Analysis
-
max time kernel
39s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
03-10-2024 15:31
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
8ae2136b8fc15fe4161a227fab5301b3f34b700317848e39e450f207156d262fN.exe
Resource
win7-20240708-en
windows7-x64
9 signatures
120 seconds
Behavioral task
behavioral2
Sample
8ae2136b8fc15fe4161a227fab5301b3f34b700317848e39e450f207156d262fN.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
8 signatures
120 seconds
General
-
Target
8ae2136b8fc15fe4161a227fab5301b3f34b700317848e39e450f207156d262fN.exe
-
Size
80KB
-
MD5
d071d59713d501e44d2aab3c75f643c0
-
SHA1
ce13099b6b7e7724674277e55ab9313cd88e59c6
-
SHA256
8ae2136b8fc15fe4161a227fab5301b3f34b700317848e39e450f207156d262f
-
SHA512
a21f1fe4ecd733d81a144016f57029456c92aa85abf3d2743dfb88faa4fd82b8e75bbb5309a8d7aed096defc0eb6ac7d7b0fc2938f9aa53f73ba69f448c73ade
-
SSDEEP
1536:rRK2aerzLEMEggPxe2HLD2LCS5DUHRbPa9b6i+sIk:Bae4MEggPv8CS5DSCopsIk
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egfglocf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihooog32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogpjmn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbkffc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dalfdjdl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dabicikf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cancif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dpjfjalp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aeccdila.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgiomabc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gjephakn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Haohel32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Klonqpbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gfldno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gppkkikh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jkdalb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpjfjalp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Khglkqfj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbilhkig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aeepjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmobin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ghnfci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkoodd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkdalb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Janihlcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pgogla32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmlqimph.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eiimci32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcankb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jmejmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kaliaphd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Obgmjh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndmeecmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Caepdk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgeopqfp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdgcnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gamkol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jhihpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Olioeoeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjkiie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kgoebmip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pdcgeejf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cpkmehol.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kpmpjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kccbgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ohppjpkc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phgfko32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcfgfack.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdonjf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jaopcbga.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found -
Executes dropped EXE 64 IoCs
