Analysis
-
max time kernel
148s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
27/09/2024, 21:29
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
51036c5f841ae1f17a128cf09496a2a671c7f8db0c2599f98fda37bf43bf74ce.exe
Resource
win7-20240903-en
windows7-x64
9 signatures
150 seconds
Behavioral task
behavioral2
Sample
51036c5f841ae1f17a128cf09496a2a671c7f8db0c2599f98fda37bf43bf74ce.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
8 signatures
150 seconds
General
-
Target
51036c5f841ae1f17a128cf09496a2a671c7f8db0c2599f98fda37bf43bf74ce.exe
-
Size
246KB
-
MD5
f84bfd729b2396e2029649d257a1125d
-
SHA1
688313bae60f434669560c4956829769225bd10a
-
SHA256
51036c5f841ae1f17a128cf09496a2a671c7f8db0c2599f98fda37bf43bf74ce
-
SHA512
04affca5e257af4d386c188d68e47b58606dac323efc03357b4deb37277d8c819522873f5ea16e686213e5811a9c51c2d0e9b384eb84b1d1c1ef3aaabcfccdb3
-
SSDEEP
6144:oIivLZFIm3qB2B1xBm102VQlterS9HrX:otImHpas99D
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Haemloni.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpboinpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dqinhcoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ahchdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lmalgq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkeoongd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nomkfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hhoeii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Onldqejb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nomkfk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llpoohik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Edcqjc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpokjd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hokjkbkp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npkdnnfk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chggdoee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ejfbfo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgkdigfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Adiaommc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Egcfdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hqochjnk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcdldknm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Beadgdli.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhaanh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckhfpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lajkbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Piadma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ndicnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nqbaic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eloipb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oehicoom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojeakfnd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nqpdcc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkilka32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbnpbm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnckki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ldbaopdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bphooc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Halcmn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klmbjh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ooggpiek.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oehicoom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mlelda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phaoppja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfngll32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kamlhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aocbokia.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnhjgj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdphjm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdeaelok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lglmefcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aaflgb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnofgg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iqhfnifq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pfeeff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hbnpbm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Koaclfgl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kageia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lcadghnk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehhfjcff.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Felcbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mkdioh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdojnm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbfilffm.exe -
