Analysis
-
max time kernel
90s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
18-11-2024 10:56
Behavioral task
behavioral1
Sample
e03c013614756a47a23772ea466e8846b0006a7341c2483ec3f7b7f1911491dc.exe
Resource
win7-20241010-en
windows7-x64
12 signatures
120 seconds
General
-
Target
e03c013614756a47a23772ea466e8846b0006a7341c2483ec3f7b7f1911491dc.exe
-
Size
93KB
-
MD5
ab233e37d9cd874370b77c37652f76e5
-
SHA1
8bbc67cac79a7b7278078ee6d8c4dd4be0942903
-
SHA256
e03c013614756a47a23772ea466e8846b0006a7341c2483ec3f7b7f1911491dc
-
SHA512
baf069f4428f21266af6f2d7750b5688b7e8187672911fbf9d9f00acf20f537e39b38a48b19e8af6f261424ec250179eac14b3c4790c4f7bb9d5e3f1484fff8e
-
SSDEEP
1536:Z33HBe+GD379SUCXCZ1DaYfMZRWuLsV+1z:p3hrG/9SUCXCZgYfc0DV+1z
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Adncoc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alfflhpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pikohg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hcajjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pdegnn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcbofk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdcebagp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bikemiik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Npjonlee.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndoenlcf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdkfco32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iekgod32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkkilfjk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iockhigl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcndag32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnambeed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Agchdfmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pejejkhl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oaciom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Niijdq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gdgcnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bbmggp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hlgmkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ibmhjc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjpehn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkpckeek.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmaoomld.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gomjckqc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Onipbl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oaolne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojojmfed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Okmceiii.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmhibenb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eccdmmpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kgffpk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kcpcjl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmaaha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdkfco32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glcfgk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gefjlg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcajjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ehpgha32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajipmocp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okijhmcm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbjbibli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eodknifb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mognco32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofaaghom.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbbegl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldljqpli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kfqpmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jiinmnaa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmelfeqn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egdnjlcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fgdjipfc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikfdmogp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kacakgip.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alicahno.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ablmilgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Knodnb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjplao32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpbiolnl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhgpgjoj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpekln32.exe -