pid Process 3004 Iainddpg.exe 2824 Igffmkno.exe 2872 Jpnkep32.exe 2916 Jkdoci32.exe 2852 Jlekja32.exe 2736 Jpqgkpcl.exe 2080 Jempcgad.exe 1040 Jndhddaf.exe 2372 Jpcdqpqj.exe 3052 Jfpmifoa.exe 3016 Jjkiie32.exe 1320 Jhniebne.exe 1956 Johaalea.exe 972 Jafmngde.exe 2388 Jllakpdk.exe 2156 Jojnglco.exe 1908 Jbijcgbc.exe 2484 Kdgfpbaf.exe 1092 Klonqpbi.exe 1692 Knpkhhhg.exe 1508 Kfgcieii.exe 2552 Kkckblgq.exe 980 Knbgnhfd.exe 2312 Kdlpkb32.exe 2368 Khglkqfj.exe 1572 Knddcg32.exe 2936 Kbppdfmk.exe 2068 Kkhdml32.exe 3024 Kjkehhjf.exe 2712 Kmjaddii.exe 2836 Kgoebmip.exe 1552 Lojjfo32.exe 2580 Lgabgl32.exe 976 Lqjfpbmm.exe 2704 Lomglo32.exe 3044 Lchclmla.exe 1496 Liekddkh.exe 2972 Lbmpnjai.exe 1696 Lelljepm.exe 2228 Lkfdfo32.exe 2072 Lndqbk32.exe 868 Lbplciof.exe 112 Lijepc32.exe 2256 Lkhalo32.exe 1076 Lnfmhj32.exe 1724 Laeidfdn.exe 2360 Milaecdp.exe 1084 Mjmnmk32.exe 1128 Mnijnjbh.exe 1568 Magfjebk.exe 2596 Mecbjd32.exe 3040 Mcfbfaao.exe 2716 Mlmjgnaa.exe 1292 Mjpkbk32.exe 2968 Mmngof32.exe 2272 Mhckloge.exe 1644 Mffkgl32.exe 304 Mnncii32.exe 2088 Malpee32.exe 2208 Mcjlap32.exe 2332 Mfihml32.exe 1588 Mjddnjdf.exe 1624 Mmcpjfcj.exe 1704 Mmcpjfcj.exe -
Loads dropped DLL 64 IoCs
pid Process 1768 8ae2136b8fc15fe4161a227fab5301b3f34b700317848e39e450f207156d262fN.exe 1768 8ae2136b8fc15fe4161a227fab5301b3f34b700317848e39e450f207156d262fN.exe 3004 Iainddpg.exe 3004 Iainddpg.exe 2824 Igffmkno.exe 2824 Igffmkno.exe 2872 Jpnkep32.exe 2872 Jpnkep32.exe 2916 Jkdoci32.exe 2916 Jkdoci32.exe 2852 Jlekja32.exe 2852 Jlekja32.exe 2736 Jpqgkpcl.exe 2736 Jpqgkpcl.exe 2080 Jempcgad.exe 2080 Jempcgad.exe 1040 Jndhddaf.exe 1040 Jndhddaf.exe 2372 Jpcdqpqj.exe 2372 Jpcdqpqj.exe 3052 Jfpmifoa.exe 3052 Jfpmifoa.exe 3016 Jjkiie32.exe 3016 Jjkiie32.exe 1320 Jhniebne.exe 1320 Jhniebne.exe 1956 Johaalea.exe 1956 Johaalea.exe 972 Jafmngde.exe 972 Jafmngde.exe 2388 Jllakpdk.exe 2388 Jllakpdk.exe 2156 Jojnglco.exe 2156 Jojnglco.exe 1908 Jbijcgbc.exe 1908 Jbijcgbc.exe 2484 Kdgfpbaf.exe 2484 Kdgfpbaf.exe 1092 Klonqpbi.exe 1092 Klonqpbi.exe 1692 Knpkhhhg.exe 1692 Knpkhhhg.exe 1508 Kfgcieii.exe 1508 Kfgcieii.exe 2552 Kkckblgq.exe 2552 Kkckblgq.exe 980 Knbgnhfd.exe 980 Knbgnhfd.exe 2312 Kdlpkb32.exe 2312 Kdlpkb32.exe 2368 Khglkqfj.exe 2368 Khglkqfj.exe 1572 Knddcg32.exe 1572 Knddcg32.exe 2936 Kbppdfmk.exe 2936 Kbppdfmk.exe 2068 Kkhdml32.exe 2068 Kkhdml32.exe 3024 Kjkehhjf.exe 3024 Kjkehhjf.exe 2712 Kmjaddii.exe 2712 Kmjaddii.exe 2836 Kgoebmip.exe 2836 Kgoebmip.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Aomolh32.dll Adbmjbif.exe File created C:\Windows\SysWOW64\Ddcadd32.exe Dadehh32.exe File created C:\Windows\SysWOW64\Aaeiqf32.exe Process not Found File created C:\Windows\SysWOW64\Akbgdkgm.exe Process not Found File created C:\Windows\SysWOW64\Pbjkiamp.dll Process not Found File opened for modification C:\Windows\SysWOW64\Kplfmfmf.exe Process not Found File created C:\Windows\SysWOW64\Nkpbdj32.dll Dmecokhm.exe File created C:\Windows\SysWOW64\Pceqfl32.exe Pojdem32.exe File opened for modification C:\Windows\SysWOW64\Nmhlnngi.exe Njipabhe.exe File created C:\Windows\SysWOW64\Ojgokflc.exe Oldooi32.exe File opened for modification C:\Windows\SysWOW64\Bgihjl32.exe Process not Found File created C:\Windows\SysWOW64\Ioccpggm.dll Process not Found File created C:\Windows\SysWOW64\Jllakpdk.exe Jafmngde.exe File opened for modification C:\Windows\SysWOW64\Papank32.exe Pobeao32.exe File opened for modification C:\Windows\SysWOW64\Mfchgflg.exe Mcekkkmc.exe File created C:\Windows\SysWOW64\Lfjhaafh.dll Pglclk32.exe File created C:\Windows\SysWOW64\Incgfl32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ggpmkgab.exe Gimmpj32.exe File created C:\Windows\SysWOW64\Dabicikf.exe Dodlfmlb.exe File created C:\Windows\SysWOW64\Egfglocf.exe Edhkpcdb.exe File opened for modification C:\Windows\SysWOW64\Qkbkfh32.exe Qggoeilh.exe File created C:\Windows\SysWOW64\Lginle32.dll Kgoebmip.exe File opened for modification C:\Windows\SysWOW64\Hdqcfdkh.dll Mmcpjfcj.exe File created C:\Windows\SysWOW64\Ihdpml32.dll Gednek32.exe File created C:\Windows\SysWOW64\Hgjieedg.exe Helmiiec.exe File opened for modification C:\Windows\SysWOW64\Ljejgp32.exe Lfingaaf.exe File opened for modification C:\Windows\SysWOW64\Lomglo32.exe