Analysis
-
max time kernel
78s -
max time network
18s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
23-11-2024 06:03
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
2a40361643a292993bc51f069a95c35d17282ce06b66cb72e633342f1cbe4a82.exe
Resource
win7-20241010-en
windows7-x64
10 signatures
120 seconds
Behavioral task
behavioral2
Sample
2a40361643a292993bc51f069a95c35d17282ce06b66cb72e633342f1cbe4a82.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
120 seconds
General
-
Target
2a40361643a292993bc51f069a95c35d17282ce06b66cb72e633342f1cbe4a82.exe
-
Size
45KB
-
MD5
bc191bb1527acfc574065e3185c7c4b1
-
SHA1
87a470ef3af6201cb128cf35295103320e31824a
-
SHA256
2a40361643a292993bc51f069a95c35d17282ce06b66cb72e633342f1cbe4a82
-
SHA512
57cb02ca4722b3058d1fcdf22a5407812ac7de35e3eb69f8b8a67dd6e9efea2043153e36f74ef41ad0adc2071778998c0083c6f1d70e26dd71d1c38f81159fa5
-
SSDEEP
768:z/vbjLoWMKYyr4GmHMqZGbISwoYI3eqAx3emW/1H5cr:zPLqKYHsq7ShYI3eqAFem8mr
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://tat-neftbank.ru/kkq.php
http://tat-neftbank.ru/wcmd.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajaagi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekjikadb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Calgoken.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iilocklc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jnlfjjpl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hocmbjhn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iniglajj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bnkbcmaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Colgpo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dobcekld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mgodjico.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckdpinhf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjfbaj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfqbol32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcehpbdm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ldihjo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opbopn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Keehmobp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjfbaj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgjgapaa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdjnje32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iiaoip32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbmnjenb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gijncn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Galhhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bbpffhnb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fgqcel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kikpgk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gledgkfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Goicaell.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dkbnjmhq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Naihdb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pghjqlmi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddqeodjj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgpklb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oiglfm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkpfjnnl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bcdpacgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dpmjjhmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gnoocq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlddpkgh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ceioieei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Almmlg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Igdqmeke.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecnpgj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcllmi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgkjji32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jehpna32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnkpjd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dieiap32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhhmki32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amhopfof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dpicceon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhpigk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eigbfb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfnchd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jocdqc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmgmbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aipickfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ddgljced.