Analysis
max time kernel: 115s
max time network: 120s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19/09/2024, 11:20

Static task: static1

Behavioral task: behavioral1
Sample: ad012e5b2fd1a47f4229686bad290c89487bc253aec4d28be035c7cfa811b363N.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: ad012e5b2fd1a47f4229686bad290c89487bc253aec4d28be035c7cfa811b363N.exe
Resource: win10v2004-20240802-en
General
Target: ad012e5b2fd1a47f4229686bad290c89487bc253aec4d28be035c7cfa811b363N.exe
Size: 400KB
MD5: 12ffb135457a104d6a1fed4bd9896870
SHA1: 4ab64a166d2a2876eacc81e3083c8fc331a826c8
SHA256: ad012e5b2fd1a47f4229686bad290c89487bc253aec4d28be035c7cfa811b363
SHA512: 0d96022ac28b0b0b910c9eb581107225cb0389a81ec0bb78bf4adb527cd9c0ac1604bdfe8eb01038614cfeefff7229ad5fbedc9cf0765a004cb28579a5501f64
SSDEEP: 6144:euBFuMvloZV4U/vlf0DrBqvl8ZV4U/vlfl+9DvlEZV4U/vlf0DrBqvl8ZV1:eSFlv86IveDVqvQ6IvYvc6IveDVqvQ/
Malware Config
Extracted
berbew
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aggklnnd.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cliefa32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iakomfem.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kpenppgm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pijglkge.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pbblep32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bpkopajg.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iamkbfcj.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kdcgfn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nobgqc32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Npomgh32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pelofl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bpnkfa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cffcjf32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dgobjhkg.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fpmmkhhm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pfdeop32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ejpllc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Khhmfn32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Onicccam.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pejbqmca.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Plfgbfhl.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pijglkge.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bcgngmkn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Clplfqcl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dcfcoiak.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Oigapmgk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cpikap32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nqfpnkkg.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Blkidcfd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Obpfhcnk.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Oloabgnd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bmhiig32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hmdcqi32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nlohkj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Oijnem32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mbecapqm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mnqnaq32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | ad012e5b2fd1a47f4229686bad290c89487bc253aec4d28be035c7cfa811b363N.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aeaahi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Biafcg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Eooajjdm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Qmjmhiki.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gfqhnq32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Obbcnbli.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Obbcnbli.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ppofnebg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Aeaahi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fmcjjl32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nbelhnbj.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Olhkah32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ifcnjn32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Oelfoo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nbkmmc32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Obglib32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pbiioafq.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Clplfqcl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Eghepgcl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hjlmemae.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kgdphikd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Npmqah32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dohkikke.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ejpllc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Enndbaoo.exe
