Analysis
-
max time kernel
119s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
23/11/2024, 20:15
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ecd467ea1ef91219064c70791387b0b136e385f62dcd6d11d3050a76a1f3778c.exe
Resource
win7-20241010-en
windows7-x64
10 signatures
120 seconds
Behavioral task
behavioral2
Sample
ecd467ea1ef91219064c70791387b0b136e385f62dcd6d11d3050a76a1f3778c.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
120 seconds
General
-
Target
ecd467ea1ef91219064c70791387b0b136e385f62dcd6d11d3050a76a1f3778c.exe
-
Size
344KB
-
MD5
c53706bb075e77c5ca2400daa7f6e53b
-
SHA1
31c7807c68cadef539286a9f5638fa07deac5e3b
-
SHA256
ecd467ea1ef91219064c70791387b0b136e385f62dcd6d11d3050a76a1f3778c
-
SHA512
a77360d127eda845372a80ea0fe5058ef2369ffb1ffb5887eaf5b3bd89e2b478fd7b61d83550b798d74c71f292234999f10feeb8bd96731c85f9fb92078248f4
-
SSDEEP
6144:MFMIisZcCpX2/mnbzvdLaD6OkPgl6bmIjlQF1:9IidCpXImbzQD6OkPgl6bmIjK1
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://tat-neftbank.ru/kkq.php
http://tat-neftbank.ru/wcmd.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Onmfin32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okqgcb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Coiqmp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpddgd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oeaael32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oeaael32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmjmekan.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Niqgof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oibpdico.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hiockd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjkpng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kkfhglen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chjmmnnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fhngkm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbiijb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hiockd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmkiobge.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jclnnmic.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nianjl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egeecf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfpfke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ambhpljg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khcbpa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odckfb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbikig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Afcghbgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cmikpngk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hffjng32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qgiibp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpmkbl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iopeoknn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lnqkjl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chofhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Abinjdad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bldpiifb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bmgifa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dcjmcd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mfebdm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lojjfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mnijnjbh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fichqckn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jpqgkpcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mlmjgnaa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmikpngk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmgifa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnqkjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bneancnc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfaqbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Liboodmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mmemoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmgodc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iopeoknn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jkgbcofn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Onapdmma.