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Enliaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mpcmojia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eeeanm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkmfpabp.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2932 Aijfihip.exe 2888 Acpjga32.exe 2952 Amhopfof.exe 2776 Aioodg32.exe 2628 Agdlfd32.exe 2860 Aalaoipc.exe 1168 Bghfacem.exe 2700 Bcoffd32.exe 2352 Bpfgke32.exe 1868 Bcdpacgl.exe 3036 Bpkqfdmp.exe 1968 Bmoaoikj.exe 2060 Cldnqe32.exe 2512 Cealdjcm.exe 1136 Dhaefepn.exe 872 Dpmjjhmi.exe 1308 Dmajdl32.exe 2636 Dgiomabc.exe 932 Dcpoab32.exe 612 Dpdpkfga.exe 1620 Dhodpidl.exe 2644 Eioaillo.exe 1748 Eokiabjf.exe 2392 Eeeanm32.exe 2572 Ealbcngg.exe 2276 Edmkei32.exe 2864 Ejjdmp32.exe 2416 Egndgdai.exe 2828 Fgpalcog.exe 3028 Fmofjj32.exe 2736 Fjcfco32.exe 2784 Fdmgdl32.exe 2556 Fnelmb32.exe 1624 Gikpjk32.exe 2652 Gqfeom32.exe 3024 Gjnigb32.exe 1808 Gjqfmb32.exe 1872 Gcikfhed.exe 2076 Gnoocq32.exe 2084 Gppkkikh.exe 2088 Haohel32.exe 1148 Hflpmb32.exe 2012 Himionmc.exe 1040 Hpinagbm.exe 2360 Hamgno32.exe 2204 Idnppjcj.exe 812 Iaaaiobc.exe 2544 Imhanp32.exe 2716 Imkndofe.exe 2240 Ipijpkei.exe 2896 Iiaoip32.exe 1692 Ipkgejcf.exe 2856 Jehpna32.exe 2900 Jpndkj32.exe 2752 Jifhdphd.exe 2580 Jlddpkgh.exe 1576 Jcnmme32.exe 2384 Jemiiqmh.exe 3008 Jhkeelml.exe 2800 Jdbfjm32.exe 1088 Jpigonhd.exe 2496 Jgbolhoa.exe 1632 Kpkcdn32.exe 2116 Knodnb32.exe -
Loads dropped DLL 64 IoCs
pid Process 1820 2a40361643a292993bc51f069a95c35d17282ce06b66cb72e633342f1cbe4a82.exe 1820 2a40361643a292993bc51f069a95c35d17282ce06b66cb72e633342f1cbe4a82.exe 2932 Aijfihip.exe 2932 Aijfihip.exe 2888 Acpjga32.exe 2888 Acpjga32.exe 2952 Amhopfof.exe 2952 Amhopfof.exe 2776 Aioodg32.exe 2776 Aioodg32.exe 2628 Agdlfd32.exe 2628 Agdlfd32.exe 2860 Aalaoipc.exe 2860 Aalaoipc.exe 1168 Bghfacem.exe 1168 Bghfacem.exe 2700 Bcoffd32.exe 2700 Bcoffd32.exe 2352 Bpfgke32.exe 2352 Bpfgke32.exe 1868 Bcdpacgl.exe 1868 Bcdpacgl.exe 3036 Bpkqfdmp.exe 3036 Bpkqfdmp.exe 1968 Bmoaoikj.exe 1968 Bmoaoikj.exe 2060 Cldnqe32.exe 2060 Cldnqe32.exe 2512 Cealdjcm.exe 2512 Cealdjcm.exe 1136 Dhaefepn.exe 1136 Dhaefepn.exe 872 Dpmjjhmi.exe 872 Dpmjjhmi.exe 1308 Dmajdl32.exe 1308 Dmajdl32.exe 2636 Dgiomabc.exe 2636 Dgiomabc.exe 932 Dcpoab32.exe 932 Dcpoab32.exe 612 Dpdpkfga.exe 612 Dpdpkfga.exe 1620 Dhodpidl.exe 1620 Dhodpidl.exe 2644 Eioaillo.exe 2644 Eioaillo.exe 1748 Eokiabjf.exe 1748 Eokiabjf.exe 2392 Eeeanm32.exe 2392 Eeeanm32.exe 2572 Ealbcngg.exe 2572 Ealbcngg.exe 2276 Edmkei32.exe 2276 Edmkei32.exe 2864 Ejjdmp32.exe 2864 Ejjdmp32.exe 2416 Egndgdai.exe 2416 Egndgdai.exe 2828 Fgpalcog.exe 2828 Fgpalcog.exe 3028 Fmofjj32.exe 3028 Fmofjj32.exe 2736 Fjcfco32.exe 2736 Fjcfco32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Fpgcde32.dll Ccmcfc32.exe File opened for modification C:\Windows\SysWOW64\Fpoleilj.exe Fjbdmbmb.exe File created C:\Windows\SysWOW64\Jfnchd32.exe Jijbnppi.exe File opened for modification C:\Windows\SysWOW64\Kjfdcc32.exe Kcllfi32.exe File created C:\Windows\SysWOW64\Fompem32.dll Eijffhjd.exe File created C:\Windows\SysWOW64\Kfeohc32.dll Bcobdgoj.exe File opened for modification C:\Windows\SysWOW64\Kiifjd32.exe Kleeqp32.exe File opened for modification C:\Windows\SysWOW64\Blhifemo.exe Babdhlmh.exe File opened for modification C:\Windows\SysWOW64\Liaenblm.exe Lbgmah32.exe File created C:\Windows\SysWOW64\Bieplj32.dll Dljdcqek.exe File created C:\Windows\SysWOW64\Iofpmj32.dll Nndhpqma.exe File opened for modification C:\Windows\SysWOW64\Dcijmhdj.exe Dmobpn32.exe File created C:\Windows\SysWOW64\Gmhibenb.exe Gcpdip32.exe File opened for modification C:\Windows\SysWOW64\Aijfihip.exe 2a40361643a292993bc51f069a95c35d17282ce06b66cb72e633342f1cbe4a82.exe File created C:\Windows\SysWOW64\Lfcmcj32.dll Gikpjk32.exe File created C:\Windows\SysWOW64\Dhqpmc32.dll Nnhobgag.exe File opened for modification C:\Windows\SysWOW64\Qkeofnfk.exe Qfifmghc.exe File opened for modification C:\Windows\SysWOW64\Flbehbqm.exe Falakjag.exe File opened for modification C:\Windows\SysWOW64\Opbopn32.exe Ofjjghik.exe File opened for modification C:\Windows\SysWOW64\Dhggdcgh.exe Deikhhhe.exe File created C:\Windows\SysWOW64\Ecahhhlc.dll Kobhillo.exe File opened for modification C:\Windows\SysWOW64\Nlfaag32.exe Ncnmhajo.exe File created