Analysis
-
max time kernel
57s -
max time network
20s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
23-11-2024 04:44
Behavioral task
behavioral1
Sample
99c68bdabc501def1d77ecd1070f825418a12d19e62ed36614995b5b6aa4aad5.exe
Resource
win7-20241010-en
windows7-x64
12 signatures
120 seconds
General
-
Target
99c68bdabc501def1d77ecd1070f825418a12d19e62ed36614995b5b6aa4aad5.exe
-
Size
337KB
-
MD5
de5498f2a0e58687dfdd5fa2e2d0b102
-
SHA1
b309c02a72189fa0a4cda60167ea62d2e8b9425e
-
SHA256
99c68bdabc501def1d77ecd1070f825418a12d19e62ed36614995b5b6aa4aad5
-
SHA512
eec8cfad7829422ddcffff44487b382ca98f198fdc44d76e3c8bcca3bbe089e641b36568f6a6385765e7d9ca16b17338cc5d9789f922b76dd8663ad6fd984019
-
SSDEEP
3072:LExDV7zufesU7969INgYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc0l:AxD9ufa7RN1+fIyG5jZkCwi8j
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekeiel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ailboh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pgopak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Akhkkmdh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkkckdhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pieobaiq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gcdmikma.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhibakmb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbfeam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckopch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lndqbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mjmnmk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ollcee32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nadoiccn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmjbchnq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ggeiooea.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlgdhcmb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afpchl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlmffa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dpjfjalp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cohlnkeg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdcgeejf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bcdpacgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mmpmjpba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jbdokceo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apdminod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kqmnadlk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qqbeel32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgopak32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfpcdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jllakpdk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oldooi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nbmcjc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Polakmbi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohkpdj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hndoifdp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcpbpk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Plfhdlfb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnkfcjqe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgeopqfp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpajdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jepoao32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddnaonia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qoopie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Giejkp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gjqfmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ophanl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Elqcnfdp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdjddf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eponmmaj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljbkig32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Niijdq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcajjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ofpmegpe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejmljg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pdngpp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epgoio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bapejd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmdofebo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iockhigl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kanfgofa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qoopie32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffmkhe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjhahb32.exe -