Executes dropped EXE (64 IoCs)
pid | Process
4964 | Nbfcbdff.exe
212 | Nlohkj32.exe
4148 | Nfdlhb32.exe
2932 | Negldocg.exe
1972 | Nmndem32.exe
4476 | Nladqijd.exe
2732 | Npmqah32.exe
1392 | Nbkmmc32.exe
1620 | Nffinbjj.exe
1072 | Neiijo32.exe
1220 | Nmqakl32.exe
4064 | Nlcafiha.exe
4088 | Npomgh32.exe
4068 | Onbnbdge.exe
4764 | Ofiecbhg.exe
4892 | Oelfoo32.exe
800 | Oigapmgk.exe
4716 | Omcnplpd.exe
2252 | Opajlgog.exe
3756 | Ondjhd32.exe
4220 | Obpfhcnk.exe
3396 | Ofkbia32.exe
4976 | Oijnem32.exe
2088 | Omejflna.exe
3336 | Olhkah32.exe
1932 | Onfgnd32.exe
3744 | Obbcnbli.exe
1772 | Ofnooa32.exe
3616 | Oilkkm32.exe
3348 | Opfcgg32.exe
4860 | Onicccam.exe
924 | Ofpldabo.exe
2848 | Oeclpn32.exe
1088 | Omjdak32.exe
668 | Olmdmhpf.exe
3312 | Ophpmf32.exe
4080 | Obglib32.exe
1388 | Ofbhjqpl.exe
5116 | Oeehem32.exe
3916 | Oiqdflop.exe
1584 | Oloabgnd.exe
2056 | Ppkmbffm.exe
4224 | Pbiioafq.exe
2392 | Pfdeop32.exe
688 | Pegekmed.exe
5132 | Pmomljef.exe
5172 | Plangg32.exe
5212 | Ppmihfdj.exe
5252 | Popjdb32.exe
5292 | Pfgaep32.exe
5332 | Pejbqmca.exe
5372 | Pmajajcd.exe
5412 | Pldjmg32.exe
5452 | Ppofnebg.exe
5492 | Pobfib32.exe
5532 | Pfinjpjd.exe
5572 | Pelofl32.exe
5612 | Pmcggj32.exe
5660 | Plfgbfhl.exe
5692 | Podcobgp.exe
5732 | Pbpooq32.exe
5772 | Pflkpoha.exe
5812 | Pijglkge.exe
5860 | Plhchffi.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\Odiaol32.dll | Pmhpbiml.exe
File created | C:\Windows\SysWOW64\Dkhnhe32.dll | Cffcjf32.exe
File opened for modification | C:\Windows\SysWOW64\Ifcnjn32.exe | Ideanb32.exe
File created | C:\Windows\SysWOW64\Gojfidad.dll | Jhnjpo32.exe
File created | C:\Windows\SysWOW64\Pbiioafq.exe | Ppkmbffm.exe
File opened for modification | C:\Windows\SysWOW64\Ppofnebg.exe | Pldjmg32.exe
File opened for modification | C:\Windows\SysWOW64\Kpqdep32.exe | Jkdlmimk.exe
File opened for modification | C:\Windows\SysWOW64\Kgmjgjal.exe | Kpcakp32.exe
File created | C:\Windows\SysWOW64\Plangg32.exe | Pmomljef.exe
File created | C:\Windows\SysWOW64\Ijmkka32.dll | Bgegml32.exe
File created | C:\Windows\SysWOW64\Nfmcjb32.dll | Ppofnebg.exe
File opened for modification | C:\Windows\SysWOW64\Pmcggj32.exe | Pelofl32.exe
File created | C:\Windows\SysWOW64\Acqhfnaf.exe | Aoelfp32.exe
File created | C:\Windows\SysWOW64\Ifcnjn32.exe | Ideanb32.exe
File created | C:\Windows\SysWOW64\Jglahfme.dll | Nqfpnkkg.exe
File created | C:\Windows\SysWOW64\Nklbij32.dll | Nladqijd.exe
File created | C:\Windows\SysWOW64\Nmhhpofn.dll | Onicccam.exe
File created | C:\Windows\SysWOW64\Ghomci32.dll | Aihcmi32.exe
File opened for modification | C:\Windows\SysWOW64\Fmcjjl32.exe | Fnqjnoni.exe
File created | C:\Windows\SysWOW64\Jhnjpo32.exe | Jpgboa32.exe
File created | C:\Windows\SysWOW64\Ldmcejgk.dll | Kpqdep32.exe
File created | C:\Windows\SysWOW64\Dpajbl32.dll | Pelofl32.exe
File created | C:\Windows\SysWOW64\Miohnlfp.dll | Cjkijf32.exe
File opened for modification | C:\Windows\SysWOW64\Aggklnnd.exe | Aopbkpmb.exe
File opened for modification | C:\Windows\SysWOW64\Fjbahq32.exe | Fpmmkhhm.exe
File created | C:\Windows\SysWOW64\Nbkmmc32.exe | Npmqah32.exe
File created | C:\Windows\SysWOW64\Iaofoffi.dll | Pfdeop32.exe
File opened for modification | C:\Windows\SysWOW64\Cpikap32.exe | Cnkoed32.exe
File created | C:\Windows\SysWOW64\Kgmjgjal.exe | Kpcakp32.exe
File created | C:\Windows\SysWOW64\Oinnom32.dll | Plangg32.exe
File created | C:\Windows\SysWOW64\Ilmbleci.dll | Amofch32.exe
File created | C:\Windows\SysWOW64\Jgomflml.exe | Igmqql32.exe
File opened for modification | C:\Windows\SysWOW64\Khhmfn32.exe | Kpqdep32.exe
File opened for modification | C:\Windows\SysWOW64\Kniojdff.exe | Kofnng32.exe
File opened for modification | C:\Windows\SysWOW64\Cohbbm32.exe | Cliefa32.exe
File created | C:\Windows\SysWOW64\Nlihll32.dll | Egfikgeo.exe
File created | C:\Windows\SysWOW64\Phmlhd32.dll | Omejflna.exe
File created | C:\Windows\SysWOW64\Obglib32.exe | Ophpmf32.exe
File created | C:\Windows\SysWOW64\Hjkmknjf.dll | Pldjmg32.exe
File opened for modification | C:\Windows\SysWOW64\Pbblep32.exe | Ppdpie32.exe
File created | C:\Windows\SysWOW64\Bgcjgl32.exe | Bcgngmkn.exe
File created | C:\Windows\SysWOW64\Cnicik32.dll | Gcmbffmq.exe
File created | C:\Windows\SysWOW64\Nffinbjj.exe | Nbkmmc32.exe
