Analysis
-
max time kernel
28s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
31/10/2024, 03:59
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
b584424c2747847dd9e936c817b31ddcf0dbada37aac17645b3c2a56ef8e6b8d.exe
Resource
win7-20241010-en
windows7-x64
10 signatures
150 seconds
General
-
Target
b584424c2747847dd9e936c817b31ddcf0dbada37aac17645b3c2a56ef8e6b8d.exe
-
Size
163KB
-
MD5
cc848512215447d8497e11c12d58a32b
-
SHA1
c91e46c31bd97a3e47a8d7134f361405bda10a7b
-
SHA256
b584424c2747847dd9e936c817b31ddcf0dbada37aac17645b3c2a56ef8e6b8d
-
SHA512
074cc30641282ae1af90a357d1c125bb4d0a99f918d7d8e25781245fb491cb6b56cf6538758d2003cd9253f0687f21c24d2e0261155360e8ecb98a96354e52c3
-
SSDEEP
1536:P9cQxSQlAWB47abANNkvPwtrmVKg9qhMqtKbIF7lProNVU4qNVUrk/9QbfBr+7Gh:1zlvO9IuQ9cKMF7ltOrWKDBr+yJb
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://master-x.com/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://crutop.ru/index.php
http://kaspersky.ru/index.php
http://color-bank.ru/index.php
http://adult-empire.com/index.php
http://virus-list.com/index.php
http://trojan.ru/index.php
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://fethard.biz/index.htm
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://kaspersky.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgcbja32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmlkhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hgaoec32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Incgfl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkoidcaj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhegcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qpjchicb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hqpahkmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hndaao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mgaqohql.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bqffna32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djcpqidc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ndbjgjqh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oepianef.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dadehh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acbieing.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lcnhcdkp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pojgnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gielchpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Npfhjifm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qiekadkl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfbdje32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aoijjjcl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qpjchicb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjkamk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjpmkdpp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npfhjifm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Papmlmbp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofnppgbh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olobcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Acnpjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bqhbcqmj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmmiaknb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hqjfgb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjkbfpah.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aggkdlod.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipecndab.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jadlgjjq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opcaiggo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfmjoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ihlbih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dcaghm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkmfpabp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdlqjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fdemap32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gielchpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qnoklc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eenckc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cappnf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbllph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mdkcgk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohqbbi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glongpao.