C:\Windows\SysWOW64\Pnmaofkf.dll Cgibpj32.exe File opened for modification C:\Windows\SysWOW64\Nlgfqldf.exe Maabcc32.exe File opened for modification C:\Windows\SysWOW64\Qakmghbm.exe Pgamgken.exe File opened for modification C:\Windows\SysWOW64\Gjiibm32.exe Fqqdigko.exe File created C:\Windows\SysWOW64\Lapcee32.dll Boggkicf.exe File created C:\Windows\SysWOW64\Bnejjf32.dll Dcffmb32.exe File opened for modification C:\Windows\SysWOW64\Kamncagl.exe Kkpekjie.exe File created C:\Windows\SysWOW64\Oceaql32.exe Omkidb32.exe File opened for modification C:\Windows\SysWOW64\Kkaaee32.exe Keehmobp.exe File created C:\Windows\SysWOW64\Peaibajp.exe Plheil32.exe File created C:\Windows\SysWOW64\Lppikp32.dll Cmocha32.exe File opened for modification C:\Windows\SysWOW64\Chccfe32.exe Cplkehnk.exe File created C:\Windows\SysWOW64\Hlegof32.dll Choejien.exe File opened for modification C:\Windows\SysWOW64\Oleinmgd.exe Oekaab32.exe File created C:\Windows\SysWOW64\Iilalc32.exe Ingmoj32.exe File created C:\Windows\SysWOW64\Ecfednma.exe Enjmlgoj.exe File created C:\Windows\SysWOW64\Ldjmkq32.exe Lkahbkgk.exe File opened for modification C:\Windows\SysWOW64\Hhhmki32.exe Hanenoeh.exe File created C:\Windows\SysWOW64\Ghqobdnq.dll Ockhpgbf.exe File created C:\Windows\SysWOW64\Baiingae.exe Bfphmi32.exe File created C:\Windows\SysWOW64\Ldfmlkmf.dll Dhggdcgh.exe File created C:\Windows\SysWOW64\Nffhad32.dll Plheil32.exe File opened for modification C:\Windows\SysWOW64\Afqeaemk.exe Alhaho32.exe File created C:\Windows\SysWOW64\Hekohm32.dll Dfjaej32.exe File created C:\Windows\SysWOW64\Mgkgdd32.dll Mfoqephq.exe File created C:\Windows\SysWOW64\Ifikehii.exe Ifgooikk.exe File created C:\Windows\SysWOW64\Egaoldnf.exe Emlkoknp.exe File created C:\Windows\SysWOW64\Eddlcgjb.exe Ehnknfdn.exe File created C:\Windows\SysWOW64\Aoclac32.dll Inbobn32.exe File opened for modification C:\Windows\SysWOW64\Iilocklc.exe Ipcjje32.exe File opened for modification C:\Windows\SysWOW64\Ciknhb32.exe Cneiki32.exe File created C:\Windows\SysWOW64\Opcboqhc.dll Mlnbmikh.exe File created C:\Windows\SysWOW64\Neihmpon.exe Mpmpeiqg.exe File created C:\Windows\SysWOW64\Mmlmmdga.exe Meaiia32.exe File created C:\Windows\SysWOW64\Ooelen32.dll Jhjldiln.exe File created C:\Windows\SysWOW64\Nmiinh32.dll Ekjikadb.exe File opened for modification C:\Windows\SysWOW64\Akjjifji.exe Adqbml32.exe File opened for modification C:\Windows\SysWOW64\Fgffck32.exe Fmnakege.exe File created C:\Windows\SysWOW64\Epaeea32.dll Fngjmb32.exe File created C:\Windows\SysWOW64\Mbjjjlll.dll Kcbcah32.exe File created C:\Windows\SysWOW64\Emqfen32.dll Qamleagn.exe File created C:\Windows\SysWOW64\Gahibj32.dll Dmobpn32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 1448 2552 WerFault.exe 986 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjplao32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aadbfp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Peooek32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Behpcefk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agaifnhi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afhbljko.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Empphi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibhieo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkccob32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgbiggof.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldjmkq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ockhpgbf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjjakg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Almmlg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gocpcfeb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pphilb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bokcom32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ecnpgj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjgdfg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glgqlkdl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npgppdpc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pafacd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejcaanfg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghqqpd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmgmbj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dofilm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jidngh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lllkaobc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcekkkmc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oljanhmc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgffck32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdfcaegj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndhooaog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlnadiko.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpcbhlki.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flbgak32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glmckikf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdefdjnl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkbnjmhq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajghgd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbccklmj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhggdcgh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eagdgaoe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkbhco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gledgkfn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djahmk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fipdci32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmabaf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qlpadaac.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfmhfm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjndca32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adadedjq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gqfeom32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnecjgch.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckgogfmg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffeoid32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igeggkoq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aejmha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkmfpabp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmopge32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfjaej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdpmljan.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chccfe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmabmf32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pbaide32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qdapln32.dll" Iilalc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkaoai32.dll" Jeenfd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Agdlfd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jdbfjm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fijolbfh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phooqo32.dll" Inaliedk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajnncp32.dll" Kffpcilf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgaengmn.dll" Ledpjdid.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Obdlcjkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbnleefp.dll" Dgkike32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ejjdmp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cfaaalep.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Behpcefk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkonlh32.dll" Jjqlbdog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Liohhbno.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nlfmoidh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhmomjib.dll" Ddqeodjj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cmkkhfmn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gjahfkfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kljhak32.dll" Obffpa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dbmnjenb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fimedaoe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ilcfjkgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddnjaegb.dll" Ehnknfdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dofilm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdcadn32.dll" Bokcom32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fdadbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnfmnibf.dll" Ecabfpff.