Lqjfpbmm.exe File created C:\Windows\SysWOW64\Nmbjkm32.dll Pnllnk32.exe File opened for modification C:\Windows\SysWOW64\Ajaagi32.exe Agcekn32.exe File opened for modification C:\Windows\SysWOW64\Kgmkef32.exe Kdooij32.exe File created C:\Windows\SysWOW64\Igocej32.dll Gefjjk32.exe File created C:\Windows\SysWOW64\Ckkmkh32.dll Process not Found File created C:\Windows\SysWOW64\Onlooh32.exe Oipcnieb.exe File created C:\Windows\SysWOW64\Kcllfi32.exe Kpmpjm32.exe File opened for modification C:\Windows\SysWOW64\Bbapgknp.exe Bocckoom.exe File created C:\Windows\SysWOW64\Bbfhmqhk.dll Process not Found File created C:\Windows\SysWOW64\Mfdjpo32.exe Process not Found File created C:\Windows\SysWOW64\Caaelblj.dll Iflmlfcn.exe File created C:\Windows\SysWOW64\Joigkgel.dll Dhlapc32.exe File created C:\Windows\SysWOW64\Cggcja32.dll Jkdalb32.exe File created C:\Windows\SysWOW64\Dohjfpmp.dll Process not Found File created C:\Windows\SysWOW64\Kdgfpbaf.exe Jbijcgbc.exe File created C:\Windows\SysWOW64\Mfakbf32.exe Mgnkfjho.exe File created C:\Windows\SysWOW64\Niijdq32.exe Maabcc32.exe File created C:\Windows\SysWOW64\Oeoedmpg.dll Nepach32.exe File created C:\Windows\SysWOW64\Ejegcc32.dll Ollcee32.exe File opened for modification C:\Windows\SysWOW64\Aeccdila.exe Aofklbnj.exe File created C:\Windows\SysWOW64\Ggmjkapi.exe Gcankb32.exe File created C:\Windows\SysWOW64\Dedkbb32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Nndhpqma.exe Process not Found File opened for modification C:\Windows\SysWOW64\Cfmhfm32.exe Cgjhkpbj.exe File opened for modification C:\Windows\SysWOW64\Pddinn32.exe Peaibajp.exe File created C:\Windows\SysWOW64\Ijhbkmbo.dll Process not Found File created C:\Windows\SysWOW64\Flmidkmn.exe Fnjiin32.exe File created C:\Windows\SysWOW64\Iljkofkg.exe Ihooog32.exe File created C:\Windows\SysWOW64\Paqdgcfl.exe Paqdgcfl.exe File created C:\Windows\SysWOW64\Jjhgdqef.exe Process not Found File created C:\Windows\SysWOW64\Nbbegl32.exe Ndoelpid.exe File opened for modification C:\Windows\SysWOW64\Dlfgehqk.exe Dmcgik32.exe File created C:\Windows\SysWOW64\Dqffpm32.dll Maabcc32.exe File created C:\Windows\SysWOW64\Iijbnkne.exe Ifkfap32.exe File opened for modification C:\Windows\SysWOW64\Qpocno32.exe Qlcgmpkp.exe File opened for modification C:\Windows\SysWOW64\Biakbc32.exe Process not Found File created C:\Windows\SysWOW64\Mjmnmk32.exe Milaecdp.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 2244 2536 Process not Found 1393 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8ae2136b8fc15fe4161a227fab5301b3f34b700317848e39e450f207156d262fN.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lijepc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmcpjfcj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgmfjdbe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Keehmobp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hngngo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lphlck32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcingdbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdmgdl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Joenaf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjchmclb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppiapp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajoebigm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qcmnaaji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Biolckgf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gamkol32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phmiimlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qpocno32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcjlap32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cligkdlm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aonjpp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nalnmahf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phklcn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bqngjcje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opfdim32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olobcm