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckbccnji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gokmnlcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cedbmi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oiniaboi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bqhbcqmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ceanmc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnmlpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gcifdj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fakhhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ipecndab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hchbcmlh.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2488 Bgqeea32.exe 2964 Baiingae.exe 2116 Bgcbja32.exe 1380 Bbhfgj32.exe 2968 Cgeopqfp.exe 2896 Cmbghgdg.exe 2704 Cappnf32.exe 2236 Cabldeik.exe 2348 Cjkamk32.exe 2240 Cllmdcej.exe 3056 Cedbmi32.exe 2416 Domffn32.exe 3036 Dlqgob32.exe 2124 Didgig32.exe 2644 Doapanne.exe 2524 Dodlfmlb.exe 1688 Dadehh32.exe 1732 Ekmjanpd.exe 2628 Edenjc32.exe 1092 Eplood32.exe 1104 Eidchjbi.exe 1968 Epnldd32.exe 872 Eigpmjqg.exe 3008 Eabeal32.exe 1604 Elgioe32.exe 2508 Fepnhjdh.exe 2728 Fkmfpabp.exe 964 Fgcgebhd.exe 2756 Faikbkhj.exe 968 Fgfckbfa.exe 2172 Fakhhk32.exe 3040 Fcmdpcle.exe 3028 Fdlqjf32.exe 2908 Gndebkii.exe 1056 Gcankb32.exe 2128 Gmjbchnq.exe 1752 Gfbfln32.exe 2180 Gkoodd32.exe 1964 Gbigao32.exe 1736 Gmnlog32.exe 2528 Gomhkb32.exe 2920 Gielchpp.exe 2860 Hqpahkmj.exe 1388 Hndaao32.exe 2408 Hcajjf32.exe 1264 Hjkbfpah.exe 1032 Hgobpd32.exe 2092 Hmlkhk32.exe 2700 Hgaoec32.exe 1008 Hpmdjf32.exe 2576 Imqdcjkd.exe 2952 Icjmpd32.exe 2888 Ieligmho.exe 3000 Ilfadg32.exe 1012 Ifkfap32.exe 2156 Ihlbih32.exe 1996 Ieqbbl32.exe 1004 Iniglajj.exe 1740 Iecohl32.exe 1992 Ijphqbpo.exe 1668 Jdhlih32.exe 2688 Lphlck32.exe 1284 Lpjiik32.exe 2932 Lhenmm32.exe -
Loads dropped DLL 64 IoCs
pid Process 2328 b584424c2747847dd9e936c817b31ddcf0dbada37aac17645b3c2a56ef8e6b8d.exe 2328 b584424c2747847dd9e936c817b31ddcf0dbada37aac17645b3c2a56ef8e6b8d.exe 2488 Bgqeea32.exe 2488 Bgqeea32.exe 2964 Baiingae.exe 2964 Baiingae.exe 2116 Bgcbja32.exe 2116 Bgcbja32.exe 1380 Bbhfgj32.exe 1380 Bbhfgj32.exe 2968 Cgeopqfp.exe 2968 Cgeopqfp.exe 2896 Cmbghgdg.exe 2896 Cmbghgdg.exe 2704 Cappnf32.exe 2704 Cappnf32.exe 2236 Cabldeik.exe 2236 Cabldeik.exe 2348 Cjkamk32.exe 2348 Cjkamk32.exe 2240 Cllmdcej.exe 2240 Cllmdcej.exe 3056 Cedbmi32.exe 3056 Cedbmi32.exe 2416 Domffn32.exe 2416 Domffn32.exe 3036 Dlqgob32.exe 3036 Dlqgob32.exe 2124 Didgig32.exe 2124 Didgig32.exe 2644 Doapanne.exe 2644 Doapanne.exe 2524 Dodlfmlb.exe 2524 Dodlfmlb.exe 1688 Dadehh32.exe 1688 Dadehh32.exe 1732 Ekmjanpd.exe 1732 Ekmjanpd.exe 2628 Edenjc32.exe 2628 Edenjc32.exe 1092 Eplood32.exe 1092 Eplood32.exe 1104 Eidchjbi.exe 1104 Eidchjbi.exe 1968 Epnldd32.exe 1968 Epnldd32.exe 872 Eigpmjqg.exe 872 Eigpmjqg.exe 3008 Eabeal32.exe 3008 Eabeal32.exe 1604 Elgioe32.exe 1604 Elgioe32.exe 2508 Fepnhjdh.exe 2508 Fepnhjdh.exe 2728 Fkmfpabp.exe 2728 Fkmfpabp.exe 964 Fgcgebhd.exe 964 Fgcgebhd.exe 2756 Faikbkhj.exe 2756 Faikbkhj.exe 968 Fgfckbfa.exe 968 Fgfckbfa.exe 2172 Fakhhk32.exe 2172 Fakhhk32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Ojgokflc.exe Naokbq32.exe File created C:\Windows\SysWOW64\Jmbilgok.dll Bhljlnma.exe File created C:\Windows\SysWOW64\Omldapkm.dll Plaoim32.exe File created C:\Windows\SysWOW64\Mcllmmbh.dll Dgbgon32.exe File created C:\Windows\SysWOW64\Ldgnmhhj.exe Lahaqm32.exe File opened for modification C:\Windows\SysWOW64\Ijphqbpo.exe Iecohl32.exe File opened for modification C:\Windows\SysWOW64\Aoijjjcl.exe Ahoamplo.exe File created C:\Windows\SysWOW64\Didgig32.exe Dlqgob32.exe File created C:\Windows\SysWOW64\Bnqcaffa.exe Aggkdlod.exe File created C:\Windows\SysWOW64\Fkafkl32.dll Kdincdcl.exe File opened for modification C:\Windows\SysWOW64\Mogene32.exe Mfoqephq.exe File created C:\Windows\SysWOW64\Mbkkepio.exe Moloidjl.exe File opened for modification C:\Windows\SysWOW64\Bhngbm32.exe Bbdoec32.exe File opened for modification C:\Windows\SysWOW64\Cmgblphf.exe Cfmjoe32.exe File created C:\Windows\SysWOW64\Qiekadkl.exe Qckcdj32.exe File created C:\Windows\SysWOW64\Gcifdj32.exe Glongpao.exe File created C:\Windows\SysWOW64\Cabldeik.exe Cappnf32.exe File opened for modification C:\Windows\SysWOW64\Hndaao32.exe Hqpahkmj.exe File opened for modification C:\Windows\SysWOW64\Llfcik32.exe Lhenmm32.exe File opened for modification C:\Windows\SysWOW64\Jehbfjia.exe Jplinckj.exe File opened for modification C:\Windows\SysWOW64\Mcendc32.exe Mhpigk32.exe File created C:\Windows\SysWOW64\Cocbbk32.exe Cfknjfbl.exe File created C:\Windows\SysWOW64\Cjcfdm32.dll Dnbbjf32.exe File opened for modification C:\Windows\SysWOW64\Cfjdfg32.exe Cncmei32.exe File opened for modification C:\Windows\SysWOW64\Fkmfpabp.exe Fepnhjdh.exe