Analysis
-
max time kernel
121s -
max time network
127s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
23-11-2024 05:31
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
f9e147bfe75f72e611ec26cdf73f894e22207c780765d31d5d1117dc68ec09e8.exe
Resource
win7-20241010-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral2
Sample
f9e147bfe75f72e611ec26cdf73f894e22207c780765d31d5d1117dc68ec09e8.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
f9e147bfe75f72e611ec26cdf73f894e22207c780765d31d5d1117dc68ec09e8.exe
-
Size
91KB
-
MD5
6f2371458cedea37bace1a54a3ac4815
-
SHA1
172c375a56e0cdbddfa13bd9d605b18692faa053
-
SHA256
f9e147bfe75f72e611ec26cdf73f894e22207c780765d31d5d1117dc68ec09e8
-
SHA512
dec9db9657a4f625b98e2c7ab36c27e7876ac2f6ac67ea028f5ee2cdf21587092353ab949c677dad98e495cb52b1d1486c83b2aaa1b9f4013116096f3da24051
-
SSDEEP
1536:+Uc8+Yu+y0ForiC3FSr7TiwkU6joqqIVLgO:w+yq6vFSr7TSUurUO
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://tat-neftbank.ru/kkq.php
http://tat-neftbank.ru/wcmd.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Echoepmo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ollncgjq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gnlpeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Abbjbnoq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdfief32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nmmlccfp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qakmghbm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhjdjc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlfbck32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlbkmdah.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkeahf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pchdfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oolelj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dahobdpe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pegpamoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jmhile32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kfbjjjci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mjpkbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lhpkoo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjbiac32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhffikob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bokcom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ciknhb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehjbaooe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hndoifdp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgaqohql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkihpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajghgd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilmool32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mbhlgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdmhcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bpdkajic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmdofebo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oqmokioh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjoohdbd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Inqhhc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omddmkhl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qijdqp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddnfql32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hiabjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ipecndab.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mldgbcoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mcfbfaao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pchdfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjdqfajl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aefhpc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lncgollm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Defljp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjpkbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ldlghhde.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmajdl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oojhfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kloqiijm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdmhcp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amjkefmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Joenaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qhgbibgg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npdkdjhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aoamoefh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jaonji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aqimoc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmpqbnmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Boncej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Honiikpa.