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pahjgb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bcmjpd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mifmoa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qhdfdb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kobfqc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enqfco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obcgaill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmcgik32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Doocln32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfpjgn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppmkilbp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eaalom32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbcecpck.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcikfhed.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljeabf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olgboogb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dendcg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlapaapg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acmbambf.dll" Qlbnja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fdcncg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnomgnhj.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mcfbfaao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Modipl32.dll" Dgiomabc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eopcmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eeiggk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Paghojip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Polcapil.dll" Caccnllf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfmegi32.dll" Mqdbjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ilceog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cepkfbia.dll" Jklnggjm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmkgcloo.dll" Ckndmaad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gdodjlda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njnjicba.dll" Hbjgbbpn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mipgnbnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cadqllao.dll" Pceqfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhjbbblb.dll" Gnphfppi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhedee32.dll" Bcackdio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlokefce.dll" Dicann32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pmdocf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cedbmi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fdggofgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nbilhkig.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dpaceg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fohbqpki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qnagbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lgiakjld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcgdlpkc.dll" Eekdmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gabdbh32.dll" Odmgnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ionqcpbl.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Paghojip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnagchpe.dll" Nifjnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oemjbe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Andkbien.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqkaef32.dll" Ododdlcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ichlpm32.dll" Ppmkilbp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pogaeg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lqjfpbmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fnjiin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bnkmakbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bipaodah.