File created | C:\Windows\SysWOW64\Obpfhcnk.exe | Ondjhd32.exe
File created | C:\Windows\SysWOW64\Iiqedpim.dll | Hmafkjid.exe
File opened for modification | C:\Windows\SysWOW64\Mbjmlp32.exe | Mbecapqm.exe
File created | C:\Windows\SysWOW64\Pbblep32.exe | Ppdpie32.exe
File opened for modification | C:\Windows\SysWOW64\Bnoojfia.exe | Behgihho.exe
File opened for modification | C:\Windows\SysWOW64\Cjkijf32.exe | Cglmnk32.exe
File opened for modification | C:\Windows\SysWOW64\Kkfibi32.exe | Khhmfn32.exe
File opened for modification | C:\Windows\SysWOW64\Nladqijd.exe | Nmndem32.exe
File opened for modification | C:\Windows\SysWOW64\Ondjhd32.exe | Opajlgog.exe
File opened for modification | C:\Windows\SysWOW64\Iakomfem.exe | Ikafql32.exe
File created | C:\Windows\SysWOW64\Ppmihfdj.exe | Plangg32.exe
File created | C:\Windows\SysWOW64\Hebiilfd.dll | Cjhmdfmc.exe
File opened for modification | C:\Windows\SysWOW64\Bgjphkno.exe | Bochgnmm.exe
File created | C:\Windows\SysWOW64\Dcmqijif.exe | Dnphqcko.exe
File created | C:\Windows\SysWOW64\Jefbmd32.dll | Dnphqcko.exe
File opened for modification | C:\Windows\SysWOW64\Dqggcnbg.exe | Dnikgbbd.exe
File created | C:\Windows\SysWOW64\Gmfgpkca.exe | Gcmbffmq.exe
File created | C:\Windows\SysWOW64\Fdocio32.dll | Gmojfjkf.exe
File created | C:\Windows\SysWOW64\Negldocg.exe | Nfdlhb32.exe
File created | C:\Windows\SysWOW64\Apdhpb32.exe | Amflcg32.exe
File opened for modification | C:\Windows\SysWOW64\Jplkjapg.exe | Jmnoneqd.exe
Program crash (1 IoC)
pid | pid_target | Process | procid_target
7384 | 8144 | WerFault.exe | 330
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cnkoed32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fckfafoc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kofnng32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nfdlhb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pbpooq32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Aehnak32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Aifghi32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kgofmj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nlohkj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Opfcgg32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Oloabgnd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Clplfqcl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gcmbffmq.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gcblae32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gmojfjkf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ondjhd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pflkpoha.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bldlkbni.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cfdgdg32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pmomljef.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dcajdj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Iamkbfcj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Npomgh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Amachhea.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Abnkqoci.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cojohm32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Afenfnpg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bcgngmkn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bnoojfia.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cglmnk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Omcnplpd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Apkfid32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Aijpch32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cliefa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hfodooko.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qbgeppiq.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dnphqcko.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lanmpa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cchgnk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jpgboa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pegekmed.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dnbefcil.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dnikgbbd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hjlmemae.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Aeaahi32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cohbbm32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Eooajjdm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hnelplla.