Executes dropped EXE 64 IoCs
pid Process 2768 Inojhc32.exe 2808 Jnagmc32.exe 2824 Jpbcek32.exe 2552 Jmfcop32.exe 2244 Jfohgepi.exe 912 Jbfilffm.exe 2728 Jfaeme32.exe 2504 Jefbnacn.exe 1620 Jnofgg32.exe 1072 Klcgpkhh.exe 2156 Koaclfgl.exe 1904 Kablnadm.exe 2084 Kdphjm32.exe 2132 Kdbepm32.exe 1252 Kageia32.exe 1692 Kdeaelok.exe 1800 Libjncnc.exe 268 Llpfjomf.exe 2312 Lgfjggll.exe 1876 Lidgcclp.exe 1684 Loaokjjg.exe 296 Llepen32.exe 844 Loclai32.exe 1700 Liipnb32.exe 2700 Lcadghnk.exe 2276 Ldbaopdj.exe 2684 Lljipmdl.exe 1360 Mdendpbg.exe 2336 Mgcjpkak.exe 2148 Mainndaq.exe 2896 Mhcfjnhm.exe 2264 Mgegfk32.exe 1472 Makkcc32.exe 1136 Mdigoo32.exe 1916 Mkcplien.exe 2016 Mjfphf32.exe 2168 Mlelda32.exe 1928 Mdldeo32.exe 2328 Mgjpaj32.exe 1624 Mjilmejf.exe 1348 Mlgiiaij.exe 2124 Mqbejp32.exe 1388 Mcaafk32.exe 2628 Mhninb32.exe 2920 Mlieoqgg.exe 1748 Nohaklfk.exe 1724 Nfbjhf32.exe 2776 Nllbdp32.exe 2556 Nkobpmlo.exe 2936 Ncfjajma.exe 2668 Nbhkmg32.exe 680 Ndggib32.exe 2392 Nmnojp32.exe 2532 Nomkfk32.exe 2068 Nnokahip.exe 1344 Nbkgbg32.exe 2820 Ndicnb32.exe 2616 Nhepoaif.exe 1856 Nkclkl32.exe 2364 Nnahgh32.exe 280 Nqpdcc32.exe 904 Nigldq32.exe 1612 Ngjlpmnn.exe 2520 Nndemg32.exe -
Loads dropped DLL 64 IoCs
pid Process 2196 51036c5f841ae1f17a128cf09496a2a671c7f8db0c2599f98fda37bf43bf74ce.exe 2196 51036c5f841ae1f17a128cf09496a2a671c7f8db0c2599f98fda37bf43bf74ce.exe 2768 Inojhc32.exe 2768 Inojhc32.exe 2808 Jnagmc32.exe 2808 Jnagmc32.exe 2824 Jpbcek32.exe 2824 Jpbcek32.exe 2552 Jmfcop32.exe 2552 Jmfcop32.exe 2244 Jfohgepi.exe 2244 Jfohgepi.exe 912 Jbfilffm.exe 912 Jbfilffm.exe 2728 Jfaeme32.exe 2728 Jfaeme32.exe 2504 Jefbnacn.exe 2504 Jefbnacn.exe 1620 Jnofgg32.exe 1620 Jnofgg32.exe 1072 Klcgpkhh.exe 1072 Klcgpkhh.exe 2156 Koaclfgl.exe 2156 Koaclfgl.exe 1904 Kablnadm.exe 1904 Kablnadm.exe 2084 Kdphjm32.exe 2084 Kdphjm32.exe 2132 Kdbepm32.exe 2132 Kdbepm32.exe 1252 Kageia32.exe 1252 Kageia32.exe 1692 Kdeaelok.exe 1692 Kdeaelok.exe 1800 Libjncnc.exe 1800 Libjncnc.exe 268 Llpfjomf.exe 268 Llpfjomf.exe 2312 Lgfjggll.exe 2312 Lgfjggll.exe 1876 Lidgcclp.exe 1876 Lidgcclp.exe 1684 Loaokjjg.exe 1684 Loaokjjg.exe 296 Llepen32.exe 296 Llepen32.exe 844 Loclai32.exe 844 Loclai32.exe 1700 Liipnb32.exe 1700 Liipnb32.exe 2700 Lcadghnk.exe 2700 Lcadghnk.exe 2276 Ldbaopdj.exe 2276 Ldbaopdj.exe 2684 Lljipmdl.exe 2684 Lljipmdl.exe 1360 Mdendpbg.exe 1360 Mdendpbg.exe 2336 Mgcjpkak.exe 2336 Mgcjpkak.exe 2148 Mainndaq.exe 2148 Mainndaq.exe 2896 Mhcfjnhm.exe 2896 Mhcfjnhm.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Lgfjggll.exe Llpfjomf.exe File created C:\Windows\SysWOW64\Galfie32.dll Mlelda32.exe File created C:\Windows\SysWOW64\Cdchneko.exe Cbdkbjkl.exe File opened for modification C:\Windows\SysWOW64\Mopdpg32.exe Mkdioh32.exe File created C:\Windows\SysWOW64\Ckhpejbf.exe Cglcek32.exe File created C:\Windows\SysWOW64\Koaclfgl.exe Klcgpkhh.exe File opened for modification C:\Windows\SysWOW64\Koaclfgl.exe Klcgpkhh.exe File opened for modification C:\Windows\SysWOW64\Ogofkm32.exe Oepjoa32.exe File created C:\Windows\SysWOW64\Bqfbdfga.dll Ojmbgh32.exe File opened for modification C:\Windows\SysWOW64\Abdbflnf.exe Apefjqob.exe File opened for modification C:\Windows\SysWOW64\Ahchdb32.exe Aedlhg32.exe File created C:\Windows\SysWOW64\Djdjalea.exe Dcjaeamd.exe File created C:\Windows\SysWOW64\Kbnlnmnm.dll Lgnjke32.exe File created C:\Windows\SysWOW64\Omfnnnhj.exe Njhbabif.exe File opened for modification C:\Windows\SysWOW64\Makkcc32.exe Mgegfk32.exe File created C:\Windows\SysWOW64\Pjahakgb.exe Pdhpdq32.exe File opened for modification C:\Windows\SysWOW64\Bknmok32.exe Bhpqcpkm.exe File opened for modification C:\Windows\SysWOW64\Phobjp32.exe Padjmfdg.exe File created C:\Windows\SysWOW64\Bedpgc32.dll Dghjkpck.exe File created C:\Windows\SysWOW64\Ooggpiek.exe Okkkoj32.exe File created C:\Windows\SysWOW64\Kbbinm32.dll Padccpal.exe File created C:\Windows\SysWOW64\Eaflfbko.dll Ajldkhjh.exe File created C:\Windows\SysWOW64\Fknbgb32.dll Allgoa32.exe File created C:\Windows\SysWOW64\Ckpmmabh.dll Cjmmffgn.exe File created C:\Windows\SysWOW64\Kmkkio32.dll Jefbnacn.exe File created C:\Windows\SysWOW64\Kdphjm32.exe Kablnadm.exe File opened for modification C:\Windows\SysWOW64\Nbhkmg32.exe Ncfjajma.exe File opened for modification