Berbew family
-
Njrat family
-
Executes dropped EXE 64 IoCs
pid Process 1692 Kqmnadlk.exe 2980 Kmdofebo.exe 568 Kecmfg32.exe 2792 Lajmkhai.exe 2756 Ladpagin.exe 836 Mddibb32.exe 2324 Mlgdhcmb.exe 2948 Nogmin32.exe 2416 Nejkdm32.exe 2212 Ogjhnp32.exe 2448 Odfofhic.exe 580 Ohdglfoj.exe 2152 Pgnnhbpm.exe 2312 Pqgbah32.exe 960 Qqbeel32.exe 2108 Anfeop32.exe 1924 Aiflpm32.exe 1508 Bboahbio.exe 2600 Bbfgiabg.exe 1536 Ckchcc32.exe 2664 Ckhbnb32.exe 524 Ceacoqfi.exe 1736 Chblqlcj.exe 2308 Dibhjokm.exe 2568 Dkeahf32.exe 1288 Dhibakmb.exe 1556 Dadcppbp.exe 2896 Enkdda32.exe 2804 Effhic32.exe 2772 Eclfhgaf.exe 2820 Ehinpnpm.exe 2476 Ekjgbi32.exe 2252 Fjaqhe32.exe 1928 Fkambhgf.exe 1120 Ffkncf32.exe 2368 Ffmkhe32.exe 760 Gbdlnf32.exe 1880 Gfadcemm.exe 2356 Ghenamai.exe 2440 Giejkp32.exe 864 Gapoob32.exe 2132 Hndoifdp.exe 1356 Hjkpng32.exe 1052 Hpghfn32.exe 2516 Hmkiobge.exe 1324 Hibidc32.exe 704 Hmpbja32.exe 2560 Iigcobid.exe 2912 Iockhigl.exe 3048 Ibadnhmb.exe 2972 Iagaod32.exe 1500 Ikoehj32.exe 2564 Iplnpq32.exe 2456 Jakjjcnd.exe 1856 Jkdoci32.exe 1656 Jgkphj32.exe 980 Jpcdqpqj.exe 284 Jhniebne.exe 2504 Jfbinf32.exe 588 Jllakpdk.exe 2632 Jojnglco.exe 2188 Khcbpa32.exe 1496 Kbppdfmk.exe 456 Kngaig32.exe -
Loads dropped DLL 64 IoCs
pid Process 2528 99c68bdabc501def1d77ecd1070f825418a12d19e62ed36614995b5b6aa4aad5.exe 2528 99c68bdabc501def1d77ecd1070f825418a12d19e62ed36614995b5b6aa4aad5.exe 1692 Kqmnadlk.exe 1692 Kqmnadlk.exe 2980 Kmdofebo.exe 2980 Kmdofebo.exe 568 Kecmfg32.exe 568 Kecmfg32.exe 2792 Lajmkhai.exe 2792 Lajmkhai.exe 2756 Ladpagin.exe 2756 Ladpagin.exe 836 Mddibb32.exe 836 Mddibb32.exe 2324 Mlgdhcmb.exe 2324 Mlgdhcmb.exe 2948 Nogmin32.exe 2948 Nogmin32.exe 2416 Nejkdm32.exe 2416 Nejkdm32.exe 2212 Ogjhnp32.exe 2212 Ogjhnp32.exe 2448 Odfofhic.exe 2448 Odfofhic.exe 580 Ohdglfoj.exe 580 Ohdglfoj.exe 2152 Pgnnhbpm.exe 2152 Pgnnhbpm.exe 2312 Pqgbah32.exe 2312 Pqgbah32.exe 960 Qqbeel32.exe 960 Qqbeel32.exe 2108 Anfeop32.exe 2108 Anfeop32.exe 1924 Aiflpm32.exe 1924 Aiflpm32.exe 1508 Bboahbio.exe 1508 Bboahbio.exe 2600 Bbfgiabg.exe 2600 Bbfgiabg.exe 1536 Ckchcc32.exe 1536 Ckchcc32.exe 2664 Ckhbnb32.exe 2664 Ckhbnb32.exe 524 Ceacoqfi.exe 524 Ceacoqfi.exe 1736 Chblqlcj.exe 1736 Chblqlcj.exe 2308 Dibhjokm.exe 2308 Dibhjokm.exe 2568 Dkeahf32.exe 2568 Dkeahf32.exe 1288 Dhibakmb.exe 1288 Dhibakmb.exe 1556 Dadcppbp.exe 1556 Dadcppbp.exe 2896 Enkdda32.exe 2896 Enkdda32.exe 2804 Effhic32.exe 2804 Effhic32.exe 2772 Eclfhgaf.exe 2772 Eclfhgaf.exe 2820 Ehinpnpm.exe 2820 Ehinpnpm.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Oefcdgnb.dll Nkjeod32.exe File created C:\Windows\SysWOW64\Pmahenoo.dll Gjqfmb32.exe File created C:\Windows\SysWOW64\Eedohjpf.dll Hpgakh32.exe File created C:\Windows\SysWOW64\Ljhppo32.exe Lppkgi32.exe File opened for modification C:\Windows\SysWOW64\Pieobaiq.exe Oicbma32.exe File opened for modification C:\Windows\SysWOW64\Eiocbd32.exe Epgoio32.exe File created C:\Windows\SysWOW64\Kdgane32.exe Kpiihgoh.exe File created C:\Windows\SysWOW64\Jabeia32.dll Mhgpgjoj.exe File created C:\Windows\SysWOW64\Ladpagin.exe Lajmkhai.exe File created C:\Windows\SysWOW64\Dgjoqd32.dll Ollcee32.exe File opened for modification C:\Windows\SysWOW64\Omhhma32.exe Ohkpdj32.exe File created C:\Windows\SysWOW64\Bngnoa32.dll Moloidjl.exe File opened for modification C:\Windows\SysWOW64\Gqfeom32.exe Ggnqfgce.exe File created C:\Windows\SysWOW64\Infjfblm.exe Ilfadg32.exe File created C:\Windows\SysWOW64\Ecoobjme.dll Nbbhpegc.exe File created C:\Windows\SysWOW64\Okefloqc.dll Cbfeam32.exe File opened for modification C:\Windows\SysWOW64\Dmiihjak.exe Dabicikf.exe File opened for modification C:\Windows\SysWOW64\Apjpglfn.exe Apgcbmha.exe File created C:\Windows\SysWOW64\Ehhgfgla.exe Eaooin32.exe File created C:\Windows\SysWOW64\Mmpmjpba.exe Mcekkkmc.exe File created C:\Windows\SysWOW64\Bgqeea32.exe Bkjdpp32.exe File created C:\Windows\SysWOW64\Nkmgmf32.dll Plildb32.exe File created C:\Windows\SysWOW64\Lfhednad.dll Gielchpp.exe File created C:\Windows\SysWOW64\Mpaoojjb.exe Mbgela32.exe File created C:\Windows\SysWOW64\Hjincg32.dll Jifkmh32.exe File created C:\Windows\SysWOW64\Enkdda32.exe Dadcppbp.exe File created C:\Windows\SysWOW64\Epjqgm32.dll Gapoob32.exe File opened for modification C:\Windows\SysWOW64\Hmfhjmho.exe Hflpmb32.exe File opened for modification C:\Windows\SysWOW64\Qmahog32.exe Pchdfb32.exe File