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Aobopp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mbjmlp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jhnjpo32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Opajlgog.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pobfib32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qlmmce32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Emnhho32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qeealk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ejgblbbp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fmcjjl32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pfdeop32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bpibkblj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Idgncbfc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Khhmfn32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lhjbbk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ad012e5b2fd1a47f4229686bad290c89487bc253aec4d28be035c7cfa811b363N.exe
Modifies registry class (64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kpcakp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nbfcbdff.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Nffinbjj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Popjdb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dcmqijif.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dqggcnbg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hmdcqi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ppkmbffm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pildaj32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Onbnbdge.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baipkmge.dll" | Oloabgnd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Aehnak32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Agnalmhl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hfodooko.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kgofmj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pplehglo.dll" | Opfcgg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjfeei32.dll" | Amflcg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Blkidcfd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Coohclcp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edjnhfjm.dll" | Dcfcoiak.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Emcacncf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Igmqql32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfbgoc32.dll" | Kpcakp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jhqfeo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpkpig32.dll" | Kgmjgjal.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Nladqijd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pobfib32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pfinjpjd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpajbl32.dll" | Pelofl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bgegml32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Idikiadq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfbcdjpn.dll" | Nbelhnbj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Omjdak32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pelofl32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Qpflndlp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bnoojfia.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdmppbdg.dll" | Pbiioafq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbnnnnhd.dll" | Qbgeppiq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkpcjo32.dll" | Kniojdff.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajjlngpg.dll" | Neiijo32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Pfgaep32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjeehmmo.dll" | Aemhmjbl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Egfikgeo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbbpjb32.dll" | Ideanb32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hadilg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcdkabmn.dll" | Jkdlmimk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Oigapmgk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oinnom32.dll" | Plangg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlgnbk32.dll" | Qecegkkg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Biafcg32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dcmqijif.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Eoanoibj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jkdlmimk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldmcejgk.dll" | Kpqdep32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Onfgnd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Onfgnd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Qolipa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Afenfnpg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbmmoa32.dll" | Enndbaoo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hfodooko.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Acqhfnaf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Eoanoibj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kodahgao.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Khlfamho.exe