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mekmbk32.dll" Ogmngn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bmoaoikj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Menfel32.dll" Jaffca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pchdfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olaphh32.dll" Bphdpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ciebdj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgehmk32.dll" Nljcflbd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cakfcfoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kegenopb.dll" Hbpmbndm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhjfmb32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkloip32.dll" Jpigonhd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pglclk32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1768 wrote to memory of 3004 1768 8ae2136b8fc15fe4161a227fab5301b3f34b700317848e39e450f207156d262fN.exe 30 PID 1768 wrote to memory of 3004 1768 8ae2136b8fc15fe4161a227fab5301b3f34b700317848e39e450f207156d262fN.exe 30 PID 1768 wrote to memory of 3004 1768 8ae2136b8fc15fe4161a227fab5301b3f34b700317848e39e450f207156d262fN.exe 30 PID 1768 wrote to memory of 3004 1768 8ae2136b8fc15fe4161a227fab5301b3f34b700317848e39e450f207156d262fN.exe 30 PID 3004 wrote to memory of 2824 3004 Iainddpg.exe 31 PID 3004 wrote to memory of 2824 3004 Iainddpg.exe 31 PID 3004 wrote to memory of 2824 3004 Iainddpg.exe 31 PID 3004 wrote to memory of 2824 3004 Iainddpg.exe 31 PID 2824 wrote to memory of 2872 2824 Igffmkno.exe 32 PID 2824 wrote to memory of 2872 2824 Igffmkno.exe 32 PID 2824 wrote to memory of 2872 2824 Igffmkno.exe 32 PID 2824 wrote to memory of 2872 2824 Igffmkno.exe 32 PID 2872 wrote to memory of 2916 2872 Jpnkep32.exe 33 PID 2872 wrote to memory of 2916 2872 Jpnkep32.exe 33 PID 2872 wrote to memory of 2916 2872 Jpnkep32.exe 33 PID 2872 wrote to memory of 2916 2872 Jpnkep32.exe 33 PID 2916 wrote to memory of 2852 2916 Jkdoci32.exe 34 PID 2916 wrote to memory of 2852 2916 Jkdoci32.exe 34 PID 2916 wrote to memory of 2852 2916 Jkdoci32.exe 34 PID 2916 wrote to memory of 2852 2916 Jkdoci32.exe 34 PID 2852 wrote to memory of 2736 2852 Jlekja32.exe 35 PID 2852 wrote to memory of 2736 2852 Jlekja32.exe 35 PID 2852 wrote to memory of 2736 2852 Jlekja32.exe 35 PID 2852 wrote to memory of 2736 2852 Jlekja32.exe 35 PID 2736 wrote to memory of 2080 2736 Jpqgkpcl.exe 36 PID 2736 wrote to memory of 2080 2736 Jpqgkpcl.exe 36 PID 2736 wrote to memory of 2080 2736 Jpqgkpcl.exe 36 PID 2736 wrote to memory of 2080 2736 Jpqgkpcl.exe 36 PID 2080 wrote to memory of 1040 2080 Jempcgad.exe 37 PID 2080 wrote to memory of 1040 2080 Jempcgad.exe 37 PID 2080 wrote to memory of 1040 2080 Jempcgad.exe 37 PID 2080 wrote to memory of 1040 2080 Jempcgad.exe 37 PID 1040 wrote to memory of 2372 1040 Jndhddaf.exe 38 PID 1040 wrote to memory of 2372 1040 Jndhddaf.exe 38 PID 1040 wrote to memory of 2372 1040 Jndhddaf.exe 38 PID 1040 wrote to memory of 2372 1040 Jndhddaf.exe 38 PID 2372 wrote to memory of 3052 2372 Jpcdqpqj.exe 39 PID 2372 wrote to memory of 3052 2372 Jpcdqpqj.exe 39 PID 2372 wrote to memory of 3052 2372 Jpcdqpqj.exe 39 PID 2372 wrote to memory of 3052 2372 Jpcdqpqj.exe 39 PID 3052 wrote to memory of 3016 3052 Jfpmifoa.exe 40 PID 3052 wrote to memory of 3016 3052 Jfpmifoa.exe 40 PID 3052 wrote to memory of 3016 3052 Jfpmifoa.exe 40 PID 3052 wrote to memory of 3016 3052 Jfpmifoa.exe 40 PID 3016 wrote to memory of 1320 3016 Jjkiie32.exe 41 PID 3016 wrote to memory of 1320 3016 Jjkiie32.exe 41 PID 3016 wrote to memory of 1320 3016 Jjkiie32.exe 41 PID 3016 wrote to memory of 1320 3016 Jjkiie32.exe 41 PID 1320 wrote to memory of 1956 1320 Jhniebne.exe 42 PID 1320 wrote to memory of 1956 1320 Jhniebne.exe 42 PID 1320 wrote to memory of 1956 1320 Jhniebne.exe 42 PID 1320 wrote to memory of 1956 1320 Jhniebne.exe 42 PID 1956 wrote to memory of 972 1956 Johaalea.exe 43 PID 1956 wrote to memory of 972 1956 Johaalea.exe 43 PID 1956 wrote to memory of 972 1956 Johaalea.exe 43 PID 1956 wrote to memory of 972 1956 Johaalea.exe 43 PID 972 wrote to memory of 2388 972 Jafmngde.exe 44 PID 972 wrote to memory of 2388 972 Jafmngde.exe 44 PID 972 wrote to memory of 2388 972 Jafmngde.exe 44 PID 972 wrote to memory of 2388 972 Jafmngde.exe 44 PID 2388 wrote to memory of 2156 2388 Jllakpdk.exe 45 PID 2388 wrote to memory of 2156 2388 Jllakpdk.exe 45 PID 2388 wrote to memory of 2156 2388 Jllakpdk.exe 45 PID 2388 wrote to memory of 2156 2388 Jllakpdk.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\8ae2136b8fc15fe4161a227fab5301b3f34b700317848e39e450f207156d262fN.exe"C:\Users\Admin\AppData\Local\Temp\8ae2136b8fc15fe4161a227fab5301b3f34b700317848e39e450f207156d262fN.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1768 -