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 1396 Pkojoghl.exe 2920 Palbgn32.exe 2712 Qijdqp32.exe 2840 Abbhje32.exe 2708 Abdeoe32.exe 944 Ankedf32.exe 3012 Aegkfpah.exe 3016 Abkkpd32.exe 2996 Bfpmog32.exe 1404 Bfbjdf32.exe 2172 Beggec32.exe 572 Bopknhjd.exe 2484 Celpqbon.exe 2184 Ccpqjfnh.exe 980 Cdcjgnbc.exe 1432 Cnlnpd32.exe 1848 Dpmgao32.exe 1700 Djeljd32.exe 1872 Dncdqcbl.exe 1952 Dcpmijqc.exe 1068 Dpcnbn32.exe 540 Dcdfdi32.exe 2568 Eokgij32.exe 2004 Edhpaa32.exe 1572 Eomdoj32.exe 2120 Egihcl32.exe 1532 Eqamla32.exe 2876 Emhnqbjo.exe 3048 Egmbnkie.exe 1016 Fbipdi32.exe 2680 Ffghjg32.exe 2508 Fnbmoi32.exe 1548 Fihalb32.exe 2940 Gbbbjg32.exe 2952 Ghpkbn32.exe 2988 Gnlpeh32.exe 1564 Gdihmo32.exe 580 Gdkebolm.exe 612 Hhogaamj.exe 2432 Hlmphp32.exe 1956 Honiikpa.exe 1624 Hginnmml.exe 1020 Iijfoh32.exe 1224 Ipdolbbj.exe 936 Ikicikap.exe 1964 Iecdji32.exe 1708 Iphhgb32.exe 556 Ieeqpi32.exe 1888 Iloilcci.exe 2572 Ionehnbm.exe 1632 Jkdfmoha.exe 2808 Jaonji32.exe 2964 Jobocn32.exe 2916 Jkioho32.exe 2064 Jdadadkl.exe 2616 Jnjhjj32.exe 3032 Jnlepioj.exe 2372 Kjcedj32.exe 1960 Kggfnoch.exe 1844 Kmdofebo.exe 1144 Kflcok32.exe 2116 Kkilgb32.exe 1920 Kbcddlnd.exe 2516 Kbeqjl32.exe -
Loads dropped DLL 64 IoCs
pid Process 564 f9e147bfe75f72e611ec26cdf73f894e22207c780765d31d5d1117dc68ec09e8.exe 564 f9e147bfe75f72e611ec26cdf73f894e22207c780765d31d5d1117dc68ec09e8.exe 1396 Pkojoghl.exe 1396 Pkojoghl.exe 2920 Palbgn32.exe 2920 Palbgn32.exe 2712 Qijdqp32.exe 2712 Qijdqp32.exe 2840 Abbhje32.exe 2840 Abbhje32.exe 2708 Abdeoe32.exe 2708 Abdeoe32.exe 944 Ankedf32.exe 944 Ankedf32.exe 3012 Aegkfpah.exe 3012 Aegkfpah.exe 3016 Abkkpd32.exe 3016 Abkkpd32.exe 2996 Bfpmog32.exe 2996 Bfpmog32.exe 1404 Bfbjdf32.exe 1404 Bfbjdf32.exe 2172 Beggec32.exe 2172 Beggec32.exe 572 Bopknhjd.exe 572 Bopknhjd.exe 2484 Celpqbon.exe 2484 Celpqbon.exe 2184 Ccpqjfnh.exe 2184 Ccpqjfnh.exe 980 Cdcjgnbc.exe 980 Cdcjgnbc.exe 1432 Cnlnpd32.exe 1432 Cnlnpd32.exe 1848 Dpmgao32.exe 1848 Dpmgao32.exe 1700 Djeljd32.exe 1700 Djeljd32.exe 1872 Dncdqcbl.exe 1872 Dncdqcbl.exe 1952 Dcpmijqc.exe 1952 Dcpmijqc.exe 1068 Dpcnbn32.exe 1068 Dpcnbn32.exe 540 Dcdfdi32.exe 540 Dcdfdi32.exe 2568 Eokgij32.exe 2568 Eokgij32.exe 2004 Edhpaa32.exe 2004 Edhpaa32.exe 1572 Eomdoj32.exe 1572 Eomdoj32.exe 2120 Egihcl32.exe 2120 Egihcl32.exe 1532 Eqamla32.exe 1532 Eqamla32.exe 2876 Emhnqbjo.exe 2876 Emhnqbjo.exe 3048 Egmbnkie.exe 3048 Egmbnkie.exe 1016 Fbipdi32.exe 1016 Fbipdi32.exe 2680 Ffghjg32.exe 2680 Ffghjg32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Jeenfd32.exe Iionacad.exe File created C:\Windows\SysWOW64\Gfanqcch.dll Eokgij32.exe File opened for modification C:\Windows\SysWOW64\Fhlogo32.exe Ebpgoh32.exe File opened for modification C:\Windows\SysWOW64\Baoopndk.exe Bdknfiea.exe File created C:\Windows\SysWOW64\Gpkafpim.dll Edpoeoea.exe File created C:\Windows\SysWOW64\Moahdd32.exe Mookod32.exe File created C:\Windows\SysWOW64\Anggfg32.dll Gdjpcj32.exe File created C:\Windows\SysWOW64\Oljagk32.dll Johlpoij.exe File created C:\Windows\SysWOW64\Ehjbaooe.exe Eiefqc32.exe File created C:\Windows\SysWOW64\Hknpkfec.dll Hlmphp32.exe File opened for modification C:\Windows\SysWOW64\Iecdji32.exe Ikicikap.exe File created C:\Windows\SysWOW64\Qkgbae32.dll Bfjmia32.exe File opened for modification C:\Windows\SysWOW64\Ibpjaagi.exe Iigehk32.exe File created C:\Windows\SysWOW64\Jiaeeo32.dll Eabeal32.exe File created C:\Windows\SysWOW64\Nbinad32.exe Nhdjdk32.exe File opened for modification C:\Windows\SysWOW64\Qpmgho32.exe Qicoleno.exe File opened for modification C:\Windows\SysWOW64\Ollncgjq.exe Obdjjb32.exe File opened for modification C:\Windows\SysWOW64\Nfnfjmgp.exe Nflidmic.exe File opened for modification C:\Windows\SysWOW64\Afjncabj.exe Aamekk32.exe File created C:\Windows\SysWOW64\Ndmeecmb.exe Nkdpmn32.exe File created C:\Windows\SysWOW64\Odgqoa32.exe Oojhfj32.exe File opened for modification C:\Windows\SysWOW64\Odimdqne.exe Oolelj32.exe File created C:\Windows\SysWOW64\Hklhca32.exe Hbccklmj.exe File created C:\Windows\SysWOW64\Aflkiapg.exe Afjncabj.exe File created C:\Windows\SysWOW64\Nmjmekan.exe Ngqeha32.exe File opened for modification C:\Windows\SysWOW64\Mbhlgg32.exe Mipgnbnn.exe File opened