Berbew family
-
Njrat family
-
Executes dropped EXE 64 IoCs
pid Process 1824 Oaciom32.exe 3012 Oklmhcdf.exe 2208 Oeaael32.exe 1988 Oojfnakl.exe 2780 Ohbjgg32.exe 2540 Pqplqile.exe 1700 Pnfipm32.exe 2948 Pfando32.exe 1828 Pffgonbb.exe 2860 Qbmhdp32.exe 2328 Qnciiq32.exe 792 Aepnkjcd.exe 2420 Agqfme32.exe 2176 Ajapoqmf.exe 2632 Aiflpm32.exe 2188 Bfjmia32.exe 1804 Bepjjn32.exe 1208 Bhpclica.exe 1868 Bjoohdbd.exe 680 Bhbpahan.exe 1536 Bakdjn32.exe 2664 Ckchcc32.exe 1736 Cihedpcg.exe 1688 Cpejfjha.exe 2320 Cmikpngk.exe 2864 Cojghf32.exe 2920 Chblqlcj.exe 1576 Dibhjokm.exe 3000 Doamhe32.exe 2760 Dglbmg32.exe 536 Docjne32.exe 2056 Dkjkcfjc.exe 2840 Dcepgh32.exe 1720 Echlmh32.exe 320 Elpqemll.exe 1952 Elbmkm32.exe 2112 Ebofcd32.exe 1712 Efmoib32.exe 1540 Fnafdc32.exe 1524 Gbdlnf32.exe 2256 Gibmep32.exe 892 Gbkaneao.exe 2692 Glcfgk32.exe 1384 Hjhchg32.exe 880 Hengep32.exe 1812 Hdcdfmqe.exe 1552 Hfaqbh32.exe 2008 Hagepa32.exe 1036 Hjoiiffo.exe 2560 Hffjng32.exe 3008 Hmpbja32.exe 2032 Iekgod32.exe 2908 Iockhigl.exe 2800 Ihlpqonl.exe 2364 Iofhmi32.exe 1472 Iljifm32.exe 1832 Iagaod32.exe 2212 Ihqilnig.exe 1352 Iainddpg.exe 2372 Jidbifmb.exe 2356 Jdjgfomh.exe 2168 Jlekja32.exe 904 Jcocgkbp.exe 2584 Jcaqmkpn.exe -
Loads dropped DLL 64 IoCs
pid Process 2576 e03c013614756a47a23772ea466e8846b0006a7341c2483ec3f7b7f1911491dc.exe 2576 e03c013614756a47a23772ea466e8846b0006a7341c2483ec3f7b7f1911491dc.exe 1824 Oaciom32.exe 1824 Oaciom32.exe 3012 Oklmhcdf.exe 3012 Oklmhcdf.exe 2208 Oeaael32.exe 2208 Oeaael32.exe 1988 Oojfnakl.exe 1988 Oojfnakl.exe 2780 Ohbjgg32.exe 2780 Ohbjgg32.exe 2540 Pqplqile.exe 2540 Pqplqile.exe 1700 Pnfipm32.exe 1700 Pnfipm32.exe 2948 Pfando32.exe 2948 Pfando32.exe 1828 Pffgonbb.exe 1828 Pffgonbb.exe 2860 Qbmhdp32.exe 2860 Qbmhdp32.exe 2328 Qnciiq32.exe 2328 Qnciiq32.exe 792 Aepnkjcd.exe 792 Aepnkjcd.exe 2420 Agqfme32.exe 2420 Agqfme32.exe 2176 Ajapoqmf.exe 2176 Ajapoqmf.exe 2632 Aiflpm32.exe 2632 Aiflpm32.exe 2188 Bfjmia32.exe 2188 Bfjmia32.exe 1804 Bepjjn32.exe 1804 Bepjjn32.exe 1208 Bhpclica.exe 1208 Bhpclica.exe 1868 Bjoohdbd.exe 1868 Bjoohdbd.exe 680 Bhbpahan.exe 680 Bhbpahan.exe 1536 Bakdjn32.exe 1536 Bakdjn32.exe 2664 Ckchcc32.exe 2664 Ckchcc32.exe 1736 Cihedpcg.exe 1736 Cihedpcg.exe 1688 Cpejfjha.exe 1688 Cpejfjha.exe 2320 Cmikpngk.exe 2320 Cmikpngk.exe 2864 Cojghf32.exe 2864 Cojghf32.exe 2920 Chblqlcj.exe 2920 Chblqlcj.exe 1576 Dibhjokm.exe 1576 Dibhjokm.exe 3000 Doamhe32.exe 3000 Doamhe32.exe 2760 Dglbmg32.exe 2760 Dglbmg32.exe 536 Docjne32.exe 536 Docjne32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Fbjchfaq.exe Fianpp32.exe File opened for modification C:\Windows\SysWOW64\Gfjcgc32.exe Gmaoomld.exe File opened for modification C:\Windows\SysWOW64\Kbflqccl.exe Jlmddi32.exe File created C:\Windows\SysWOW64\Nicfnn32.exe Nnnbqeib.exe File created C:\Windows\SysWOW64\Dbfaopqo.exe Cdbqflae.exe File opened for modification C:\Windows\SysWOW64\Gkoodd32.exe Gfbfln32.exe File created C:\Windows\SysWOW64\Ccbpjajc.dll Alfflhpa.exe File created C:\Windows\SysWOW64\Nogeln32.dll Hlijan32.exe File created C:\Windows\SysWOW64\Anjnllbd.exe Allbpqcp.exe File created C:\Windows\SysWOW64\Gnaffpoi.exe Fffabman.exe File created C:\Windows\SysWOW64\Koogdg32.exe Kffblb32.exe File opened for modification C:\Windows\SysWOW64\Akmlacdn.exe Afpchl32.exe File created C:\Windows\SysWOW64\Iklbhdga.exe Ijjebd32.exe File created C:\Windows\SysWOW64\Hefdpl32.dll Jfiekc32.exe File opened for modification C:\Windows\SysWOW64\Gbolce32.exe Ghihfl32.exe File opened for modification C:\Windows\SysWOW64\Gbbdemnl.exe Gaahmd32.exe File created C:\Windows\SysWOW64\Apeflmjc.exe Agmacgcc.exe File created C:\Windows\SysWOW64\Qfbahldf.exe Pcokaa32.exe File created C:\Windows\SysWOW64\Bbgnlkhf.dll Hpfoekhm.exe File created C:\Windows\SysWOW64\Mipjbokm.exe Mdcbjhme.exe File created C:\Windows\SysWOW64\Kgqlke32.dll Ebofcd32.exe File created C:\Windows\SysWOW64\Qfimhmlo.exe Qmahog32.exe File opened for modification C:\Windows\SysWOW64\Jidngh32.exe Jlpmndba.exe File created C:\Windows\SysWOW64\Dlicoiod.dll Qlqdmj32.exe File created C:\Windows\SysWOW64\Fnglekch.exe Fdohme32.exe File opened for modification C:\Windows\SysWOW64\Lgdcom32.exe Lphnlcnh.exe File created C:\Windows\SysWOW64\Noiiaj32.exe Nijdcdgn.exe File created C:\Windows\SysWOW64\Dokmel32.exe