File opened for modification C:\Windows\SysWOW64\Aglhph32.exe Alfdcp32.exe File created C:\Windows\SysWOW64\Ldndng32.exe Lndlamke.exe File opened for modification C:\Windows\SysWOW64\Oclpdf32.exe Ombhgljn.exe File created C:\Windows\SysWOW64\Bbflkcao.exe Bgagnjbi.exe File created C:\Windows\SysWOW64\Jhenkpja.dll Cbllph32.exe File created C:\Windows\SysWOW64\Lcnhcdkp.exe Lamkllea.exe File created C:\Windows\SysWOW64\Fbbcdh32.exe Flhkhnel.exe File created C:\Windows\SysWOW64\Bqhbcqmj.exe Bfcnfh32.exe File opened for modification C:\Windows\SysWOW64\Dhdddnep.exe Dgbgon32.exe File created C:\Windows\SysWOW64\Johlpoij.exe Jadlgjjq.exe File created C:\Windows\SysWOW64\Cmgblphf.exe Cfmjoe32.exe File opened for modification C:\Windows\SysWOW64\Dpmeij32.exe Dicmlpje.exe File opened for modification C:\Windows\SysWOW64\Kgjgepqm.exe Kppohf32.exe File created C:\Windows\SysWOW64\Khkdmh32.exe Kgjgepqm.exe File opened for modification C:\Windows\SysWOW64\Oljanhmc.exe Oepianef.exe File created C:\Windows\SysWOW64\Pmbdfolj.exe Pfhlie32.exe File created C:\Windows\SysWOW64\Eenckc32.exe Ebpgoh32.exe File opened for modification C:\Windows\SysWOW64\Ipecndab.exe Incgfl32.exe File opened for modification C:\Windows\SysWOW64\Icjmpd32.exe Imqdcjkd.exe File created C:\Windows\SysWOW64\Llfcik32.exe Lhenmm32.exe File created C:\Windows\SysWOW64\Ceanmc32.exe Cngfqi32.exe File opened for modification C:\Windows\SysWOW64\Eaegaaah.exe Djkodg32.exe File opened for modification C:\Windows\SysWOW64\Ibhieo32.exe Ilnqhddd.exe File created C:\Windows\SysWOW64\Lohiob32.exe Khnqbhdi.exe File opened for modification C:\Windows\SysWOW64\Mfoqephq.exe Ldndng32.exe File created C:\Windows\SysWOW64\Ndbjgjqh.exe Njmejaqb.exe File opened for modification C:\Windows\SysWOW64\Pdnihiad.exe Papmlmbp.exe File created C:\Windows\SysWOW64\Dpmeij32.exe Dicmlpje.exe File created C:\Windows\SysWOW64\Hcckbeha.dll Fokaoh32.exe File opened for modification C:\Windows\SysWOW64\Ilfadg32.exe Ieligmho.exe File created C:\Windows\SysWOW64\Kmlbeoba.dll Hefibg32.exe File opened for modification C:\Windows\SysWOW64\Phckglbq.exe Pojgnf32.exe File created C:\Windows\SysWOW64\Dnbbjf32.exe Dieiap32.exe File opened for modification C:\Windows\SysWOW64\Epnldd32.exe Eidchjbi.exe File created C:\Windows\SysWOW64\Npfhjifm.exe Nilpmo32.exe File created C:\Windows\SysWOW64\Qommgk32.dll Dhdddnep.exe File opened for modification C:\Windows\SysWOW64\Qamleagn.exe Qkcdigpa.exe File created C:\Windows\SysWOW64\Napdqm32.dll Eleobngo.exe File opened for modification C:\Windows\SysWOW64\Fgcgebhd.exe Fkmfpabp.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4720 4400 WerFault.exe 349 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgjgepqm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oljanhmc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npfhjifm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckbccnji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfoqephq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjofanld.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfknjfbl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Doapanne.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lphlck32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lolbjahp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmllgo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdhlih32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlmiojla.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppqqbjkm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbkaee32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Figoefkf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hchbcmlh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imqdcjkd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lahaqm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdophn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acbieing.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jadlgjjq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnpieceq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dndoof32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdemap32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eabeal32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oacdmpan.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekmjanpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igioiacg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kiamql32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbkkepio.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgeopqfp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmbghgdg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jehbfjia.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oclpdf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obdjjb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gohqhl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbhfgj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imdjlida.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbcfie32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ginefe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhfbmn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkmfpabp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eaegaaah.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjlnaghp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmmcae32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khkdmh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fokaoh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hqcpfcbl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkidclbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgaqohql.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjeffc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iiekkdjo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nqijmkfm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdgdlnop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjjakg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hefibg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fljhmmci.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qnoklc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qpjchicb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhdcbjal.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohqbbi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alcqcjgd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cincaq32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcgdlpkc.dll" Epnldd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pngjlfla.dll" Ijphqbpo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nijcgp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oclpdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pokjahgh.dll" Hgpeimhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bfcnfh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bqhbcqmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhenkpja.dll" Cbllph32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Papmlmbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qakppa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Addlbf32.dll" Fhfbmn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Didgig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mnilfc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ojgokflc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mcendc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Npngng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nijcgp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfceqc32.dll" Cmbghgdg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cjkamk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gielchpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lcnhcdkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pjfdpckc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edlmlclc.dll" Epjdbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nbgakd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hekohm32.dll" Djemfibq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bklicbjm.dll" Ijmdql32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kekkkm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Papmlmbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Joamihjm.dll" Qckcdj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qeglqpaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjfoqe32.dll" Elgioe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lngpac32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mhpigk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naegmigc.dll" Ccmanjch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Djemfibq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Incgfl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lhegcg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mnakjaoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcebdo32.dll" Hdcebagp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Baiingae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ihlbih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iqcepk32.dll" Lhenmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