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbkaneao.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fichqckn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmfklepl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ladpagin.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Peeabm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clclhmin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iphhgb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ooofcg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcakbjpl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkfhglen.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 3036 Ocfiif32.exe 2756 Ojpaeq32.exe 3052 Ofgbkacb.exe 2864 Ooofcg32.exe 2692 Pioamlkk.exe 2224 Peeabm32.exe 2560 Pegnglnm.exe 2584 Qmcclolh.exe 2948 Qjgcecja.exe 988 Afndjdpe.exe 868 Acadchoo.exe 1912 Aphehidc.exe 2176 Aiqjao32.exe 2428 Abinjdad.exe 1944 Anpooe32.exe 948 Bldpiifb.exe 840 Beldao32.exe 1868 Bmgifa32.exe 932 Bkkioeig.exe 1804 Bknfeege.exe 2520 Bbikig32.exe 1628 Bpmkbl32.exe 1864 Clclhmin.exe 1684 Chjmmnnb.exe 1884 Chmibmlo.exe 2152 Chofhm32.exe 1600 Chabmm32.exe 2792 Dckcnj32.exe 2776 Dcmpcjcf.exe 2456 Dodahk32.exe 2764 Dofnnkfg.exe 1780 Dfpfke32.exe 2392 Edeclabl.exe 2980 Ehclbpic.exe 1964 Edjlgq32.exe 2368 Edmilpld.exe 2328 Edofbpja.exe 2336 Fqffgapf.exe 108 Fiakkcma.exe 2840 Fichqckn.exe 2924 Hbpbck32.exe 1796 Hiockd32.exe 2252 Hbghdj32.exe 2056 Hhdqma32.exe 1460 Hehafe32.exe 1976 Iopeoknn.exe 1696 Ikgfdlcb.exe 2768 Igngim32.exe 2148 Iecdji32.exe 1316 Iphhgb32.exe 2652 Ijampgde.exe 1056 Ialadj32.exe 852 Jclnnmic.exe 2364 Jkgbcofn.exe 2636 Jgnchplb.exe 2396 Jbcgeilh.exe 2868 Jkllnn32.exe 2780 Jddqgdii.exe 1676 Kmoekf32.exe 2436 Kqmnadlk.exe 1452 Kbqgolpf.exe 1492 Kmfklepl.exe 1048 Kimlqfeq.exe 2004 Kpgdnp32.exe -
Loads dropped DLL 64 IoCs
pid Process 1852 ecd467ea1ef91219064c70791387b0b136e385f62dcd6d11d3050a76a1f3778c.exe 1852 ecd467ea1ef91219064c70791387b0b136e385f62dcd6d11d3050a76a1f3778c.exe 3036 Ocfiif32.exe 3036 Ocfiif32.exe 2756 Ojpaeq32.exe 2756 Ojpaeq32.exe 3052 Ofgbkacb.exe 3052 Ofgbkacb.exe 2864 Ooofcg32.exe 2864 Ooofcg32.exe 2692 Pioamlkk.exe 2692 Pioamlkk.exe 2224 Peeabm32.exe 2224 Peeabm32.exe 2560 Pegnglnm.exe 2560 Pegnglnm.exe 2584 Qmcclolh.exe 2584 Qmcclolh.exe 2948 Qjgcecja.exe 2948 Qjgcecja.exe 988 Afndjdpe.exe 988 Afndjdpe.exe 868 Acadchoo.exe 868 Acadchoo.exe 1912 Aphehidc.exe 1912 Aphehidc.exe 2176 Aiqjao32.exe 2176 Aiqjao32.exe 2428 Abinjdad.exe 2428 Abinjdad.exe 1944 Anpooe32.exe 1944 Anpooe32.exe 948 Bldpiifb.exe 948 Bldpiifb.exe 840 Beldao32.exe 840 Beldao32.exe 1868 Bmgifa32.exe 1868 Bmgifa32.exe 932 Bkkioeig.exe 932 Bkkioeig.exe 1804 Bknfeege.exe 1804 Bknfeege.exe 2520 Bbikig32.exe 2520 Bbikig32.exe 1628 Bpmkbl32.exe 1628 Bpmkbl32.exe 1864 Clclhmin.exe 1864 Clclhmin.exe 1684 Chjmmnnb.exe 1684 Chjmmnnb.exe 1884 Chmibmlo.exe 1884 Chmibmlo.exe 2152 Chofhm32.exe 2152 Chofhm32.exe 1600 Chabmm32.exe 1600 Chabmm32.exe 2792 Dckcnj32.exe 2792 Dckcnj32.exe 2776 Dcmpcjcf.exe 2776 Dcmpcjcf.exe 2456 Dodahk32.exe 2456 Dodahk32.exe 2764 Dofnnkfg.exe 2764 Dofnnkfg.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Nebnigmp.exe Npffaq32.exe File opened for modification C:\Windows\SysWOW64\Pnllnk32.exe Pqhkdg32.exe File opened for modification C:\Windows\SysWOW64\Cjikaa32.exe Cbnfmo32.exe File created C:\Windows\SysWOW64\Ialadj32.exe Ijampgde.exe File created C:\Windows\SysWOW64\Jgnchplb.exe Jkgbcofn.exe File created C:\Windows\SysWOW64\Lmocoj32.dll Okqgcb32.exe File created C:\Windows\SysWOW64\Cmlmpl32.dll Pccahc32.exe File opened for modification C:\Windows\SysWOW64\Bbcjca32.exe Bneancnc.exe File opened for modification C:\Windows\SysWOW64\Eceimadb.exe Deahcneh.exe File created C:\Windows\SysWOW64\Pqjhjf32.exe Pnllnk32.exe File created C:\Windows\SysWOW64\Hgioeh32.dll Anpooe32.exe File opened for modification C:\Windows\SysWOW64\Chabmm32.exe Chofhm32.exe File created C:\Windows\SysWOW64\Nakahn32.dll Hjkpng32.exe File created