created C:\Windows\SysWOW64\Oikcicfl.exe Olgboogb.exe File opened for modification C:\Windows\SysWOW64\Fdjddf32.exe Fdggofgn.exe File created C:\Windows\SysWOW64\Kbbedq32.dll Pgnnhbpm.exe File created C:\Windows\SysWOW64\Ceacoqfi.exe Ckhbnb32.exe File created C:\Windows\SysWOW64\Pnllnk32.exe Pdcgeejf.exe File opened for modification C:\Windows\SysWOW64\Njdbefnf.exe Nehjmppo.exe File created C:\Windows\SysWOW64\Aghalcja.dll Ojnelefl.exe File created C:\Windows\SysWOW64\Bqjfdaio.dll Ejmljg32.exe File opened for modification C:\Windows\SysWOW64\Bqffna32.exe Bgnaekil.exe File opened for modification C:\Windows\SysWOW64\Ohcohh32.exe Onhnjclg.exe File created C:\Windows\SysWOW64\Bgbkhnja.dll Hjkdoh32.exe File created C:\Windows\SysWOW64\Cldcdi32.dll Kecmfg32.exe File opened for modification C:\Windows\SysWOW64\Ogbgbn32.exe Ollcee32.exe File created C:\Windows\SysWOW64\Pchdfb32.exe Pnllnk32.exe File created C:\Windows\SysWOW64\Boqgep32.exe Ampncd32.exe File created C:\Windows\SysWOW64\Bgcbja32.exe Bgqeea32.exe File created C:\Windows\SysWOW64\Khcdijac.exe Jinghn32.exe File opened for modification C:\Windows\SysWOW64\Hkndiabh.exe Hklhca32.exe File opened for modification C:\Windows\SysWOW64\Jlbjcd32.exe Jbjejojn.exe File opened for modification C:\Windows\SysWOW64\Jkdoci32.exe Jakjjcnd.exe File opened for modification C:\Windows\SysWOW64\Mjmnmk32.exe Lnfmhj32.exe File created C:\Windows\SysWOW64\Kgelahmn.exe Kknklg32.exe File created C:\Windows\SysWOW64\Jaaoakmc.exe Jifkmh32.exe File created C:\Windows\SysWOW64\Donkapjh.dll Apgcbmha.exe File created C:\Windows\SysWOW64\Oifakkod.dll Dibhjokm.exe File created C:\Windows\SysWOW64\Ihceebkc.dll Ealbcngg.exe File created C:\Windows\SysWOW64\Apdminod.exe Aglhph32.exe File opened for modification C:\Windows\SysWOW64\Lcqdidim.exe Ljhppo32.exe File created C:\Windows\SysWOW64\Iagaod32.exe Ibadnhmb.exe File created C:\Windows\SysWOW64\Fdjddf32.exe Fdggofgn.exe File created C:\Windows\SysWOW64\Eajhgg32.exe Eiocbd32.exe File opened for modification C:\Windows\SysWOW64\Pfhlie32.exe Ohcohh32.exe File created C:\Windows\SysWOW64\Pkicij32.dll Phhhchlp.exe File created C:\Windows\SysWOW64\Ccmanjch.exe Cgfqii32.exe File opened for modification C:\Windows\SysWOW64\Akmlacdn.exe Afpchl32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 2440 4140 WerFault.exe 468 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qdkfic32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ealbcngg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jakjjcnd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnfmhj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lodoefed.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpblne32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aiflpm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kheaoj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibjikk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Caepdk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmdcngbd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojnelefl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcihdo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imkqmh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omddmkhl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajbdpblo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opjlkc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhopcl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khhndi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpcbhlki.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iimhfj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmiihjak.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gielchpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Himionmc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cikdbhhi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aglhph32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cifdmbib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mddibb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jojnglco.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icjmpd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odfofhic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plffkc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omoehf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcqcoo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Moloidjl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amebjgai.