Analysis
max time kernel: 62s
max time network: 17s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 13/10/2024, 10:51
Static task: static1
Behavioral task: behavioral1
  Sample: 4430241b323d1a9f8366afc80a971198f10f915e02e25ce39414ef7841004d0bN.exe
  Resource: win7-20240729-en
Behavioral task: behavioral2
  Sample: 4430241b323d1a9f8366afc80a971198f10f915e02e25ce39414ef7841004d0bN.exe
  Resource: win10v2004-20241007-en
General
Target: 4430241b323d1a9f8366afc80a971198f10f915e02e25ce39414ef7841004d0bN.exe
Size: 64KB
MD5: cabcb3ebf84472fd4a1579b8d1002230
SHA1: 74791932317a7c2e3586c64e8d694e4664596e5d
SHA256: 4430241b323d1a9f8366afc80a971198f10f915e02e25ce39414ef7841004d0b
SHA512: 766584ef4a66e3e4657b7d487fcd52467f3068119af6017cef13788503e5c3105334822c0768d1ebae3e8bccb1191777add985c109886d6f0a37012e447fae62
SSDEEP: 1536:R5fW+FMUH+MHDeiQbrdNgz68F2L+sBMu/H1:R5fsgEP82+aN
Malware Config
Extracted: berbew
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Executes dropped EXE 64 IoCs
Loads dropped DLL 64 IoCs
Drops file in System32 directory 64 IoCs
Program crash 1 IoCs
pid: 7144; pid_target: 6832; Process: WerFault.exe; procid_target: 695
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2264 wrote to memory of 2228 2264 4430241b323d1a9f8366afc80a971198f10f915e02e25ce39414ef7841004d0bN.exe 30 PID 2264 wrote to memory of 2228 2264 4430241b323d1a9f8366afc80a971198f10f915e02e25ce39414ef7841004d0bN.exe 30 PID 2264 wrote to memory of 2228 2264 4430241b323d1a9f8366afc80a971198f10f915e02e25ce39414ef7841004d0bN.exe 30 PID 2264 wrote to memory of 2228 2264 4430241b323d1a9f8366afc80a971198f10f915e02e25ce39414ef7841004d0bN.exe 30 PID 2228 wrote to memory of 2880 2228 Jcnoejch.exe 31 PID 2228 wrote to memory of 2880 2228 Jcnoejch.exe 31 PID 2228 wrote to memory of 2880 2228 Jcnoejch.exe 31 PID 2228 wrote to memory of 2880 2228 Jcnoejch.exe 31 PID 2880 wrote to memory of 2708 2880 Jjhgbd32.exe 32 PID 2880 wrote to memory of 2708 2880 Jjhgbd32.exe 32 PID 2880 wrote to memory of 2708 2880 Jjhgbd32.exe 32 PID 2880 wrote to memory of 2708 2880 Jjhgbd32.exe 32 PID 2708 wrote to memory of 2748 2708 Jikhnaao.exe 33 PID 2708 wrote to memory of 2748 2708 Jikhnaao.exe 33 PID 2708 wrote to memory of 2748 2708 Jikhnaao.exe 33 PID 2708 wrote to memory of 2748 2708 Jikhnaao.exe 33 PID 2748 wrote to memory of 2056 2748 Jikhnaao.exe 34 PID 2748 wrote to memory of 2056 2748 Jikhnaao.exe 34 PID 2748 wrote to memory of 2056 2748 Jikhnaao.exe 34 PID 2748 wrote to memory of 2056 2748 Jikhnaao.exe 34 PID 2056 wrote to memory of 1980 2056 Jmfcop32.exe 35 PID 2056 wrote to memory of 1980 2056 Jmfcop32.exe 35 PID 2056 wrote to memory of 1980 2056 Jmfcop32.exe 35 PID 2056 wrote to memory of 1980 2056 Jmfcop32.exe 35 PID 1980 wrote to memory of 2280 1980 Jabponba.exe 36 PID 1980 wrote to memory of 2280 1980 Jabponba.exe 36 PID 1980 wrote to memory of 2280 1980 Jabponba.exe 36 PID 1980 wrote to memory of 2280 1980 Jabponba.exe 36 PID 2280 wrote to memory of 2564 2280 Jimdcqom.exe 37 PID 2280 wrote to memory of 2564 2280 Jimdcqom.exe 37 PID 2280 wrote to memory of 2564 2280 Jimdcqom.exe 37 PID 2280 wrote to memory of 2564 2280 Jimdcqom.exe 37 PID 