C:\Windows\SysWOW64\Gncgbkki.exe Gigkbm32.exe File created C:\Windows\SysWOW64\Mkdioh32.exe Mhflcm32.exe File opened for modification C:\Windows\SysWOW64\Dglpdomh.exe Dhiphb32.exe File created C:\Windows\SysWOW64\Efjpkj32.exe Eclcon32.exe File created C:\Windows\SysWOW64\Pbkboega.dll Klcgpkhh.exe File opened for modification C:\Windows\SysWOW64\Ldbaopdj.exe Lcadghnk.exe File opened for modification C:\Windows\SysWOW64\Bphooc32.exe Bnicbh32.exe File opened for modification C:\Windows\SysWOW64\Miocmq32.exe Lgpfpe32.exe File created C:\Windows\SysWOW64\Meecaa32.exe Mokkegmm.exe File created C:\Windows\SysWOW64\Afcdpi32.exe Ahpddmia.exe File created C:\Windows\SysWOW64\Dnfhqi32.exe Dochelmj.exe File opened for modification C:\Windows\SysWOW64\Qpamoa32.exe Qmbqcf32.exe File created C:\Windows\SysWOW64\Eeomnifk.dll Bgahkngh.exe File created C:\Windows\SysWOW64\Decdmi32.exe Dbdham32.exe File opened for modification C:\Windows\SysWOW64\Hbnpbm32.exe Hjggap32.exe File created C:\Windows\SysWOW64\Obffbh32.dll Kbnhpdke.exe File opened for modification C:\Windows\SysWOW64\Pjjkfe32.exe Pglojj32.exe File opened for modification C:\Windows\SysWOW64\Dnfhqi32.exe Dochelmj.exe File created C:\Windows\SysWOW64\Enoinika.dll Djmiejji.exe File created C:\Windows\SysWOW64\Feembf32.dll Nomkfk32.exe File created C:\Windows\SysWOW64\Allapi32.dll Pmpdmfff.exe File created C:\Windows\SysWOW64\Bchhqo32.exe Bomlppdb.exe File created C:\Windows\SysWOW64\Inipeafi.dll Fhmldfdm.exe File created C:\Windows\SysWOW64\Cblgff32.dll Imacijjb.exe File created C:\Windows\SysWOW64\Nhmbdl32.exe Macjgadf.exe File created C:\Windows\SysWOW64\Eifobe32.exe Egebjmdn.exe File created C:\Windows\SysWOW64\Embkbdce.exe Eifobe32.exe File created C:\Windows\SysWOW64\Pccohd32.dll Jpbcek32.exe File created C:\Windows\SysWOW64\Eehhiell.dll Cfknhi32.exe File created C:\Windows\SysWOW64\Pimkbbpi.exe Pjjkfe32.exe File created C:\Windows\SysWOW64\Ojkeah32.exe Ogliemkk.exe File opened for modification C:\Windows\SysWOW64\Ocjpkm32.exe Olchjp32.exe File created C:\Windows\SysWOW64\Pdnpjc32.dll Eaednh32.exe File created C:\Windows\SysWOW64\Oiaapj32.dll Felcbk32.exe File created C:\Windows\SysWOW64\Gckjke32.dll Gaeqmk32.exe File created C:\Windows\SysWOW64\Kijmbnpo.exe Keoabo32.exe File opened for modification C:\Windows\SysWOW64\Klmbjh32.exe Kiofnm32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5928 5820 WerFault.exe 569 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aeiecfga.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdjcjf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifgklp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Meecaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fllaopcg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfhgggim.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Embkbdce.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldbaopdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Felcbk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icdeee32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ammmlcgi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aahimb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phobjp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpfkeb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gagmbkik.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhdpnm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdeaelok.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nqbaic32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkilka32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgfjggll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oibohdmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gckfpc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhflcm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nddcimag.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmfjmake.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apilcoho.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dglpdomh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dochelmj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhninb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffbmfo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmlecinf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jngilalk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cojeomee.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plhaeofp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmidlmcd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpmooind.