Analysis
-
max time kernel
42s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
12/10/2024, 04:31
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
4ead78e8d0f91f0b6523ed7db092cf6724b6f8975292da0d9edd4af9306ab6a0N.exe
Resource
win7-20240903-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
4ead78e8d0f91f0b6523ed7db092cf6724b6f8975292da0d9edd4af9306ab6a0N.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
8 signatures
120 seconds
General
-
Target
4ead78e8d0f91f0b6523ed7db092cf6724b6f8975292da0d9edd4af9306ab6a0N.exe
-
Size
56KB
-
MD5
31c6ba2ef4a683864f2c3a8e241e5850
-
SHA1
f6a2e1e3990dcadc5a57d93586b022b97ff95e43
-
SHA256
4ead78e8d0f91f0b6523ed7db092cf6724b6f8975292da0d9edd4af9306ab6a0
-
SHA512
91756a8d41ebe7c6bfe4a5235016c4991368f59a16fca15912a9b74765fb229f5b303529d44bc03e985f8afa72af982f7c4ca936db3269824efbd7630e9dc3a2
-
SSDEEP
768:T5E4n+xeMGRANJmpUC9r4B8m1mHSQOuDEkpmXDAXPOtbjDp/1H5qXdnh:TQxeMlvmdra89Sxkp6FDL+
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://master-x.com/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://crutop.ru/index.php
http://kaspersky.ru/index.php
http://color-bank.ru/index.php
http://adult-empire.com/index.php
http://virus-list.com/index.php
http://trojan.ru/index.php
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://fethard.biz/index.htm
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://kaspersky.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Melifl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmhkmm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eecafd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Apgagg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oidglb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kllnhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajqljc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oippjl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pepcelel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Flocfmnl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlpkdkkd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Naopaa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcghof32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnnnnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ffaaoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gfejjgli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aboaff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kofaicon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mbpipp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omqlpp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hidcef32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Illbhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dcohghbk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekhmcelc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbackc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gildahhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ieajkfmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jdpjba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkaehb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lokgcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmalldcn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mbcoio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qgmpibam.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmmebm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nledoj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ooqpdj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Maefamlh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgbdodnh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnnaoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkglnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Khghgchk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kdpfadlm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ppnnai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bmpkqklh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpgajgeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aipfmane.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kpcqnf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfkapb32.exe -