for modification C:\Windows\SysWOW64\Akbelbpi.exe Aokdga32.exe File created C:\Windows\SysWOW64\Kgpdcm32.dll Ekbjgd32.exe File opened for modification C:\Windows\SysWOW64\Cmdcngbd.exe Cghkepdm.exe File created C:\Windows\SysWOW64\Mojaceln.exe Mogene32.exe File created C:\Windows\SysWOW64\Kbcddlnd.exe Kkilgb32.exe File created C:\Windows\SysWOW64\Mjneoljh.dll Pogegeoj.exe File created C:\Windows\SysWOW64\Apgcbmha.exe Aimkeb32.exe File created C:\Windows\SysWOW64\Cieamnan.dll Kmeiei32.exe File opened for modification C:\Windows\SysWOW64\Ldlghhde.exe Lpnobi32.exe File created C:\Windows\SysWOW64\Bnpdkcam.dll Mnnhjk32.exe File created C:\Windows\SysWOW64\Pkdicckk.dll Cgnpmg32.exe File created C:\Windows\SysWOW64\Nlgfkmph.dll Ionehnbm.exe File created C:\Windows\SysWOW64\Cpijenld.dll Phocfd32.exe File opened for modification C:\Windows\SysWOW64\Dkmghe32.exe Dpgckm32.exe File created C:\Windows\SysWOW64\Jongag32.exe Ifcbme32.exe File created C:\Windows\SysWOW64\Bdemaknk.dll Pppnia32.exe File created C:\Windows\SysWOW64\Doapanne.exe Didgig32.exe File created C:\Windows\SysWOW64\Pppnpb32.dll Kifgllbc.exe File opened for modification C:\Windows\SysWOW64\Gcocnk32.exe Fgffck32.exe File opened for modification C:\Windows\SysWOW64\Llpaha32.exe Lnlaomae.exe File opened for modification C:\Windows\SysWOW64\Miaaki32.exe Mbginomj.exe File opened for modification C:\Windows\SysWOW64\Ajghgd32.exe Qdkpomkb.exe File created C:\Windows\SysWOW64\Olbpmelm.dll Fimclh32.exe File created C:\Windows\SysWOW64\Oipenooj.dll Nmjmekan.exe File opened for modification C:\Windows\SysWOW64\Oojhfj32.exe Obcgaill.exe File created C:\Windows\SysWOW64\Cjcfjoil.exe Ccinnd32.exe File created C:\Windows\SysWOW64\Mlmaad32.exe Mcbmmbhb.exe File opened for modification C:\Windows\SysWOW64\Bdmhcp32.exe Bjgdfg32.exe File created C:\Windows\SysWOW64\Hnghoc32.dll Cjfjjd32.exe File created C:\Windows\SysWOW64\Ognobcqo.exe Ojjnioae.exe File created C:\Windows\SysWOW64\Kdnlpaln.exe Kjihci32.exe File opened for modification C:\Windows\SysWOW64\Peooek32.exe Ppbfmdfo.exe File created C:\Windows\SysWOW64\Fhlpince.dll Mckpba32.exe File opened for modification C:\Windows\SysWOW64\Bbcjca32.exe Bhnffi32.exe File created C:\Windows\SysWOW64\Pnflkl32.dll Egfglocf.exe File created C:\Windows\SysWOW64\Dopfmmil.dll Ipdaek32.exe File opened for modification C:\Windows\SysWOW64\Kpnbcfkc.exe Kbjbibli.exe File created C:\Windows\SysWOW64\Pfjiod32.exe Pnodjb32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4500 4132 WerFault.exe 785 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lggdfk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lglnajjb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cklpml32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmmjpoci.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hginnmml.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bejiehfi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkqdajhc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ecgeba32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hiofdmkq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehjbaooe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgqqcd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olgpff32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Meeopdhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amjkefmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkmhij32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oaciom32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdlmlidp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chkoef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdgcnj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhljlnma.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfbdje32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpccgppq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klapha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfckhc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnogmk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emncci32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ollcee32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eeceim32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndhlfh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aamekk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkdfmoha.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdkhag32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eocfmh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klimcf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhnffi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmdaeo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmmlccfp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhakecld.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iekpdn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dflnkjhe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngqeha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oojfnakl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkeahf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Limhpihl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enmqjq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hijmin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppejmj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnnhjk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajapoqmf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qjeihl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fihcdkom.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Niombolm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbinad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bokcom32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfqbol32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbjfcnkg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acggbffj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhpclica.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jckkhplq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eakjophb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edpoeoea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmcdkbao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcgaae32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhlapc32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" f9e147bfe75f72e611ec26cdf73f894e22207c780765d31d5d1117dc68ec09e8.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pgnnhbpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pdffcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkajof32.dll" Gcifdj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Encjfc32.dll" Jbdadl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cijiejka.dll" Bkjpncii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eafhchmp.dll" Ffaeneno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agiidifg.dll" Hginnmml.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Emncci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bfcnfh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Apeflmjc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aeahjn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bbfibj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgfhfhcl.dll" Ekjikadb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hedkhm32.dll" Iijfoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kljmapka.dll" Aebjaj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bdipfi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Neghdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Odgqoa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Djmknb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bgnaekil.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mjmnmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Obcgaill.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ajapoqmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bfjmia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baojfoqh.dll" Cgpjin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgknok32.dll" Gqmmhdka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qdlialfb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kkigfdjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qiekadkl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ciknhb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjhcif32.dll" Djeljd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ljpnch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npldppbn.dll" Agaifnhi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gnbelong.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iigehk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jdplmflg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eaegaaah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dcdfdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glfiinip.dll" Mjpkbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjlacoca.dll" Fcegdnna.