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 1448 wrote to memory of 4964 1448 ad012e5b2fd1a47f4229686bad290c89487bc253aec4d28be035c7cfa811b363N.exe 89
PID 1448 wrote to memory of 4964 1448 ad012e5b2fd1a47f4229686bad290c89487bc253aec4d28be035c7cfa811b363N.exe 89
PID 1448 wrote to memory of 4964 1448 ad012e5b2fd1a47f4229686bad290c89487bc253aec4d28be035c7cfa811b363N.exe 89
PID 4964 wrote to memory of 212 4964 Nbfcbdff.exe 90
PID 4964 wrote to memory of 212 4964 Nbfcbdff.exe 90
PID 4964 wrote to memory of 212 4964 Nbfcbdff.exe 90
PID 212 wrote to memory of 4148 212 Nlohkj32.exe 91
PID 212 wrote to memory of 4148 212 Nlohkj32.exe 91
PID 212 wrote to memory of 4148 212 Nlohkj32.exe 91
PID 4148 wrote to memory of 2932 4148 Nfdlhb32.exe 92
PID 4148 wrote to memory of 2932 4148 Nfdlhb32.exe 92
PID 4148 wrote to memory of 2932 4148 Nfdlhb32.exe 92
PID 2932 wrote to memory of 1972 2932 Negldocg.exe 93
PID 2932 wrote to memory of 1972 2932 Negldocg.exe 93
PID 2932 wrote to memory of 1972 2932 Negldocg.exe 93
PID 1972 wrote to memory of 4476 1972 Nmndem32.exe 94
PID 1972 wrote to memory of 4476 1972 Nmndem32.exe 94
PID 1972 wrote to memory of 4476 1972 Nmndem32.exe 94
PID 4476 wrote to memory of 2732 4476 Nladqijd.exe 95
PID 4476 wrote to memory of 2732 4476 Nladqijd.exe 95
PID 4476 wrote to memory of 2732 4476 Nladqijd.exe 95
PID 2732 wrote to memory of 1392 2732 Npmqah32.exe 96
PID 2732 wrote to memory of 1392 2732 Npmqah32.exe 96
PID 2732 wrote to memory of 1392 2732 Npmqah32.exe 96
PID 1392 wrote to memory of 1620 1392 Nbkmmc32.exe 97
PID 1392 wrote to memory of 1620 1392 Nbkmmc32.exe 97
PID 1392 wrote to memory of 1620 1392 Nbkmmc32.exe 97
PID 1620 wrote to memory of 1072 1620 Nffinbjj.exe 98
PID 1620 wrote to memory of 1072 1620 Nffinbjj.exe 98
PID 1620 wrote to memory of 1072 1620 Nffinbjj.exe 98
PID 1072 wrote to memory of 1220 1072 Neiijo32.exe 99
PID 1072 wrote to memory of 1220 1072 Neiijo32.exe 99
PID 1072 wrote to memory of 1220 1072 Neiijo32.exe 99
PID 1220 wrote to memory of 4064 1220 Nmqakl32.exe 100
PID 1220 wrote to memory of 4064 1220 Nmqakl32.exe 100
PID 1220 wrote to memory of 4064 1220 Nmqakl32.exe 100
PID 4064 wrote to memory of 4088 4064 Nlcafiha.exe 101
PID 4064 wrote to memory of 4088 4064 Nlcafiha.exe 101
PID 4064 wrote to memory of 4088 4064 Nlcafiha.exe 101
PID 4088 wrote to memory of 4068 4088 Npomgh32.exe 102
PID 4088 wrote to memory of 4068 4088 Npomgh32.exe 102
PID 4088 wrote to memory of 4068 4088 Npomgh32.exe 102
PID 4068 wrote to memory of 4764 4068 Onbnbdge.exe 103
PID 4068 wrote to memory of 4764 4068 Onbnbdge.exe 103
PID 4068 wrote to memory of 4764 4068 Onbnbdge.exe 103
PID 4764 wrote to memory of 4892 4764 Ofiecbhg.exe 104
PID 4764 wrote to memory of 4892 4764 Ofiecbhg.exe 104
PID 4764 wrote to memory of 4892 4764 Ofiecbhg.exe 104
PID 4892 wrote to memory of 800 4892 Oelfoo32.exe 105
PID 4892 wrote to memory of 800 4892 Oelfoo32.exe 105
PID 4892 wrote to memory of 800 4892 Oelfoo32.exe 105
PID 800 wrote to memory of 4716 800 Oigapmgk.exe 106
PID 800 wrote to memory of 4716 800 Oigapmgk.exe 106
PID 800 wrote to memory of 4716 800 Oigapmgk.exe 106
PID 4716 wrote to memory of 2252 4716 Omcnplpd.exe 107
PID 4716 wrote to memory of 2252 4716 Omcnplpd.exe 107
PID 4716 wrote to memory of 2252 4716 Omcnplpd.exe 107
PID 2252 wrote to memory of 3756 2252 Opajlgog.exe 108
PID 2252 wrote to memory of 3756 2252 Opajlgog.exe 108
PID 2252 wrote to memory of 3756 2252 Opajlgog.exe 108
PID 3756 wrote to memory of 4220 3756 Ondjhd32.exe 109
PID 3756 wrote to memory of 4220 3756 Ondjhd32.exe 109
PID 3756 wrote to memory of 4220 3756 Ondjhd32.exe 109
PID 4220 wrote to memory of 3396 4220 Obpfhcnk.exe 110
Processes
-
C:\Users\Admin\AppData\Local\Temp\ad012e5b2fd1a47f4229686bad290c89487bc253aec4d28be035c7cfa811b363N.exe"C:\Users\Admin\AppData\Local\Temp\ad012e5b2fd1a47f4229686bad290c89487bc253aec4d28be035c7cfa811b363N.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1448 -