Executes dropped EXE 64 IoCs
pid Process 2128 Kopokehd.exe 2780 Kfjggo32.exe 2960 Kglcogeo.exe 2224 Knekla32.exe 2588 Kqdhhm32.exe 2728 Kkileele.exe 2628 Kjllab32.exe 2804 Kdbpnk32.exe 2608 Kceqjhiq.exe 2968 Kjoifb32.exe 1432 Kmmebm32.exe 1308 Kcgmoggn.exe 2044 Kgbipf32.exe 2024 Kmobhmnn.exe 1968 Kqknil32.exe 2840 Kgefefnd.exe 2848 Lifbmn32.exe 2852 Lmbonmll.exe 2672 Lopkjhko.exe 2256 Lfjcfb32.exe 868 Lihobnap.exe 2744 Lkgkoiqc.exe 1556 Lcncpfaf.exe 2104 Lbackc32.exe 2168 Liklhmom.exe 1996 Lmfhil32.exe 1788 Lpedeg32.exe 2432 Lfolaang.exe 3004 Lpgajgeg.exe 3032 Lbemfbdk.exe 2188 Lgbeoibb.exe 2340 Ljabkeaf.exe 2696 Makjho32.exe 2536 Mmakmp32.exe 2516 Meicnm32.exe 2492 Mjekfd32.exe 2552 Mnaggcej.exe 1700 Mapccndn.exe 768 Mhilph32.exe 2400 Mjhhld32.exe 1600 Mpdqdkie.exe 2784 Mdpldi32.exe 2864 Mbcmpfhi.exe 1740 Mlkail32.exe 1628 Mbeiefff.exe 408 Medeaaej.exe 940 Nlnnnk32.exe 340 Npijoj32.exe 2008 Nfcbldmm.exe 2216 Nefbga32.exe 2412 Nhdocl32.exe 2052 Nlpkdkkd.exe 2936 Nplfdj32.exe 3060 Nbjcqe32.exe 2160 Nehomq32.exe 284 Nidkmojn.exe 2912 Nhgkil32.exe 2500 Nkegeg32.exe 2660 Noacef32.exe 1352 Naopaa32.exe 640 Naopaa32.exe 2468 Nhiholof.exe 684 Nledoj32.exe 2868 Nkhdkgnj.exe -
Loads dropped DLL 64 IoCs
pid Process 1032 4ead78e8d0f91f0b6523ed7db092cf6724b6f8975292da0d9edd4af9306ab6a0N.exe 1032 4ead78e8d0f91f0b6523ed7db092cf6724b6f8975292da0d9edd4af9306ab6a0N.exe 2128 Kopokehd.exe 2128 Kopokehd.exe 2780 Kfjggo32.exe 2780 Kfjggo32.exe 2960 Kglcogeo.exe 2960 Kglcogeo.exe 2224 Knekla32.exe 2224 Knekla32.exe 2588 Kqdhhm32.exe 2588 Kqdhhm32.exe 2728 Kkileele.exe 2728 Kkileele.exe 2628 Kjllab32.exe 2628 Kjllab32.exe 2804 Kdbpnk32.exe 2804 Kdbpnk32.exe 2608 Kceqjhiq.exe 2608 Kceqjhiq.exe 2968 Kjoifb32.exe 2968 Kjoifb32.exe 1432 Kmmebm32.exe 1432 Kmmebm32.exe 1308 Kcgmoggn.exe 1308 Kcgmoggn.exe 2044 Kgbipf32.exe 2044 Kgbipf32.exe 2024 Kmobhmnn.exe 2024 Kmobhmnn.exe 1968 Kqknil32.exe 1968 Kqknil32.exe 2840 Kgefefnd.exe 2840 Kgefefnd.exe 2848 Lifbmn32.exe 2848 Lifbmn32.exe 2852 Lmbonmll.exe 2852 Lmbonmll.exe 2672 Lopkjhko.exe 2672 Lopkjhko.exe 2256 Lfjcfb32.exe 2256 Lfjcfb32.exe 868 Lihobnap.exe 868 Lihobnap.exe 2744 Lkgkoiqc.exe 2744 Lkgkoiqc.exe 1556 Lcncpfaf.exe 1556 Lcncpfaf.exe 2104 Lbackc32.exe 2104 Lbackc32.exe 2168 Liklhmom.exe 2168 Liklhmom.exe 1996 Lmfhil32.exe 1996 Lmfhil32.exe 1788 Lpedeg32.exe 1788 Lpedeg32.exe 2432 Lfolaang.exe 2432 Lfolaang.exe 3004 Lpgajgeg.exe 3004 Lpgajgeg.exe 3032 Lbemfbdk.exe 3032 Lbemfbdk.exe 2188 Lgbeoibb.exe 2188 Lgbeoibb.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Qhmcmk32.exe Qqfkln32.exe File created C:\Windows\SysWOW64\Ieomef32.exe Hbaaik32.exe File created C:\Windows\SysWOW64\Hcnfppba.dll Ohncbdbd.exe File opened for modification C:\Windows\SysWOW64\Aclpaali.exe Process not Found File opened for modification C:\Windows\SysWOW64\Opkccm32.exe Olpgconp.exe File opened for modification C:\Windows\SysWOW64\Jehlkhig.exe Jampjian.exe File opened for modification C:\Windows\SysWOW64\Eopphehb.exe Ekdchf32.exe File opened for modification C:\Windows\SysWOW64\Pmhejhao.exe Process not Found File created C:\Windows\SysWOW64\Affdle32.exe Abkhkgbb.exe File created C:\Windows\SysWOW64\Eapfagno.exe Eoajel32.exe File opened for modification C:\Windows\SysWOW64\Afjjed32.exe Ackmih32.exe File created C:\Windows\SysWOW64\Pcljmdmj.exe Ppnnai32.exe File created C:\Windows\SysWOW64\Dpcmgi32.exe Dmepkn32.exe File created C:\Windows\SysWOW64\Njmokcbh.dll Process not Found File created C:\Windows\SysWOW64\Ldgnklmi.exe Process not Found File opened for modification C:\Windows\SysWOW64\Hnpbjnpo.exe Hjdfjo32.exe File created C:\Windows\SysWOW64\Epphbb32.dll Khcomhbi.exe File created C:\Windows\SysWOW64\Bfdmobkp.dll Mjkndb32.exe File created C:\Windows\SysWOW64\Qdojgmfe.exe Qaqnkafa.exe File opened for modification C:\Windows\SysWOW64\Fggkcl32.exe Fdiogq32.exe File opened for modification C:\Windows\SysWOW64\Obmnna32.exe Ooabmbbe.exe File opened for modification C:\Windows\SysWOW64\Dpjbgh32.exe Dlofgj32.exe File created