enipjhjm.dll" Bnqcaffa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hgpeimhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hgobpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Doaapm32.dll" Hgaoec32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Alhaho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bjlnaghp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ceoagcld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpdkel32.dll" Ieqbbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nilpmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmdmkboi.dll" Ofefqf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Khkdmh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gcankb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jiaaaicm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hadpaf32.dll" Pbcfie32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bgagnjbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oiniaboi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lchqamfp.dll" Ibhieo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkegca32.dll" Bbflkcao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ccmanjch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hnimeg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkgoccel.dll" Ncpgeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Khkdmh32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2328 wrote to memory of 2488 2328 b584424c2747847dd9e936c817b31ddcf0dbada37aac17645b3c2a56ef8e6b8d.exe 29 PID 2328 wrote to memory of 2488 2328 b584424c2747847dd9e936c817b31ddcf0dbada37aac17645b3c2a56ef8e6b8d.exe 29 PID 2328 wrote to memory of 2488 2328 b584424c2747847dd9e936c817b31ddcf0dbada37aac17645b3c2a56ef8e6b8d.exe 29 PID 2328 wrote to memory of 2488 2328 b584424c2747847dd9e936c817b31ddcf0dbada37aac17645b3c2a56ef8e6b8d.exe 29 PID 2488 wrote to memory of 2964 2488 Bgqeea32.exe 30 PID 2488 wrote to memory of 2964 2488 Bgqeea32.exe 30 PID 2488 wrote to memory of 2964 2488 Bgqeea32.exe 30 PID 2488 wrote to memory of 2964 2488 Bgqeea32.exe 30 PID 2964 wrote to memory of 2116 2964 Baiingae.exe 31 PID 2964 wrote to memory of 2116 2964 Baiingae.exe 31 PID 2964 wrote to memory of 2116 2964 Baiingae.exe 31 PID 2964 wrote to memory of 2116 2964 Baiingae.exe 31 PID 2116 wrote to memory of 1380 2116 Bgcbja32.exe 32 PID 2116 wrote to memory of 1380 2116 Bgcbja32.exe 32 PID 2116 wrote to memory of 1380 2116 Bgcbja32.exe 32 PID 2116 wrote to memory of 1380 2116 Bgcbja32.exe 32 PID 1380 wrote to memory of 2968 1380 Bbhfgj32.exe 33 PID 1380 wrote to memory of 2968 1380 Bbhfgj32.exe 33 PID 1380 wrote to memory of 2968 1380 Bbhfgj32.exe 33 PID 1380 wrote to memory of 2968 1380 Bbhfgj32.exe 33 PID 2968 wrote to memory of 2896 2968 Cgeopqfp.exe 34 PID 2968 wrote to memory of 2896 2968 Cgeopqfp.exe 34 PID 2968 wrote to memory of 2896 2968 Cgeopqfp.exe 34 PID 2968 wrote to memory of 2896 2968 Cgeopqfp.exe 34 PID 2896 wrote to memory of 2704 2896 Cmbghgdg.exe 35 PID 2896 wrote to memory of 2704 2896 Cmbghgdg.exe 35 PID 2896 wrote to memory of 2704 2896 Cmbghgdg.exe 35 PID 2896 wrote to memory of 2704 2896 Cmbghgdg.exe 35 PID 2704 wrote to memory of 2236 2704 Cappnf32.exe 36 PID 2704 wrote to memory of 2236 2704 Cappnf32.exe 36 PID 2704 wrote to memory of 2236 2704 Cappnf32.exe 36 PID 2704 wrote to memory of 2236 2704 Cappnf32.exe 36 PID 2236 wrote to memory of 2348 2236 Cabldeik.exe 37 PID 2236 wrote to memory of 2348 2236 Cabldeik.exe 37 PID 2236 wrote to memory of 2348 2236 Cabldeik.exe 37 PID 2236 wrote to memory of 2348 2236 Cabldeik.exe 37 PID 2348 wrote to memory of 2240 2348 Cjkamk32.exe 38 PID 2348 wrote to memory of 2240 2348 Cjkamk32.exe 38 PID 2348 wrote to memory of 2240 2348 Cjkamk32.exe 38 PID 2348 wrote to memory of 2240 2348 Cjkamk32.exe 38 PID 2240 wrote to memory of 3056 2240 Cllmdcej.exe 39 PID 2240 wrote to memory of 3056 2240 Cllmdcej.exe 39 PID 2240 wrote to memory of 3056 2240 Cllmdcej.exe 39 PID 2240 wrote to memory of 3056 2240 Cllmdcej.exe 39 PID 3056 wrote to memory of 2416 3056 Cedbmi32.exe 40 PID 3056 wrote to memory of 2416 3056 Cedbmi32.exe 40 PID 3056 wrote to memory of 2416 3056 Cedbmi32.exe 40 PID 3056 wrote to memory of 2416 3056 Cedbmi32.exe 40 PID 2416 wrote to memory of 3036 2416 Domffn32.exe 41 PID 2416 wrote to memory of 3036 2416 Domffn32.exe 41 PID 2416 wrote to memory of 3036 2416 Domffn32.exe 41 PID 2416 wrote to memory of 3036 2416 Domffn32.exe 41 PID 3036 wrote to memory of 2124 3036 Dlqgob32.exe 42 PID 3036 wrote to memory of 2124 3036 Dlqgob32.exe 42 PID 3036 wrote to memory of 2124 3036 Dlqgob32.exe 42 PID 3036 wrote to memory of 2124 3036 Dlqgob32.exe 42 PID 2124 wrote to memory of 2644 2124 Didgig32.exe 43 PID 2124 wrote to memory of 2644 2124 Didgig32.exe 43 PID 2124 wrote to memory of 2644 2124 Didgig32.exe 43 PID 2124 wrote to memory of 2644 2124 Didgig32.exe 43 PID 2644 wrote to memory of 2524 2644 Doapanne.exe 44 PID 2644 wrote to memory of 2524 2644 Doapanne.exe 44 PID 2644 wrote to memory of 2524 2644 Doapanne.exe 44 PID 2644 wrote to memory of 2524 2644 Doapanne.