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppipdl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlgiiaij.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icbipe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnlbgq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oekehomj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Beadgdli.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nkclkl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qfkelkkd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkelpd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngbpehpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekghcq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abhlak32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkfpjf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oqojhp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qaofgc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dqfabdaf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmnojp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Padjmfdg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehhfjcff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nladco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajamfh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkjhjm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmmbge32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qbafalph.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Halcmn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oknhdjko.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pehebbbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlpbna32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pfqlkfoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Epqgopbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ngbpehpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jenndm32.dll" Ojeakfnd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pmnghfhi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Miocmq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apenjhfe.dll" Mhflcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mhflcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nhmbdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekhnnojb.dll" Inojhc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ocjpkm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aoomflpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjgmmkof.dll" Nnlhab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pimkbbpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Camnge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcphaglh.dll" Dnckki32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mdldeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmjkjk32.dll" Nfbjhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ecadddjh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hnnjfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mldeik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqjjfh32.dll" Njmfhe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bplnpkga.dll" Ehhfjcff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mkibjgli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ogdhik32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dnckki32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dqinhcoc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ebappk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ombddbah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gkpakq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fmlecinf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cplffidh.dll" Gmqkml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppjedf32.dll" Ifgklp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnokee32.dll" Pcdldknm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ncfjajma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkhdcccf.dll" Ffbmfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jkfpjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bahelebm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bphooc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jgkdigfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afgdde32.dll" Jcdadhjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aeelon32.dll" Bikcbc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fedfgejh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ebknblho.