C:\Windows\SysWOW64\Pdcpnn32.dll Mnaggcej.exe File created C:\Windows\SysWOW64\Oidglb32.exe Oehklddp.exe File created C:\Windows\SysWOW64\Kcdjoaee.exe Kkmand32.exe File opened for modification C:\Windows\SysWOW64\Ogknoe32.exe Odmabj32.exe File created C:\Windows\SysWOW64\Ehdigjnf.dll Process not Found File created C:\Windows\SysWOW64\Alhpic32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Jfcabd32.exe Process not Found File created C:\Windows\SysWOW64\Camcao32.dll Bekmle32.exe File created C:\Windows\SysWOW64\Fdkklp32.exe Fpoolael.exe File created C:\Windows\SysWOW64\Gblkoham.exe Gonocmbi.exe File created C:\Windows\SysWOW64\Eoobfoke.dll Aficjnpm.exe File opened for modification C:\Windows\SysWOW64\Cmpgpond.exe Cjakccop.exe File created C:\Windows\SysWOW64\Akpkmo32.exe Process not Found File created C:\Windows\SysWOW64\Lbfchlee.dll Process not Found File created C:\Windows\SysWOW64\Jkofeknc.dll Mfglep32.exe File created C:\Windows\SysWOW64\Ndkhngdd.exe Npolmh32.exe File created C:\Windows\SysWOW64\Pdaemiaj.dll Cjlheehe.exe File created C:\Windows\SysWOW64\Gghmmilh.exe Process not Found File created C:\Windows\SysWOW64\Glcgij32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Anahqh32.exe Aoohekal.exe File created C:\Windows\SysWOW64\Ifdjeoep.exe Ibhndp32.exe File opened for modification C:\Windows\SysWOW64\Mnaiol32.exe Mfjann32.exe File opened for modification C:\Windows\SysWOW64\Nbhhdnlh.exe Npjlhcmd.exe File created C:\Windows\SysWOW64\Oabhggjd.dll Bceibfgj.exe File opened for modification C:\Windows\SysWOW64\Cidddj32.exe Process not Found File created C:\Windows\SysWOW64\Ioakoq32.exe Ipokcdjn.exe File created C:\Windows\SysWOW64\Cnckjddd.exe Cjgoje32.exe File opened for modification C:\Windows\SysWOW64\Danmmd32.exe Cmbalfem.exe File created C:\Windows\SysWOW64\Lomgjb32.exe Lkakicam.exe File opened for modification C:\Windows\SysWOW64\Lcaiiejc.exe Ldoimh32.exe File created C:\Windows\SysWOW64\Idppjg32.dll Dpkibo32.exe File created C:\Windows\SysWOW64\Cnimiblo.exe Ckjamgmk.exe File opened for modification C:\Windows\SysWOW64\Bkbdabog.exe Process not Found File created C:\Windows\SysWOW64\Hcepqh32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Oihqgbhd.exe Oaaifdhb.exe File opened for modification C:\Windows\SysWOW64\Jhlmmfef.exe Jdaqmg32.exe File opened for modification C:\Windows\SysWOW64\Lfoojj32.exe Lbcbjlmb.exe File created C:\Windows\SysWOW64\Nfoghakb.exe Ndqkleln.exe File created C:\Windows\SysWOW64\Mneohj32.exe Process not Found File created C:\Windows\SysWOW64\Mibnje32.dll Ipokcdjn.exe File created C:\Windows\SysWOW64\Neqnqofm.exe Nbbbdcgi.exe File created C:\Windows\SysWOW64\Pebpkk32.exe Pmkhjncg.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odebolpe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klehgh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbffoabe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcfpel32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohiffh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlhjhi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inhanl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aoojnc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aoagccfn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkgkoiqc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adfqgl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkegah32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olpgconp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dljkcb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcaiiejc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkjnnn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmfhil32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpcqnf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lokgcf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bimoloog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhbnbpjc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfhhjklc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Affdle32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bpqain32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Foafdoag.