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\b584424c2747847dd9e936c817b31ddcf0dbada37aac17645b3c2a56ef8e6b8d.exe"C:\Users\Admin\AppData\Local\Temp\b584424c2747847dd9e936c817b31ddcf0dbada37aac17645b3c2a56ef8e6b8d.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2328 -
C:\Windows\SysWOW64\Bgqeea32.exeC:\Windows\system32\Bgqeea32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2488 -
C:\Windows\SysWOW64\Baiingae.exeC:\Windows\system32\Baiingae.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2964 -
C:\Windows\SysWOW64\Bgcbja32.exeC:\Windows\system32\Bgcbja32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2116 -
C:\Windows\SysWOW64\Bbhfgj32.exeC:\Windows\system32\Bbhfgj32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1380 -
C:\Windows\SysWOW64\Cgeopqfp.exeC:\Windows\system32\Cgeopqfp.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2968 -
C:\Windows\SysWOW64\Cmbghgdg.exeC:\Windows\system32\Cmbghgdg.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2896 -
C:\Windows\SysWOW64\Cappnf32.exeC:\Windows\system32\Cappnf32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2704 -
C:\Windows\SysWOW64\Cabldeik.exeC:\Windows\system32\Cabldeik.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2236 -
C:\Windows\SysWOW64\Cjkamk32.exeC:\Windows\system32\Cjkamk32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2348 -
C:\Windows\SysWOW64\Cllmdcej.exeC:\Windows\system32\Cllmdcej.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2240 -
C:\Windows\SysWOW64\Cedbmi32.exeC:\Windows\system32\Cedbmi32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3056 -
C:\Windows\SysWOW64\Domffn32.exeC:\Windows\system32\Domffn32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2416 -
C:\Windows\SysWOW64\Dlqgob32.exeC:\Windows\system32\Dlqgob32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3036 -
C:\Windows\SysWOW64\Didgig32.exeC:\Windows\system32\Didgig32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2124 -
C:\Windows\SysWOW64\Doapanne.exeC:\Windows\system32\Doapanne.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2644 -
C:\Windows\SysWOW64\Dodlfmlb.exeC:\Windows\system32\Dodlfmlb.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2524 -
C:\Windows\SysWOW64\Dadehh32.exeC:\Windows\system32\Dadehh32.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1688 -
C:\Windows\SysWOW64\Ekmjanpd.exeC:\Windows\system32\Ekmjanpd.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1732 -
C:\Windows\SysWOW64\Edenjc32.exeC:\Windows\system32\Edenjc32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2628 -
C:\Windows\SysWOW64\Eplood32.exeC:\Windows\system32\Eplood32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1092 -
C:\Windows\SysWOW64\Eidchjbi.exeC:\Windows\system32\Eidchjbi.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1104 -
C:\Windows\SysWOW64\Epnldd32.exeC:\Windows\system32\Epnldd32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1968 -
C:\Windows\SysWOW64\Eigpmjqg.exeC:\Windows\system32\Eigpmjqg.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:872 -
C:\Windows\SysWOW64\Eabeal32.exeC:\Windows\system32\Eabeal32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3008 -
C:\Windows\SysWOW64\Elgioe32.exeC:\Windows\system32\Elgioe32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1604 -
C:\Windows\SysWOW64\Fepnhjdh.exeC:\Windows\system32\Fepnhjdh.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2508 -
C:\Windows\SysWOW64\Fkmfpabp.exeC:\Windows\system32\Fkmfpabp.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2728 -
C:\Windows\SysWOW64\Fgcgebhd.exeC:\Windows\system32\Fgcgebhd.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:964 -
C:\Windows\SysWOW64\Faikbkhj.exeC:\Windows\system32\Faikbkhj.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2756 -
C:\Windows\SysWOW64\Fgfckbfa.exeC:\Windows\system32\Fgfckbfa.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:968 -
C:\Windows\SysWOW64\Fakhhk32.exeC:\Windows\system32\Fakhhk32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2172 -
C:\Windows\SysWOW64\Fcmdpcle.exeC:\Windows\system32\Fcmdpcle.exe33⤵
- Executes dropped EXE
PID:3040 -