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgelahmn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkebgj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkfeec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Foidii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nogmin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qcmnaaji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elgioe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bqffna32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fholmo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glhhgahg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljpnch32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpdpkfga.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jaaoakmc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akhkkmdh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcajjf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dijjgegh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dahobdpe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dibhjokm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlmiojla.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgejidgn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnffnd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njcibgcf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obopobhe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pqgbah32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfbinf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Foblaefj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ecjkkp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcqdidim.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kmdofebo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hingbldn.dll" Ehinpnpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mjmgbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ajghgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpnoahlk.dll" Edohki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfhednad.dll" Gielchpp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jadlgjjq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mhgpgjoj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cocbbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkngmm32.dll" Ccmanjch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Epmahmcm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gapoob32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Odanqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ahllda32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bdklnq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ggeiooea.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hqemlbqi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojqeofnd.dll" Mlgdhcmb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fdggofgn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gkoodd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jiinmnaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iofpmj32.dll" Nqbdllld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afnakj32.dll" Fjaqhe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jpcdqpqj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bgcbja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dfnjqifb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bofednkl.dll" Bfieec32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aiflpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncmioapf.dll" Chblqlcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmahenoo.dll" Gjqfmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgffqlfd.dll" Lnambeed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Njdbefnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Giiinjlg.dll" Lppkgi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hgkknm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iagaod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhheim32.dll" Jblpge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgjgpkgn.dll" Gofajcog.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kheaoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oidqcdjh.dll" Kheaoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nogmin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oicbma32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Imkqmh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aodjdede.