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gegabegc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Neqnqofm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cacclpae.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmmagpef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijqoilii.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lohccp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkofjijm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkpbdq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bffbdadk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iedfqeka.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mclebc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmpkqklh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omioekbo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlgnmb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdpkbf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hibjbgbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Daofpchf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkephn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlkngc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mqpflg32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lokgcf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eogmcjef.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dpjbgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dffocgmn.dll" Ekhmcelc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ilofhffj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ehmdgp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igiani32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Padeldeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okjnobhq.dll" Hfmddp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdcpnn32.dll" Mnaggcej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcjdjiqp.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoapfe32.dll" Mcckcbgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adqaqk32.dll" Nnoiio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihkhkcdl.dll" Bmlael32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Padqpaec.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jagnlkjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Idicbbpi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lbnpkmfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jdnmma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ohidmoaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ibhndp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ldoimh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enmkijgm.dll" Jampjian.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcfmdh32.dll" Popeif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cjgoje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmagpjhh.dll" Illbhp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Coacbfii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbfchh32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dobfbpbc.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Figicd32.dll" Pkacpihj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ffmkfifa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pglabp32.dll" Odmabj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fijbkbjk.dll" Hmmbqegc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abnhjmjc.dll" Lqipkhbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcahif32.dll" Dpjbgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lpedeg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Onocmadb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ibcnojnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dokggo32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgodelnq.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpcfmngo.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbjdnlob.dll" Ijehdl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pcljmdmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hoiaho32.dll" Oalhqohl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjfikeqd.dll" Fdmhbplb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qgjccb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dlofgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkijcgjo.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Acqnnndl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnndbd32.dll" Ffkoai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdpojm32.dll" Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1032 wrote to memory of 2128 1032 4ead78e8d0f91f0b6523ed7db092cf6724b6f8975292da0d9edd4af9306ab6a0N.exe 28 PID 1032 wrote to memory of 2128 1032 4ead78e8d0f91f0b6523ed7db092cf6724b6f8975292da0d9edd4af9306ab6a0N.exe 28 PID 1032 wrote to memory of 2128 1032 4ead78e8d0f91f0b6523ed7db092cf6724b6f8975292da0d9edd4af9306ab6a0N.exe 28 PID 1032 wrote to memory of 2128 1032 4ead78e8d0f91f0b6523ed7db092cf6724b6f8975292da0d9edd4af9306ab6a0N.exe 28 PID 2128 wrote to memory of 2780 2128 Kopokehd.exe 29 PID 2128 wrote to memory of 2780 2128 Kopokehd.exe 29 PID 2128 wrote to memory of 2780 2128 Kopokehd.exe 29 PID 2128 wrote to memory of 2780 2128 Kopokehd.exe 29 PID 2780 wrote to memory of 2960 2780 Kfjggo32.exe 30 PID 2780 wrote to memory of 2960 2780 Kfjggo32.exe 30 PID 2780 wrote to memory of 2960 2780 Kfjggo32.exe 30 PID 2780 wrote to memory of 2960 2780 Kfjggo32.exe 30 PID 2960 wrote to memory of 2224 2960 Kglcogeo.exe 31 PID 2960 wrote to memory of 2224 2960 Kglcogeo.exe 31 PID 2960 wrote to memory of 2224 2960 Kglcogeo.exe 31 PID 2960 wrote to memory of 2224 2960 Kglcogeo.exe 31 PID 2224 wrote to memory of 2588 2224 Knekla32.exe 32 PID 2224 wrote to memory of 2588 2224 Knekla32.exe 32 PID 2224 wrote to memory of 2588 2224 Knekla32.exe 32 PID 2224 wrote to memory of 2588 2224 Knekla32.exe 32 PID 2588 wrote to memory of 2728 2588 Kqdhhm32.exe 33 PID 2588 wrote to memory of 2728 2588 Kqdhhm32.exe 33 PID 2588 wrote to memory of 2728 2588 Kqdhhm32.exe 33 PID 2588 wrote to memory of 2728 2588 Kqdhhm32.exe 33 PID 2728 wrote to memory of 2628 2728 Kkileele.exe 34 PID 2728 wrote to memory of 2628 2728 Kkileele.exe 34 PID 2728 wrote to memory of 2628 2728 Kkileele.exe 34 PID 2728 wrote to memory of 2628 2728 Kkileele.exe 34 PID 2628 wrote to memory of 2804 2628 Kjllab32.exe 35 PID 2628 wrote to memory of 2804 2628 Kjllab32.exe 35 PID 2628 wrote to memory of 2804 2628 Kjllab32.exe 35 PID 2628 wrote to memory of 2804 2628 Kjllab32.exe 35 PID 2804 wrote to memory of 2608 2804 Kdbpnk32.exe 36 PID 2804 wrote to memory of 2608 2804 Kdbpnk32.exe 36 PID 2804 wrote to memory of 2608 2804 Kdbpnk32.exe 36 PID 2804 wrote to memory of 2608 2804 Kdbpnk32.exe 36 PID 2608 wrote to memory of 2968 2608 Kceqjhiq.exe 37 PID 2608 wrote to memory of 2968 2608 Kceqjhiq.exe 37 PID 2608 wrote to memory of 2968 2608 Kceqjhiq.exe 37 PID 2608 wrote to memory of 2968 2608 Kceqjhiq.exe 37 PID 2968 wrote to memory of 1432 2968 Kjoifb32.exe 38 PID 2968 wrote to memory of 1432 2968 Kjoifb32.exe 38 PID 2968 wrote to memory of 1432 2968 Kjoifb32.exe 38 PID 2968 wrote to memory of 1432 2968 Kjoifb32.exe 38 PID 1432 wrote to memory of 1308 1432 Kmmebm32.exe 39 PID 1432 wrote to memory of 1308 1432 Kmmebm32.exe 39 PID 1432 wrote to memory of 1308 1432 Kmmebm32.exe 39 PID 1432 wrote to memory of 1308 1432 Kmmebm32.exe 39 PID 1308 wrote to memory of 2044 1308 Kcgmoggn.exe 40 PID 1308 wrote to memory of 2044 1308 Kcgmoggn.exe 40 PID 1308 wrote to memory of 2044 1308 Kcgmoggn.exe 40 PID 1308 wrote to memory of 2044 1308 Kcgmoggn.exe 40 PID 2044 wrote to memory of 2024 2044 Kgbipf32.exe 41 PID 2044 wrote to memory of 2024 2044 Kgbipf32.exe 41 PID 2044 wrote to memory of 2024 2044 Kgbipf32.exe 41 PID 2044 wrote to memory of 2024 2044 Kgbipf32.exe 41 PID 2024 wrote to memory of 1968 2024 Kmobhmnn.exe 42 PID 2024 wrote to memory of 1968 2024 Kmobhmnn.exe 42 PID 2024 wrote to memory of 1968 2024 Kmobhmnn.exe 42 PID 2024 wrote to memory of 1968 2024 Kmobhmnn.exe 42 PID 1968 wrote to memory of 2840 1968 Kqknil32.exe 43 PID 1968 wrote to memory of 2840 1968 Kqknil32.exe 43 PID 1968 wrote to memory of 2840 1968 Kqknil32.exe 43 PID 1968 wrote to memory of 2840 1968 Kqknil32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\4ead78e8d0f91f0b6523ed7db092cf6724b6f8975292da0d9edd4af9306ab6a0N.exe"C:\Users\Admin\AppData\Local\Temp\4ead78e8d0f91f0b6523ed7db092cf6724b6f8975292da0d9edd4af9306ab6a0N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1032 -