C:\Windows\SysWOW64\Nbfcbdff.exeC:\Windows\system32\Nbfcbdff.exe2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4964 -
C:\Windows\SysWOW64\Nlohkj32.exeC:\Windows\system32\Nlohkj32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:212 -
C:\Windows\SysWOW64\Nfdlhb32.exeC:\Windows\system32\Nfdlhb32.exe4⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4148 -
C:\Windows\SysWOW64\Negldocg.exeC:\Windows\system32\Negldocg.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2932 -
C:\Windows\SysWOW64\Nmndem32.exeC:\Windows\system32\Nmndem32.exe6⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1972 -
C:\Windows\SysWOW64\Nladqijd.exeC:\Windows\system32\Nladqijd.exe7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4476 -
C:\Windows\SysWOW64\Npmqah32.exeC:\Windows\system32\Npmqah32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\SysWOW64\Nbkmmc32.exeC:\Windows\system32\Nbkmmc32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1392 -
C:\Windows\SysWOW64\Nffinbjj.exeC:\Windows\system32\Nffinbjj.exe10⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1620 -
C:\Windows\SysWOW64\Neiijo32.exeC:\Windows\system32\Neiijo32.exe11⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1072 -
C:\Windows\SysWOW64\Nmqakl32.exeC:\Windows\system32\Nmqakl32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1220 -
C:\Windows\SysWOW64\Nlcafiha.exeC:\Windows\system32\Nlcafiha.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4064 -
C:\Windows\SysWOW64\Npomgh32.exeC:\Windows\system32\Npomgh32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4088 -
C:\Windows\SysWOW64\Onbnbdge.exeC:\Windows\system32\Onbnbdge.exe15⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4068 -
C:\Windows\SysWOW64\Ofiecbhg.exeC:\Windows\system32\Ofiecbhg.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4764 -
C:\Windows\SysWOW64\Oelfoo32.exeC:\Windows\system32\Oelfoo32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4892 -
C:\Windows\SysWOW64\Oigapmgk.exeC:\Windows\system32\Oigapmgk.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:800 -
C:\Windows\SysWOW64\Omcnplpd.exeC:\Windows\system32\Omcnplpd.exe19⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4716 -
C:\Windows\SysWOW64\Opajlgog.exeC:\Windows\system32\Opajlgog.exe20⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2252 -
C:\Windows\SysWOW64\Ondjhd32.exeC:\Windows\system32\Ondjhd32.exe21⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3756 -
C:\Windows\SysWOW64\Obpfhcnk.exeC:\Windows\system32\Obpfhcnk.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4220 -
C:\Windows\SysWOW64\Ofkbia32.exeC:\Windows\system32\Ofkbia32.exe23⤵
- Executes dropped EXE
PID:3396 -
C:\Windows\SysWOW64\Oijnem32.exeC:\Windows\system32\Oijnem32.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4976 -
C:\Windows\SysWOW64\Omejflna.exeC:\Windows\system32\Omejflna.exe25⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2088 -
C:\Windows\SysWOW64\Olhkah32.exeC:\Windows\system32\Olhkah32.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3336 -
C:\Windows\SysWOW64\Onfgnd32.exeC:\Windows\system32\Onfgnd32.exe27⤵
- Executes dropped EXE
- Modifies registry class
PID:1932 -
C:\Windows\SysWOW64\Obbcnbli.exeC:\Windows\system32\Obbcnbli.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3744 -
C:\Windows\SysWOW64\Ofnooa32.exeC:\Windows\system32\Ofnooa32.exe29⤵
- Executes dropped EXE
PID:1772 -
C:\Windows\SysWOW64\Oilkkm32.exeC:\Windows\system32\Oilkkm32.exe30⤵
- Executes dropped EXE
PID:3616 -
C:\Windows\SysWOW64\Oljgghbi.exeC:\Windows\system32\Oljgghbi.exe31⤵PID:3032
-
C:\Windows\SysWOW64\Opfcgg32.exeC:\Windows\system32\Opfcgg32.exe32⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3348 -
C:\Windows\SysWOW64\Onicccam.exeC:\Windows\system32\Onicccam.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4860 -
C:\Windows\SysWOW64\Ofpldabo.exeC:\Windows\system32\Ofpldabo.exe34⤵
- Executes dropped EXE
PID:924 -
C:\Windows\SysWOW64\Oeclpn32.exeC:\Windows\system32\Oeclpn32.exe35⤵
- Executes dropped EXE
PID:2848 -
C:\Windows\SysWOW64\Omjdak32.exeC:\Windows\system32\Omjdak32.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:1088 -
C:\Windows\SysWOW64\Olmdmhpf.exeC:\Windows\system32\Olmdmhpf.exe37⤵
- Executes dropped EXE
PID:668 -
C:\Windows\SysWOW64\Ophpmf32.exeC:\Windows\system32\Ophpmf32.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3312 -
C:\Windows\SysWOW64\Obglib32.exeC:\Windows\system32\Obglib32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4080 -
C:\Windows\SysWOW64\Ofbhjqpl.exeC:\Windows\system32\Ofbhjqpl.exe40⤵