C:\Windows\SysWOW64\Ckkfef32.dll Iencdc32.exe File opened for modification C:\Windows\SysWOW64\Neghdg32.exe Niqgof32.exe File created C:\Windows\SysWOW64\Qnogkqfo.dll Hehafe32.exe File created C:\Windows\SysWOW64\Nmjmekan.exe Ndbile32.exe File created C:\Windows\SysWOW64\Eajcmh32.dll Cihedpcg.exe File created C:\Windows\SysWOW64\Cbnfmo32.exe Bmoaoikj.exe File created C:\Windows\SysWOW64\Hbfaod32.dll Coiqmp32.exe File created C:\Windows\SysWOW64\Bmcoed32.dll Jbcgeilh.exe File opened for modification C:\Windows\SysWOW64\Eclfhgaf.exe Elbmkm32.exe File created C:\Windows\SysWOW64\Qmicii32.dll Lbmpnjai.exe File created C:\Windows\SysWOW64\Madikm32.dll Npffaq32.exe File created C:\Windows\SysWOW64\Neghdg32.exe Niqgof32.exe File created C:\Windows\SysWOW64\Pioamlkk.exe Ooofcg32.exe File created C:\Windows\SysWOW64\Endbib32.dll Chofhm32.exe File created C:\Windows\SysWOW64\Camqpnel.exe Cfhlbe32.exe File opened for modification C:\Windows\SysWOW64\Agdlfd32.exe Abeghmmn.exe File created C:\Windows\SysWOW64\Dkpabqoa.exe Dhaefepn.exe File created C:\Windows\SysWOW64\Kmoekf32.exe Jddqgdii.exe File created C:\Windows\SysWOW64\Pagmlp32.dll Mfebdm32.exe File opened for modification C:\Windows\SysWOW64\Clnhajlc.exe Cmikpngk.exe File opened for modification C:\Windows\SysWOW64\Khcbpa32.exe Jfbinf32.exe File created C:\Windows\SysWOW64\Koogbk32.exe Komjmk32.exe File opened for modification C:\Windows\SysWOW64\Hffjng32.exe Hjoiiffo.exe File created C:\Windows\SysWOW64\Beldao32.exe Bldpiifb.exe File opened for modification C:\Windows\SysWOW64\Camqpnel.exe Cfhlbe32.exe File created C:\Windows\SysWOW64\Edpoeoea.exe Elejqm32.exe File created C:\Windows\SysWOW64\Pnnbagpd.dll Fbiijb32.exe File created C:\Windows\SysWOW64\Gpjilj32.exe Geddoa32.exe File opened for modification C:\Windows\SysWOW64\Pioamlkk.exe Ooofcg32.exe File created C:\Windows\SysWOW64\Obaqda32.dll Dodahk32.exe File created C:\Windows\SysWOW64\Okqgcb32.exe Onmfin32.exe File created C:\Windows\SysWOW64\Elookl32.dll Cpejfjha.exe File created C:\Windows\SysWOW64\Clnhajlc.exe Cmikpngk.exe File created C:\Windows\SysWOW64\Lbhfkhon.dll Ehclbpic.exe File created C:\Windows\SysWOW64\Agpmcpfm.dll Niqgof32.exe File created C:\Windows\SysWOW64\Modipl32.dll Dmajdl32.exe File created C:\Windows\SysWOW64\Lilfchel.dll Gibmep32.exe File opened for modification C:\Windows\SysWOW64\Hmgodc32.exe Gdnkkmej.exe File created C:\Windows\SysWOW64\Jgkphj32.exe Jpqgkpcl.exe File created C:\Windows\SysWOW64\Oedqakci.dll Aehmoh32.exe File opened for modification C:\Windows\SysWOW64\Aphehidc.exe Acadchoo.exe File created C:\Windows\SysWOW64\Clmkgm32.dll Clclhmin.exe File opened for modification C:\Windows\SysWOW64\Olgpff32.exe Nldcagaq.exe File opened for modification C:\Windows\SysWOW64\Mffkgl32.exe Mlmjgnaa.exe File created C:\Windows\SysWOW64\Folqfbjh.dll Hfaqbh32.exe File created C:\Windows\SysWOW64\Hdhllcnb.dll Komjmk32.exe File opened for modification C:\Windows\SysWOW64\Pegnglnm.exe Peeabm32.exe File opened for modification C:\Windows\SysWOW64\Hehafe32.exe Hhdqma32.exe File opened for modification C:\Windows\SysWOW64\Pfoanp32.exe Pdndggcl.exe File created C:\Windows\SysWOW64\Gegknghg.dll Cfhlbe32.exe File opened for modification C:\Windows\SysWOW64\Elejqm32.exe Eclfhgaf.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4000 3972 WerFault.exe 254 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qmcclolh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbikig32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fiakkcma.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jddqgdii.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmjmekan.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acbnggjo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhehfk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhlogjko.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjnanhhc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ecd467ea1ef91219064c70791387b0b136e385f62dcd6d11d3050a76a1f3778c.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aakhkj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gibmep32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhniebne.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oibpdico.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iopeoknn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfaqbh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfbinf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbmpnjai.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmcgik32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbpbck32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncjbba32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjhpin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elejqm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfpfke32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eclfhgaf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qjgcecja.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igngim32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmfklepl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfoanp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pccahc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bllomg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phmfpddb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pqjhjf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bebfpm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbkaneao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qfimhmlo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edeclabl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ileoknhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odoakckp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pqhkdg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aehmoh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhaefepn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikgfdlcb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohdglfoj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dndndbnl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkoqmhii.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chmibmlo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iecdji32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afcghbgp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kqcqpc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbghdj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okqgcb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajjinaco.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enkdda32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdgcaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oobiclmh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpddgd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qmpplh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Clnhajlc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcakbjpl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkhalo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnijnjbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdplfflp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elbmkm32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Beldao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idcnlffk.dll" Bkkioeig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knaaiakh.dll" Bemmenhb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Koogbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bldpiifb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpgoaiep.dll" Chjmmnnb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dcmpcjcf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bneancnc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fkoqmhii.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gbmoceol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hlcbfnjk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dmcgik32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aphehidc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dofnnkfg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jclnnmic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bbcjca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Chofhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmemme32.dll" Mioeeifi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ndbile32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bmoaoikj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cmjdcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ooofcg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qmpplh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcjgba32.dll" Fcjeakfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jikljfbm.dll" Fmbjjp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Neghdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iindag32.dll" Qfimhmlo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjamcall.dll" Kqmnadlk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmofak32.dll" Bmohjooe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lbmpnjai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pccahc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmahec32.dll" Hbhagiem.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qfimhmlo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljehdq32.dll" Hmkiobge.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Niqgof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jfbinf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bmgifa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcming32.dll" Pioamlkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Elbmkm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Afndjdpe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aempha32.dll" Ckhbnb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dndndbnl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Khcbpa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qjgcecja.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ajjinaco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mffkgl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Coiqmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ocfiif32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Egeecf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fbiijb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aaondi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Modipl32.dll" Dmajdl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Acadchoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipanan32.dll" Bbcjca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bllomg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cihedpcg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nepach32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlhlca32.dll" Dmcgik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Miokdmmk.dll" Mpimbcnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Edjlgq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jclnnmic.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kpgdnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lcncbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mifkfhpa.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1852 wrote to memory of 3036 1852 ecd467ea1ef91219064c70791387b0b136e385f62dcd6d11d3050a76a1f3778c.exe 30 PID 1852 wrote to memory of 3036 1852 ecd467ea1ef91219064c70791387b0b136e385f62dcd6d11d3050a76a1f3778c.exe 30 PID 1852 wrote to memory of 3036 1852 ecd467ea1ef91219064c70791387b0b136e385f62dcd6d11d3050a76a1f3778c.exe 30 PID 1852 wrote to memory of 3036 1852 ecd467ea1ef91219064c70791387b0b136e385f62dcd6d11d3050a76a1f3778c.exe 30 PID 3036 wrote to memory of 2756 3036 Ocfiif32.exe 31 PID 3036 wrote to memory of 2756 3036 Ocfiif32.exe 31 PID 3036 wrote to memory of 2756 3036 Ocfiif32.exe 31 PID 3036 wrote to memory of 2756 3036 Ocfiif32.exe 31 PID 2756 wrote to memory of 3052 2756 Ojpaeq32.exe 32 PID 2756 wrote to memory of 3052 2756 Ojpaeq32.exe 32 PID 2756 wrote to memory of 3052 2756 Ojpaeq32.exe 32 PID 2756 wrote to memory of 3052 2756 Ojpaeq32.exe 32 PID 3052 wrote to memory of 2864 3052 Ofgbkacb.exe 33 PID 3052 wrote to memory of 2864 3052 Ofgbkacb.exe 33 PID 3052 wrote to memory of 2864 3052 Ofgbkacb.exe 