C:\Windows\SysWOW64\Kopokehd.exeC:\Windows\system32\Kopokehd.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2128 -
C:\Windows\SysWOW64\Kfjggo32.exeC:\Windows\system32\Kfjggo32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2780 -
C:\Windows\SysWOW64\Kglcogeo.exeC:\Windows\system32\Kglcogeo.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2960 -
C:\Windows\SysWOW64\Knekla32.exeC:\Windows\system32\Knekla32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2224 -
C:\Windows\SysWOW64\Kqdhhm32.exeC:\Windows\system32\Kqdhhm32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2588 -
C:\Windows\SysWOW64\Kkileele.exeC:\Windows\system32\Kkileele.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2728 -
C:\Windows\SysWOW64\Kjllab32.exeC:\Windows\system32\Kjllab32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Windows\SysWOW64\Kdbpnk32.exeC:\Windows\system32\Kdbpnk32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2804 -
C:\Windows\SysWOW64\Kceqjhiq.exeC:\Windows\system32\Kceqjhiq.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2608 -
C:\Windows\SysWOW64\Kjoifb32.exeC:\Windows\system32\Kjoifb32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2968 -
C:\Windows\SysWOW64\Kmmebm32.exeC:\Windows\system32\Kmmebm32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1432 -
C:\Windows\SysWOW64\Kcgmoggn.exeC:\Windows\system32\Kcgmoggn.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1308 -
C:\Windows\SysWOW64\Kgbipf32.exeC:\Windows\system32\Kgbipf32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2044 -
C:\Windows\SysWOW64\Kmobhmnn.exeC:\Windows\system32\Kmobhmnn.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2024 -
C:\Windows\SysWOW64\Kqknil32.exeC:\Windows\system32\Kqknil32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1968 -
C:\Windows\SysWOW64\Kgefefnd.exeC:\Windows\system32\Kgefefnd.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2840 -
C:\Windows\SysWOW64\Lifbmn32.exeC:\Windows\system32\Lifbmn32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2848 -
C:\Windows\SysWOW64\Lmbonmll.exeC:\Windows\system32\Lmbonmll.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2852 -
C:\Windows\SysWOW64\Lopkjhko.exeC:\Windows\system32\Lopkjhko.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2672 -
C:\Windows\SysWOW64\Lfjcfb32.exeC:\Windows\system32\Lfjcfb32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2256 -
C:\Windows\SysWOW64\Lihobnap.exeC:\Windows\system32\Lihobnap.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:868 -
C:\Windows\SysWOW64\Lkgkoiqc.exeC:\Windows\system32\Lkgkoiqc.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2744 -
C:\Windows\SysWOW64\Lcncpfaf.exeC:\Windows\system32\Lcncpfaf.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1556 -
C:\Windows\SysWOW64\Lbackc32.exeC:\Windows\system32\Lbackc32.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2104 -
C:\Windows\SysWOW64\Liklhmom.exeC:\Windows\system32\Liklhmom.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2168 -
C:\Windows\SysWOW64\Lmfhil32.exeC:\Windows\system32\Lmfhil32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1996 -
C:\Windows\SysWOW64\Lpedeg32.exeC:\Windows\system32\Lpedeg32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1788 -
C:\Windows\SysWOW64\Lfolaang.exeC:\Windows\system32\Lfolaang.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2432 -
C:\Windows\SysWOW64\Lpgajgeg.exeC:\Windows\system32\Lpgajgeg.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:3004 -
C:\Windows\SysWOW64\Lbemfbdk.exeC:\Windows\system32\Lbemfbdk.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3032 -
C:\Windows\SysWOW64\Lgbeoibb.exeC:\Windows\system32\Lgbeoibb.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2188 -
C:\Windows\SysWOW64\Ljabkeaf.exeC:\Windows\system32\Ljabkeaf.exe33⤵