- Executes dropped EXE
PID:1388 -
C:\Windows\SysWOW64\Oeehem32.exeC:\Windows\system32\Oeehem32.exe41⤵
- Executes dropped EXE
PID:5116 -
C:\Windows\SysWOW64\Oiqdflop.exeC:\Windows\system32\Oiqdflop.exe42⤵
- Executes dropped EXE
PID:3916 -
C:\Windows\SysWOW64\Oloabgnd.exeC:\Windows\system32\Oloabgnd.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1584 -
C:\Windows\SysWOW64\Ppkmbffm.exeC:\Windows\system32\Ppkmbffm.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2056 -
C:\Windows\SysWOW64\Pbiioafq.exeC:\Windows\system32\Pbiioafq.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4224 -
C:\Windows\SysWOW64\Pfdeop32.exeC:\Windows\system32\Pfdeop32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2392 -
C:\Windows\SysWOW64\Pegekmed.exeC:\Windows\system32\Pegekmed.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:688 -
C:\Windows\SysWOW64\Pmomljef.exeC:\Windows\system32\Pmomljef.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5132 -
C:\Windows\SysWOW64\Plangg32.exeC:\Windows\system32\Plangg32.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:5172 -
C:\Windows\SysWOW64\Ppmihfdj.exeC:\Windows\system32\Ppmihfdj.exe50⤵
- Executes dropped EXE
PID:5212 -
C:\Windows\SysWOW64\Popjdb32.exeC:\Windows\system32\Popjdb32.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:5252 -
C:\Windows\SysWOW64\Pfgaep32.exeC:\Windows\system32\Pfgaep32.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:5292 -
C:\Windows\SysWOW64\Pejbqmca.exeC:\Windows\system32\Pejbqmca.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5332 -
C:\Windows\SysWOW64\Pmajajcd.exeC:\Windows\system32\Pmajajcd.exe54⤵
- Executes dropped EXE
PID:5372 -
C:\Windows\SysWOW64\Pldjmg32.exeC:\Windows\system32\Pldjmg32.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5412 -
C:\Windows\SysWOW64\Ppofnebg.exeC:\Windows\system32\Ppofnebg.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:5452 -
C:\Windows\SysWOW64\Pobfib32.exeC:\Windows\system32\Pobfib32.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5492 -
C:\Windows\SysWOW64\Pfinjpjd.exeC:\Windows\system32\Pfinjpjd.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:5532 -
C:\Windows\SysWOW64\Pelofl32.exeC:\Windows\system32\Pelofl32.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:5572 -
C:\Windows\SysWOW64\Pmcggj32.exeC:\Windows\system32\Pmcggj32.exe60⤵
- Executes dropped EXE
PID:5612 -
C:\Windows\SysWOW64\Plfgbfhl.exeC:\Windows\system32\Plfgbfhl.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5660 -
C:\Windows\SysWOW64\Podcobgp.exeC:\Windows\system32\Podcobgp.exe62⤵
- Executes dropped EXE
PID:5692 -
C:\Windows\SysWOW64\Pbpooq32.exeC:\Windows\system32\Pbpooq32.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5732 -
C:\Windows\SysWOW64\Pflkpoha.exeC:\Windows\system32\Pflkpoha.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5772 -
C:\Windows\SysWOW64\Pijglkge.exeC:\Windows\system32\Pijglkge.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5812 -
C:\Windows\SysWOW64\Plhchffi.exeC:\Windows\system32\Plhchffi.exe66⤵
- Executes dropped EXE
PID:5860 -
C:\Windows\SysWOW64\Ppdpie32.exeC:\Windows\system32\Ppdpie32.exe67⤵
- Drops file in System32 directory
PID:5892 -
C:\Windows\SysWOW64\Pbblep32.exeC:\Windows\system32\Pbblep32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5932 -
C:\Windows\SysWOW64\Pfnheo32.exeC:\Windows\system32\Pfnheo32.exe69⤵PID:5972
-
C:\Windows\SysWOW64\Pildaj32.exeC:\Windows\system32\Pildaj32.exe70⤵
- Modifies registry class
PID:6012 -
C:\Windows\SysWOW64\Pmhpbiml.exeC:\Windows\system32\Pmhpbiml.exe71⤵
- Drops file in System32 directory
PID:6056 -
C:\Windows\SysWOW64\Qpflndlp.exeC:\Windows\system32\Qpflndlp.exe72⤵
- Modifies registry class
PID:6096 -
C:\Windows\SysWOW64\Qoimja32.exeC:\Windows\system32\Qoimja32.exe73⤵PID:5096
-
C:\Windows\SysWOW64\Qfpdko32.exeC:\Windows\system32\Qfpdko32.exe74⤵PID:1116
-
C:\Windows\SysWOW64\Qecegkkg.exeC:\Windows\system32\Qecegkkg.exe75⤵
- Modifies registry class
PID:2684 -
C:\Windows\SysWOW64\Qmjmhiki.exeC:\Windows\system32\Qmjmhiki.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1180 -
C:\Windows\SysWOW64\Qlmmce32.exeC:\Windows\system32\Qlmmce32.exe77⤵
- System Location Discovery: System Language Discovery
PID:3924 -
C:\Windows\SysWOW64\Qolipa32.exeC:\Windows\system32\Qolipa32.exe78⤵
- Modifies registry class
PID:2044 -
C:\Windows\SysWOW64\Qbgeppiq.exeC:\Windows\system32\Qbgeppiq.exe79⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2036 -
C:\Windows\SysWOW64\Qeealk32.exeC:\Windows\system32\Qeealk32.exe80⤵
- System Location Discovery: System Language Discovery