Dechlfkl.exe File opened for modification C:\Windows\SysWOW64\Fmcchb32.exe Ebnokjpf.exe File created C:\Windows\SysWOW64\Agonig32.exe Apeflmjc.exe File created C:\Windows\SysWOW64\Kckaokam.dll Cgmiba32.exe File created C:\Windows\SysWOW64\Ilneef32.exe Hinlck32.exe File created C:\Windows\SysWOW64\Mnpfkfcn.dll Jpeafo32.exe File created C:\Windows\SysWOW64\Dkhdhoei.dll Nbbegl32.exe File opened for modification C:\Windows\SysWOW64\Eokiabjf.exe Eeceim32.exe File created C:\Windows\SysWOW64\Qggoeilh.exe Qicoleno.exe File opened for modification C:\Windows\SysWOW64\Gpfbfh32.exe Geqnho32.exe File opened for modification C:\Windows\SysWOW64\Ilolol32.exe Hpfoekhm.exe File created C:\Windows\SysWOW64\Lcllii32.exe Lgekdh32.exe File created C:\Windows\SysWOW64\Lffohikd.exe Lmnkpc32.exe File opened for modification C:\Windows\SysWOW64\Cmapna32.exe Cbllph32.exe File opened for modification C:\Windows\SysWOW64\Eehqme32.exe Eonhpk32.exe File created C:\Windows\SysWOW64\Kgokdhjl.dll Pjdjbl32.exe File opened for modification C:\Windows\SysWOW64\Hblgkkfa.exe Hiccbfoa.exe File created C:\Windows\SysWOW64\Mdahnmck.exe Lbpolb32.exe File created C:\Windows\SysWOW64\Nnhkggli.dll Cfjdfg32.exe File opened for modification C:\Windows\SysWOW64\Abhnlqlf.exe Afamgpga.exe File created C:\Windows\SysWOW64\Fgdjipfc.exe Fbgaahgl.exe File created C:\Windows\SysWOW64\Khejqp32.dll Hajdniep.exe File created C:\Windows\SysWOW64\Eagdgaoe.exe Eccdmmpk.exe File opened for modification C:\Windows\SysWOW64\Kfccmini.exe Jkjbml32.exe File created C:\Windows\SysWOW64\Kjdiigbm.exe Kpndlobg.exe File created C:\Windows\SysWOW64\Ebineoap.dll Fbjchfaq.exe File created C:\Windows\SysWOW64\Edghoc32.dll Qgeckn32.exe File created C:\Windows\SysWOW64\Ekjjebed.exe Dfmbmkgm.exe File created C:\Windows\SysWOW64\Dmkdanef.dll Dfmbmkgm.exe File created C:\Windows\SysWOW64\Mlmjgnaa.exe Magfjebk.exe File created C:\Windows\SysWOW64\Ollljo32.exe Opekenmh.exe File created C:\Windows\SysWOW64\Imjhfl32.dll Pdljjplb.exe File created C:\Windows\SysWOW64\Glqang32.dll Mqhhbn32.exe File opened for modification C:\Windows\SysWOW64\Bchmolkm.exe Bichbckg.exe File created C:\Windows\SysWOW64\Cffejk32.exe Ckpdej32.exe File opened for modification C:\Windows\SysWOW64\Iipgeb32.exe Iccnmk32.exe File created C:\Windows\SysWOW64\Afjplj32.exe Qgeckn32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3172 4336 WerFault.exe 998 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oaeacppk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmcchb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlefjpid.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omoehf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Injlmcib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfajhblm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnppei32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnaffpoi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaiijgbi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgklma32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llmnjg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfkbfg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlnbqijd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdljjplb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjplao32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gacgli32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpiihgoh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kobmkj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbjbibli.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmocha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldljqpli.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aofhcmig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjfdfcjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmjohoej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Belfldoh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjoohdbd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfeibo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eeceim32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbnkha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnihneon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnikmnho.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lighjd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpndlobg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjdonndl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhbnjpic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmdehgcf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekkppkpf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mljnaocd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Coknmp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbmgapgc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pffgonbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlmjgnaa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glpbiaqg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkckblgq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Caqfiloi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkemli32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eghdanac.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncbfcq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijkjde32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jidppaio.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cplkehnk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agfikc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bcoffd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eelfedpa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fljhmmci.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcllii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gednek32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cllmdcej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcokaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fffabman.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afpchl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adhohapp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaffja32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hajdniep.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Odckho32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eddeia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bbolge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kmjfae32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gbolce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jidngh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bhdpjaga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okidgo32.dll" Cdkfco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pepigm32.dll" Lihifhoq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Noighakn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aipohogh.dll" Odckho32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cfjgopop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jkjbml32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Chohqebq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oenpon32.dll" Kbcfme32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cmbiap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cfjgopop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghehoe32.dll" Mcbofk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnjompcl.dll" Jiinmnaa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Adhohapp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qicoleno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjaeambn.dll" Alqplmlb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cilfka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojlgfmgh.dll" Pqcncnpe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oaciom32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bpfgke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llbmlo32.dll" Cahmik32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ajibckpc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Odckho32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eghdanac.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hojqjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nagegjio.dll" Cgcoal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aikjmm32.dll" Ckchcc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iljifm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Geaaolbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhaiefep.dll" Legmpdga.