- Executes dropped EXE
PID:2340 -
C:\Windows\SysWOW64\Makjho32.exeC:\Windows\system32\Makjho32.exe34⤵
- Executes dropped EXE
PID:2696 -
C:\Windows\SysWOW64\Mmakmp32.exeC:\Windows\system32\Mmakmp32.exe35⤵
- Executes dropped EXE
PID:2536 -
C:\Windows\SysWOW64\Meicnm32.exeC:\Windows\system32\Meicnm32.exe36⤵
- Executes dropped EXE
PID:2516 -
C:\Windows\SysWOW64\Mjekfd32.exeC:\Windows\system32\Mjekfd32.exe37⤵
- Executes dropped EXE
PID:2492 -
C:\Windows\SysWOW64\Mnaggcej.exeC:\Windows\system32\Mnaggcej.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2552 -
C:\Windows\SysWOW64\Mapccndn.exeC:\Windows\system32\Mapccndn.exe39⤵
- Executes dropped EXE
PID:1700 -
C:\Windows\SysWOW64\Mhilph32.exeC:\Windows\system32\Mhilph32.exe40⤵
- Executes dropped EXE
PID:768 -
C:\Windows\SysWOW64\Mjhhld32.exeC:\Windows\system32\Mjhhld32.exe41⤵
- Executes dropped EXE
PID:2400 -
C:\Windows\SysWOW64\Mpdqdkie.exeC:\Windows\system32\Mpdqdkie.exe42⤵
- Executes dropped EXE
PID:1600 -
C:\Windows\SysWOW64\Mdpldi32.exeC:\Windows\system32\Mdpldi32.exe43⤵
- Executes dropped EXE
PID:2784 -
C:\Windows\SysWOW64\Mbcmpfhi.exeC:\Windows\system32\Mbcmpfhi.exe44⤵
- Executes dropped EXE
PID:2864 -
C:\Windows\SysWOW64\Mlkail32.exeC:\Windows\system32\Mlkail32.exe45⤵
- Executes dropped EXE
PID:1740 -
C:\Windows\SysWOW64\Mbeiefff.exeC:\Windows\system32\Mbeiefff.exe46⤵
- Executes dropped EXE
PID:1628 -
C:\Windows\SysWOW64\Medeaaej.exeC:\Windows\system32\Medeaaej.exe47⤵
- Executes dropped EXE
PID:408 -
C:\Windows\SysWOW64\Nlnnnk32.exeC:\Windows\system32\Nlnnnk32.exe48⤵
- Executes dropped EXE
PID:940 -
C:\Windows\SysWOW64\Npijoj32.exeC:\Windows\system32\Npijoj32.exe49⤵
- Executes dropped EXE
PID:340 -
C:\Windows\SysWOW64\Nfcbldmm.exeC:\Windows\system32\Nfcbldmm.exe50⤵
- Executes dropped EXE
PID:2008 -
C:\Windows\SysWOW64\Nefbga32.exeC:\Windows\system32\Nefbga32.exe51⤵
- Executes dropped EXE
PID:2216 -
C:\Windows\SysWOW64\Nhdocl32.exeC:\Windows\system32\Nhdocl32.exe52⤵
- Executes dropped EXE
PID:2412 -
C:\Windows\SysWOW64\Nlpkdkkd.exeC:\Windows\system32\Nlpkdkkd.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2052 -
C:\Windows\SysWOW64\Nplfdj32.exeC:\Windows\system32\Nplfdj32.exe54⤵
- Executes dropped EXE
PID:2936 -
C:\Windows\SysWOW64\Nbjcqe32.exeC:\Windows\system32\Nbjcqe32.exe55⤵
- Executes dropped EXE
PID:3060 -
C:\Windows\SysWOW64\Nehomq32.exeC:\Windows\system32\Nehomq32.exe56⤵
- Executes dropped EXE
PID:2160 -
C:\Windows\SysWOW64\Nidkmojn.exeC:\Windows\system32\Nidkmojn.exe57⤵
- Executes dropped EXE
PID:284 -
C:\Windows\SysWOW64\Nhgkil32.exeC:\Windows\system32\Nhgkil32.exe58⤵
- Executes dropped EXE
PID:2912 -
C:\Windows\SysWOW64\Nkegeg32.exeC:\Windows\system32\Nkegeg32.exe59⤵
- Executes dropped EXE
PID:2500 -
C:\Windows\SysWOW64\Noacef32.exeC:\Windows\system32\Noacef32.exe60⤵
- Executes dropped EXE
PID:2660 -
C:\Windows\SysWOW64\Naopaa32.exeC:\Windows\system32\Naopaa32.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1352 -
C:\Windows\SysWOW64\Naopaa32.exeC:\Windows\system32\Naopaa32.exe62⤵
- Executes dropped EXE
PID:640 -
C:\Windows\SysWOW64\Nhiholof.exeC:\Windows\system32\Nhiholof.exe63⤵
- Executes dropped EXE
PID:2468 -
C:\Windows\SysWOW64\Nledoj32.exeC:\Windows\system32\Nledoj32.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:684 -
C:\Windows\SysWOW64\Nkhdkgnj.exeC:\Windows\system32\Nkhdkgnj.exe65⤵
- Executes dropped EXE
PID:2868 -
C:\Windows\SysWOW64\Nmfqgbmm.exeC:\Windows\system32\Nmfqgbmm.exe66⤵PID:2352
-
C:\Windows\SysWOW64\Naalga32.exeC:\Windows\system32\Naalga32.exe67⤵PID:1664
-
C:\Windows\SysWOW64\Nemhhpmp.exeC:\Windows\system32\Nemhhpmp.exe68⤵PID:2344
-
C:\Windows\SysWOW64\Nhlddkmc.exeC:\Windows\system32\Nhlddkmc.exe69⤵PID:1780
-
C:\Windows\SysWOW64\Ngneph32.exeC:\Windows\system32\Ngneph32.exe70⤵PID:920
-
C:\Windows\SysWOW64\Nkjapglg.exeC:\Windows\system32\Nkjapglg.exe71⤵PID:2088
-
C:\Windows\SysWOW64\Noemqe32.exeC:\Windows\system32\Noemqe32.exe72⤵PID:2996
-
C:\Windows\SysWOW64\Nadimacd.exeC:\Windows\system32\Nadimacd.exe73⤵PID:2140
-
C:\Windows\SysWOW64\Odbeilbg.exeC:\Windows\system32\Odbeilbg.exe74⤵PID:2788
-
C:\Windows\SysWOW64\Ohnaik32.exeC:\Windows\system32\Ohnaik32.exe75⤵PID:3036