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hjggap32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Coafko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aedkomok.dll" Fmlecinf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fbngfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mlmoilni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bpboinpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cnabffeo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jnofgg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ppopja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlpfci32.dll" Dboglhna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anjaagnc.dll" Emgkhj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omgipo32.dll" Iickckcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lhimji32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ebcmfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckmhkeef.dll" Jfohgepi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjjpeiak.dll" Oibohdmd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cbdkbjkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejnjabpb.dll" Cqleifna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ifengpdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ifgklp32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2196 wrote to memory of 2768 2196 51036c5f841ae1f17a128cf09496a2a671c7f8db0c2599f98fda37bf43bf74ce.exe 30 PID 2196 wrote to memory of 2768 2196 51036c5f841ae1f17a128cf09496a2a671c7f8db0c2599f98fda37bf43bf74ce.exe 30 PID 2196 wrote to memory of 2768 2196 51036c5f841ae1f17a128cf09496a2a671c7f8db0c2599f98fda37bf43bf74ce.exe 30 PID 2196 wrote to memory of 2768 2196 51036c5f841ae1f17a128cf09496a2a671c7f8db0c2599f98fda37bf43bf74ce.exe 30 PID 2768 wrote to memory of 2808 2768 Inojhc32.exe 31 PID 2768 wrote to memory of 2808 2768 Inojhc32.exe 31 PID 2768 wrote to memory of 2808 2768 Inojhc32.exe 31 PID 2768 wrote to memory of 2808 2768 Inojhc32.exe 31 PID 2808 wrote to memory of 2824 2808 Jnagmc32.exe 32 PID 2808 wrote to memory of 2824 2808 Jnagmc32.exe 32 PID 2808 wrote to memory of 2824 2808 Jnagmc32.exe 32 PID 2808 wrote to memory of 2824 2808 Jnagmc32.exe 32 PID 2824 wrote to memory of 2552 2824 Jpbcek32.exe 33 PID 2824 wrote to memory of 2552 2824 Jpbcek32.exe 33 PID 2824 wrote to memory of 2552 2824 Jpbcek32.exe 33 PID 2824 wrote to memory of 2552 2824 Jpbcek32.exe 33 PID 2552 wrote to memory of 2244 2552 Jmfcop32.exe 34 PID 2552 wrote to memory of 2244 2552 Jmfcop32.exe 34 PID 2552 wrote to memory of 2244 2552 Jmfcop32.exe 34 PID 2552 wrote to memory of 2244 2552 Jmfcop32.exe 34 PID 2244 wrote to memory of 912 2244 Jfohgepi.exe 35 PID 2244 wrote to memory of 912 2244 Jfohgepi.exe 35 PID 2244 wrote to memory of 912 2244 Jfohgepi.exe 35 PID 2244 wrote to memory of 912 2244 Jfohgepi.exe 35 PID 912 wrote to memory of 2728 912 Jbfilffm.exe 36 PID 912 wrote to memory of 2728 912 Jbfilffm.exe 36 PID 912 wrote to memory of 2728 912 Jbfilffm.exe 36 PID 912 wrote to memory of 2728 912 Jbfilffm.exe 36 PID 2728 wrote to memory of 2504 2728 Jfaeme32.exe 37 PID 2728 wrote to memory of 2504 2728 Jfaeme32.exe 37 PID 2728 wrote to memory of 2504 2728 Jfaeme32.exe 37 PID 2728 wrote to memory of 2504 2728 Jfaeme32.exe 37 PID 2504 wrote to memory of 1620 2504 Jefbnacn.exe 38 PID 2504 wrote to memory of 1620 2504 Jefbnacn.exe 38 PID 2504 wrote to memory of 1620 2504 Jefbnacn.exe 38 PID 2504 wrote to memory of 1620 2504 Jefbnacn.exe 38 PID 1620 wrote to memory of 1072 1620 Jnofgg32.exe 39 PID 1620 wrote to memory of 1072 1620 Jnofgg32.exe 39 PID 1620 wrote to memory of 1072 1620 Jnofgg32.exe 39 PID 1620 wrote to memory of 1072 1620 Jnofgg32.exe 39 PID 1072 wrote to memory of 2156 1072 Klcgpkhh.exe 40 PID 1072 wrote to memory of 2156 1072 Klcgpkhh.exe 40 PID 1072 wrote to memory of 2156 1072 Klcgpkhh.exe 40 PID 1072 wrote to memory of 2156 1072 Klcgpkhh.exe 40 PID 2156 wrote to memory of 1904 2156 Koaclfgl.exe 41 PID 2156 wrote to memory of 1904 2156 Koaclfgl.exe 41 PID 2156 wrote to memory of 1904 2156 Koaclfgl.exe 41 PID 2156 wrote to memory of 1904 2156 Koaclfgl.exe 41 PID 1904 wrote to memory of 2084 1904 Kablnadm.exe 42 PID 1904 wrote to memory of 2084 1904 Kablnadm.exe 42 PID 1904 wrote to memory of 2084 1904 Kablnadm.exe 42 PID 1904 wrote to memory of 2084 1904 Kablnadm.exe 42 PID 2084 wrote to memory of 2132 2084 Kdphjm32.exe 43 PID 2084 wrote