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jhgonj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgkgdd32.dll" Mfoqephq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Adqbml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffobpfeo.dll" Babdhlmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mogqlgbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Colgpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jaolad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cnhhia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldbjfdld.dll" Kcahjqfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkeecd32.dll" Mhpigk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bdpgai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mflnei32.dll" Gcikfhed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kkaaee32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gllabp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfehhmgp.dll" Chfffk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bahhpf32.dll" Kleeqp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Emlkoknp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aamhdckg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebmjoebl.dll" Necqbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ionqcpbl.dll" Ciknhb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Choejien.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Abjcleqm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkgkop32.dll" Bhiglh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mmcbbo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Onkoadhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnmaofkf.dll" Cgibpj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dkfcqo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gjiibm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oggnlj32.dll" Mnffnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhdhhfgk.dll" Koeeoljm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgofbd32.dll" Kniaap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Egndgdai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iaaaiobc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eagdgaoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Coledgje.dll" Mkiemqdo.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1820 wrote to memory of 2932 1820 2a40361643a292993bc51f069a95c35d17282ce06b66cb72e633342f1cbe4a82.exe 30 PID 1820 wrote to memory of 2932 1820 2a40361643a292993bc51f069a95c35d17282ce06b66cb72e633342f1cbe4a82.exe 30 PID 1820 wrote to memory of 2932 1820 2a40361643a292993bc51f069a95c35d17282ce06b66cb72e633342f1cbe4a82.exe 30 PID 1820 wrote to memory of 2932 1820 2a40361643a292993bc51f069a95c35d17282ce06b66cb72e633342f1cbe4a82.exe 30 PID 2932 wrote to memory of 2888 2932 Aijfihip.exe 31 PID 2932 wrote to memory of 2888 2932 Aijfihip.exe 31 PID 2932 wrote to memory of 2888 2932 Aijfihip.exe 31 PID 2932 wrote to memory of 2888 2932 Aijfihip.exe 31 PID 2888 wrote to memory of 2952 2888 Acpjga32.exe 32 PID 2888 wrote to memory of 2952 2888 Acpjga32.exe 32 PID 2888 wrote to memory of 2952 2888 Acpjga32.exe 32 PID 2888 wrote to memory of 2952 2888 Acpjga32.exe 32 PID 2952 wrote to memory of 2776 2952 Amhopfof.exe 33 PID 2952 wrote to memory of 2776 2952 Amhopfof.exe 33 PID 2952 wrote to memory of 2776 2952 Amhopfof.exe 33 PID 2952 wrote to memory of 2776 2952 Amhopfof.exe 33 PID 2776 wrote to memory of 2628 2776 Aioodg32.exe 34 PID 2776 wrote to memory of 2628 2776 Aioodg32.exe 34 PID 2776 wrote to memory of 2628 2776 Aioodg32.exe 34 PID 2776 wrote to memory of 2628 2776 Aioodg32.exe 34 PID 2628 wrote to memory of 2860 2628 Agdlfd32.exe 35 PID 2628 wrote to memory of 2860 2628 Agdlfd32.exe 35 PID 2628 wrote to memory of 2860 2628 Agdlfd32.exe 35 PID 2628 wrote to memory of 2860 2628 Agdlfd32.exe 35 PID 2860 wrote to memory of 1168 2860 Aalaoipc.exe 36 PID 2860 wrote to memory of 1168 2860 Aalaoipc.exe 36 PID 2860 wrote to memory of 1168 2860 Aalaoipc.exe 36 PID 2860 wrote to memory of 1168 2860 Aalaoipc.exe 36 PID 1168 wrote to memory of 2700 1168 Bghfacem.exe 37 PID 1168 wrote to memory of 2700 1168 Bghfacem.exe 37 PID 1168 wrote to memory of 2700 1168 Bghfacem.exe 37 PID 1168 wrote to memory of 2700 1168 Bghfacem.exe 37 PID 2700 wrote to memory of 2352 2700 Bcoffd32.exe 38 PID 2700 wrote to memory of 2352 2700 Bcoffd32.exe 38 PID 2700 wrote to memory of 2352 2700 Bcoffd32.exe 38 PID 2700 wrote to memory of 2352 2700 Bcoffd32.exe 38 PID 2352 wrote to memory of 1868 2352 Bpfgke32.exe 39 PID 2352 wrote to memory of 1868 2352 Bpfgke32.exe 39 PID 2352 wrote to memory of 1868 2352 Bpfgke32.exe 39 PID 2352 wrote to memory of 1868 2352 Bpfgke32.exe 39 PID 1868 wrote to memory of 3036 1868 Bcdpacgl.exe 40 PID 1868 wrote to memory of 3036 1868 Bcdpacgl.exe 40 PID 1868 wrote to memory of 3036 1868 Bcdpacgl.exe 40 PID 1868 wrote to memory of 3036 1868 Bcdpacgl.exe 40 PID 3036 wrote to memory of 1968 3036 