C:\Windows\SysWOW64\Fdlqjf32.exeC:\Windows\system32\Fdlqjf32.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3028 -
C:\Windows\SysWOW64\Gndebkii.exeC:\Windows\system32\Gndebkii.exe35⤵
- Executes dropped EXE
PID:2908 -
C:\Windows\SysWOW64\Gcankb32.exeC:\Windows\system32\Gcankb32.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:1056 -
C:\Windows\SysWOW64\Gmjbchnq.exeC:\Windows\system32\Gmjbchnq.exe37⤵
- Executes dropped EXE
PID:2128 -
C:\Windows\SysWOW64\Gfbfln32.exeC:\Windows\system32\Gfbfln32.exe38⤵
- Executes dropped EXE
PID:1752 -
C:\Windows\SysWOW64\Gkoodd32.exeC:\Windows\system32\Gkoodd32.exe39⤵
- Executes dropped EXE
PID:2180 -
C:\Windows\SysWOW64\Gbigao32.exeC:\Windows\system32\Gbigao32.exe40⤵
- Executes dropped EXE
PID:1964 -
C:\Windows\SysWOW64\Gmnlog32.exeC:\Windows\system32\Gmnlog32.exe41⤵
- Executes dropped EXE
PID:1736 -
C:\Windows\SysWOW64\Gomhkb32.exeC:\Windows\system32\Gomhkb32.exe42⤵
- Executes dropped EXE
PID:2528 -
C:\Windows\SysWOW64\Gielchpp.exeC:\Windows\system32\Gielchpp.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2920 -
C:\Windows\SysWOW64\Hqpahkmj.exeC:\Windows\system32\Hqpahkmj.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2860 -
C:\Windows\SysWOW64\Hndaao32.exeC:\Windows\system32\Hndaao32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1388 -
C:\Windows\SysWOW64\Hcajjf32.exeC:\Windows\system32\Hcajjf32.exe46⤵
- Executes dropped EXE
PID:2408 -
C:\Windows\SysWOW64\Hjkbfpah.exeC:\Windows\system32\Hjkbfpah.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1264 -
C:\Windows\SysWOW64\Hgobpd32.exeC:\Windows\system32\Hgobpd32.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:1032 -
C:\Windows\SysWOW64\Hmlkhk32.exeC:\Windows\system32\Hmlkhk32.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2092 -
C:\Windows\SysWOW64\Hgaoec32.exeC:\Windows\system32\Hgaoec32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2700 -
C:\Windows\SysWOW64\Hpmdjf32.exeC:\Windows\system32\Hpmdjf32.exe51⤵
- Executes dropped EXE
PID:1008 -
C:\Windows\SysWOW64\Imqdcjkd.exeC:\Windows\system32\Imqdcjkd.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2576 -
C:\Windows\SysWOW64\Icjmpd32.exeC:\Windows\system32\Icjmpd32.exe53⤵
- Executes dropped EXE
PID:2952 -
C:\Windows\SysWOW64\Ieligmho.exeC:\Windows\system32\Ieligmho.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2888 -
C:\Windows\SysWOW64\Ilfadg32.exeC:\Windows\system32\Ilfadg32.exe55⤵
- Executes dropped EXE
PID:3000 -
C:\Windows\SysWOW64\Ifkfap32.exeC:\Windows\system32\Ifkfap32.exe56⤵
- Executes dropped EXE
PID:1012 -
C:\Windows\SysWOW64\Ihlbih32.exeC:\Windows\system32\Ihlbih32.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2156 -
C:\Windows\SysWOW64\Ieqbbl32.exeC:\Windows\system32\Ieqbbl32.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:1996 -
C:\Windows\SysWOW64\Iniglajj.exeC:\Windows\system32\Iniglajj.exe59⤵
- Executes dropped EXE
PID:1004 -
C:\Windows\SysWOW64\Iecohl32.exeC:\Windows\system32\Iecohl32.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1740 -
C:\Windows\SysWOW64\Ijphqbpo.exeC:\Windows\system32\Ijphqbpo.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:1992 -
C:\Windows\SysWOW64\Jdhlih32.exeC:\Windows\system32\Jdhlih32.exe62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1668 -
C:\Windows\SysWOW64\Lphlck32.exeC:\Windows\system32\Lphlck32.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2688 -
C:\Windows\SysWOW64\Lpjiik32.exeC:\Windows\system32\Lpjiik32.exe64⤵
- Executes dropped EXE
PID:1284 -
C:\Windows\SysWOW64\Lhenmm32.exeC:\Windows\system32\Lhenmm32.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2932 -
C:\Windows\SysWOW64\Llfcik32.exeC:\Windows\system32\Llfcik32.exe66⤵PID:304
-
C:\Windows\SysWOW64\Lngpac32.exeC:\Windows\system32\Lngpac32.exe67⤵
- Modifies registry class
PID:2060 -
C:\Windows\SysWOW64\Mhlcnl32.exeC:\Windows\system32\Mhlcnl32.exe68⤵PID:1600
-
C:\Windows\SysWOW64\Mnilfc32.exeC:\Windows\system32\Mnilfc32.exe69⤵
- Modifies registry class
PID:1508 -
C:\Windows\SysWOW64\Mgaqohql.exeC:\Windows\system32\Mgaqohql.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:756 -
C:\Windows\SysWOW64\Mjpmkdpp.exeC:\Windows\system32\Mjpmkdpp.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2400 -
C:\Windows\SysWOW64\Mdeaim32.exeC:\Windows\system32\Mdeaim32.exe72⤵PID:992
-
C:\Windows\SysWOW64\Mjbiac32.exeC:\Windows\system32\Mjbiac32.exe73⤵PID:2984
-
C:\Windows\SysWOW64\Mqlbnnej.exeC:\Windows\system32\Mqlbnnej.exe74⤵PID:916
-
C:\Windows\SysWOW64\Mjeffc32.exeC:\Windows\system32\Mjeffc32.exe75⤵
- System Location Discovery: System Language Discovery
PID:2780 -