to memory of 2132 2084 Kdphjm32.exe 43 PID 2084 wrote to memory of 2132 2084 Kdphjm32.exe 43 PID 2084 wrote to memory of 2132 2084 Kdphjm32.exe 43 PID 2132 wrote to memory of 1252 2132 Kdbepm32.exe 44 PID 2132 wrote to memory of 1252 2132 Kdbepm32.exe 44 PID 2132 wrote to memory of 1252 2132 Kdbepm32.exe 44 PID 2132 wrote to memory of 1252 2132 Kdbepm32.exe 44 PID 1252 wrote to memory of 1692 1252 Kageia32.exe 45 PID 1252 wrote to memory of 1692 1252 Kageia32.exe 45 PID 1252 wrote to memory of 1692 1252 Kageia32.exe 45 PID 1252 wrote to memory of 1692 1252 Kageia32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\51036c5f841ae1f17a128cf09496a2a671c7f8db0c2599f98fda37bf43bf74ce.exe"C:\Users\Admin\AppData\Local\Temp\51036c5f841ae1f17a128cf09496a2a671c7f8db0c2599f98fda37bf43bf74ce.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2196 -
C:\Windows\SysWOW64\Inojhc32.exeC:\Windows\system32\Inojhc32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2768 -
C:\Windows\SysWOW64\Jnagmc32.exeC:\Windows\system32\Jnagmc32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2808 -
C:\Windows\SysWOW64\Jpbcek32.exeC:\Windows\system32\Jpbcek32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2824 -
C:\Windows\SysWOW64\Jmfcop32.exeC:\Windows\system32\Jmfcop32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2552 -
C:\Windows\SysWOW64\Jfohgepi.exeC:\Windows\system32\Jfohgepi.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2244 -
C:\Windows\SysWOW64\Jbfilffm.exeC:\Windows\system32\Jbfilffm.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:912 -
C:\Windows\SysWOW64\Jfaeme32.exeC:\Windows\system32\Jfaeme32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2728 -
C:\Windows\SysWOW64\Jefbnacn.exeC:\Windows\system32\Jefbnacn.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2504 -
C:\Windows\SysWOW64\Jnofgg32.exeC:\Windows\system32\Jnofgg32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1620 -
C:\Windows\SysWOW64\Klcgpkhh.exeC:\Windows\system32\Klcgpkhh.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1072 -
C:\Windows\SysWOW64\Koaclfgl.exeC:\Windows\system32\Koaclfgl.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2156 -
C:\Windows\SysWOW64\Kablnadm.exeC:\Windows\system32\Kablnadm.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1904 -
C:\Windows\SysWOW64\Kdphjm32.exeC:\Windows\system32\Kdphjm32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2084 -
C:\Windows\SysWOW64\Kdbepm32.exeC:\Windows\system32\Kdbepm32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2132 -
C:\Windows\SysWOW64\Kageia32.exeC:\Windows\system32\Kageia32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1252 -
C:\Windows\SysWOW64\Kdeaelok.exeC:\Windows\system32\Kdeaelok.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1692 -
C:\Windows\SysWOW64\Libjncnc.exeC:\Windows\system32\Libjncnc.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1800 -
C:\Windows\SysWOW64\Llpfjomf.exeC:\Windows\system32\Llpfjomf.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:268 -
C:\Windows\SysWOW64\Lgfjggll.exeC:\Windows\system32\Lgfjggll.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2312 -
C:\Windows\SysWOW64\Lidgcclp.exeC:\Windows\system32\Lidgcclp.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1876 -
C:\Windows\SysWOW64\Loaokjjg.exeC:\Windows\system32\Loaokjjg.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1684 -
C:\Windows\SysWOW64\Llepen32.exeC:\Windows\system32\Llepen32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:296 -
C:\Windows\SysWOW64\Loclai32.exeC:\Windows\system32\Loclai32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:844 -
C:\Windows\SysWOW64\Liipnb32.exeC:\Windows\system32\Liipnb32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1700 -
C:\Windows\SysWOW64\Lcadghnk.exeC:\Windows\system32\Lcadghnk.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2700 -
C:\Windows\SysWOW64\Ldbaopdj.exeC:\Windows\system32\Ldbaopdj.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2276 -
C:\Windows\SysWOW64\Lljipmdl.exeC:\Windows\system32\Lljipmdl.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2684 -
C:\Windows\SysWOW64\Mdendpbg.exeC:\Windows\system32\Mdendpbg.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1360 -
C:\Windows\SysWOW64\Mgcjpkak.exeC:\Windows\system32\Mgcjpkak.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2336 -
C:\Windows\SysWOW64\Mainndaq.exeC:\Windows\system32\Mainndaq.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2148 -