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kiamql32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cjfjjd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ajghgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hmiljb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dmajdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Daqibb32.dll" Ecgeba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Knaqcabh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fcoaebjc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naflocji.dll" Miaaki32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Niombolm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ljhppo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgkgdd32.dll" Lcqdidim.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cmbiap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmeimblp.dll" Kpcbhlki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Edhmhl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kkilgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Blnkbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fjaqhe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpijenld.dll" Phocfd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iekpdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bjgdfg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbihec32.dll" Obdjjb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iggkphll.dll" Ankckagj.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 564 wrote to memory of 1396 564 f9e147bfe75f72e611ec26cdf73f894e22207c780765d31d5d1117dc68ec09e8.exe 30 PID 564 wrote to memory of 1396 564 f9e147bfe75f72e611ec26cdf73f894e22207c780765d31d5d1117dc68ec09e8.exe 30 PID 564 wrote to memory of 1396 564 f9e147bfe75f72e611ec26cdf73f894e22207c780765d31d5d1117dc68ec09e8.exe 30 PID 564 wrote to memory of 1396 564 f9e147bfe75f72e611ec26cdf73f894e22207c780765d31d5d1117dc68ec09e8.exe 30 PID 1396 wrote to memory of 2920 1396 Pkojoghl.exe 31 PID 1396 wrote to memory of 2920 1396 Pkojoghl.exe 31 PID 1396 wrote to memory of 2920 1396 Pkojoghl.exe 31 PID 1396 wrote to memory of 2920 1396 Pkojoghl.exe 31 PID 2920 wrote to memory of 2712 2920 Palbgn32.exe 32 PID 2920 wrote to memory of 2712 2920 Palbgn32.exe 32 PID 2920 wrote to memory of 2712 2920 Palbgn32.exe 32 PID 2920 wrote to memory of 2712 2920 Palbgn32.exe 32 PID 2712 wrote to memory of 2840 2712 Qijdqp32.exe 33 PID 2712 wrote to memory of 2840 2712 Qijdqp32.exe 33 PID 2712 wrote to memory of 2840 2712 Qijdqp32.exe 33 PID 2712 wrote to memory of 2840 2712 Qijdqp32.exe 33 PID 2840 wrote to memory of 2708 2840 Abbhje32.exe 34 PID 2840 wrote to memory of 2708 2840 Abbhje32.exe 34 PID 2840 wrote to memory of 2708 2840 Abbhje32.exe 34 PID 2840 wrote to memory of 2708 2840 Abbhje32.exe 34 PID 2708 wrote to memory of 944 2708 Abdeoe32.exe 35 PID 2708 wrote to memory of 944 2708 Abdeoe32.exe 35 PID 2708 wrote to memory of 944 2708 Abdeoe32.exe 35 PID 2708 wrote to memory of 944 2708 Abdeoe32.exe 35 PID 944 wrote to memory of 3012 944 Ankedf32.exe 36 PID 944 wrote to memory of 3012 944 Ankedf32.exe 36 PID 944 wrote to memory of 3012 944 Ankedf32.exe 36 PID 944 wrote to memory of 3012 944 Ankedf32.exe 36 PID 3012 wrote to memory of 3016 3012 Aegkfpah.exe 37 PID 3012 wrote to memory of 3016 3012 Aegkfpah.exe 37 PID 3012 wrote to memory of 3016 3012 Aegkfpah.exe 37 PID 3012 wrote to memory of 3016 3012 Aegkfpah.exe 37 PID 3016 wrote to memory of 2996 3016 Abkkpd32.exe 38 PID 3016 wrote to memory of 2996 3016 Abkkpd32.exe 38 PID 3016 wrote to memory of 2996 3016 Abkkpd32.exe 38 PID 3016 wrote to memory of 2996 3016 Abkkpd32.exe 38 PID 2996 wrote to memory of 1404 2996 Bfpmog32.exe 39 PID 2996 wrote to memory of 1404 2996 Bfpmog32.exe 39 PID 2996 wrote to memory of 1404 2996 Bfpmog32.exe 39 PID 2996 wrote to memory of 1404 2996 Bfpmog32.exe 39 PID 1404 wrote to memory of 2172 1404 Bfbjdf32.exe 40 PID 1404 wrote to memory of 2172 1404 Bfbjdf32.exe 40 PID 1404 wrote to memory of 2172 1404 Bfbjdf32.exe 40 PID 1404 wrote to memory of 2172 1404 Bfbjdf32.exe 40 PID 2172 wrote to memory of 572 2172 Beggec32.exe 41 PID 2172 wrote to memory of 572 2172 Beggec32.exe 41 PID 2172 wrote to memory of 572 2172 Beggec32.exe 41 PID 2172 wrote to memory of 572 2172 Beggec32.exe 41 PID 572 wrote to memory of 2484 572 Bopknhjd.exe 42 PID 572 wrote to memory of 2484 572 Bopknhjd.exe 42 PID 572 wrote to memory of 2484 572 Bopknhjd.exe 42 PID 572 wrote to memory of 2484 572 Bopknhjd.exe 42 PID 2484 wrote to memory of 2184 2484 Celpqbon.exe 43 PID 2484 wrote to memory of 2184 2484 Celpqbon.exe 43 PID 2484 wrote to memory of 2184 2484 Celpqbon.exe 43 PID 2484 wrote to memory of 2184 2484 Celpqbon.exe 43 PID 2184 wrote to memory of 980 2184 Ccpqjfnh.exe 44 PID 2184 wrote to memory of 980 2184 Ccpqjfnh.exe 44 PID 2184 wrote to memory of 980 2184 Ccpqjfnh.exe 44 PID 2184 wrote to memory of 980 2184 Ccpqjfnh.exe 44 PID 980 wrote to memory of 1432 980 Cdcjgnbc.exe 45 PID 980 wrote to memory of 1432 980 Cdcjgnbc.exe 45 PID 980 wrote to memory of 1432 980 Cdcjgnbc.exe 45 PID 980 wrote to memory of 1432 980 Cdcjgnbc.