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oeidlc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kbcfme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhqpmc32.dll" Nljcflbd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nlklik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncpdlhhj.dll" Pcokaa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qbiamm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oaolne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kglhbijp.dll" Pconjjql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lglbcaph.dll" Cojghf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hnljkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kaaeegkc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kbflqccl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bgagnjbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdgdja32.dll" Fljhmmci.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aepnkjcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Geaaolbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Njammhei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aecdpmbm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qabojbcg.dll" Hohfmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlamnm32.dll" Fqfipj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Npneeocq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnkpmkkd.dll" Kejdqffo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Blabef32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dblcnngi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gpfbfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cocnanmd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gmhibenb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Denknngk.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2576 wrote to memory of 1824 2576 e03c013614756a47a23772ea466e8846b0006a7341c2483ec3f7b7f1911491dc.exe 30 PID 2576 wrote to memory of 1824 2576 e03c013614756a47a23772ea466e8846b0006a7341c2483ec3f7b7f1911491dc.exe 30 PID 2576 wrote to memory of 1824 2576 e03c013614756a47a23772ea466e8846b0006a7341c2483ec3f7b7f1911491dc.exe 30 PID 2576 wrote to memory of 1824 2576 e03c013614756a47a23772ea466e8846b0006a7341c2483ec3f7b7f1911491dc.exe 30 PID 1824 wrote to memory of 3012 1824 Oaciom32.exe 31 PID 1824 wrote to memory of 3012 1824 Oaciom32.exe 31 PID 1824 wrote to memory of 3012 1824 Oaciom32.exe 31 PID 1824 wrote to memory of 3012 1824 Oaciom32.exe 31 PID 3012 wrote to memory of 2208 3012 Oklmhcdf.exe 32 PID 3012 wrote to memory of 2208 3012 Oklmhcdf.exe 32 PID 3012 wrote to memory of 2208 3012 Oklmhcdf.exe 32 PID 3012 wrote to memory of 2208 3012 Oklmhcdf.exe 32 PID 2208 wrote to memory of 1988 2208 Oeaael32.exe 33 PID 2208 wrote to memory of 1988 2208 Oeaael32.exe 33 PID 2208 wrote to memory of 1988 2208 Oeaael32.exe 33 PID 2208 wrote to memory of 1988 2208 Oeaael32.exe 33 PID 1988 wrote to memory of 2780 1988 Oojfnakl.exe 34 PID 1988 wrote to memory of 2780 1988 Oojfnakl.exe 34 PID 1988 wrote to memory of 2780 1988 Oojfnakl.exe 34 PID 1988 wrote to memory of 2780 1988 Oojfnakl.exe 34 PID 2780 wrote to memory of 2540 2780 Ohbjgg32.exe 35 PID 2780 wrote to memory of 2540 2780 Ohbjgg32.exe 35 PID 2780 wrote to memory of 2540 2780 Ohbjgg32.exe 35 PID 2780 wrote to memory of 2540 2780 Ohbjgg32.exe 35 PID 2540 wrote to memory of 1700 2540 Pqplqile.exe 36 PID 2540 wrote to memory of 1700 2540 Pqplqile.exe 36 PID 2540 wrote to memory of 1700 2540 Pqplqile.exe 36 PID 2540 wrote to memory of 1700 2540 Pqplqile.exe 36 PID 1700 wrote to memory of 2948 1700 Pnfipm32.exe 37 PID 1700 wrote to memory of 2948 1700 Pnfipm32.exe 37 PID 1700 wrote to memory of 2948 1700 Pnfipm32.exe 37 PID 1700 wrote to memory of 2948 1700 Pnfipm32.exe 37 PID 2948 wrote to memory of 1828 2948 Pfando32.exe 38 PID 2948 wrote to memory of 1828 2948 Pfando32.exe 38 PID 2948 wrote to memory of 1828 2948 Pfando32.exe 38 PID 2948 wrote to memory of 1828 2948 Pfando32.exe 38 PID 1828 wrote to memory of 2860 1828 Pffgonbb.exe 39 PID 1828 wrote to memory of 2860 1828 Pffgonbb.exe 39 PID 1828 wrote to memory of 2860 1828 Pffgonbb.exe 39 PID 1828 wrote to memory of 2860 1828 Pffgonbb.exe 39 PID 2860 wrote to memory of 2328 2860 Qbmhdp32.exe 40 PID 2860 wrote to memory of 2328 2860 Qbmhdp32.exe 40 PID 2860 wrote to memory of 2328 2860 Qbmhdp32.exe 40 PID 2860 wrote to memory of 2328 2860 Qbmhdp32.exe 40 PID 2328 wrote to memory of 792 2328 Qnciiq32.exe 41 PID 2328 wrote to memory of 792 2328 Qnciiq32.exe 41 PID 2328 wrote to memory of 792 2328 Qnciiq32.exe 41 PID 2328 wrote to memory of 792 2328 Qnciiq32.exe 41 PID 792 wrote to memory of 2420 792 Aepnkjcd.exe 42 PID 792 wrote to memory