2564 wrote to memory of 1564 2564 Jpgmpk32.exe 38 PID 2564 wrote to memory of 1564 2564 Jpgmpk32.exe 38 PID 2564 wrote to memory of 1564 2564 Jpgmpk32.exe 38 PID 2564 wrote to memory of 1564 2564 Jpgmpk32.exe 38 PID 1564 wrote to memory of 292 1564 Jfaeme32.exe 39 PID 1564 wrote to memory of 292 1564 Jfaeme32.exe 39 PID 1564 wrote to memory of 292 1564 Jfaeme32.exe 39 PID 1564 wrote to memory of 292 1564 Jfaeme32.exe 39 PID 292 wrote to memory of 2480 292 Jmkmjoec.exe 40 PID 292 wrote to memory of 2480 292 Jmkmjoec.exe 40 PID 292 wrote to memory of 2480 292 Jmkmjoec.exe 40 PID 292 wrote to memory of 2480 292 Jmkmjoec.exe 40 PID 2480 wrote to memory of 1140 2480 Jlnmel32.exe 41 PID 2480 wrote to memory of 1140 2480 Jlnmel32.exe 41 PID 2480 wrote to memory of 1140 2480 Jlnmel32.exe 41 PID 2480 wrote to memory of 1140 2480 Jlnmel32.exe 41 PID 1140 wrote to memory of 2916 1140 Jbhebfck.exe 42 PID 1140 wrote to memory of 2916 1140 Jbhebfck.exe 42 PID 1140 wrote to memory of 2916 1140 Jbhebfck.exe 42 PID 1140 wrote to memory of 2916 1140 Jbhebfck.exe 42 PID 2916 wrote to memory of 1392 2916 Jefbnacn.exe 43 PID 2916 wrote to memory of 1392 2916 Jefbnacn.exe 43 PID 2916 wrote to memory of 1392 2916 Jefbnacn.exe 43 PID 2916 wrote to memory of 1392 2916 Jefbnacn.exe 43 PID 1392 wrote to memory of 2128 1392 Jplfkjbd.exe 44 PID 1392 wrote to memory of 2128 1392 Jplfkjbd.exe 44 PID 1392 wrote to memory of 2128 1392 Jplfkjbd.exe 44 PID 1392 wrote to memory of 2128 1392 Jplfkjbd.exe 44 PID 2128 wrote to memory of 1568 2128 Kambcbhb.exe 45 PID 2128 wrote to memory of 1568 2128 Kambcbhb.exe 45 PID 2128 wrote to memory of 1568 2128 Kambcbhb.exe 45 PID 2128 wrote to memory of 1568 2128 Kambcbhb.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\4430241b323d1a9f8366afc80a971198f10f915e02e25ce39414ef7841004d0bN.exe"C:\Users\Admin\AppData\Local\Temp\4430241b323d1a9f8366afc80a971198f10f915e02e25ce39414ef7841004d0bN.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2264 -
C:\Windows\SysWOW64\Jcnoejch.exeC:\Windows\system32\Jcnoejch.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2228 -
C:\Windows\SysWOW64\Jjhgbd32.exeC:\Windows\system32\Jjhgbd32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2880 -
C:\Windows\SysWOW64\Jikhnaao.exeC:\Windows\system32\Jikhnaao.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2708 -
C:\Windows\SysWOW64\Jikhnaao.exeC:\Windows\system32\Jikhnaao.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\Windows\SysWOW64\Jmfcop32.exeC:\Windows\system32\Jmfcop32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2056 -
C:\Windows\SysWOW64\Jabponba.exeC:\Windows\system32\Jabponba.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1980 -