33 PID 3052 wrote to memory of 2864 3052 Ofgbkacb.exe 33 PID 2864 wrote to memory of 2692 2864 Ooofcg32.exe 34 PID 2864 wrote to memory of 2692 2864 Ooofcg32.exe 34 PID 2864 wrote to memory of 2692 2864 Ooofcg32.exe 34 PID 2864 wrote to memory of 2692 2864 Ooofcg32.exe 34 PID 2692 wrote to memory of 2224 2692 Pioamlkk.exe 35 PID 2692 wrote to memory of 2224 2692 Pioamlkk.exe 35 PID 2692 wrote to memory of 2224 2692 Pioamlkk.exe 35 PID 2692 wrote to memory of 2224 2692 Pioamlkk.exe 35 PID 2224 wrote to memory of 2560 2224 Peeabm32.exe 36 PID 2224 wrote to memory of 2560 2224 Peeabm32.exe 36 PID 2224 wrote to memory of 2560 2224 Peeabm32.exe 36 PID 2224 wrote to memory of 2560 2224 Peeabm32.exe 36 PID 2560 wrote to memory of 2584 2560 Pegnglnm.exe 37 PID 2560 wrote to memory of 2584 2560 Pegnglnm.exe 37 PID 2560 wrote to memory of 2584 2560 Pegnglnm.exe 37 PID 2560 wrote to memory of 2584 2560 Pegnglnm.exe 37 PID 2584 wrote to memory of 2948 2584 Qmcclolh.exe 38 PID 2584 wrote to memory of 2948 2584 Qmcclolh.exe 38 PID 2584 wrote to memory of 2948 2584 Qmcclolh.exe 38 PID 2584 wrote to memory of 2948 2584 Qmcclolh.exe 38 PID 2948 wrote to memory of 988 2948 Qjgcecja.exe 39 PID 2948 wrote to memory of 988 2948 Qjgcecja.exe 39 PID 2948 wrote to memory of 988 2948 Qjgcecja.exe 39 PID 2948 wrote to memory of 988 2948 Qjgcecja.exe 39 PID 988 wrote to memory of 868 988 Afndjdpe.exe 40 PID 988 wrote to memory of 868 988 Afndjdpe.exe 40 PID 988 wrote to memory of 868 988 Afndjdpe.exe 40 PID 988 wrote to memory of 868 988 Afndjdpe.exe 40 PID 868 wrote to memory of 1912 868 Acadchoo.exe 41 PID 868 wrote to memory of 1912 868 Acadchoo.exe 41 PID 868 wrote to memory of 1912 868 Acadchoo.exe 41 PID 868 wrote to memory of 1912 868 Acadchoo.exe 41 PID 1912 wrote to memory of 2176 1912 Aphehidc.exe 42 PID 1912 wrote to memory of 2176 1912 Aphehidc.exe 42 PID 1912 wrote to memory of 2176 1912 Aphehidc.exe 42 PID 1912 wrote to memory of 2176 1912 Aphehidc.exe 42 PID 2176 wrote to memory of 2428 2176 Aiqjao32.exe 43 PID 2176 wrote to memory of 2428 2176 Aiqjao32.exe 43 PID 2176 wrote to memory of 2428 2176 Aiqjao32.exe 43 PID 2176 wrote to memory of 2428 2176 Aiqjao32.exe 43 PID 2428 wrote to memory of 1944 2428 Abinjdad.exe 44 PID 2428 wrote to memory of 1944 2428 Abinjdad.exe 44 PID 2428 wrote to memory of 1944 2428 Abinjdad.exe 44 PID 2428 wrote to memory of 1944 2428 Abinjdad.exe 44 PID 1944 wrote to memory of 948 1944 Anpooe32.exe 45 PID 1944 wrote to memory of 948 1944 Anpooe32.exe 45 PID 1944 wrote to memory of 948 1944 Anpooe32.exe 45 PID 1944 wrote to memory of 948 1944 Anpooe32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\ecd467ea1ef91219064c70791387b0b136e385f62dcd6d11d3050a76a1f3778c.exe"C:\Users\Admin\AppData\Local\Temp\ecd467ea1ef91219064c70791387b0b136e385f62dcd6d11d3050a76a1f3778c.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1852 -
C:\Windows\SysWOW64\Ocfiif32.exeC:\Windows\system32\Ocfiif32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3036 -
C:\Windows\SysWOW64\Ojpaeq32.exeC:\Windows\system32\Ojpaeq32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2756 -
C:\Windows\SysWOW64\Ofgbkacb.exeC:\Windows\system32\Ofgbkacb.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3052 -
C:\Windows\SysWOW64\Ooofcg32.exeC:\Windows\system32\Ooofcg32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2864 -
C:\Windows\SysWOW64\Pioamlkk.exeC:\Windows\system32\Pioamlkk.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\Windows\SysWOW64\Peeabm32.exeC:\Windows\system32\Peeabm32.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2224 -
C:\Windows\SysWOW64\Pegnglnm.exeC:\Windows\system32\Pegnglnm.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2560 -
C:\Windows\SysWOW64\Qmcclolh.exeC:\Windows\system32\Qmcclolh.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2584 -
C:\Windows\SysWOW64\Qjgcecja.exeC:\Windows\system32\Qjgcecja.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2948 -
C:\Windows\SysWOW64\Afndjdpe.exeC:\Windows\system32\Afndjdpe.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:988 -