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Glhhgahg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Doadhjbl.dll" Fjlqcppm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqffpm32.dll" Mbmebgpi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pieobaiq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kifgllbc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nqgngk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Boqgep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beekdc32.dll" Haggijgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nlmiojla.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cmocha32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kidjfl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gjahfkfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncmbldke.dll" Lahaqm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mlgdhcmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pjpicfdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qjagmb32.dll" Dahobdpe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlgonj32.dll" Eiocbd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Foqadnpq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ihooog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Noplll32.dll" Nogmin32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lnfmhj32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2528 wrote to memory of 1692 2528 99c68bdabc501def1d77ecd1070f825418a12d19e62ed36614995b5b6aa4aad5.exe 30 PID 2528 wrote to memory of 1692 2528 99c68bdabc501def1d77ecd1070f825418a12d19e62ed36614995b5b6aa4aad5.exe 30 PID 2528 wrote to memory of 1692 2528 99c68bdabc501def1d77ecd1070f825418a12d19e62ed36614995b5b6aa4aad5.exe 30 PID 2528 wrote to memory of 1692 2528 99c68bdabc501def1d77ecd1070f825418a12d19e62ed36614995b5b6aa4aad5.exe 30 PID 1692 wrote to memory of 2980 1692 Kqmnadlk.exe 31 PID 1692 wrote to memory of 2980 1692 Kqmnadlk.exe 31 PID 1692 wrote to memory of 2980 1692 Kqmnadlk.exe 31 PID 1692 wrote to memory of 2980 1692 Kqmnadlk.exe 31 PID 2980 wrote to memory of 568 2980 Kmdofebo.exe 32 PID 2980 wrote to memory of 568 2980 Kmdofebo.exe 32 PID 2980 wrote to memory of 568 2980 Kmdofebo.exe 32 PID 2980 wrote to memory of 568 2980 Kmdofebo.exe 32 PID 568 wrote to memory of 2792 568 Kecmfg32.exe 33 PID 568 wrote to memory of 2792 568 Kecmfg32.exe 33 PID 568 wrote to memory of 2792 568 Kecmfg32.exe 33 PID 568 wrote to memory of 2792 568 Kecmfg32.exe 33 PID 2792 wrote to memory of 2756 2792 Lajmkhai.exe 34 PID 2792 wrote to memory of 2756 2792 Lajmkhai.exe 34 PID 2792 wrote to memory of 2756 2792 Lajmkhai.exe 34 PID 2792 wrote to memory of 2756 2792 Lajmkhai.exe 34 PID 2756 wrote to memory of 836 2756 Ladpagin.exe 35 PID 2756 wrote to memory of 836 2756 Ladpagin.exe 35 PID 2756 wrote to memory of 836 2756 Ladpagin.exe 35 PID 2756 wrote to memory of 836 2756 Ladpagin.exe 35 PID 836 wrote to memory of 2324 836 Mddibb32.exe 36 PID 836 wrote to memory of 2324 836 Mddibb32.exe 36 PID 836 wrote to memory of 2324 836 Mddibb32.exe 36 PID 836 wrote to memory of 2324 836 Mddibb32.exe 36 PID 2324 wrote to memory of 2948 2324 Mlgdhcmb.exe 37 PID 2324 wrote to memory of 2948 2324 Mlgdhcmb.exe 37 PID 2324 wrote to memory of 2948 2324 Mlgdhcmb.exe 37 PID 2324 wrote to memory of 2948 2324 Mlgdhcmb.exe 37 PID 2948 wrote to memory of 2416 2948 Nogmin32.exe 38 PID 2948 wrote to memory of 2416 2948 Nogmin32.exe 38 PID 2948 wrote to memory of 2416 2948 Nogmin32.exe 38 PID 2948 wrote to memory of 2416 2948 Nogmin32.exe 38 PID 2416 wrote to memory of 2212 2416 Nejkdm32.exe 39 PID 2416 wrote to memory of 2212 2416 Nejkdm32.exe 39 PID 2416 wrote to memory of 2212 2416 Nejkdm32.exe 39 PID 2416 wrote to memory of 2212 2416 Nejkdm32.exe 39 PID 2212 wrote to memory of 2448 2212 Ogjhnp32.exe 40 PID 2212 wrote to memory of 2448 2212 Ogjhnp32.exe 40 PID 2212 wrote to memory of 2448 2212 Ogjhnp32.exe 40 PID 2212 wrote to memory of 2448 2212 Ogjhnp32.exe 40 PID 2448 wrote to memory of 580 2448 Odfofhic.exe 41 PID 2448 wrote to memory of 580 2448 Odfofhic.exe 41 PID 2448 wrote to memory of 580 2448 Odfofhic.exe 41 PID 2448 wrote to memory of 580 2448 Odfofhic.exe 41 PID 580 wrote to memory of 2152 580 Ohdglfoj.exe 42 PID 580 wrote to memory of 2152 580 Ohdglfoj.exe 42 PID 580 wrote to memory of 2152 580 Ohdglfoj.exe 42 PID 580 wrote to memory of 2152 580 Ohdglfoj.exe 42 PID 2152 wrote to memory of 2312 2152 Pgnnhbpm.exe 43 PID 2152 wrote to memory of 2312 2152 Pgnnhbpm.exe 43 PID 2152 wrote to memory of 2312 2152 Pgnnhbpm.exe 