C:\Windows\SysWOW64\Mhcfjnhm.exeC:\Windows\system32\Mhcfjnhm.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2896 -
C:\Windows\SysWOW64\Mgegfk32.exeC:\Windows\system32\Mgegfk32.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2264 -
C:\Windows\SysWOW64\Makkcc32.exeC:\Windows\system32\Makkcc32.exe34⤵
- Executes dropped EXE
PID:1472 -
C:\Windows\SysWOW64\Mdigoo32.exeC:\Windows\system32\Mdigoo32.exe35⤵
- Executes dropped EXE
PID:1136 -
C:\Windows\SysWOW64\Mkcplien.exeC:\Windows\system32\Mkcplien.exe36⤵
- Executes dropped EXE
PID:1916 -
C:\Windows\SysWOW64\Mjfphf32.exeC:\Windows\system32\Mjfphf32.exe37⤵
- Executes dropped EXE
PID:2016 -
C:\Windows\SysWOW64\Mlelda32.exeC:\Windows\system32\Mlelda32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2168 -
C:\Windows\SysWOW64\Mdldeo32.exeC:\Windows\system32\Mdldeo32.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:1928 -
C:\Windows\SysWOW64\Mgjpaj32.exeC:\Windows\system32\Mgjpaj32.exe40⤵
- Executes dropped EXE
PID:2328 -
C:\Windows\SysWOW64\Mjilmejf.exeC:\Windows\system32\Mjilmejf.exe41⤵
- Executes dropped EXE
PID:1624 -
C:\Windows\SysWOW64\Mlgiiaij.exeC:\Windows\system32\Mlgiiaij.exe42⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1348 -
C:\Windows\SysWOW64\Mqbejp32.exeC:\Windows\system32\Mqbejp32.exe43⤵
- Executes dropped EXE
PID:2124 -
C:\Windows\SysWOW64\Mcaafk32.exeC:\Windows\system32\Mcaafk32.exe44⤵
- Executes dropped EXE
PID:1388 -
C:\Windows\SysWOW64\Mhninb32.exeC:\Windows\system32\Mhninb32.exe45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2628 -
C:\Windows\SysWOW64\Mlieoqgg.exeC:\Windows\system32\Mlieoqgg.exe46⤵
- Executes dropped EXE
PID:2920 -
C:\Windows\SysWOW64\Nohaklfk.exeC:\Windows\system32\Nohaklfk.exe47⤵
- Executes dropped EXE
PID:1748 -
C:\Windows\SysWOW64\Nfbjhf32.exeC:\Windows\system32\Nfbjhf32.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:1724 -
C:\Windows\SysWOW64\Njmfhe32.exeC:\Windows\system32\Njmfhe32.exe49⤵
- Modifies registry class
PID:1064 -
C:\Windows\SysWOW64\Nllbdp32.exeC:\Windows\system32\Nllbdp32.exe50⤵
- Executes dropped EXE
PID:2776 -
C:\Windows\SysWOW64\Nkobpmlo.exeC:\Windows\system32\Nkobpmlo.exe51⤵
- Executes dropped EXE
PID:2556 -
C:\Windows\SysWOW64\Ncfjajma.exeC:\Windows\system32\Ncfjajma.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2936 -
C:\Windows\SysWOW64\Nbhkmg32.exeC:\Windows\system32\Nbhkmg32.exe53⤵
- Executes dropped EXE
PID:2668 -
C:\Windows\SysWOW64\Ndggib32.exeC:\Windows\system32\Ndggib32.exe54⤵
- Executes dropped EXE
PID:680 -
C:\Windows\SysWOW64\Nmnojp32.exeC:\Windows\system32\Nmnojp32.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2392 -
C:\Windows\SysWOW64\Nomkfk32.exeC:\Windows\system32\Nomkfk32.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2532 -
C:\Windows\SysWOW64\Nnokahip.exeC:\Windows\system32\Nnokahip.exe57⤵
- Executes dropped EXE
PID:2068 -
C:\Windows\SysWOW64\Nbkgbg32.exeC:\Windows\system32\Nbkgbg32.exe58⤵
- Executes dropped EXE
PID:1344 -
C:\Windows\SysWOW64\Ndicnb32.exeC:\Windows\system32\Ndicnb32.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2820 -
C:\Windows\SysWOW64\Nhepoaif.exeC:\Windows\system32\Nhepoaif.exe60⤵
- Executes dropped EXE
PID:2616 -
C:\Windows\SysWOW64\Nkclkl32.exeC:\Windows\system32\Nkclkl32.exe61⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1856 -
C:\Windows\SysWOW64\Nnahgh32.exeC:\Windows\system32\Nnahgh32.exe62⤵
- Executes dropped EXE
PID:2364 -
C:\Windows\SysWOW64\Nqpdcc32.exeC:\Windows\system32\Nqpdcc32.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:280 -
C:\Windows\SysWOW64\Nigldq32.exeC:\Windows\system32\Nigldq32.exe64⤵
- Executes dropped EXE
PID:904 -
C:\Windows\SysWOW64\Ngjlpmnn.exeC:\Windows\system32\Ngjlpmnn.exe65⤵
- Executes dropped EXE
PID:1612 -
C:\Windows\SysWOW64\Nndemg32.exeC:\Windows\system32\Nndemg32.exe66⤵
- Executes dropped EXE
PID:2520 -
C:\Windows\SysWOW64\Nqbaic32.exeC:\Windows\system32\Nqbaic32.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2172 -
C:\Windows\SysWOW64\Ogliemkk.exeC:\Windows\system32\Ogliemkk.exe68⤵
- Drops file in System32 directory
PID:2848 -
C:\Windows\SysWOW64\Ojkeah32.exeC:\Windows\system32\Ojkeah32.exe69⤵PID:1736
-
C:\Windows\SysWOW64\Omiand32.exeC:\Windows\system32\Omiand32.exe70⤵PID:2640
-
C:\Windows\SysWOW64\Oepjoa32.exeC:\Windows\system32\Oepjoa32.exe71⤵
- Drops file in System32 directory
PID:1864 -
C:\Windows\SysWOW64\Ogofkm32.exeC:\Windows\system32\Ogofkm32.exe72⤵PID:2584
-
C:\Windows\SysWOW64\Ojmbgh32.exeC:\Windows\system32\Ojmbgh32.exe73⤵
- Drops file in System32 directory
PID:2348 -