C:\Windows\SysWOW64\Acadchoo.exeC:\Windows\system32\Acadchoo.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:868 -
C:\Windows\SysWOW64\Aphehidc.exeC:\Windows\system32\Aphehidc.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1912 -
C:\Windows\SysWOW64\Aiqjao32.exeC:\Windows\system32\Aiqjao32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2176 -
C:\Windows\SysWOW64\Abinjdad.exeC:\Windows\system32\Abinjdad.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2428 -
C:\Windows\SysWOW64\Anpooe32.exeC:\Windows\system32\Anpooe32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1944 -
C:\Windows\SysWOW64\Bldpiifb.exeC:\Windows\system32\Bldpiifb.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:948 -
C:\Windows\SysWOW64\Beldao32.exeC:\Windows\system32\Beldao32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:840 -
C:\Windows\SysWOW64\Bmgifa32.exeC:\Windows\system32\Bmgifa32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1868 -
C:\Windows\SysWOW64\Bkkioeig.exeC:\Windows\system32\Bkkioeig.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:932 -
C:\Windows\SysWOW64\Bknfeege.exeC:\Windows\system32\Bknfeege.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1804 -
C:\Windows\SysWOW64\Bbikig32.exeC:\Windows\system32\Bbikig32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2520 -
C:\Windows\SysWOW64\Bpmkbl32.exeC:\Windows\system32\Bpmkbl32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1628 -
C:\Windows\SysWOW64\Clclhmin.exeC:\Windows\system32\Clclhmin.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1864 -
C:\Windows\SysWOW64\Chjmmnnb.exeC:\Windows\system32\Chjmmnnb.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1684 -
C:\Windows\SysWOW64\Chmibmlo.exeC:\Windows\system32\Chmibmlo.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1884 -
C:\Windows\SysWOW64\Chofhm32.exeC:\Windows\system32\Chofhm32.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2152 -
C:\Windows\SysWOW64\Chabmm32.exeC:\Windows\system32\Chabmm32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1600 -
C:\Windows\SysWOW64\Dckcnj32.exeC:\Windows\system32\Dckcnj32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2792 -
C:\Windows\SysWOW64\Dcmpcjcf.exeC:\Windows\system32\Dcmpcjcf.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2776 -
C:\Windows\SysWOW64\Dodahk32.exeC:\Windows\system32\Dodahk32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2456 -
C:\Windows\SysWOW64\Dofnnkfg.exeC:\Windows\system32\Dofnnkfg.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2764 -
C:\Windows\SysWOW64\Dfpfke32.exeC:\Windows\system32\Dfpfke32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1780 -
C:\Windows\SysWOW64\Edeclabl.exeC:\Windows\system32\Edeclabl.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2392 -
C:\Windows\SysWOW64\Ehclbpic.exeC:\Windows\system32\Ehclbpic.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2980 -
C:\Windows\SysWOW64\Edjlgq32.exeC:\Windows\system32\Edjlgq32.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:1964 -
C:\Windows\SysWOW64\Edmilpld.exeC:\Windows\system32\Edmilpld.exe37⤵
- Executes dropped EXE
PID:2368 -
C:\Windows\SysWOW64\Edofbpja.exeC:\Windows\system32\Edofbpja.exe38⤵
- Executes dropped EXE
PID:2328 -
C:\Windows\SysWOW64\Fqffgapf.exeC:\Windows\system32\Fqffgapf.exe39⤵
- Executes dropped EXE
PID:2336 -
C:\Windows\SysWOW64\Fiakkcma.exeC:\Windows\system32\Fiakkcma.exe40⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:108 -
C:\Windows\SysWOW64\Fichqckn.exeC:\Windows\system32\Fichqckn.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2840 -
C:\Windows\SysWOW64\Hbpbck32.exeC:\Windows\system32\Hbpbck32.exe42⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2924 -
C:\Windows\SysWOW64\Hiockd32.exeC:\Windows\system32\Hiockd32.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1796 -
C:\Windows\SysWOW64\Hbghdj32.exeC:\Windows\system32\Hbghdj32.exe44⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2252 -
C:\Windows\SysWOW64\Hhdqma32.exeC:\Windows\system32\Hhdqma32.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2056 -
C:\Windows\SysWOW64\Hehafe32.exeC:\Windows\system32\Hehafe32.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1460 -