43 PID 2152 wrote to memory of 2312 2152 Pgnnhbpm.exe 43 PID 2312 wrote to memory of 960 2312 Pqgbah32.exe 44 PID 2312 wrote to memory of 960 2312 Pqgbah32.exe 44 PID 2312 wrote to memory of 960 2312 Pqgbah32.exe 44 PID 2312 wrote to memory of 960 2312 Pqgbah32.exe 44 PID 960 wrote to memory of 2108 960 Qqbeel32.exe 45 PID 960 wrote to memory of 2108 960 Qqbeel32.exe 45 PID 960 wrote to memory of 2108 960 Qqbeel32.exe 45 PID 960 wrote to memory of 2108 960 Qqbeel32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\99c68bdabc501def1d77ecd1070f825418a12d19e62ed36614995b5b6aa4aad5.exe"C:\Users\Admin\AppData\Local\Temp\99c68bdabc501def1d77ecd1070f825418a12d19e62ed36614995b5b6aa4aad5.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2528 -
C:\Windows\SysWOW64\Kqmnadlk.exeC:\Windows\system32\Kqmnadlk.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1692 -
C:\Windows\SysWOW64\Kmdofebo.exeC:\Windows\system32\Kmdofebo.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2980 -
C:\Windows\SysWOW64\Kecmfg32.exeC:\Windows\system32\Kecmfg32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:568 -
C:\Windows\SysWOW64\Lajmkhai.exeC:\Windows\system32\Lajmkhai.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2792 -
C:\Windows\SysWOW64\Ladpagin.exeC:\Windows\system32\Ladpagin.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2756 -
C:\Windows\SysWOW64\Mddibb32.exeC:\Windows\system32\Mddibb32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:836 -
C:\Windows\SysWOW64\Mlgdhcmb.exeC:\Windows\system32\Mlgdhcmb.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2324 -
C:\Windows\SysWOW64\Nogmin32.exeC:\Windows\system32\Nogmin32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2948 -
C:\Windows\SysWOW64\Nejkdm32.exeC:\Windows\system32\Nejkdm32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2416 -
C:\Windows\SysWOW64\Ogjhnp32.exeC:\Windows\system32\Ogjhnp32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2212 -
C:\Windows\SysWOW64\Odfofhic.exeC:\Windows\system32\Odfofhic.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2448 -
C:\Windows\SysWOW64\Ohdglfoj.exeC:\Windows\system32\Ohdglfoj.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:580 -
C:\Windows\SysWOW64\Pgnnhbpm.exeC:\Windows\system32\Pgnnhbpm.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2152 -
C:\Windows\SysWOW64\Pqgbah32.exeC:\Windows\system32\Pqgbah32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2312 -
C:\Windows\SysWOW64\Qqbeel32.exeC:\Windows\system32\Qqbeel32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:960 -
C:\Windows\SysWOW64\Anfeop32.exeC:\Windows\system32\Anfeop32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2108 -
C:\Windows\SysWOW64\Aiflpm32.exeC:\Windows\system32\Aiflpm32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1924 -
C:\Windows\SysWOW64\Bboahbio.exeC:\Windows\system32\Bboahbio.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1508 -
C:\Windows\SysWOW64\Bbfgiabg.exeC:\Windows\system32\Bbfgiabg.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2600 -
C:\Windows\SysWOW64\Ckchcc32.exeC:\Windows\system32\Ckchcc32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1536 -
C:\Windows\SysWOW64\Ckhbnb32.exeC:\Windows\system32\Ckhbnb32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2664 -
C:\Windows\SysWOW64\Ceacoqfi.exeC:\Windows\system32\Ceacoqfi.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:524 -
C:\Windows\SysWOW64\Chblqlcj.exeC:\Windows\system32\Chblqlcj.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1736 -
C:\Windows\SysWOW64\Dibhjokm.exeC:\Windows\system32\Dibhjokm.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2308 -
C:\Windows\SysWOW64\Dkeahf32.exeC:\Windows\system32\Dkeahf32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2568 -
C:\Windows\SysWOW64\Dhibakmb.exeC:\Windows\system32\Dhibakmb.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1288 -
C:\Windows\SysWOW64\Dadcppbp.exeC:\Windows\system32\Dadcppbp.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1556 -
C:\Windows\SysWOW64\Enkdda32.exeC:\Windows\system32\Enkdda32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2896 -
C:\Windows\SysWOW64\Effhic32.exeC:\Windows\system32\Effhic32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2804 -
C:\Windows\SysWOW64\Eclfhgaf.exeC:\Windows\system32\Eclfhgaf.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2772 -
C:\Windows\SysWOW64\Ehinpnpm.exeC:\Windows\system32\Ehinpnpm.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2820 -