Bpkqfdmp.exe 41 PID 3036 wrote to memory of 1968 3036 Bpkqfdmp.exe 41 PID 3036 wrote to memory of 1968 3036 Bpkqfdmp.exe 41 PID 3036 wrote to memory of 1968 3036 Bpkqfdmp.exe 41 PID 1968 wrote to memory of 2060 1968 Bmoaoikj.exe 42 PID 1968 wrote to memory of 2060 1968 Bmoaoikj.exe 42 PID 1968 wrote to memory of 2060 1968 Bmoaoikj.exe 42 PID 1968 wrote to memory of 2060 1968 Bmoaoikj.exe 42 PID 2060 wrote to memory of 2512 2060 Cldnqe32.exe 43 PID 2060 wrote to memory of 2512 2060 Cldnqe32.exe 43 PID 2060 wrote to memory of 2512 2060 Cldnqe32.exe 43 PID 2060 wrote to memory of 2512 2060 Cldnqe32.exe 43 PID 2512 wrote to memory of 1136 2512 Cealdjcm.exe 44 PID 2512 wrote to memory of 1136 2512 Cealdjcm.exe 44 PID 2512 wrote to memory of 1136 2512 Cealdjcm.exe 44 PID 2512 wrote to memory of 1136 2512 Cealdjcm.exe 44 PID 1136 wrote to memory of 872 1136 Dhaefepn.exe 45 PID 1136 wrote to memory of 872 1136 Dhaefepn.exe 45 PID 1136 wrote to memory of 872 1136 Dhaefepn.exe 45 PID 1136 wrote to memory of 872 1136 Dhaefepn.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\2a40361643a292993bc51f069a95c35d17282ce06b66cb72e633342f1cbe4a82.exe"C:\Users\Admin\AppData\Local\Temp\2a40361643a292993bc51f069a95c35d17282ce06b66cb72e633342f1cbe4a82.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1820 -
C:\Windows\SysWOW64\Aijfihip.exeC:\Windows\system32\Aijfihip.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2932 -
C:\Windows\SysWOW64\Acpjga32.exeC:\Windows\system32\Acpjga32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2888 -
C:\Windows\SysWOW64\Amhopfof.exeC:\Windows\system32\Amhopfof.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2952 -
C:\Windows\SysWOW64\Aioodg32.exeC:\Windows\system32\Aioodg32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2776 -
C:\Windows\SysWOW64\Agdlfd32.exeC:\Windows\system32\Agdlfd32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Windows\SysWOW64\Aalaoipc.exeC:\Windows\system32\Aalaoipc.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2860 -
C:\Windows\SysWOW64\Bghfacem.exeC:\Windows\system32\Bghfacem.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1168 -
C:\Windows\SysWOW64\Bcoffd32.exeC:\Windows\system32\Bcoffd32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2700 -
C:\Windows\SysWOW64\Bpfgke32.exeC:\Windows\system32\Bpfgke32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2352 -
C:\Windows\SysWOW64\Bcdpacgl.exeC:\Windows\system32\Bcdpacgl.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1868 -
C:\Windows\SysWOW64\Bpkqfdmp.exeC:\Windows\system32\Bpkqfdmp.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3036 -
C:\Windows\SysWOW64\Bmoaoikj.exeC:\Windows\system32\Bmoaoikj.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1968 -
C:\Windows\SysWOW64\Cldnqe32.exeC:\Windows\system32\Cldnqe32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2060 -
C:\Windows\SysWOW64\Cealdjcm.exeC:\Windows\system32\Cealdjcm.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2512 -
C:\Windows\SysWOW64\Dhaefepn.exeC:\Windows\system32\Dhaefepn.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1136 -
C:\Windows\SysWOW64\Dpmjjhmi.exeC:\Windows\system32\Dpmjjhmi.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:872 -
C:\Windows\SysWOW64\Dmajdl32.exeC:\Windows\system32\Dmajdl32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1308 -
C:\Windows\SysWOW64\Dgiomabc.exeC:\Windows\system32\Dgiomabc.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2636 -
C:\Windows\SysWOW64\Dcpoab32.exeC:\Windows\system32\Dcpoab32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:932 -
C:\Windows\SysWOW64\Dpdpkfga.exeC:\Windows\system32\Dpdpkfga.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:612 -
C:\Windows\SysWOW64\Dhodpidl.exeC:\Windows\system32\Dhodpidl.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1620 -
C:\Windows\SysWOW64\Eioaillo.exeC:\Windows\system32\Eioaillo.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2644 -
C:\Windows\SysWOW64\Eokiabjf.exeC:\Windows\system32\Eokiabjf.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1748 -
C:\Windows\SysWOW64\Eeeanm32.exeC:\Windows\system32\Eeeanm32.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2392 -
C:\Windows\SysWOW64\Ealbcngg.exeC:\Windows\system32\Ealbcngg.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2572 -
C:\Windows\SysWOW64\Edmkei32.exeC:\Windows\system32\Edmkei32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2276 -