of 2420 792 Aepnkjcd.exe 42 PID 792 wrote to memory of 2420 792 Aepnkjcd.exe 42 PID 792 wrote to memory of 2420 792 Aepnkjcd.exe 42 PID 2420 wrote to memory of 2176 2420 Agqfme32.exe 43 PID 2420 wrote to memory of 2176 2420 Agqfme32.exe 43 PID 2420 wrote to memory of 2176 2420 Agqfme32.exe 43 PID 2420 wrote to memory of 2176 2420 Agqfme32.exe 43 PID 2176 wrote to memory of 2632 2176 Ajapoqmf.exe 44 PID 2176 wrote to memory of 2632 2176 Ajapoqmf.exe 44 PID 2176 wrote to memory of 2632 2176 Ajapoqmf.exe 44 PID 2176 wrote to memory of 2632 2176 Ajapoqmf.exe 44 PID 2632 wrote to memory of 2188 2632 Aiflpm32.exe 45 PID 2632 wrote to memory of 2188 2632 Aiflpm32.exe 45 PID 2632 wrote to memory of 2188 2632 Aiflpm32.exe 45 PID 2632 wrote to memory of 2188 2632 Aiflpm32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\e03c013614756a47a23772ea466e8846b0006a7341c2483ec3f7b7f1911491dc.exe"C:\Users\Admin\AppData\Local\Temp\e03c013614756a47a23772ea466e8846b0006a7341c2483ec3f7b7f1911491dc.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2576 -
C:\Windows\SysWOW64\Oaciom32.exeC:\Windows\system32\Oaciom32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1824 -
C:\Windows\SysWOW64\Oklmhcdf.exeC:\Windows\system32\Oklmhcdf.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3012 -
C:\Windows\SysWOW64\Oeaael32.exeC:\Windows\system32\Oeaael32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2208 -
C:\Windows\SysWOW64\Oojfnakl.exeC:\Windows\system32\Oojfnakl.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1988 -
C:\Windows\SysWOW64\Ohbjgg32.exeC:\Windows\system32\Ohbjgg32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2780 -
C:\Windows\SysWOW64\Pqplqile.exeC:\Windows\system32\Pqplqile.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2540 -
C:\Windows\SysWOW64\Pnfipm32.exeC:\Windows\system32\Pnfipm32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1700 -
C:\Windows\SysWOW64\Pfando32.exeC:\Windows\system32\Pfando32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2948 -
C:\Windows\SysWOW64\Pffgonbb.exeC:\Windows\system32\Pffgonbb.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1828 -
C:\Windows\SysWOW64\Qbmhdp32.exeC:\Windows\system32\Qbmhdp32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2860 -
C:\Windows\SysWOW64\Qnciiq32.exeC:\Windows\system32\Qnciiq32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2328 -
C:\Windows\SysWOW64\Aepnkjcd.exeC:\Windows\system32\Aepnkjcd.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:792 -
C:\Windows\SysWOW64\Agqfme32.exeC:\Windows\system32\Agqfme32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2420 -
C:\Windows\SysWOW64\Ajapoqmf.exeC:\Windows\system32\Ajapoqmf.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2176 -
C:\Windows\SysWOW64\Aiflpm32.exeC:\Windows\system32\Aiflpm32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2632 -
C:\Windows\SysWOW64\Bfjmia32.exeC:\Windows\system32\Bfjmia32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2188 -
C:\Windows\SysWOW64\Bepjjn32.exeC:\Windows\system32\Bepjjn32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1804 -
C:\Windows\SysWOW64\Bhpclica.exeC:\Windows\system32\Bhpclica.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1208 -
C:\Windows\SysWOW64\Bjoohdbd.exeC:\Windows\system32\Bjoohdbd.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1868 -
C:\Windows\SysWOW64\Bhbpahan.exeC:\Windows\system32\Bhbpahan.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:680 -
C:\Windows\SysWOW64\Bakdjn32.exeC:\Windows\system32\Bakdjn32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1536 -
C:\Windows\SysWOW64\Ckchcc32.exeC:\Windows\system32\Ckchcc32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2664 -
C:\Windows\SysWOW64\Cihedpcg.exeC:\Windows\system32\Cihedpcg.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1736 -
C:\Windows\SysWOW64\Cpejfjha.exeC:\Windows\system32\Cpejfjha.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1688 -
C:\Windows\SysWOW64\Cmikpngk.exeC:\Windows\system32\Cmikpngk.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2320 -
C:\Windows\SysWOW64\Cojghf32.exeC:\Windows\system32\Cojghf32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2864 -
C:\Windows\SysWOW64\Chblqlcj.exeC:\Windows\system32\Chblqlcj.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2920 -
C:\Windows\SysWOW64\Dibhjokm.exeC:\Windows\system32\Dibhjokm.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1576 -