C:\Windows\SysWOW64\Mpaoojjb.exeC:\Windows\system32\Mpaoojjb.exe76⤵PID:1860
-
C:\Windows\SysWOW64\Nijcgp32.exeC:\Windows\system32\Nijcgp32.exe77⤵
- Modifies registry class
PID:2192 -
C:\Windows\SysWOW64\Ncpgeh32.exeC:\Windows\system32\Ncpgeh32.exe78⤵
- Modifies registry class
PID:2340 -
C:\Windows\SysWOW64\Nilpmo32.exeC:\Windows\system32\Nilpmo32.exe79⤵
- Drops file in System32 directory
- Modifies registry class
PID:2160 -
C:\Windows\SysWOW64\Npfhjifm.exeC:\Windows\system32\Npfhjifm.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2752 -
C:\Windows\SysWOW64\Necqbp32.exeC:\Windows\system32\Necqbp32.exe81⤵PID:2352
-
C:\Windows\SysWOW64\Nlmiojla.exeC:\Windows\system32\Nlmiojla.exe82⤵
- System Location Discovery: System Language Discovery
PID:2680 -
C:\Windows\SysWOW64\Nbgakd32.exeC:\Windows\system32\Nbgakd32.exe83⤵
- Modifies registry class
PID:2196 -
C:\Windows\SysWOW64\Npkaei32.exeC:\Windows\system32\Npkaei32.exe84⤵PID:1536
-
C:\Windows\SysWOW64\Nlabjj32.exeC:\Windows\system32\Nlabjj32.exe85⤵PID:1304
-
C:\Windows\SysWOW64\Naokbq32.exeC:\Windows\system32\Naokbq32.exe86⤵
- Drops file in System32 directory
PID:2296 -
C:\Windows\SysWOW64\Ojgokflc.exeC:\Windows\system32\Ojgokflc.exe87⤵
- Modifies registry class
PID:2584 -
C:\Windows\SysWOW64\Oelcho32.exeC:\Windows\system32\Oelcho32.exe88⤵PID:540
-
C:\Windows\SysWOW64\Ofnppgbh.exeC:\Windows\system32\Ofnppgbh.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2768 -
C:\Windows\SysWOW64\Oacdmpan.exeC:\Windows\system32\Oacdmpan.exe90⤵
- System Location Discovery: System Language Discovery
PID:1516 -
C:\Windows\SysWOW64\Oiniaboi.exeC:\Windows\system32\Oiniaboi.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3032 -
C:\Windows\SysWOW64\Ophanl32.exeC:\Windows\system32\Ophanl32.exe92⤵PID:2044
-
C:\Windows\SysWOW64\Olobcm32.exeC:\Windows\system32\Olobcm32.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1628 -
C:\Windows\SysWOW64\Ofefqf32.exeC:\Windows\system32\Ofefqf32.exe94⤵
- Modifies registry class
PID:1588 -
C:\Windows\SysWOW64\Plaoim32.exeC:\Windows\system32\Plaoim32.exe95⤵
- Drops file in System32 directory
PID:2280 -
C:\Windows\SysWOW64\Pfgcff32.exeC:\Windows\system32\Pfgcff32.exe96⤵PID:1748
-
C:\Windows\SysWOW64\Ppogok32.exeC:\Windows\system32\Ppogok32.exe97⤵PID:2720
-
C:\Windows\SysWOW64\Pelpgb32.exeC:\Windows\system32\Pelpgb32.exe98⤵PID:2288
-
C:\Windows\SysWOW64\Plfhdlfb.exeC:\Windows\system32\Plfhdlfb.exe99⤵PID:2384
-
C:\Windows\SysWOW64\Pacqlcdi.exeC:\Windows\system32\Pacqlcdi.exe100⤵PID:1756
-
C:\Windows\SysWOW64\Pkkeeikj.exeC:\Windows\system32\Pkkeeikj.exe101⤵PID:2912
-
C:\Windows\SysWOW64\Peaibajp.exeC:\Windows\system32\Peaibajp.exe102⤵PID:2696
-
C:\Windows\SysWOW64\Pknakhig.exeC:\Windows\system32\Pknakhig.exe103⤵PID:1872
-
C:\Windows\SysWOW64\Pmlngdhk.exeC:\Windows\system32\Pmlngdhk.exe104⤵PID:2460
-
C:\Windows\SysWOW64\Phabdmgq.exeC:\Windows\system32\Phabdmgq.exe105⤵PID:1680
-
C:\Windows\SysWOW64\Qnoklc32.exeC:\Windows\system32\Qnoklc32.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2996 -
C:\Windows\SysWOW64\Qckcdj32.exeC:\Windows\system32\Qckcdj32.exe107⤵
- Drops file in System32 directory
- Modifies registry class
PID:2840 -
C:\Windows\SysWOW64\Qiekadkl.exeC:\Windows\system32\Qiekadkl.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:884 -
C:\Windows\SysWOW64\Acnpjj32.exeC:\Windows\system32\Acnpjj32.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2212 -
C:\Windows\SysWOW64\Alfdcp32.exeC:\Windows\system32\Alfdcp32.exe110⤵
- Drops file in System32 directory
PID:2176 -
C:\Windows\SysWOW64\Aglhph32.exeC:\Windows\system32\Aglhph32.exe111⤵PID:548
-
C:\Windows\SysWOW64\Alhaho32.exeC:\Windows\system32\Alhaho32.exe112⤵
- Modifies registry class
PID:804 -
C:\Windows\SysWOW64\Acbieing.exeC:\Windows\system32\Acbieing.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2184 -
C:\Windows\SysWOW64\Ahoamplo.exeC:\Windows\system32\Ahoamplo.exe114⤵
- Drops file in System32 directory
PID:2892 -
C:\Windows\SysWOW64\Aoijjjcl.exeC:\Windows\system32\Aoijjjcl.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3100 -
C:\Windows\SysWOW64\Adfbbabc.exeC:\Windows\system32\Adfbbabc.exe116⤵PID:3140
-
C:\Windows\SysWOW64\Aokfpjai.exeC:\Windows\system32\Aokfpjai.exe117⤵PID:3180
-
C:\Windows\SysWOW64\Afeold32.exeC:\Windows\system32\Afeold32.exe118⤵PID:3220
-
C:\Windows\SysWOW64\Aggkdlod.exeC:\Windows\system32\Aggkdlod.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3260 -
C:\Windows\SysWOW64\Bnqcaffa.exeC:\Windows\system32\Bnqcaffa.exe120⤵
- Modifies registry class
PID:3300 -
C:\Windows\SysWOW64\Bdklnq32.exeC:\Windows\system32\Bdklnq32.exe121⤵PID:3340
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-