C:\Windows\SysWOW64\Ekjgbi32.exeC:\Windows\system32\Ekjgbi32.exe33⤵
- Executes dropped EXE
PID:2476 -
C:\Windows\SysWOW64\Fjaqhe32.exeC:\Windows\system32\Fjaqhe32.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:2252 -
C:\Windows\SysWOW64\Fkambhgf.exeC:\Windows\system32\Fkambhgf.exe35⤵
- Executes dropped EXE
PID:1928 -
C:\Windows\SysWOW64\Ffkncf32.exeC:\Windows\system32\Ffkncf32.exe36⤵
- Executes dropped EXE
PID:1120 -
C:\Windows\SysWOW64\Ffmkhe32.exeC:\Windows\system32\Ffmkhe32.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2368 -
C:\Windows\SysWOW64\Gbdlnf32.exeC:\Windows\system32\Gbdlnf32.exe38⤵
- Executes dropped EXE
PID:760 -
C:\Windows\SysWOW64\Gfadcemm.exeC:\Windows\system32\Gfadcemm.exe39⤵
- Executes dropped EXE
PID:1880 -
C:\Windows\SysWOW64\Ghenamai.exeC:\Windows\system32\Ghenamai.exe40⤵
- Executes dropped EXE
PID:2356 -
C:\Windows\SysWOW64\Giejkp32.exeC:\Windows\system32\Giejkp32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2440 -
C:\Windows\SysWOW64\Gapoob32.exeC:\Windows\system32\Gapoob32.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:864 -
C:\Windows\SysWOW64\Hndoifdp.exeC:\Windows\system32\Hndoifdp.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2132 -
C:\Windows\SysWOW64\Hjkpng32.exeC:\Windows\system32\Hjkpng32.exe44⤵
- Executes dropped EXE
PID:1356 -
C:\Windows\SysWOW64\Hpghfn32.exeC:\Windows\system32\Hpghfn32.exe45⤵
- Executes dropped EXE
PID:1052 -
C:\Windows\SysWOW64\Hmkiobge.exeC:\Windows\system32\Hmkiobge.exe46⤵
- Executes dropped EXE
PID:2516 -
C:\Windows\SysWOW64\Hibidc32.exeC:\Windows\system32\Hibidc32.exe47⤵
- Executes dropped EXE
PID:1324 -
C:\Windows\SysWOW64\Hmpbja32.exeC:\Windows\system32\Hmpbja32.exe48⤵
- Executes dropped EXE
PID:704 -
C:\Windows\SysWOW64\Iigcobid.exeC:\Windows\system32\Iigcobid.exe49⤵
- Executes dropped EXE
PID:2560 -
C:\Windows\SysWOW64\Iockhigl.exeC:\Windows\system32\Iockhigl.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2912 -
C:\Windows\SysWOW64\Ibadnhmb.exeC:\Windows\system32\Ibadnhmb.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3048 -
C:\Windows\SysWOW64\Iagaod32.exeC:\Windows\system32\Iagaod32.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:2972 -
C:\Windows\SysWOW64\Ikoehj32.exeC:\Windows\system32\Ikoehj32.exe53⤵
- Executes dropped EXE
PID:1500 -
C:\Windows\SysWOW64\Iplnpq32.exeC:\Windows\system32\Iplnpq32.exe54⤵
- Executes dropped EXE
PID:2564 -
C:\Windows\SysWOW64\Jakjjcnd.exeC:\Windows\system32\Jakjjcnd.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2456 -
C:\Windows\SysWOW64\Jkdoci32.exeC:\Windows\system32\Jkdoci32.exe56⤵
- Executes dropped EXE
PID:1856 -
C:\Windows\SysWOW64\Jgkphj32.exeC:\Windows\system32\Jgkphj32.exe57⤵
- Executes dropped EXE
PID:1656 -
C:\Windows\SysWOW64\Jpcdqpqj.exeC:\Windows\system32\Jpcdqpqj.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:980 -
C:\Windows\SysWOW64\Jhniebne.exeC:\Windows\system32\Jhniebne.exe59⤵
- Executes dropped EXE
PID:284 -
C:\Windows\SysWOW64\Jfbinf32.exeC:\Windows\system32\Jfbinf32.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2504 -
C:\Windows\SysWOW64\Jllakpdk.exeC:\Windows\system32\Jllakpdk.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:588 -
C:\Windows\SysWOW64\Jojnglco.exeC:\Windows\system32\Jojnglco.exe62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2632 -
C:\Windows\SysWOW64\Khcbpa32.exeC:\Windows\system32\Khcbpa32.exe63⤵
- Executes dropped EXE
PID:2188 -
C:\Windows\SysWOW64\Kbppdfmk.exeC:\Windows\system32\Kbppdfmk.exe64⤵
- Executes dropped EXE
PID:1496 -
C:\Windows\SysWOW64\Kngaig32.exeC:\Windows\system32\Kngaig32.exe65⤵
- Executes dropped EXE
PID:456 -
C:\Windows\SysWOW64\Lmlnjcgg.exeC:\Windows\system32\Lmlnjcgg.exe66⤵PID:108
-
C:\Windows\SysWOW64\Ljpnch32.exeC:\Windows\system32\Ljpnch32.exe67⤵
- System Location Discovery: System Language Discovery
PID:1032 -
C:\Windows\SysWOW64\Ljbkig32.exeC:\Windows\system32\Ljbkig32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2956 -
C:\Windows\SysWOW64\Lbmpnjai.exeC:\Windows\system32\Lbmpnjai.exe69⤵PID:1576
-
C:\Windows\SysWOW64\Lndqbk32.exeC:\Windows\system32\Lndqbk32.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2124 -
C:\Windows\SysWOW64\Lkhalo32.exeC:\Windows\system32\Lkhalo32.exe71⤵PID:3000
-
C:\Windows\SysWOW64\Lnfmhj32.exeC:\Windows\system32\Lnfmhj32.exe72⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2788 -
C:\Windows\SysWOW64\Mjmnmk32.exeC:\Windows\system32\Mjmnmk32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2784 -