C:\Windows\SysWOW64\Ejjdmp32.exeC:\Windows\system32\Ejjdmp32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2864 -
C:\Windows\SysWOW64\Egndgdai.exeC:\Windows\system32\Egndgdai.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2416 -
C:\Windows\SysWOW64\Fgpalcog.exeC:\Windows\system32\Fgpalcog.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2828 -
C:\Windows\SysWOW64\Fmofjj32.exeC:\Windows\system32\Fmofjj32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3028 -
C:\Windows\SysWOW64\Fjcfco32.exeC:\Windows\system32\Fjcfco32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2736 -
C:\Windows\SysWOW64\Fdmgdl32.exeC:\Windows\system32\Fdmgdl32.exe33⤵
- Executes dropped EXE
PID:2784 -
C:\Windows\SysWOW64\Fnelmb32.exeC:\Windows\system32\Fnelmb32.exe34⤵
- Executes dropped EXE
PID:2556 -
C:\Windows\SysWOW64\Gikpjk32.exeC:\Windows\system32\Gikpjk32.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1624 -
C:\Windows\SysWOW64\Gqfeom32.exeC:\Windows\system32\Gqfeom32.exe36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2652 -
C:\Windows\SysWOW64\Gjnigb32.exeC:\Windows\system32\Gjnigb32.exe37⤵
- Executes dropped EXE
PID:3024 -
C:\Windows\SysWOW64\Gjqfmb32.exeC:\Windows\system32\Gjqfmb32.exe38⤵
- Executes dropped EXE
PID:1808 -
C:\Windows\SysWOW64\Gcikfhed.exeC:\Windows\system32\Gcikfhed.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:1872 -
C:\Windows\SysWOW64\Gnoocq32.exeC:\Windows\system32\Gnoocq32.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2076 -
C:\Windows\SysWOW64\Gppkkikh.exeC:\Windows\system32\Gppkkikh.exe41⤵
- Executes dropped EXE
PID:2084 -
C:\Windows\SysWOW64\Haohel32.exeC:\Windows\system32\Haohel32.exe42⤵
- Executes dropped EXE
PID:2088 -
C:\Windows\SysWOW64\Hflpmb32.exeC:\Windows\system32\Hflpmb32.exe43⤵
- Executes dropped EXE
PID:1148 -
C:\Windows\SysWOW64\Himionmc.exeC:\Windows\system32\Himionmc.exe44⤵
- Executes dropped EXE
PID:2012 -
C:\Windows\SysWOW64\Hpinagbm.exeC:\Windows\system32\Hpinagbm.exe45⤵
- Executes dropped EXE
PID:1040 -
C:\Windows\SysWOW64\Hamgno32.exeC:\Windows\system32\Hamgno32.exe46⤵
- Executes dropped EXE
PID:2360 -
C:\Windows\SysWOW64\Idnppjcj.exeC:\Windows\system32\Idnppjcj.exe47⤵
- Executes dropped EXE
PID:2204 -
C:\Windows\SysWOW64\Iaaaiobc.exeC:\Windows\system32\Iaaaiobc.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:812 -
C:\Windows\SysWOW64\Imhanp32.exeC:\Windows\system32\Imhanp32.exe49⤵
- Executes dropped EXE
PID:2544 -
C:\Windows\SysWOW64\Imkndofe.exeC:\Windows\system32\Imkndofe.exe50⤵
- Executes dropped EXE
PID:2716 -
C:\Windows\SysWOW64\Ipijpkei.exeC:\Windows\system32\Ipijpkei.exe51⤵
- Executes dropped EXE
PID:2240 -
C:\Windows\SysWOW64\Iiaoip32.exeC:\Windows\system32\Iiaoip32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2896 -
C:\Windows\SysWOW64\Ipkgejcf.exeC:\Windows\system32\Ipkgejcf.exe53⤵
- Executes dropped EXE
PID:1692 -
C:\Windows\SysWOW64\Jehpna32.exeC:\Windows\system32\Jehpna32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2856 -
C:\Windows\SysWOW64\Jpndkj32.exeC:\Windows\system32\Jpndkj32.exe55⤵
- Executes dropped EXE
PID:2900 -
C:\Windows\SysWOW64\Jifhdphd.exeC:\Windows\system32\Jifhdphd.exe56⤵
- Executes dropped EXE
PID:2752 -
C:\Windows\SysWOW64\Jlddpkgh.exeC:\Windows\system32\Jlddpkgh.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2580 -
C:\Windows\SysWOW64\Jcnmme32.exeC:\Windows\system32\Jcnmme32.exe58⤵
- Executes dropped EXE
PID:1576 -
C:\Windows\SysWOW64\Jemiiqmh.exeC:\Windows\system32\Jemiiqmh.exe59⤵
- Executes dropped EXE
PID:2384 -
C:\Windows\SysWOW64\Jhkeelml.exeC:\Windows\system32\Jhkeelml.exe60⤵
- Executes dropped EXE
PID:3008 -
C:\Windows\SysWOW64\Jdbfjm32.exeC:\Windows\system32\Jdbfjm32.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:2800 -
C:\Windows\SysWOW64\Jpigonhd.exeC:\Windows\system32\Jpigonhd.exe62⤵
- Executes dropped EXE
PID:1088 -
C:\Windows\SysWOW64\Jgbolhoa.exeC:\Windows\system32\Jgbolhoa.exe63⤵
- Executes dropped EXE
PID:2496 -
C:\Windows\SysWOW64\Kpkcdn32.exeC:\Windows\system32\Kpkcdn32.exe64⤵
- Executes dropped EXE
PID:1632 -
C:\Windows\SysWOW64\Knodnb32.exeC:\Windows\system32\Knodnb32.exe65⤵
- Executes dropped EXE
PID:2116 -
C:\Windows\SysWOW64\Kdilkllh.exeC:\Windows\system32\Kdilkllh.exe66⤵PID:1804
-
C:\Windows\SysWOW64\Kcllfi32.exeC:\Windows\system32\Kcllfi32.exe67⤵
- Drops file in System32 directory
PID:908 -
C:\Windows\SysWOW64\Kjfdcc32.exeC:\Windows\system32\Kjfdcc32.exe68⤵PID:756
-
C:\Windows\SysWOW64\Kcnilhap.exeC:\Windows\system32\Kcnilhap.exe69⤵PID:1448
-
C:\Windows\SysWOW64\Kjhahb32.exeC:\Windows\system32\Kjhahb32.exe70⤵PID:2624