C:\Windows\SysWOW64\Jimdcqom.exeC:\Windows\system32\Jimdcqom.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2280 -
C:\Windows\SysWOW64\Jpgmpk32.exeC:\Windows\system32\Jpgmpk32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2564 -
C:\Windows\SysWOW64\Jfaeme32.exeC:\Windows\system32\Jfaeme32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1564 -
C:\Windows\SysWOW64\Jmkmjoec.exeC:\Windows\system32\Jmkmjoec.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:292 -
C:\Windows\SysWOW64\Jlnmel32.exeC:\Windows\system32\Jlnmel32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2480 -
C:\Windows\SysWOW64\Jbhebfck.exeC:\Windows\system32\Jbhebfck.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1140 -
C:\Windows\SysWOW64\Jefbnacn.exeC:\Windows\system32\Jefbnacn.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2916 -
C:\Windows\SysWOW64\Jplfkjbd.exeC:\Windows\system32\Jplfkjbd.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1392 -
C:\Windows\SysWOW64\Kambcbhb.exeC:\Windows\system32\Kambcbhb.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2128 -
C:\Windows\SysWOW64\Keioca32.exeC:\Windows\system32\Keioca32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1568 -
C:\Windows\SysWOW64\Klcgpkhh.exeC:\Windows\system32\Klcgpkhh.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1908 -
C:\Windows\SysWOW64\Koaclfgl.exeC:\Windows\system32\Koaclfgl.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1500 -
C:\Windows\SysWOW64\Kapohbfp.exeC:\Windows\system32\Kapohbfp.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1148 -
C:\Windows\SysWOW64\Kdnkdmec.exeC:\Windows\system32\Kdnkdmec.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1748 -
C:\Windows\SysWOW64\Klecfkff.exeC:\Windows\system32\Klecfkff.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1244 -
C:\Windows\SysWOW64\Khldkllj.exeC:\Windows\system32\Khldkllj.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2928 -
C:\Windows\SysWOW64\Kmimcbja.exeC:\Windows\system32\Kmimcbja.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1852 -
C:\Windows\SysWOW64\Kadica32.exeC:\Windows\system32\Kadica32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2404 -
C:\Windows\SysWOW64\Kfaalh32.exeC:\Windows\system32\Kfaalh32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2532 -
C:\Windows\SysWOW64\Kpieengb.exeC:\Windows\system32\Kpieengb.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1480 -
C:\Windows\SysWOW64\Kdeaelok.exeC:\Windows\system32\Kdeaelok.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2776 -
C:\Windows\SysWOW64\Kgcnahoo.exeC:\Windows\system32\Kgcnahoo.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:3004 -
C:\Windows\SysWOW64\Lmmfnb32.exeC:\Windows\system32\Lmmfnb32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:3048 -
C:\Windows\SysWOW64\Lplbjm32.exeC:\Windows\system32\Lplbjm32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3020 -
C:\Windows\SysWOW64\Leikbd32.exeC:\Windows\system32\Leikbd32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1228 -