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\f9e147bfe75f72e611ec26cdf73f894e22207c780765d31d5d1117dc68ec09e8.exe"C:\Users\Admin\AppData\Local\Temp\f9e147bfe75f72e611ec26cdf73f894e22207c780765d31d5d1117dc68ec09e8.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:564 -
C:\Windows\SysWOW64\Pkojoghl.exeC:\Windows\system32\Pkojoghl.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1396 -
C:\Windows\SysWOW64\Palbgn32.exeC:\Windows\system32\Palbgn32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2920 -
C:\Windows\SysWOW64\Qijdqp32.exeC:\Windows\system32\Qijdqp32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Windows\SysWOW64\Abbhje32.exeC:\Windows\system32\Abbhje32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2840 -
C:\Windows\SysWOW64\Abdeoe32.exeC:\Windows\system32\Abdeoe32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2708 -
C:\Windows\SysWOW64\Ankedf32.exeC:\Windows\system32\Ankedf32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:944 -
C:\Windows\SysWOW64\Aegkfpah.exeC:\Windows\system32\Aegkfpah.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3012 -
C:\Windows\SysWOW64\Abkkpd32.exeC:\Windows\system32\Abkkpd32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3016 -
C:\Windows\SysWOW64\Bfpmog32.exeC:\Windows\system32\Bfpmog32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2996 -
C:\Windows\SysWOW64\Bfbjdf32.exeC:\Windows\system32\Bfbjdf32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1404 -
C:\Windows\SysWOW64\Beggec32.exeC:\Windows\system32\Beggec32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2172 -
C:\Windows\SysWOW64\Bopknhjd.exeC:\Windows\system32\Bopknhjd.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:572 -
C:\Windows\SysWOW64\Celpqbon.exeC:\Windows\system32\Celpqbon.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2484 -
C:\Windows\SysWOW64\Ccpqjfnh.exeC:\Windows\system32\Ccpqjfnh.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2184 -
C:\Windows\SysWOW64\Cdcjgnbc.exeC:\Windows\system32\Cdcjgnbc.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:980 -
C:\Windows\SysWOW64\Cnlnpd32.exeC:\Windows\system32\Cnlnpd32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1432 -
C:\Windows\SysWOW64\Dpmgao32.exeC:\Windows\system32\Dpmgao32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1848 -
C:\Windows\SysWOW64\Djeljd32.exeC:\Windows\system32\Djeljd32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1700 -
C:\Windows\SysWOW64\Dncdqcbl.exeC:\Windows\system32\Dncdqcbl.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1872 -
C:\Windows\SysWOW64\Dcpmijqc.exeC:\Windows\system32\Dcpmijqc.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1952 -
C:\Windows\SysWOW64\Dpcnbn32.exeC:\Windows\system32\Dpcnbn32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1068 -
C:\Windows\SysWOW64\Dcdfdi32.exeC:\Windows\system32\Dcdfdi32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:540 -
C:\Windows\SysWOW64\Eokgij32.exeC:\Windows\system32\Eokgij32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2568 -
C:\Windows\SysWOW64\Edhpaa32.exeC:\Windows\system32\Edhpaa32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2004 -
C:\Windows\SysWOW64\Eomdoj32.exeC:\Windows\system32\Eomdoj32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1572 -
C:\Windows\SysWOW64\Egihcl32.exeC:\Windows\system32\Egihcl32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2120 -
C:\Windows\SysWOW64\Eqamla32.exeC:\Windows\system32\Eqamla32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1532 -
C:\Windows\SysWOW64\Emhnqbjo.exeC:\Windows\system32\Emhnqbjo.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2876 -
C:\Windows\SysWOW64\Egmbnkie.exeC:\Windows\system32\Egmbnkie.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3048 -
C:\Windows\SysWOW64\Fbipdi32.exeC:\Windows\system32\Fbipdi32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1016 -