C:\Windows\SysWOW64\Iainddpg.exeC:\Windows\system32\Iainddpg.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3004 -
C:\Windows\SysWOW64\Igffmkno.exeC:\Windows\system32\Igffmkno.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2824 -
C:\Windows\SysWOW64\Jpnkep32.exeC:\Windows\system32\Jpnkep32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2872 -
C:\Windows\SysWOW64\Jkdoci32.exeC:\Windows\system32\Jkdoci32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2916 -
C:\Windows\SysWOW64\Jlekja32.exeC:\Windows\system32\Jlekja32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2852 -
C:\Windows\SysWOW64\Jpqgkpcl.exeC:\Windows\system32\Jpqgkpcl.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Windows\SysWOW64\Jempcgad.exeC:\Windows\system32\Jempcgad.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2080 -
C:\Windows\SysWOW64\Jndhddaf.exeC:\Windows\system32\Jndhddaf.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1040 -
C:\Windows\SysWOW64\Jpcdqpqj.exeC:\Windows\system32\Jpcdqpqj.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2372 -
C:\Windows\SysWOW64\Jfpmifoa.exeC:\Windows\system32\Jfpmifoa.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3052 -
C:\Windows\SysWOW64\Jjkiie32.exeC:\Windows\system32\Jjkiie32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3016 -
C:\Windows\SysWOW64\Jhniebne.exeC:\Windows\system32\Jhniebne.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1320 -
C:\Windows\SysWOW64\Johaalea.exeC:\Windows\system32\Johaalea.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1956 -
C:\Windows\SysWOW64\Jafmngde.exeC:\Windows\system32\Jafmngde.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:972 -
C:\Windows\SysWOW64\Jllakpdk.exeC:\Windows\system32\Jllakpdk.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2388 -
C:\Windows\SysWOW64\Jojnglco.exeC:\Windows\system32\Jojnglco.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2156 -
C:\Windows\SysWOW64\Jbijcgbc.exeC:\Windows\system32\Jbijcgbc.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1908 -
C:\Windows\SysWOW64\Kdgfpbaf.exeC:\Windows\system32\Kdgfpbaf.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2484 -
C:\Windows\SysWOW64\Klonqpbi.exeC:\Windows\system32\Klonqpbi.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1092 -
C:\Windows\SysWOW64\Knpkhhhg.exeC:\Windows\system32\Knpkhhhg.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1692 -
C:\Windows\SysWOW64\Kfgcieii.exeC:\Windows\system32\Kfgcieii.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1508 -
C:\Windows\SysWOW64\Kkckblgq.exeC:\Windows\system32\Kkckblgq.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2552 -
C:\Windows\SysWOW64\Knbgnhfd.exeC:\Windows\system32\Knbgnhfd.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:980 -
C:\Windows\SysWOW64\Kdlpkb32.exeC:\Windows\system32\Kdlpkb32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2312 -
C:\Windows\SysWOW64\Khglkqfj.exeC:\Windows\system32\Khglkqfj.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2368 -
C:\Windows\SysWOW64\Knddcg32.exeC:\Windows\system32\Knddcg32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1572 -
C:\Windows\SysWOW64\Kbppdfmk.exeC:\Windows\system32\Kbppdfmk.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2936 -
C:\Windows\SysWOW64\Kkhdml32.exeC:\Windows\system32\Kkhdml32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2068 -
C:\Windows\SysWOW64\Kjkehhjf.exeC:\Windows\system32\Kjkehhjf.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3024 -
C:\Windows\SysWOW64\Kmjaddii.exeC:\Windows\system32\Kmjaddii.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2712 -
C:\Windows\SysWOW64\Kgoebmip.exeC:\Windows\system32\Kgoebmip.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2836 -
C:\Windows\SysWOW64\Lojjfo32.exeC:\Windows\system32\Lojjfo32.exe33⤵