C:\Windows\SysWOW64\Lidgcclp.exeC:\Windows\system32\Lidgcclp.exe33⤵
- Executes dropped EXE
PID:2348 -
C:\Windows\SysWOW64\Loaokjjg.exeC:\Windows\system32\Loaokjjg.exe34⤵
- Executes dropped EXE
PID:3064 -
C:\Windows\SysWOW64\Lghgmg32.exeC:\Windows\system32\Lghgmg32.exe35⤵
- Executes dropped EXE
PID:2100 -
C:\Windows\SysWOW64\Lifcib32.exeC:\Windows\system32\Lifcib32.exe36⤵
- Executes dropped EXE
PID:2848 -
C:\Windows\SysWOW64\Laahme32.exeC:\Windows\system32\Laahme32.exe37⤵
- Executes dropped EXE
PID:1104 -
C:\Windows\SysWOW64\Liipnb32.exeC:\Windows\system32\Liipnb32.exe38⤵
- Executes dropped EXE
PID:2676 -
C:\Windows\SysWOW64\Llgljn32.exeC:\Windows\system32\Llgljn32.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2932 -
C:\Windows\SysWOW64\Lcadghnk.exeC:\Windows\system32\Lcadghnk.exe40⤵
- Executes dropped EXE
PID:332 -
C:\Windows\SysWOW64\Lklikj32.exeC:\Windows\system32\Lklikj32.exe41⤵
- Executes dropped EXE
PID:1688 -
C:\Windows\SysWOW64\Lohelidp.exeC:\Windows\system32\Lohelidp.exe42⤵
- Executes dropped EXE
PID:2328 -
C:\Windows\SysWOW64\Lnkege32.exeC:\Windows\system32\Lnkege32.exe43⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2552 -
C:\Windows\SysWOW64\Mebnic32.exeC:\Windows\system32\Mebnic32.exe44⤵
- Executes dropped EXE
PID:972 -
C:\Windows\SysWOW64\Mojbaham.exeC:\Windows\system32\Mojbaham.exe45⤵
- Executes dropped EXE
PID:1616 -
C:\Windows\SysWOW64\Mainndaq.exeC:\Windows\system32\Mainndaq.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:1236 -
C:\Windows\SysWOW64\Mploiq32.exeC:\Windows\system32\Mploiq32.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1608 -
C:\Windows\SysWOW64\Mkacfiga.exeC:\Windows\system32\Mkacfiga.exe48⤵
- Executes dropped EXE
PID:316 -
C:\Windows\SysWOW64\Mnpobefe.exeC:\Windows\system32\Mnpobefe.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2176 -
C:\Windows\SysWOW64\Makkcc32.exeC:\Windows\system32\Makkcc32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1484 -
C:\Windows\SysWOW64\Mdigoo32.exeC:\Windows\system32\Mdigoo32.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2392 -
C:\Windows\SysWOW64\Mclgklel.exeC:\Windows\system32\Mclgklel.exe52⤵
- Executes dropped EXE
PID:2608 -
C:\Windows\SysWOW64\Mkcplien.exeC:\Windows\system32\Mkcplien.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2720 -
C:\Windows\SysWOW64\Mjfphf32.exeC:\Windows\system32\Mjfphf32.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:2996 -
C:\Windows\SysWOW64\Mnblhddb.exeC:\Windows\system32\Mnblhddb.exe55⤵
- Executes dropped EXE
PID:1876 -
C:\Windows\SysWOW64\Mlelda32.exeC:\Windows\system32\Mlelda32.exe56⤵
- Executes dropped EXE
PID:1580 -
C:\Windows\SysWOW64\Mdldeo32.exeC:\Windows\system32\Mdldeo32.exe57⤵
- Executes dropped EXE
PID:3068 -
C:\Windows\SysWOW64\Mcodqkbi.exeC:\Windows\system32\Mcodqkbi.exe58⤵
- Executes dropped EXE
PID:1820 -
C:\Windows\SysWOW64\Mfmqmgbm.exeC:\Windows\system32\Mfmqmgbm.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2364 -