C:\Windows\SysWOW64\Ffghjg32.exeC:\Windows\system32\Ffghjg32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2680 -
C:\Windows\SysWOW64\Fnbmoi32.exeC:\Windows\system32\Fnbmoi32.exe33⤵
- Executes dropped EXE
PID:2508 -
C:\Windows\SysWOW64\Fihalb32.exeC:\Windows\system32\Fihalb32.exe34⤵
- Executes dropped EXE
PID:1548 -
C:\Windows\SysWOW64\Gbbbjg32.exeC:\Windows\system32\Gbbbjg32.exe35⤵
- Executes dropped EXE
PID:2940 -
C:\Windows\SysWOW64\Ghpkbn32.exeC:\Windows\system32\Ghpkbn32.exe36⤵
- Executes dropped EXE
PID:2952 -
C:\Windows\SysWOW64\Gnlpeh32.exeC:\Windows\system32\Gnlpeh32.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2988 -
C:\Windows\SysWOW64\Gdihmo32.exeC:\Windows\system32\Gdihmo32.exe38⤵
- Executes dropped EXE
PID:1564 -
C:\Windows\SysWOW64\Gdkebolm.exeC:\Windows\system32\Gdkebolm.exe39⤵
- Executes dropped EXE
PID:580 -
C:\Windows\SysWOW64\Hhogaamj.exeC:\Windows\system32\Hhogaamj.exe40⤵
- Executes dropped EXE
PID:612 -
C:\Windows\SysWOW64\Hlmphp32.exeC:\Windows\system32\Hlmphp32.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2432 -
C:\Windows\SysWOW64\Honiikpa.exeC:\Windows\system32\Honiikpa.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1956 -
C:\Windows\SysWOW64\Hginnmml.exeC:\Windows\system32\Hginnmml.exe43⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1624 -
C:\Windows\SysWOW64\Iijfoh32.exeC:\Windows\system32\Iijfoh32.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:1020 -
C:\Windows\SysWOW64\Ipdolbbj.exeC:\Windows\system32\Ipdolbbj.exe45⤵
- Executes dropped EXE
PID:1224 -
C:\Windows\SysWOW64\Ikicikap.exeC:\Windows\system32\Ikicikap.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:936 -
C:\Windows\SysWOW64\Iecdji32.exeC:\Windows\system32\Iecdji32.exe47⤵
- Executes dropped EXE
PID:1964 -
C:\Windows\SysWOW64\Iphhgb32.exeC:\Windows\system32\Iphhgb32.exe48⤵
- Executes dropped EXE
PID:1708 -
C:\Windows\SysWOW64\Ieeqpi32.exeC:\Windows\system32\Ieeqpi32.exe49⤵
- Executes dropped EXE
PID:556 -
C:\Windows\SysWOW64\Iloilcci.exeC:\Windows\system32\Iloilcci.exe50⤵
- Executes dropped EXE
PID:1888 -
C:\Windows\SysWOW64\Ionehnbm.exeC:\Windows\system32\Ionehnbm.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2572 -
C:\Windows\SysWOW64\Jkdfmoha.exeC:\Windows\system32\Jkdfmoha.exe52⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1632 -
C:\Windows\SysWOW64\Jaonji32.exeC:\Windows\system32\Jaonji32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2808 -
C:\Windows\SysWOW64\Jobocn32.exeC:\Windows\system32\Jobocn32.exe54⤵
- Executes dropped EXE
PID:2964 -
C:\Windows\SysWOW64\Jkioho32.exeC:\Windows\system32\Jkioho32.exe55⤵
- Executes dropped EXE
PID:2916 -
C:\Windows\SysWOW64\Jdadadkl.exeC:\Windows\system32\Jdadadkl.exe56⤵
- Executes dropped EXE
PID:2064 -
C:\Windows\SysWOW64\Jnjhjj32.exeC:\Windows\system32\Jnjhjj32.exe57⤵
- Executes dropped EXE
PID:2616 -
C:\Windows\SysWOW64\Jnlepioj.exeC:\Windows\system32\Jnlepioj.exe58⤵
- Executes dropped EXE
PID:3032 -
C:\Windows\SysWOW64\Kjcedj32.exeC:\Windows\system32\Kjcedj32.exe59⤵
- Executes dropped EXE
PID:2372 -
C:\Windows\SysWOW64\Kggfnoch.exeC:\Windows\system32\Kggfnoch.exe60⤵
- Executes dropped EXE
PID:1960 -
C:\Windows\SysWOW64\Kmdofebo.exeC:\Windows\system32\Kmdofebo.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1844 -
C:\Windows\SysWOW64\Kflcok32.exeC:\Windows\system32\Kflcok32.exe62⤵
- Executes dropped EXE
PID:1144 -
C:\Windows\SysWOW64\Kkilgb32.exeC:\Windows\system32\Kkilgb32.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2116 -
C:\Windows\SysWOW64\Kbcddlnd.exeC:\Windows\system32\Kbcddlnd.exe64⤵
- Executes dropped EXE
PID:1920 -
C:\Windows\SysWOW64\Kbeqjl32.exeC:\Windows\system32\Kbeqjl32.exe65⤵
- Executes dropped EXE
PID:2516 -
C:\Windows\SysWOW64\Lnlaomae.exeC:\Windows\system32\Lnlaomae.exe66⤵
- Drops file in System32 directory
PID:2232 -
C:\Windows\SysWOW64\Llpaha32.exeC:\Windows\system32\Llpaha32.exe67⤵PID:3040
-
C:\Windows\SysWOW64\Lnnndl32.exeC:\Windows\system32\Lnnndl32.exe68⤵PID:1048
-
C:\Windows\SysWOW64\Lggbmbfc.exeC:\Windows\system32\Lggbmbfc.exe69⤵PID:2492
-
C:\Windows\SysWOW64\Laogfg32.exeC:\Windows\system32\Laogfg32.exe70⤵PID:896
-
C:\Windows\SysWOW64\Lncgollm.exeC:\Windows\system32\Lncgollm.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2912 -
C:\Windows\SysWOW64\Lpddgd32.exeC:\Windows\system32\Lpddgd32.exe72⤵PID:2864
-
C:\Windows\SysWOW64\Limhpihl.exeC:\Windows\system32\Limhpihl.exe73⤵
- System Location Discovery: System Language Discovery
PID:1676 -
C:\Windows\SysWOW64\Mcbmmbhb.exeC:\Windows\system32\Mcbmmbhb.exe74⤵