-
C:\Windows\SysWOW64\Ogqaehak.exeC:\Windows\system32\Ogqaehak.exe76⤵PID:2760
-
C:\Windows\SysWOW64\Oklnff32.exeC:\Windows\system32\Oklnff32.exe77⤵PID:2572
-
C:\Windows\SysWOW64\Oionacqo.exeC:\Windows\system32\Oionacqo.exe78⤵PID:2540
-
C:\Windows\SysWOW64\Oaffbqaa.exeC:\Windows\system32\Oaffbqaa.exe79⤵PID:1804
-
C:\Windows\SysWOW64\Odebolpe.exeC:\Windows\system32\Odebolpe.exe80⤵
- System Location Discovery: System Language Discovery
PID:2020 -
C:\Windows\SysWOW64\Okojkf32.exeC:\Windows\system32\Okojkf32.exe81⤵PID:1960
-
C:\Windows\SysWOW64\Ommfga32.exeC:\Windows\system32\Ommfga32.exe82⤵PID:1764
-
C:\Windows\SysWOW64\Olpgconp.exeC:\Windows\system32\Olpgconp.exe83⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2824 -
C:\Windows\SysWOW64\Opkccm32.exeC:\Windows\system32\Opkccm32.exe84⤵PID:2200
-
C:\Windows\SysWOW64\Ogekpg32.exeC:\Windows\system32\Ogekpg32.exe85⤵PID:1092
-
C:\Windows\SysWOW64\Oehklddp.exeC:\Windows\system32\Oehklddp.exe86⤵
- Drops file in System32 directory
PID:1384 -
C:\Windows\SysWOW64\Oidglb32.exeC:\Windows\system32\Oidglb32.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:792 -
C:\Windows\SysWOW64\Onocmadb.exeC:\Windows\system32\Onocmadb.exe88⤵
- Modifies registry class
PID:2424 -
C:\Windows\SysWOW64\Olbchn32.exeC:\Windows\system32\Olbchn32.exe89⤵PID:2156
-
C:\Windows\SysWOW64\Ooqpdj32.exeC:\Windows\system32\Ooqpdj32.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3008 -
C:\Windows\SysWOW64\Ocllehcj.exeC:\Windows\system32\Ocllehcj.exe91⤵PID:2456
-
C:\Windows\SysWOW64\Oghhfg32.exeC:\Windows\system32\Oghhfg32.exe92⤵PID:2644
-
C:\Windows\SysWOW64\Oekhacbn.exeC:\Windows\system32\Oekhacbn.exe93⤵PID:3016
-
C:\Windows\SysWOW64\Oifdbb32.exeC:\Windows\system32\Oifdbb32.exe94⤵PID:1796
-
C:\Windows\SysWOW64\Ohidmoaa.exeC:\Windows\system32\Ohidmoaa.exe95⤵
- Modifies registry class
PID:1824 -
C:\Windows\SysWOW64\Oldpnn32.exeC:\Windows\system32\Oldpnn32.exe96⤵PID:1924
-
C:\Windows\SysWOW64\Ocohkh32.exeC:\Windows\system32\Ocohkh32.exe97⤵PID:1800
-
C:\Windows\SysWOW64\Oaaifdhb.exeC:\Windows\system32\Oaaifdhb.exe98⤵
- Drops file in System32 directory
PID:536 -
C:\Windows\SysWOW64\Oihqgbhd.exeC:\Windows\system32\Oihqgbhd.exe99⤵PID:1320
-
C:\Windows\SysWOW64\Ohkaco32.exeC:\Windows\system32\Ohkaco32.exe100⤵PID:2336
-
C:\Windows\SysWOW64\Olgmcmgh.exeC:\Windows\system32\Olgmcmgh.exe101⤵PID:2940
-
C:\Windows\SysWOW64\Pkjmoj32.exeC:\Windows\system32\Pkjmoj32.exe102⤵PID:2384
-
C:\Windows\SysWOW64\Poeipifl.exeC:\Windows\system32\Poeipifl.exe103⤵PID:3052
-
C:\Windows\SysWOW64\Padeldeo.exeC:\Windows\system32\Padeldeo.exe104⤵
- Modifies registry class
PID:1656 -
C:\Windows\SysWOW64\Padeldeo.exeC:\Windows\system32\Padeldeo.exe105⤵PID:2560
-
C:\Windows\SysWOW64\Peoalc32.exeC:\Windows\system32\Peoalc32.exe106⤵PID:564
-
C:\Windows\SysWOW64\Pdbahpec.exeC:\Windows\system32\Pdbahpec.exe107⤵PID:1444
-
C:\Windows\SysWOW64\Plijimee.exeC:\Windows\system32\Plijimee.exe108⤵PID:1860
-
C:\Windows\SysWOW64\Pohfehdi.exeC:\Windows\system32\Pohfehdi.exe109⤵PID:1948
-
C:\Windows\SysWOW64\Pnjfae32.exeC:\Windows\system32\Pnjfae32.exe110⤵PID:1932
-
C:\Windows\SysWOW64\Pafbadcm.exeC:\Windows\system32\Pafbadcm.exe111⤵PID:788
-
C:\Windows\SysWOW64\Peanbblf.exeC:\Windows\system32\Peanbblf.exe112⤵PID:2364
-
C:\Windows\SysWOW64\Phpjnnki.exeC:\Windows\system32\Phpjnnki.exe113⤵PID:1548
-
C:\Windows\SysWOW64\Pgckjk32.exeC:\Windows\system32\Pgckjk32.exe114⤵PID:1288
-
C:\Windows\SysWOW64\Pkofjijm.exeC:\Windows\system32\Pkofjijm.exe115⤵
- System Location Discovery: System Language Discovery
PID:2752 -
C:\Windows\SysWOW64\Pnmcfeia.exeC:\Windows\system32\Pnmcfeia.exe116⤵PID:2692
-
C:\Windows\SysWOW64\Pqkobqhd.exeC:\Windows\system32\Pqkobqhd.exe117⤵PID:2624
-
C:\Windows\SysWOW64\Phbgcnig.exeC:\Windows\system32\Phbgcnig.exe118⤵PID:1296
-
C:\Windows\SysWOW64\Pgegok32.exeC:\Windows\system32\Pgegok32.exe119⤵PID:1276
-
C:\Windows\SysWOW64\Pkacpihj.exeC:\Windows\system32\Pkacpihj.exe120⤵
- Modifies registry class
PID:1736 -
C:\Windows\SysWOW64\Pjcckf32.exeC:\Windows\system32\Pjcckf32.exe121⤵PID:2732
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-