C:\Windows\SysWOW64\Oninhgae.exeC:\Windows\system32\Oninhgae.exe74⤵PID:1468
-
C:\Windows\SysWOW64\Opjkpo32.exeC:\Windows\system32\Opjkpo32.exe75⤵PID:2368
-
C:\Windows\SysWOW64\Ofdclinq.exeC:\Windows\system32\Ofdclinq.exe76⤵PID:632
-
C:\Windows\SysWOW64\Oibohdmd.exeC:\Windows\system32\Oibohdmd.exe77⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2444 -
C:\Windows\SysWOW64\Omnkicen.exeC:\Windows\system32\Omnkicen.exe78⤵PID:2020
-
C:\Windows\SysWOW64\Oplgeoea.exeC:\Windows\system32\Oplgeoea.exe79⤵PID:1948
-
C:\Windows\SysWOW64\Offpbi32.exeC:\Windows\system32\Offpbi32.exe80⤵PID:2236
-
C:\Windows\SysWOW64\Ojblbgdg.exeC:\Windows\system32\Ojblbgdg.exe81⤵PID:1500
-
C:\Windows\SysWOW64\Omphocck.exeC:\Windows\system32\Omphocck.exe82⤵PID:928
-
C:\Windows\SysWOW64\Olchjp32.exeC:\Windows\system32\Olchjp32.exe83⤵
- Drops file in System32 directory
PID:2432 -
C:\Windows\SysWOW64\Ocjpkm32.exeC:\Windows\system32\Ocjpkm32.exe84⤵
- Modifies registry class
PID:1708 -
C:\Windows\SysWOW64\Ofilgh32.exeC:\Windows\system32\Ofilgh32.exe85⤵PID:2180
-
C:\Windows\SysWOW64\Oighcd32.exeC:\Windows\system32\Oighcd32.exe86⤵PID:2452
-
C:\Windows\SysWOW64\Ombddbah.exeC:\Windows\system32\Ombddbah.exe87⤵
- Modifies registry class
PID:1576 -
C:\Windows\SysWOW64\Opaqpn32.exeC:\Windows\system32\Opaqpn32.exe88⤵PID:2772
-
C:\Windows\SysWOW64\Pbomli32.exeC:\Windows\system32\Pbomli32.exe89⤵PID:1888
-
C:\Windows\SysWOW64\Pfkimhhi.exeC:\Windows\system32\Pfkimhhi.exe90⤵PID:3036
-
C:\Windows\SysWOW64\Phledp32.exeC:\Windows\system32\Phledp32.exe91⤵PID:656
-
C:\Windows\SysWOW64\Plhaeofp.exeC:\Windows\system32\Plhaeofp.exe92⤵
- System Location Discovery: System Language Discovery
PID:2952 -
C:\Windows\SysWOW64\Pnfnajed.exeC:\Windows\system32\Pnfnajed.exe93⤵PID:2440
-
C:\Windows\SysWOW64\Padjmfdg.exeC:\Windows\system32\Padjmfdg.exe94⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1448 -
C:\Windows\SysWOW64\Phobjp32.exeC:\Windows\system32\Phobjp32.exe95⤵
- System Location Discovery: System Language Discovery
PID:2536 -
C:\Windows\SysWOW64\Pljnkodm.exeC:\Windows\system32\Pljnkodm.exe96⤵PID:1560
-
C:\Windows\SysWOW64\Pnhjgj32.exeC:\Windows\system32\Pnhjgj32.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1932 -
C:\Windows\SysWOW64\Paggce32.exeC:\Windows\system32\Paggce32.exe98⤵PID:2100
-
C:\Windows\SysWOW64\Pebbcdkn.exeC:\Windows\system32\Pebbcdkn.exe99⤵PID:872
-
C:\Windows\SysWOW64\Phaoppja.exeC:\Windows\system32\Phaoppja.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1084 -
C:\Windows\SysWOW64\Pllkpn32.exeC:\Windows\system32\Pllkpn32.exe101⤵PID:996
-
C:\Windows\SysWOW64\Pmnghfhi.exeC:\Windows\system32\Pmnghfhi.exe102⤵
- Modifies registry class
PID:2420 -
C:\Windows\SysWOW64\Paiche32.exeC:\Windows\system32\Paiche32.exe103⤵PID:2572
-
C:\Windows\SysWOW64\Pdhpdq32.exeC:\Windows\system32\Pdhpdq32.exe104⤵
- Drops file in System32 directory
PID:2716 -
C:\Windows\SysWOW64\Pjahakgb.exeC:\Windows\system32\Pjahakgb.exe105⤵PID:2964
-
C:\Windows\SysWOW64\Pmpdmfff.exeC:\Windows\system32\Pmpdmfff.exe106⤵
- Drops file in System32 directory
PID:748 -
C:\Windows\SysWOW64\Ppopja32.exeC:\Windows\system32\Ppopja32.exe107⤵
- Modifies registry class
PID:1640 -
C:\Windows\SysWOW64\Pdjljpnc.exeC:\Windows\system32\Pdjljpnc.exe108⤵PID:2788
-
C:\Windows\SysWOW64\Qjddgj32.exeC:\Windows\system32\Qjddgj32.exe109⤵PID:316
-
C:\Windows\SysWOW64\Qmbqcf32.exeC:\Windows\system32\Qmbqcf32.exe110⤵
- Drops file in System32 directory
PID:3000 -
C:\Windows\SysWOW64\Qpamoa32.exeC:\Windows\system32\Qpamoa32.exe111⤵PID:1404
-
C:\Windows\SysWOW64\Qboikm32.exeC:\Windows\system32\Qboikm32.exe112⤵PID:2644
-
C:\Windows\SysWOW64\Qfkelkkd.exeC:\Windows\system32\Qfkelkkd.exe113⤵
- System Location Discovery: System Language Discovery
PID:600 -
C:\Windows\SysWOW64\Qiiahgjh.exeC:\Windows\system32\Qiiahgjh.exe114⤵PID:2512
-
C:\Windows\SysWOW64\Qdofep32.exeC:\Windows\system32\Qdofep32.exe115⤵PID:2692
-
C:\Windows\SysWOW64\Qbafalph.exeC:\Windows\system32\Qbafalph.exe116⤵
- System Location Discovery: System Language Discovery
PID:2740 -
C:\Windows\SysWOW64\Aepbmhpl.exeC:\Windows\system32\Aepbmhpl.exe117⤵PID:1972
-
C:\Windows\SysWOW64\Amgjnepn.exeC:\Windows\system32\Amgjnepn.exe118⤵PID:2376
-
C:\Windows\SysWOW64\Apefjqob.exeC:\Windows\system32\Apefjqob.exe119⤵
- Drops file in System32 directory
PID:2000 -
C:\Windows\SysWOW64\Abdbflnf.exeC:\Windows\system32\Abdbflnf.exe120⤵PID:536
-
C:\Windows\SysWOW64\Afpogk32.exeC:\Windows\system32\Afpogk32.exe121⤵PID:320
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-