C:\Windows\SysWOW64\Doamhe32.exeC:\Windows\system32\Doamhe32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3000 -
C:\Windows\SysWOW64\Dglbmg32.exeC:\Windows\system32\Dglbmg32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2760 -
C:\Windows\SysWOW64\Docjne32.exeC:\Windows\system32\Docjne32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:536 -
C:\Windows\SysWOW64\Dkjkcfjc.exeC:\Windows\system32\Dkjkcfjc.exe33⤵
- Executes dropped EXE
PID:2056 -
C:\Windows\SysWOW64\Dcepgh32.exeC:\Windows\system32\Dcepgh32.exe34⤵
- Executes dropped EXE
PID:2840 -
C:\Windows\SysWOW64\Echlmh32.exeC:\Windows\system32\Echlmh32.exe35⤵
- Executes dropped EXE
PID:1720 -
C:\Windows\SysWOW64\Elpqemll.exeC:\Windows\system32\Elpqemll.exe36⤵
- Executes dropped EXE
PID:320 -
C:\Windows\SysWOW64\Elbmkm32.exeC:\Windows\system32\Elbmkm32.exe37⤵
- Executes dropped EXE
PID:1952 -
C:\Windows\SysWOW64\Ebofcd32.exeC:\Windows\system32\Ebofcd32.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2112 -
C:\Windows\SysWOW64\Efmoib32.exeC:\Windows\system32\Efmoib32.exe39⤵
- Executes dropped EXE
PID:1712 -
C:\Windows\SysWOW64\Fnafdc32.exeC:\Windows\system32\Fnafdc32.exe40⤵
- Executes dropped EXE
PID:1540 -
C:\Windows\SysWOW64\Gbdlnf32.exeC:\Windows\system32\Gbdlnf32.exe41⤵
- Executes dropped EXE
PID:1524 -
C:\Windows\SysWOW64\Gibmep32.exeC:\Windows\system32\Gibmep32.exe42⤵
- Executes dropped EXE
PID:2256 -
C:\Windows\SysWOW64\Gbkaneao.exeC:\Windows\system32\Gbkaneao.exe43⤵
- Executes dropped EXE
PID:892 -
C:\Windows\SysWOW64\Glcfgk32.exeC:\Windows\system32\Glcfgk32.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2692 -
C:\Windows\SysWOW64\Hjhchg32.exeC:\Windows\system32\Hjhchg32.exe45⤵
- Executes dropped EXE
PID:1384 -
C:\Windows\SysWOW64\Hengep32.exeC:\Windows\system32\Hengep32.exe46⤵
- Executes dropped EXE
PID:880 -
C:\Windows\SysWOW64\Hdcdfmqe.exeC:\Windows\system32\Hdcdfmqe.exe47⤵
- Executes dropped EXE
PID:1812 -
C:\Windows\SysWOW64\Hfaqbh32.exeC:\Windows\system32\Hfaqbh32.exe48⤵
- Executes dropped EXE
PID:1552 -
C:\Windows\SysWOW64\Hagepa32.exeC:\Windows\system32\Hagepa32.exe49⤵
- Executes dropped EXE
PID:2008 -
C:\Windows\SysWOW64\Hjoiiffo.exeC:\Windows\system32\Hjoiiffo.exe50⤵
- Executes dropped EXE
PID:1036 -
C:\Windows\SysWOW64\Hffjng32.exeC:\Windows\system32\Hffjng32.exe51⤵
- Executes dropped EXE
PID:2560 -
C:\Windows\SysWOW64\Hmpbja32.exeC:\Windows\system32\Hmpbja32.exe52⤵
- Executes dropped EXE
PID:3008 -
C:\Windows\SysWOW64\Iekgod32.exeC:\Windows\system32\Iekgod32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2032 -
C:\Windows\SysWOW64\Iockhigl.exeC:\Windows\system32\Iockhigl.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2908 -
C:\Windows\SysWOW64\Ihlpqonl.exeC:\Windows\system32\Ihlpqonl.exe55⤵
- Executes dropped EXE
PID:2800 -
C:\Windows\SysWOW64\Iofhmi32.exeC:\Windows\system32\Iofhmi32.exe56⤵
- Executes dropped EXE
PID:2364 -
C:\Windows\SysWOW64\Iljifm32.exeC:\Windows\system32\Iljifm32.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:1472 -
C:\Windows\SysWOW64\Iagaod32.exeC:\Windows\system32\Iagaod32.exe58⤵
- Executes dropped EXE
PID:1832 -
C:\Windows\SysWOW64\Ihqilnig.exeC:\Windows\system32\Ihqilnig.exe59⤵
- Executes dropped EXE
PID:2212 -
C:\Windows\SysWOW64\Iainddpg.exeC:\Windows\system32\Iainddpg.exe60⤵
- Executes dropped EXE
PID:1352 -
C:\Windows\SysWOW64\Jidbifmb.exeC:\Windows\system32\Jidbifmb.exe61⤵
- Executes dropped EXE
PID:2372 -
C:\Windows\SysWOW64\Jdjgfomh.exeC:\Windows\system32\Jdjgfomh.exe62⤵
- Executes dropped EXE
PID:2356 -
C:\Windows\SysWOW64\Jlekja32.exeC:\Windows\system32\Jlekja32.exe63⤵
- Executes dropped EXE
PID:2168 -
C:\Windows\SysWOW64\Jcocgkbp.exeC:\Windows\system32\Jcocgkbp.exe64⤵
- Executes dropped EXE
PID:904 -
C:\Windows\SysWOW64\Jcaqmkpn.exeC:\Windows\system32\Jcaqmkpn.exe65⤵
- Executes dropped EXE
PID:2584 -
C:\Windows\SysWOW64\Jpeafo32.exeC:\Windows\system32\Jpeafo32.exe66⤵
- Drops file in System32 directory
PID:1508 -
C:\Windows\SysWOW64\Jhqeka32.exeC:\Windows\system32\Jhqeka32.exe67⤵PID:1936
-
C:\Windows\SysWOW64\Jcfjhj32.exeC:\Windows\system32\Jcfjhj32.exe68⤵PID:1668
-
C:\Windows\SysWOW64\Kkaolm32.exeC:\Windows\system32\Kkaolm32.exe69⤵PID:1568
-
C:\Windows\SysWOW64\Kkckblgq.exeC:\Windows\system32\Kkckblgq.exe70⤵
- System Location Discovery: System Language Discovery
PID:2912 -
C:\Windows\SysWOW64\Kqqdjceh.exeC:\Windows\system32\Kqqdjceh.exe71⤵PID:2900
-
C:\Windows\SysWOW64\Kjihci32.exeC:\Windows\system32\Kjihci32.exe72⤵PID:2808