-
C:\Windows\SysWOW64\Klfndn32.exeC:\Windows\system32\Klfndn32.exe71⤵PID:1684
-
C:\Windows\SysWOW64\Koejqi32.exeC:\Windows\system32\Koejqi32.exe72⤵PID:2344
-
C:\Windows\SysWOW64\Kbcfme32.exeC:\Windows\system32\Kbcfme32.exe73⤵PID:2940
-
C:\Windows\SysWOW64\Khmnio32.exeC:\Windows\system32\Khmnio32.exe74⤵PID:3068
-
C:\Windows\SysWOW64\Lbfcbdce.exeC:\Windows\system32\Lbfcbdce.exe75⤵PID:2804
-
C:\Windows\SysWOW64\Lkngkj32.exeC:\Windows\system32\Lkngkj32.exe76⤵PID:3052
-
C:\Windows\SysWOW64\Lfckhc32.exeC:\Windows\system32\Lfckhc32.exe77⤵PID:2184
-
C:\Windows\SysWOW64\Lkqdajhc.exeC:\Windows\system32\Lkqdajhc.exe78⤵PID:1892
-
C:\Windows\SysWOW64\Ldihjo32.exeC:\Windows\system32\Ldihjo32.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2236 -
C:\Windows\SysWOW64\Ljeabf32.exeC:\Windows\system32\Ljeabf32.exe80⤵PID:2476
-
C:\Windows\SysWOW64\Lncjhd32.exeC:\Windows\system32\Lncjhd32.exe81⤵PID:900
-
C:\Windows\SysWOW64\Lglnajjb.exeC:\Windows\system32\Lglnajjb.exe82⤵PID:2640
-
C:\Windows\SysWOW64\Mnffnd32.exeC:\Windows\system32\Mnffnd32.exe83⤵
- Modifies registry class
PID:2396 -
C:\Windows\SysWOW64\Mfakbf32.exeC:\Windows\system32\Mfakbf32.exe84⤵PID:1464
-
C:\Windows\SysWOW64\Mmkcoq32.exeC:\Windows\system32\Mmkcoq32.exe85⤵PID:1536
-
C:\Windows\SysWOW64\Mcekkkmc.exeC:\Windows\system32\Mcekkkmc.exe86⤵
- System Location Discovery: System Language Discovery
PID:1564 -
C:\Windows\SysWOW64\Mjodhe32.exeC:\Windows\system32\Mjodhe32.exe87⤵PID:2212
-
C:\Windows\SysWOW64\Mpllpl32.exeC:\Windows\system32\Mpllpl32.exe88⤵PID:1560
-
C:\Windows\SysWOW64\Mbjhlg32.exeC:\Windows\system32\Mbjhlg32.exe89⤵PID:1468
-
C:\Windows\SysWOW64\Mlbmem32.exeC:\Windows\system32\Mlbmem32.exe90⤵PID:2876
-
C:\Windows\SysWOW64\Mbmebgpi.exeC:\Windows\system32\Mbmebgpi.exe91⤵PID:2812
-
C:\Windows\SysWOW64\Mlejkl32.exeC:\Windows\system32\Mlejkl32.exe92⤵PID:2336
-
C:\Windows\SysWOW64\Maabcc32.exeC:\Windows\system32\Maabcc32.exe93⤵
- Drops file in System32 directory
PID:2728 -
C:\Windows\SysWOW64\Nlgfqldf.exeC:\Windows\system32\Nlgfqldf.exe94⤵PID:2304
-
C:\Windows\SysWOW64\Nepkia32.exeC:\Windows\system32\Nepkia32.exe95⤵PID:1100
-
C:\Windows\SysWOW64\Nnhobgag.exeC:\Windows\system32\Nnhobgag.exe96⤵
- Drops file in System32 directory
PID:956 -
C:\Windows\SysWOW64\Nafknbqk.exeC:\Windows\system32\Nafknbqk.exe97⤵PID:1436
-
C:\Windows\SysWOW64\Njopgh32.exeC:\Windows\system32\Njopgh32.exe98⤵PID:2232
-
C:\Windows\SysWOW64\Naihdb32.exeC:\Windows\system32\Naihdb32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2208 -
C:\Windows\SysWOW64\Nfeqli32.exeC:\Windows\system32\Nfeqli32.exe100⤵PID:2424
-
C:\Windows\SysWOW64\Nmpiicdm.exeC:\Windows\system32\Nmpiicdm.exe101⤵PID:2272
-
C:\Windows\SysWOW64\Ndiaem32.exeC:\Windows\system32\Ndiaem32.exe102⤵PID:1172
-
C:\Windows\SysWOW64\Nmbenc32.exeC:\Windows\system32\Nmbenc32.exe103⤵PID:2772
-
C:\Windows\SysWOW64\Odlnkmjg.exeC:\Windows\system32\Odlnkmjg.exe104⤵PID:3044
-
C:\Windows\SysWOW64\Ofjjghik.exeC:\Windows\system32\Ofjjghik.exe105⤵
- Drops file in System32 directory
PID:2152 -
C:\Windows\SysWOW64\Opbopn32.exeC:\Windows\system32\Opbopn32.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1756 -
C:\Windows\SysWOW64\Ofmgmhgh.exeC:\Windows\system32\Ofmgmhgh.exe107⤵PID:1644
-
C:\Windows\SysWOW64\Ohncdp32.exeC:\Windows\system32\Ohncdp32.exe108⤵PID:2488
-
C:\Windows\SysWOW64\Opekenmh.exeC:\Windows\system32\Opekenmh.exe109⤵PID:2052
-
C:\Windows\SysWOW64\Ohppjpkc.exeC:\Windows\system32\Ohppjpkc.exe110⤵PID:1452
-
C:\Windows\SysWOW64\Odgqoa32.exeC:\Windows\system32\Odgqoa32.exe111⤵PID:1020
-
C:\Windows\SysWOW64\Oakaheoa.exeC:\Windows\system32\Oakaheoa.exe112⤵PID:1144
-
C:\Windows\SysWOW64\Pghjqlmi.exeC:\Windows\system32\Pghjqlmi.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2972 -
C:\Windows\SysWOW64\Pmabmf32.exeC:\Windows\system32\Pmabmf32.exe114⤵
- System Location Discovery: System Language Discovery
PID:2976 -
C:\Windows\SysWOW64\Pppnia32.exeC:\Windows\system32\Pppnia32.exe115⤵PID:2552
-
C:\Windows\SysWOW64\Pkebgj32.exeC:\Windows\system32\Pkebgj32.exe116⤵PID:3032
-
C:\Windows\SysWOW64\Papkcd32.exeC:\Windows\system32\Papkcd32.exe117⤵PID:3056
-
C:\Windows\SysWOW64\Pcagkmaj.exeC:\Windows\system32\Pcagkmaj.exe118⤵PID:2172
-
C:\Windows\SysWOW64\Pikohg32.exeC:\Windows\system32\Pikohg32.exe119⤵PID:1816
-
C:\Windows\SysWOW64\Pccdqloh.exeC:\Windows\system32\Pccdqloh.exe120⤵PID:2676
-
C:\Windows\SysWOW64\Pnihneon.exeC:\Windows\system32\Pnihneon.exe121⤵PID:1904
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-