⤵PID:2360
-
C:\Windows\SysWOW64\Pnjofo32.exeC:\Windows\system32\Pnjofo32.exe108⤵PID:2380
-
C:\Windows\SysWOW64\Pphkbj32.exeC:\Windows\system32\Pphkbj32.exe109⤵PID:2676
-
C:\Windows\SysWOW64\Pcghof32.exeC:\Windows\system32\Pcghof32.exe110⤵
- Drops file in System32 directory
PID:1708 -
C:\Windows\SysWOW64\Peedka32.exeC:\Windows\system32\Peedka32.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2688 -
C:\Windows\SysWOW64\Piqpkpml.exeC:\Windows\system32\Piqpkpml.exe112⤵PID:1296
-
C:\Windows\SysWOW64\Plolgk32.exeC:\Windows\system32\Plolgk32.exe113⤵
- Modifies registry class
PID:1724 -
C:\Windows\SysWOW64\Ppkhhjei.exeC:\Windows\system32\Ppkhhjei.exe114⤵PID:1424
-
C:\Windows\SysWOW64\Pciddedl.exeC:\Windows\system32\Pciddedl.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1472 -
C:\Windows\SysWOW64\Palepb32.exeC:\Windows\system32\Palepb32.exe116⤵PID:1552
-
C:\Windows\SysWOW64\Phfmllbd.exeC:\Windows\system32\Phfmllbd.exe117⤵
- Modifies registry class
PID:3064 -
C:\Windows\SysWOW64\Pckajebj.exeC:\Windows\system32\Pckajebj.exe118⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2848 -
C:\Windows\SysWOW64\Pejmfqan.exeC:\Windows\system32\Pejmfqan.exe119⤵PID:2564
-
C:\Windows\SysWOW64\Phhjblpa.exeC:\Windows\system32\Phhjblpa.exe120⤵
- Drops file in System32 directory
PID:2004 -
C:\Windows\SysWOW64\Qkffng32.exeC:\Windows\system32\Qkffng32.exe121⤵PID:1340
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-