-
C:\Windows\SysWOW64\Kjkehhjf.exeC:\Windows\system32\Kjkehhjf.exe73⤵PID:2816
-
C:\Windows\SysWOW64\Lmlnjcgg.exeC:\Windows\system32\Lmlnjcgg.exe74⤵PID:2848
-
C:\Windows\SysWOW64\Lgabgl32.exeC:\Windows\system32\Lgabgl32.exe75⤵PID:1156
-
C:\Windows\SysWOW64\Lmnkpc32.exeC:\Windows\system32\Lmnkpc32.exe76⤵
- Drops file in System32 directory
PID:436 -
C:\Windows\SysWOW64\Lffohikd.exeC:\Windows\system32\Lffohikd.exe77⤵PID:2872
-
C:\Windows\SysWOW64\Lmqgec32.exeC:\Windows\system32\Lmqgec32.exe78⤵PID:1108
-
C:\Windows\SysWOW64\Lighjd32.exeC:\Windows\system32\Lighjd32.exe79⤵
- System Location Discovery: System Language Discovery
PID:1880 -
C:\Windows\SysWOW64\Lndqbk32.exeC:\Windows\system32\Lndqbk32.exe80⤵PID:2408
-
C:\Windows\SysWOW64\Lenioenj.exeC:\Windows\system32\Lenioenj.exe81⤵PID:2468
-
C:\Windows\SysWOW64\Lpcmlnnp.exeC:\Windows\system32\Lpcmlnnp.exe82⤵PID:840
-
C:\Windows\SysWOW64\Mljnaocd.exeC:\Windows\system32\Mljnaocd.exe83⤵
- System Location Discovery: System Language Discovery
PID:2228 -
C:\Windows\SysWOW64\Magfjebk.exeC:\Windows\system32\Magfjebk.exe84⤵
- Drops file in System32 directory
PID:456 -
C:\Windows\SysWOW64\Mlmjgnaa.exeC:\Windows\system32\Mlmjgnaa.exe85⤵
- System Location Discovery: System Language Discovery
PID:1168 -
C:\Windows\SysWOW64\Mmngof32.exeC:\Windows\system32\Mmngof32.exe86⤵PID:2568
-
C:\Windows\SysWOW64\Mchokq32.exeC:\Windows\system32\Mchokq32.exe87⤵PID:2876
-
C:\Windows\SysWOW64\Mjbghkfi.exeC:\Windows\system32\Mjbghkfi.exe88⤵PID:2924
-
C:\Windows\SysWOW64\Mcjlap32.exeC:\Windows\system32\Mcjlap32.exe89⤵PID:3064
-
C:\Windows\SysWOW64\Migdig32.exeC:\Windows\system32\Migdig32.exe90⤵PID:2744
-
C:\Windows\SysWOW64\Mfkebkjk.exeC:\Windows\system32\Mfkebkjk.exe91⤵PID:1392
-
C:\Windows\SysWOW64\Nbbegl32.exeC:\Windows\system32\Nbbegl32.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3004 -
C:\Windows\SysWOW64\Npffaq32.exeC:\Windows\system32\Npffaq32.exe93⤵PID:3024
-
C:\Windows\SysWOW64\Nfpnnk32.exeC:\Windows\system32\Nfpnnk32.exe94⤵PID:2428
-
C:\Windows\SysWOW64\Niqgof32.exeC:\Windows\system32\Niqgof32.exe95⤵PID:2312
-
C:\Windows\SysWOW64\Nlocka32.exeC:\Windows\system32\Nlocka32.exe96⤵PID:864
-
C:\Windows\SysWOW64\Nhfdqb32.exeC:\Windows\system32\Nhfdqb32.exe97⤵PID:1964
-
C:\Windows\SysWOW64\Noplmlok.exeC:\Windows\system32\Noplmlok.exe98⤵PID:108
-
C:\Windows\SysWOW64\Ngkaaolf.exeC:\Windows\system32\Ngkaaolf.exe99⤵PID:2764
-
C:\Windows\SysWOW64\Opcejd32.exeC:\Windows\system32\Opcejd32.exe100⤵PID:1692
-
C:\Windows\SysWOW64\Okijhmcm.exeC:\Windows\system32\Okijhmcm.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2916 -
C:\Windows\SysWOW64\Opebpdad.exeC:\Windows\system32\Opebpdad.exe102⤵PID:2884
-
C:\Windows\SysWOW64\Ollcee32.exeC:\Windows\system32\Ollcee32.exe103⤵PID:2836
-
C:\Windows\SysWOW64\Pkkblp32.exeC:\Windows\system32\Pkkblp32.exe104⤵PID:2304
-
C:\Windows\SysWOW64\Pchdfb32.exeC:\Windows\system32\Pchdfb32.exe105⤵PID:784
-
C:\Windows\SysWOW64\Pjblcl32.exeC:\Windows\system32\Pjblcl32.exe106⤵PID:696
-
C:\Windows\SysWOW64\Qmahog32.exeC:\Windows\system32\Qmahog32.exe107⤵
- Drops file in System32 directory
PID:2432 -
C:\Windows\SysWOW64\Qfimhmlo.exeC:\Windows\system32\Qfimhmlo.exe108⤵PID:2128
-
C:\Windows\SysWOW64\Qnpeijla.exeC:\Windows\system32\Qnpeijla.exe109⤵PID:2204
-
C:\Windows\SysWOW64\Qcmnaaji.exeC:\Windows\system32\Qcmnaaji.exe110⤵PID:1648
-
C:\Windows\SysWOW64\Amebjgai.exeC:\Windows\system32\Amebjgai.exe111⤵PID:1676
-
C:\Windows\SysWOW64\Aodnfbpm.exeC:\Windows\system32\Aodnfbpm.exe112⤵PID:1028
-
C:\Windows\SysWOW64\Ajibckpc.exeC:\Windows\system32\Ajibckpc.exe113⤵
- Modifies registry class
PID:604 -
C:\Windows\SysWOW64\Amhopfof.exeC:\Windows\system32\Amhopfof.exe114⤵PID:2148
-
C:\Windows\SysWOW64\Afpchl32.exeC:\Windows\system32\Afpchl32.exe115⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1992 -
C:\Windows\SysWOW64\Akmlacdn.exeC:\Windows\system32\Akmlacdn.exe116⤵PID:1956
-
C:\Windows\SysWOW64\Afbpnlcd.exeC:\Windows\system32\Afbpnlcd.exe117⤵PID:2024
-
C:\Windows\SysWOW64\Agdlfd32.exeC:\Windows\system32\Agdlfd32.exe118⤵PID:960
-
C:\Windows\SysWOW64\Aehmoh32.exeC:\Windows\system32\Aehmoh32.exe119⤵PID:2812
-
C:\Windows\SysWOW64\Agfikc32.exeC:\Windows\system32\Agfikc32.exe120⤵
- System Location Discovery: System Language Discovery
PID:1436 -
C:\Windows\SysWOW64\Ablmilgf.exeC:\Windows\system32\Ablmilgf.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2612
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-