C:\Windows\SysWOW64\Mjilmejf.exeC:\Windows\system32\Mjilmejf.exe60⤵
- Executes dropped EXE
PID:2620 -
C:\Windows\SysWOW64\Mlgiiaij.exeC:\Windows\system32\Mlgiiaij.exe61⤵
- Executes dropped EXE
PID:2340 -
C:\Windows\SysWOW64\Moeeelhn.exeC:\Windows\system32\Moeeelhn.exe62⤵
- Executes dropped EXE
PID:2336 -
C:\Windows\SysWOW64\Mcaafk32.exeC:\Windows\system32\Mcaafk32.exe63⤵
- Executes dropped EXE
PID:1276 -
C:\Windows\SysWOW64\Mgmmfjip.exeC:\Windows\system32\Mgmmfjip.exe64⤵
- Executes dropped EXE
PID:3016 -
C:\Windows\SysWOW64\Mhninb32.exeC:\Windows\system32\Mhninb32.exe65⤵
- Executes dropped EXE
- Modifies registry class
PID:1188 -
C:\Windows\SysWOW64\Mlieoqgg.exeC:\Windows\system32\Mlieoqgg.exe66⤵PID:2548
-
C:\Windows\SysWOW64\Nqeapo32.exeC:\Windows\system32\Nqeapo32.exe67⤵PID:2132
-
C:\Windows\SysWOW64\Nohaklfk.exeC:\Windows\system32\Nohaklfk.exe68⤵PID:2524
-
C:\Windows\SysWOW64\Nccnlk32.exeC:\Windows\system32\Nccnlk32.exe69⤵PID:2716
-
C:\Windows\SysWOW64\Nbfnggeo.exeC:\Windows\system32\Nbfnggeo.exe70⤵PID:1716
-
C:\Windows\SysWOW64\Nfbjhf32.exeC:\Windows\system32\Nfbjhf32.exe71⤵PID:2764
-
C:\Windows\SysWOW64\Njmfhe32.exeC:\Windows\system32\Njmfhe32.exe72⤵PID:2260
-
C:\Windows\SysWOW64\Nkobpmlo.exeC:\Windows\system32\Nkobpmlo.exe73⤵PID:2208
-
C:\Windows\SysWOW64\Ncfjajma.exeC:\Windows\system32\Ncfjajma.exe74⤵PID:2816
-
C:\Windows\SysWOW64\Nbhkmg32.exeC:\Windows\system32\Nbhkmg32.exe75⤵PID:1020
-
C:\Windows\SysWOW64\Ndggib32.exeC:\Windows\system32\Ndggib32.exe76⤵
- Modifies registry class
PID:2956 -
C:\Windows\SysWOW64\Nmnojp32.exeC:\Windows\system32\Nmnojp32.exe77⤵
- System Location Discovery: System Language Discovery
PID:1976 -
C:\Windows\SysWOW64\Nkaoemjm.exeC:\Windows\system32\Nkaoemjm.exe78⤵PID:1632
-
C:\Windows\SysWOW64\Nomkfk32.exeC:\Windows\system32\Nomkfk32.exe79⤵PID:1984
-
C:\Windows\SysWOW64\Nnokahip.exeC:\Windows\system32\Nnokahip.exe80⤵PID:1544
-
C:\Windows\SysWOW64\Nffccejb.exeC:\Windows\system32\Nffccejb.exe81⤵PID:1168
-
C:\Windows\SysWOW64\Ndicnb32.exeC:\Windows\system32\Ndicnb32.exe82⤵
- Drops file in System32 directory
PID:2372 -
C:\Windows\SysWOW64\Nhepoaif.exeC:\Windows\system32\Nhepoaif.exe83⤵PID:2312
-
C:\Windows\SysWOW64\Nkclkl32.exeC:\Windows\system32\Nkclkl32.exe84⤵PID:2068
-
C:\Windows\SysWOW64\Noohlkpc.exeC:\Windows\system32\Noohlkpc.exe85⤵PID:1596
-
C:\Windows\SysWOW64\Nbmdhfog.exeC:\Windows\system32\Nbmdhfog.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2872 -
C:\Windows\SysWOW64\Nqpdcc32.exeC:\Windows\system32\Nqpdcc32.exe87⤵PID:2576
-
C:\Windows\SysWOW64\Nigldq32.exeC:\Windows\system32\Nigldq32.exe88⤵PID:2884
-
C:\Windows\SysWOW64\Nkehql32.exeC:\Windows\system32\Nkehql32.exe89⤵
- System Location Discovery: System Language Discovery
PID:1240 -
C:\Windows\SysWOW64\Nndemg32.exeC:\Windows\system32\Nndemg32.exe90⤵PID:2324
-
C:\Windows\SysWOW64\Nqbaic32.exeC:\Windows\system32\Nqbaic32.exe91⤵PID:2840
-
C:\Windows\SysWOW64\Ncamen32.exeC:\Windows\system32\Ncamen32.exe92⤵PID:2924