- Drops file in System32 directory
PID:2696 -
C:\Windows\SysWOW64\Mlmaad32.exeC:\Windows\system32\Mlmaad32.exe75⤵PID:2200
-
C:\Windows\SysWOW64\Mbginomj.exeC:\Windows\system32\Mbginomj.exe76⤵
- Drops file in System32 directory
PID:2356 -
C:\Windows\SysWOW64\Miaaki32.exeC:\Windows\system32\Miaaki32.exe77⤵
- Modifies registry class
PID:2208 -
C:\Windows\SysWOW64\Mbjfcnkg.exeC:\Windows\system32\Mbjfcnkg.exe78⤵
- System Location Discovery: System Language Discovery
PID:2312 -
C:\Windows\SysWOW64\Mlbkmdah.exeC:\Windows\system32\Mlbkmdah.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1028 -
C:\Windows\SysWOW64\Maocekoo.exeC:\Windows\system32\Maocekoo.exe80⤵PID:1916
-
C:\Windows\SysWOW64\Mldgbcoe.exeC:\Windows\system32\Mldgbcoe.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2392 -
C:\Windows\SysWOW64\Maapjjml.exeC:\Windows\system32\Maapjjml.exe82⤵PID:2220
-
C:\Windows\SysWOW64\Nkjdcp32.exeC:\Windows\system32\Nkjdcp32.exe83⤵PID:2632
-
C:\Windows\SysWOW64\Nmhqokcq.exeC:\Windows\system32\Nmhqokcq.exe84⤵PID:1744
-
C:\Windows\SysWOW64\Ngqeha32.exeC:\Windows\system32\Ngqeha32.exe85⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2288 -
C:\Windows\SysWOW64\Nmjmekan.exeC:\Windows\system32\Nmjmekan.exe86⤵
- Drops file in System32 directory
PID:2468 -
C:\Windows\SysWOW64\Nhpabdqd.exeC:\Windows\system32\Nhpabdqd.exe87⤵PID:1792
-
C:\Windows\SysWOW64\Npkfff32.exeC:\Windows\system32\Npkfff32.exe88⤵PID:2784
-
C:\Windows\SysWOW64\Nkqjdo32.exeC:\Windows\system32\Nkqjdo32.exe89⤵PID:2812
-
C:\Windows\SysWOW64\Npnclf32.exeC:\Windows\system32\Npnclf32.exe90⤵PID:2796
-
C:\Windows\SysWOW64\Nejkdm32.exeC:\Windows\system32\Nejkdm32.exe91⤵PID:2228
-
C:\Windows\SysWOW64\Npppaejj.exeC:\Windows\system32\Npppaejj.exe92⤵PID:1924
-
C:\Windows\SysWOW64\Oemhjlha.exeC:\Windows\system32\Oemhjlha.exe93⤵PID:3028
-
C:\Windows\SysWOW64\Olgpff32.exeC:\Windows\system32\Olgpff32.exe94⤵
- System Location Discovery: System Language Discovery
PID:2192 -
C:\Windows\SysWOW64\Oaciom32.exeC:\Windows\system32\Oaciom32.exe95⤵
- System Location Discovery: System Language Discovery
PID:2324 -
C:\Windows\SysWOW64\Olimlf32.exeC:\Windows\system32\Olimlf32.exe96⤵PID:2360
-
C:\Windows\SysWOW64\Oafedmlb.exeC:\Windows\system32\Oafedmlb.exe97⤵PID:2520
-
C:\Windows\SysWOW64\Ohpnag32.exeC:\Windows\system32\Ohpnag32.exe98⤵PID:1712
-
C:\Windows\SysWOW64\Oojfnakl.exeC:\Windows\system32\Oojfnakl.exe99⤵
- System Location Discovery: System Language Discovery
PID:1648 -
C:\Windows\SysWOW64\Oecnkk32.exeC:\Windows\system32\Oecnkk32.exe100⤵PID:2112
-
C:\Windows\SysWOW64\Okqgcb32.exeC:\Windows\system32\Okqgcb32.exe101⤵PID:2088
-
C:\Windows\SysWOW64\Oqmokioh.exeC:\Windows\system32\Oqmokioh.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2824 -
C:\Windows\SysWOW64\Ojfcdo32.exeC:\Windows\system32\Ojfcdo32.exe103⤵PID:2780
-
C:\Windows\SysWOW64\Pdkhag32.exeC:\Windows\system32\Pdkhag32.exe104⤵
- System Location Discovery: System Language Discovery
PID:2724 -
C:\Windows\SysWOW64\Pjhpin32.exeC:\Windows\system32\Pjhpin32.exe105⤵PID:2980
-
C:\Windows\SysWOW64\Pdndggcl.exeC:\Windows\system32\Pdndggcl.exe106⤵PID:1784
-
C:\Windows\SysWOW64\Pjjmonac.exeC:\Windows\system32\Pjjmonac.exe107⤵PID:2716
-
C:\Windows\SysWOW64\Pogegeoj.exeC:\Windows\system32\Pogegeoj.exe108⤵
- Drops file in System32 directory
PID:688 -
C:\Windows\SysWOW64\Pgnnhbpm.exeC:\Windows\system32\Pgnnhbpm.exe109⤵
- Modifies registry class
PID:1840 -
C:\Windows\SysWOW64\Pqgbah32.exeC:\Windows\system32\Pqgbah32.exe110⤵PID:2024
-
C:\Windows\SysWOW64\Qekdpkgj.exeC:\Windows\system32\Qekdpkgj.exe111⤵PID:1736
-
C:\Windows\SysWOW64\Qnciiq32.exeC:\Windows\system32\Qnciiq32.exe112⤵PID:236
-
C:\Windows\SysWOW64\Aepnkjcd.exeC:\Windows\system32\Aepnkjcd.exe113⤵PID:2140
-
C:\Windows\SysWOW64\Akjfhdka.exeC:\Windows\system32\Akjfhdka.exe114⤵PID:2540
-
C:\Windows\SysWOW64\Amkbpm32.exeC:\Windows\system32\Amkbpm32.exe115⤵PID:2852
-
C:\Windows\SysWOW64\Aebjaj32.exeC:\Windows\system32\Aebjaj32.exe116⤵
- Modifies registry class
PID:2688 -
C:\Windows\SysWOW64\Ajociq32.exeC:\Windows\system32\Ajociq32.exe117⤵PID:2188
-
C:\Windows\SysWOW64\Ammoel32.exeC:\Windows\system32\Ammoel32.exe118⤵PID:3000
-
C:\Windows\SysWOW64\Acggbffj.exeC:\Windows\system32\Acggbffj.exe119⤵
- System Location Discovery: System Language Discovery
PID:368 -
C:\Windows\SysWOW64\Ajapoqmf.exeC:\Windows\system32\Ajapoqmf.exe120⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2600 -
C:\Windows\SysWOW64\Apnhggln.exeC:\Windows\system32\Apnhggln.exe121⤵PID:1996
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-