PID:1572 -
C:\Windows\SysWOW64\Qmmimh32.exeC:\Windows\system32\Qmmimh32.exe81⤵PID:5164
-
C:\Windows\SysWOW64\Apkfid32.exeC:\Windows\system32\Apkfid32.exe82⤵
- System Location Discovery: System Language Discovery
PID:5240 -
C:\Windows\SysWOW64\Aonfeqoe.exeC:\Windows\system32\Aonfeqoe.exe83⤵PID:4544
-
C:\Windows\SysWOW64\Afenfnpg.exeC:\Windows\system32\Afenfnpg.exe84⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5368 -
C:\Windows\SysWOW64\Aehnak32.exeC:\Windows\system32\Aehnak32.exe85⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5444 -
C:\Windows\SysWOW64\Amofch32.exeC:\Windows\system32\Amofch32.exe86⤵
- Drops file in System32 directory
PID:5540 -
C:\Windows\SysWOW64\Albfoeno.exeC:\Windows\system32\Albfoeno.exe87⤵PID:5620
-
C:\Windows\SysWOW64\Aopbkpmb.exeC:\Windows\system32\Aopbkpmb.exe88⤵
- Drops file in System32 directory
PID:5700 -
C:\Windows\SysWOW64\Aggklnnd.exeC:\Windows\system32\Aggklnnd.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5768 -
C:\Windows\SysWOW64\Aifghi32.exeC:\Windows\system32\Aifghi32.exe90⤵
- System Location Discovery: System Language Discovery
PID:5840 -
C:\Windows\SysWOW64\Amachhea.exeC:\Windows\system32\Amachhea.exe91⤵
- System Location Discovery: System Language Discovery
PID:5920 -
C:\Windows\SysWOW64\Aobopp32.exeC:\Windows\system32\Aobopp32.exe92⤵
- System Location Discovery: System Language Discovery
PID:5968 -
C:\Windows\SysWOW64\Abnkqoci.exeC:\Windows\system32\Abnkqoci.exe93⤵
- System Location Discovery: System Language Discovery
PID:6048 -
C:\Windows\SysWOW64\Aemhmjbl.exeC:\Windows\system32\Aemhmjbl.exe94⤵
- Modifies registry class
PID:6132 -
C:\Windows\SysWOW64\Aihcmi32.exeC:\Windows\system32\Aihcmi32.exe95⤵
- Drops file in System32 directory
PID:880 -
C:\Windows\SysWOW64\Alfpjd32.exeC:\Windows\system32\Alfpjd32.exe96⤵PID:336
-
C:\Windows\SysWOW64\Aoelfp32.exeC:\Windows\system32\Aoelfp32.exe97⤵
- Drops file in System32 directory
PID:6152 -
C:\Windows\SysWOW64\Acqhfnaf.exeC:\Windows\system32\Acqhfnaf.exe98⤵
- Modifies registry class
PID:6192 -
C:\Windows\SysWOW64\Agldgm32.exeC:\Windows\system32\Agldgm32.exe99⤵PID:6232
-
C:\Windows\SysWOW64\Aijpch32.exeC:\Windows\system32\Aijpch32.exe100⤵
- System Location Discovery: System Language Discovery
PID:6272 -
C:\Windows\SysWOW64\Amflcg32.exeC:\Windows\system32\Amflcg32.exe101⤵
- Drops file in System32 directory
- Modifies registry class
PID:6312 -
C:\Windows\SysWOW64\Apdhpb32.exeC:\Windows\system32\Apdhpb32.exe102⤵PID:6352
-
C:\Windows\SysWOW64\Aogikogj.exeC:\Windows\system32\Aogikogj.exe103⤵PID:6392
-
C:\Windows\SysWOW64\Agnalmhl.exeC:\Windows\system32\Agnalmhl.exe104⤵
- Modifies registry class
PID:6432 -
C:\Windows\SysWOW64\Aeaahi32.exeC:\Windows\system32\Aeaahi32.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:6472 -
C:\Windows\SysWOW64\Bmhiig32.exeC:\Windows\system32\Bmhiig32.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6512 -
C:\Windows\SysWOW64\Blkidcfd.exeC:\Windows\system32\Blkidcfd.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:6560 -
C:\Windows\SysWOW64\Bmkfof32.exeC:\Windows\system32\Bmkfof32.exe108⤵PID:6592
-
C:\Windows\SysWOW64\Bpibkblj.exeC:\Windows\system32\Bpibkblj.exe109⤵
- System Location Discovery: System Language Discovery
PID:6632 -
C:\Windows\SysWOW64\Bcgngmkn.exeC:\Windows\system32\Bcgngmkn.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:6672 -
C:\Windows\SysWOW64\Bgcjgl32.exeC:\Windows\system32\Bgcjgl32.exe111⤵PID:6712
-
C:\Windows\SysWOW64\Biafcg32.exeC:\Windows\system32\Biafcg32.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:6752 -
C:\Windows\SysWOW64\Bnmbdfkd.exeC:\Windows\system32\Bnmbdfkd.exe113⤵PID:6792
-
C:\Windows\SysWOW64\Bpkopajg.exeC:\Windows\system32\Bpkopajg.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6832 -
C:\Windows\SysWOW64\Bonoln32.exeC:\Windows\system32\Bonoln32.exe115⤵PID:6872
-
C:\Windows\SysWOW64\Bgegml32.exeC:\Windows\system32\Bgegml32.exe116⤵
- Drops file in System32 directory
- Modifies registry class
PID:6912 -
C:\Windows\SysWOW64\Behgihho.exeC:\Windows\system32\Behgihho.exe117⤵
- Drops file in System32 directory
PID:6952 -
C:\Windows\SysWOW64\Bnoojfia.exeC:\Windows\system32\Bnoojfia.exe118⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:6992 -
C:\Windows\SysWOW64\Bpnkfa32.exeC:\Windows\system32\Bpnkfa32.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:7032 -
C:\Windows\SysWOW64\Boqlanop.exeC:\Windows\system32\Boqlanop.exe120⤵PID:7072
-
C:\Windows\SysWOW64\Bghcbkpa.exeC:\Windows\system32\Bghcbkpa.exe121⤵PID:7112
-
C:\Windows\SysWOW64\Bjfpogoe.exeC:\Windows\system32\Bjfpogoe.exe122⤵PID:7152
-