- Executes dropped EXE
PID:1552 -
C:\Windows\SysWOW64\Lgabgl32.exeC:\Windows\system32\Lgabgl32.exe34⤵
- Executes dropped EXE
PID:2580 -
C:\Windows\SysWOW64\Lqjfpbmm.exeC:\Windows\system32\Lqjfpbmm.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:976 -
C:\Windows\SysWOW64\Lomglo32.exeC:\Windows\system32\Lomglo32.exe36⤵
- Executes dropped EXE
PID:2704 -
C:\Windows\SysWOW64\Lchclmla.exeC:\Windows\system32\Lchclmla.exe37⤵
- Executes dropped EXE
PID:3044 -
C:\Windows\SysWOW64\Liekddkh.exeC:\Windows\system32\Liekddkh.exe38⤵
- Executes dropped EXE
PID:1496 -
C:\Windows\SysWOW64\Lbmpnjai.exeC:\Windows\system32\Lbmpnjai.exe39⤵
- Executes dropped EXE
PID:2972 -
C:\Windows\SysWOW64\Lelljepm.exeC:\Windows\system32\Lelljepm.exe40⤵
- Executes dropped EXE
PID:1696 -
C:\Windows\SysWOW64\Lkfdfo32.exeC:\Windows\system32\Lkfdfo32.exe41⤵
- Executes dropped EXE
PID:2228 -
C:\Windows\SysWOW64\Lndqbk32.exeC:\Windows\system32\Lndqbk32.exe42⤵
- Executes dropped EXE
PID:2072 -
C:\Windows\SysWOW64\Lbplciof.exeC:\Windows\system32\Lbplciof.exe43⤵
- Executes dropped EXE
PID:868 -
C:\Windows\SysWOW64\Lijepc32.exeC:\Windows\system32\Lijepc32.exe44⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:112 -
C:\Windows\SysWOW64\Lkhalo32.exeC:\Windows\system32\Lkhalo32.exe45⤵
- Executes dropped EXE
PID:2256 -
C:\Windows\SysWOW64\Lnfmhj32.exeC:\Windows\system32\Lnfmhj32.exe46⤵
- Executes dropped EXE
PID:1076 -
C:\Windows\SysWOW64\Laeidfdn.exeC:\Windows\system32\Laeidfdn.exe47⤵
- Executes dropped EXE
PID:1724 -
C:\Windows\SysWOW64\Milaecdp.exeC:\Windows\system32\Milaecdp.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2360 -
C:\Windows\SysWOW64\Mjmnmk32.exeC:\Windows\system32\Mjmnmk32.exe49⤵
- Executes dropped EXE
PID:1084 -
C:\Windows\SysWOW64\Mnijnjbh.exeC:\Windows\system32\Mnijnjbh.exe50⤵
- Executes dropped EXE
PID:1128 -
C:\Windows\SysWOW64\Magfjebk.exeC:\Windows\system32\Magfjebk.exe51⤵
- Executes dropped EXE
PID:1568 -
C:\Windows\SysWOW64\Mecbjd32.exeC:\Windows\system32\Mecbjd32.exe52⤵
- Executes dropped EXE
PID:2596 -
C:\Windows\SysWOW64\Mcfbfaao.exeC:\Windows\system32\Mcfbfaao.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:3040 -
C:\Windows\SysWOW64\Mlmjgnaa.exeC:\Windows\system32\Mlmjgnaa.exe54⤵
- Executes dropped EXE
PID:2716 -
C:\Windows\SysWOW64\Mjpkbk32.exeC:\Windows\system32\Mjpkbk32.exe55⤵
- Executes dropped EXE
PID:1292 -
C:\Windows\SysWOW64\Mmngof32.exeC:\Windows\system32\Mmngof32.exe56⤵
- Executes dropped EXE
PID:2968 -
C:\Windows\SysWOW64\Mhckloge.exeC:\Windows\system32\Mhckloge.exe57⤵
- Executes dropped EXE
PID:2272 -
C:\Windows\SysWOW64\Mffkgl32.exeC:\Windows\system32\Mffkgl32.exe58⤵
- Executes dropped EXE
PID:1644 -
C:\Windows\SysWOW64\Mnncii32.exeC:\Windows\system32\Mnncii32.exe59⤵
- Executes dropped EXE
PID:304 -
C:\Windows\SysWOW64\Malpee32.exeC:\Windows\system32\Malpee32.exe60⤵
- Executes dropped EXE
PID:2088 -
C:\Windows\SysWOW64\Mcjlap32.exeC:\Windows\system32\Mcjlap32.exe61⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2208 -
C:\Windows\SysWOW64\Mfihml32.exeC:\Windows\system32\Mfihml32.exe62⤵
- Executes dropped EXE
PID:2332 -
C:\Windows\SysWOW64\Mjddnjdf.exeC:\Windows\system32\Mjddnjdf.exe63⤵
- Executes dropped EXE
PID:1588 -
C:\Windows\SysWOW64\Mmcpjfcj.exeC:\Windows\system32\Mmcpjfcj.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1624 -
C:\Windows\SysWOW64\Mmcpjfcj.exeC:\Windows\system32\Mmcpjfcj.exe65⤵
- Executes dropped EXE
PID:1704 -
C:\Windows\SysWOW64\Mpalfabn.exeC:\Windows\system32\Mpalfabn.exe66⤵PID:1004
-
C:\Windows\SysWOW64\Mdmhfpkg.exeC:\Windows\system32\Mdmhfpkg.exe67⤵PID:2196
-
C:\Windows\SysWOW64\Mfkebkjk.exeC:\Windows\system32\Mfkebkjk.exe68⤵PID:2896
-
C:\Windows\SysWOW64\Mjgqcj32.exeC:\Windows\system32\Mjgqcj32.exe69⤵PID:2060
-
C:\Windows\SysWOW64\Mmemoe32.exeC:\Windows\system32\Mmemoe32.exe70⤵PID:2928
-
C:\Windows\SysWOW64\Mlhmkbhb.exeC:\Windows\system32\Mlhmkbhb.exe71⤵PID:2884
-
C:\Windows\SysWOW64\Ndoelpid.exeC:\Windows\system32\Ndoelpid.exe72⤵
- Drops file in System32 directory
PID:2000 -
C:\Windows\SysWOW64\Nbbegl32.exeC:\Windows\system32\Nbbegl32.exe73⤵PID:2620
-