-
C:\Windows\SysWOW64\Ojkeah32.exeC:\Windows\system32\Ojkeah32.exe93⤵
- System Location Discovery: System Language Discovery
PID:2452 -
C:\Windows\SysWOW64\Omiand32.exeC:\Windows\system32\Omiand32.exe94⤵
- Modifies registry class
PID:1144 -
C:\Windows\SysWOW64\Oqennbbl.exeC:\Windows\system32\Oqennbbl.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1016 -
C:\Windows\SysWOW64\Oepjoa32.exeC:\Windows\system32\Oepjoa32.exe96⤵PID:828
-
C:\Windows\SysWOW64\Occjjnap.exeC:\Windows\system32\Occjjnap.exe97⤵PID:2728
-
C:\Windows\SysWOW64\Ogofkm32.exeC:\Windows\system32\Ogofkm32.exe98⤵PID:2808
-
C:\Windows\SysWOW64\Ojmbgh32.exeC:\Windows\system32\Ojmbgh32.exe99⤵PID:1940
-
C:\Windows\SysWOW64\Oninhgae.exeC:\Windows\system32\Oninhgae.exe100⤵
- Modifies registry class
PID:900 -
C:\Windows\SysWOW64\Ocefpnom.exeC:\Windows\system32\Ocefpnom.exe101⤵PID:1932
-
C:\Windows\SysWOW64\Ogabql32.exeC:\Windows\system32\Ogabql32.exe102⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2812 -
C:\Windows\SysWOW64\Ofdclinq.exeC:\Windows\system32\Ofdclinq.exe103⤵
- Modifies registry class
PID:536 -
C:\Windows\SysWOW64\Oibohdmd.exeC:\Windows\system32\Oibohdmd.exe104⤵
- Modifies registry class
PID:772 -
C:\Windows\SysWOW64\Omnkicen.exeC:\Windows\system32\Omnkicen.exe105⤵
- System Location Discovery: System Language Discovery
PID:824 -
C:\Windows\SysWOW64\Oplgeoea.exeC:\Windows\system32\Oplgeoea.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2356 -
C:\Windows\SysWOW64\Ochcem32.exeC:\Windows\system32\Ochcem32.exe107⤵PID:2112
-
C:\Windows\SysWOW64\Obkcajde.exeC:\Windows\system32\Obkcajde.exe108⤵PID:1364
-
C:\Windows\SysWOW64\Offpbi32.exeC:\Windows\system32\Offpbi32.exe109⤵PID:2700
-
C:\Windows\SysWOW64\Ojblbgdg.exeC:\Windows\system32\Ojblbgdg.exe110⤵PID:2688
-
C:\Windows\SysWOW64\Olchjp32.exeC:\Windows\system32\Olchjp32.exe111⤵
- Drops file in System32 directory
PID:1776 -
C:\Windows\SysWOW64\Opodknco.exeC:\Windows\system32\Opodknco.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:296 -
C:\Windows\SysWOW64\Ocjpkm32.exeC:\Windows\system32\Ocjpkm32.exe113⤵PID:2248
-
C:\Windows\SysWOW64\Ofilgh32.exeC:\Windows\system32\Ofilgh32.exe114⤵PID:2940
-
C:\Windows\SysWOW64\Oighcd32.exeC:\Windows\system32\Oighcd32.exe115⤵PID:2420
-
C:\Windows\SysWOW64\Ombddbah.exeC:\Windows\system32\Ombddbah.exe116⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2076 -
C:\Windows\SysWOW64\Opaqpn32.exeC:\Windows\system32\Opaqpn32.exe117⤵PID:1704
-
C:\Windows\SysWOW64\Pndalkgf.exeC:\Windows\system32\Pndalkgf.exe118⤵
- Drops file in System32 directory
PID:1424 -
C:\Windows\SysWOW64\Pbomli32.exeC:\Windows\system32\Pbomli32.exe119⤵PID:1700
-
C:\Windows\SysWOW64\Pfkimhhi.exeC:\Windows\system32\Pfkimhhi.exe120⤵PID:600
-
C:\Windows\SysWOW64\Piieicgl.exeC:\Windows\system32\Piieicgl.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2624 -
C:\Windows\SysWOW64\Plhaeofp.exeC:\Windows\system32\Plhaeofp.exe122⤵PID:2408
-