C:\Windows\SysWOW64\Mnkfcjqe.exeC:\Windows\system32\Mnkfcjqe.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2352 -
C:\Windows\SysWOW64\Mchokq32.exeC:\Windows\system32\Mchokq32.exe75⤵PID:2332
-
C:\Windows\SysWOW64\Mmpcdfem.exeC:\Windows\system32\Mmpcdfem.exe76⤵PID:2024
-
C:\Windows\SysWOW64\Migdig32.exeC:\Windows\system32\Migdig32.exe77⤵PID:2000
-
C:\Windows\SysWOW64\Mmemoe32.exeC:\Windows\system32\Mmemoe32.exe78⤵PID:548
-
C:\Windows\SysWOW64\Nfmahkhh.exeC:\Windows\system32\Nfmahkhh.exe79⤵PID:2052
-
C:\Windows\SysWOW64\Nljjqbfp.exeC:\Windows\system32\Nljjqbfp.exe80⤵PID:2016
-
C:\Windows\SysWOW64\Nlmffa32.exeC:\Windows\system32\Nlmffa32.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:892 -
C:\Windows\SysWOW64\Nhcgkbja.exeC:\Windows\system32\Nhcgkbja.exe82⤵PID:1208
-
C:\Windows\SysWOW64\Nomphm32.exeC:\Windows\system32\Nomphm32.exe83⤵PID:668
-
C:\Windows\SysWOW64\Ngkaaolf.exeC:\Windows\system32\Ngkaaolf.exe84⤵PID:1332
-
C:\Windows\SysWOW64\Odoakckp.exeC:\Windows\system32\Odoakckp.exe85⤵PID:2616
-
C:\Windows\SysWOW64\Odanqb32.exeC:\Windows\system32\Odanqb32.exe86⤵
- Modifies registry class
PID:2924 -
C:\Windows\SysWOW64\Ollcee32.exeC:\Windows\system32\Ollcee32.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2920 -
C:\Windows\SysWOW64\Ogbgbn32.exeC:\Windows\system32\Ogbgbn32.exe88⤵PID:2936
-
C:\Windows\SysWOW64\Opjlkc32.exeC:\Windows\system32\Opjlkc32.exe89⤵
- System Location Discovery: System Language Discovery
PID:2224 -
C:\Windows\SysWOW64\Oheppe32.exeC:\Windows\system32\Oheppe32.exe90⤵PID:2628
-
C:\Windows\SysWOW64\Piemih32.exeC:\Windows\system32\Piemih32.exe91⤵PID:2872
-
C:\Windows\SysWOW64\Plffkc32.exeC:\Windows\system32\Plffkc32.exe92⤵
- System Location Discovery: System Language Discovery
PID:696 -
C:\Windows\SysWOW64\Pgogla32.exeC:\Windows\system32\Pgogla32.exe93⤵PID:2536
-
C:\Windows\SysWOW64\Pdcgeejf.exeC:\Windows\system32\Pdcgeejf.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2432 -
C:\Windows\SysWOW64\Pnllnk32.exeC:\Windows\system32\Pnllnk32.exe95⤵
- Drops file in System32 directory
PID:2468 -
C:\Windows\SysWOW64\Pchdfb32.exeC:\Windows\system32\Pchdfb32.exe96⤵
- Drops file in System32 directory
PID:644 -
C:\Windows\SysWOW64\Qmahog32.exeC:\Windows\system32\Qmahog32.exe97⤵PID:1936
-
C:\Windows\SysWOW64\Qcmnaaji.exeC:\Windows\system32\Qcmnaaji.exe98⤵
- System Location Discovery: System Language Discovery
PID:1300 -
C:\Windows\SysWOW64\Amebjgai.exeC:\Windows\system32\Amebjgai.exe99⤵
- System Location Discovery: System Language Discovery
PID:2488 -
C:\Windows\SysWOW64\Ailboh32.exeC:\Windows\system32\Ailboh32.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2976 -
C:\Windows\SysWOW64\Afpchl32.exeC:\Windows\system32\Afpchl32.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2144 -
C:\Windows\SysWOW64\Akmlacdn.exeC:\Windows\system32\Akmlacdn.exe102⤵PID:2848
-
C:\Windows\SysWOW64\Aialjgbh.exeC:\Windows\system32\Aialjgbh.exe103⤵PID:2580
-
C:\Windows\SysWOW64\Anpahn32.exeC:\Windows\system32\Anpahn32.exe104⤵PID:316
-
C:\Windows\SysWOW64\Bjlkhn32.exeC:\Windows\system32\Bjlkhn32.exe105⤵PID:3024
-
C:\Windows\SysWOW64\Bcdpacgl.exeC:\Windows\system32\Bcdpacgl.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1952 -
C:\Windows\SysWOW64\Bbimbpld.exeC:\Windows\system32\Bbimbpld.exe107⤵PID:2404
-
C:\Windows\SysWOW64\Claake32.exeC:\Windows\system32\Claake32.exe108⤵PID:2360
-
C:\Windows\SysWOW64\Ciebdj32.exeC:\Windows\system32\Ciebdj32.exe109⤵PID:2768
-
C:\Windows\SysWOW64\Cjikaa32.exeC:\Windows\system32\Cjikaa32.exe110⤵PID:1512
-
C:\Windows\SysWOW64\Chmkkf32.exeC:\Windows\system32\Chmkkf32.exe111⤵PID:2716
-
C:\Windows\SysWOW64\Caepdk32.exeC:\Windows\system32\Caepdk32.exe112⤵
- System Location Discovery: System Language Discovery
PID:2612 -
C:\Windows\SysWOW64\Ckndmaad.exeC:\Windows\system32\Ckndmaad.exe113⤵PID:2888
-
C:\Windows\SysWOW64\Cdfief32.exeC:\Windows\system32\Cdfief32.exe114⤵PID:1336
-
C:\Windows\SysWOW64\Ddhekfeb.exeC:\Windows\system32\Ddhekfeb.exe115⤵PID:1388
-
C:\Windows\SysWOW64\Diencmcj.exeC:\Windows\system32\Diencmcj.exe116⤵PID:3004
-
C:\Windows\SysWOW64\Dihkimag.exeC:\Windows\system32\Dihkimag.exe117⤵PID:2436
-
C:\Windows\SysWOW64\Dcpoab32.exeC:\Windows\system32\Dcpoab32.exe118⤵PID:2200
-
C:\Windows\SysWOW64\Dpdpkfga.exeC:\Windows\system32\Dpdpkfga.exe119⤵
- System Location Discovery: System Language Discovery
PID:2140 -
C:\Windows\SysWOW64\Dgnhhq32.exeC:\Windows\system32\Dgnhhq32.exe120⤵PID:2060
-
C:\Windows\SysWOW64\Eoimlc32.exeC:\Windows\system32\Eoimlc32.exe121⤵PID:1808
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-