C:\Windows\SysWOW64\Nepach32.exeC:\Windows\system32\Nepach32.exe74⤵
- Drops file in System32 directory
PID:2076 -
C:\Windows\SysWOW64\Nilndfgl.exeC:\Windows\system32\Nilndfgl.exe75⤵PID:2784
-
C:\Windows\SysWOW64\Nmgjee32.exeC:\Windows\system32\Nmgjee32.exe76⤵PID:2616
-
C:\Windows\SysWOW64\Nljjqbfp.exeC:\Windows\system32\Nljjqbfp.exe77⤵PID:2220
-
C:\Windows\SysWOW64\Nbdbml32.exeC:\Windows\system32\Nbdbml32.exe78⤵PID:1096
-
C:\Windows\SysWOW64\Nfpnnk32.exeC:\Windows\system32\Nfpnnk32.exe79⤵PID:2392
-
C:\Windows\SysWOW64\Ninjjf32.exeC:\Windows\system32\Ninjjf32.exe80⤵PID:2548
-
C:\Windows\SysWOW64\Nhakecld.exeC:\Windows\system32\Nhakecld.exe81⤵PID:1492
-
C:\Windows\SysWOW64\Nlmffa32.exeC:\Windows\system32\Nlmffa32.exe82⤵PID:1756
-
C:\Windows\SysWOW64\Nphbfplf.exeC:\Windows\system32\Nphbfplf.exe83⤵PID:2012
-
C:\Windows\SysWOW64\Naionh32.exeC:\Windows\system32\Naionh32.exe84⤵PID:1720
-
C:\Windows\SysWOW64\Neekogkm.exeC:\Windows\system32\Neekogkm.exe85⤵PID:2164
-
C:\Windows\SysWOW64\Nhcgkbja.exeC:\Windows\system32\Nhcgkbja.exe86⤵PID:2732
-
C:\Windows\SysWOW64\Nlocka32.exeC:\Windows\system32\Nlocka32.exe87⤵PID:1948
-
C:\Windows\SysWOW64\Nbilhkig.exeC:\Windows\system32\Nbilhkig.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1912 -
C:\Windows\SysWOW64\Neghdg32.exeC:\Windows\system32\Neghdg32.exe89⤵PID:2700
-
C:\Windows\SysWOW64\Nhfdqb32.exeC:\Windows\system32\Nhfdqb32.exe90⤵PID:2756
-
C:\Windows\SysWOW64\Nlapaapg.exeC:\Windows\system32\Nlapaapg.exe91⤵
- System Location Discovery: System Language Discovery
PID:2416 -
C:\Windows\SysWOW64\Noplmlok.exeC:\Windows\system32\Noplmlok.exe92⤵PID:2260
-
C:\Windows\SysWOW64\Nmbmii32.exeC:\Windows\system32\Nmbmii32.exe93⤵PID:1604
-
C:\Windows\SysWOW64\Ndmeecmb.exeC:\Windows\system32\Ndmeecmb.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2296 -
C:\Windows\SysWOW64\Nhhqfb32.exeC:\Windows\system32\Nhhqfb32.exe95⤵PID:1512
-
C:\Windows\SysWOW64\Okfmbm32.exeC:\Windows\system32\Okfmbm32.exe96⤵PID:760
-
C:\Windows\SysWOW64\Oobiclmh.exeC:\Windows\system32\Oobiclmh.exe97⤵PID:2052
-
C:\Windows\SysWOW64\Oaqeogll.exeC:\Windows\system32\Oaqeogll.exe98⤵PID:2724
-
C:\Windows\SysWOW64\Odoakckp.exeC:\Windows\system32\Odoakckp.exe99⤵PID:2744
-
C:\Windows\SysWOW64\Ogmngn32.exeC:\Windows\system32\Ogmngn32.exe100⤵
- Modifies registry class
PID:2780 -
C:\Windows\SysWOW64\Okijhmcm.exeC:\Windows\system32\Okijhmcm.exe101⤵PID:1080
-
C:\Windows\SysWOW64\Omgfdhbq.exeC:\Windows\system32\Omgfdhbq.exe102⤵PID:3060
-
C:\Windows\SysWOW64\Oacbdg32.exeC:\Windows\system32\Oacbdg32.exe103⤵PID:1120
-
C:\Windows\SysWOW64\Odanqb32.exeC:\Windows\system32\Odanqb32.exe104⤵PID:2064
-
C:\Windows\SysWOW64\Ogpjmn32.exeC:\Windows\system32\Ogpjmn32.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2180 -
C:\Windows\SysWOW64\Okkfmmqj.exeC:\Windows\system32\Okkfmmqj.exe106⤵PID:1880
-
C:\Windows\SysWOW64\Oingii32.exeC:\Windows\system32\Oingii32.exe107⤵PID:2008
-
C:\Windows\SysWOW64\Ollcee32.exeC:\Windows\system32\Ollcee32.exe108⤵
- Drops file in System32 directory
PID:1716 -
C:\Windows\SysWOW64\Ophoecoa.exeC:\Windows\system32\Ophoecoa.exe109⤵PID:2420
-
C:\Windows\SysWOW64\Ocfkaone.exeC:\Windows\system32\Ocfkaone.exe110⤵PID:812
-
C:\Windows\SysWOW64\Oeegnj32.exeC:\Windows\system32\Oeegnj32.exe111⤵PID:3048
-
C:\Windows\SysWOW64\Oipcnieb.exeC:\Windows\system32\Oipcnieb.exe112⤵
- Drops file in System32 directory
PID:1900 -
C:\Windows\SysWOW64\Onlooh32.exeC:\Windows\system32\Onlooh32.exe113⤵PID:1052
-
C:\Windows\SysWOW64\Opjlkc32.exeC:\Windows\system32\Opjlkc32.exe114⤵PID:656
-
C:\Windows\SysWOW64\Oomlfpdi.exeC:\Windows\system32\Oomlfpdi.exe115⤵PID:2100
-
C:\Windows\SysWOW64\Ogddhmdl.exeC:\Windows\system32\Ogddhmdl.exe116⤵PID:884
-
C:\Windows\SysWOW64\Oibpdico.exeC:\Windows\system32\Oibpdico.exe117⤵PID:444
-
C:\Windows\SysWOW64\Olalpdbc.exeC:\Windows\system32\Olalpdbc.exe118⤵PID:1156
-
C:\Windows\SysWOW64\Opmhqc32.exeC:\Windows\system32\Opmhqc32.exe119⤵PID:1988
-
C:\Windows\SysWOW64\Peiaij32.exeC:\Windows\system32\Peiaij32.exe120⤵PID:2992
-
C:\Windows\SysWOW64\Piemih32.exeC:\Windows\system32\Piemih32.exe121⤵PID:1376
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-