C:\Windows\SysWOW64\Iopeoknn.exeC:\Windows\system32\Iopeoknn.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1976 -
C:\Windows\SysWOW64\Ikgfdlcb.exeC:\Windows\system32\Ikgfdlcb.exe48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1696 -
C:\Windows\SysWOW64\Igngim32.exeC:\Windows\system32\Igngim32.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2768 -
C:\Windows\SysWOW64\Iecdji32.exeC:\Windows\system32\Iecdji32.exe50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2148 -
C:\Windows\SysWOW64\Iphhgb32.exeC:\Windows\system32\Iphhgb32.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1316 -
C:\Windows\SysWOW64\Ijampgde.exeC:\Windows\system32\Ijampgde.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2652 -
C:\Windows\SysWOW64\Ialadj32.exeC:\Windows\system32\Ialadj32.exe53⤵
- Executes dropped EXE
PID:1056 -
C:\Windows\SysWOW64\Jclnnmic.exeC:\Windows\system32\Jclnnmic.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:852 -
C:\Windows\SysWOW64\Jkgbcofn.exeC:\Windows\system32\Jkgbcofn.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2364 -
C:\Windows\SysWOW64\Jgnchplb.exeC:\Windows\system32\Jgnchplb.exe56⤵
- Executes dropped EXE
PID:2636 -
C:\Windows\SysWOW64\Jbcgeilh.exeC:\Windows\system32\Jbcgeilh.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2396 -
C:\Windows\SysWOW64\Jkllnn32.exeC:\Windows\system32\Jkllnn32.exe58⤵
- Executes dropped EXE
PID:2868 -
C:\Windows\SysWOW64\Jddqgdii.exeC:\Windows\system32\Jddqgdii.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2780 -
C:\Windows\SysWOW64\Kmoekf32.exeC:\Windows\system32\Kmoekf32.exe60⤵
- Executes dropped EXE
PID:1676 -
C:\Windows\SysWOW64\Kqmnadlk.exeC:\Windows\system32\Kqmnadlk.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:2436 -
C:\Windows\SysWOW64\Kbqgolpf.exeC:\Windows\system32\Kbqgolpf.exe62⤵
- Executes dropped EXE
PID:1452 -
C:\Windows\SysWOW64\Kmfklepl.exeC:\Windows\system32\Kmfklepl.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1492 -
C:\Windows\SysWOW64\Kimlqfeq.exeC:\Windows\system32\Kimlqfeq.exe64⤵
- Executes dropped EXE
PID:1048 -
C:\Windows\SysWOW64\Kpgdnp32.exeC:\Windows\system32\Kpgdnp32.exe65⤵
- Executes dropped EXE
- Modifies registry class
PID:2004 -
C:\Windows\SysWOW64\Kecmfg32.exeC:\Windows\system32\Kecmfg32.exe66⤵PID:2844
-
C:\Windows\SysWOW64\Lnlaomae.exeC:\Windows\system32\Lnlaomae.exe67⤵PID:1596
-
C:\Windows\SysWOW64\Llpaha32.exeC:\Windows\system32\Llpaha32.exe68⤵PID:1456
-
C:\Windows\SysWOW64\Lbjjekhl.exeC:\Windows\system32\Lbjjekhl.exe69⤵PID:2976
-
C:\Windows\SysWOW64\Lnqkjl32.exeC:\Windows\system32\Lnqkjl32.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2632 -
C:\Windows\SysWOW64\Lcncbc32.exeC:\Windows\system32\Lcncbc32.exe71⤵
- Modifies registry class
PID:884 -
C:\Windows\SysWOW64\Lpddgd32.exeC:\Windows\system32\Lpddgd32.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1564 -
C:\Windows\SysWOW64\Ladpagin.exeC:\Windows\system32\Ladpagin.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:584 -
C:\Windows\SysWOW64\Mioeeifi.exeC:\Windows\system32\Mioeeifi.exe74⤵
- Modifies registry class
PID:2084 -
C:\Windows\SysWOW64\Mpimbcnf.exeC:\Windows\system32\Mpimbcnf.exe75⤵
- Modifies registry class
PID:604 -
C:\Windows\SysWOW64\Miaaki32.exeC:\Windows\system32\Miaaki32.exe76⤵PID:2860
-
C:\Windows\SysWOW64\Mfebdm32.exeC:\Windows\system32\Mfebdm32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2020 -
C:\Windows\SysWOW64\Mifkfhpa.exeC:\Windows\system32\Mifkfhpa.exe78⤵
- Modifies registry class
PID:1968 -
C:\Windows\SysWOW64\Mdplfflp.exeC:\Windows\system32\Mdplfflp.exe79⤵
- System Location Discovery: System Language Discovery
PID:1580 -
C:\Windows\SysWOW64\Ndbile32.exeC:\Windows\system32\Ndbile32.exe80⤵
- Drops file in System32 directory
- Modifies registry class
PID:808 -
C:\Windows\SysWOW64\Nmjmekan.exeC:\Windows\system32\Nmjmekan.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:3068 -
C:\Windows\SysWOW64\Nianjl32.exeC:\Windows\system32\Nianjl32.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2236 -
C:\Windows\SysWOW64\Ncjbba32.exeC:\Windows\system32\Ncjbba32.exe83⤵
- System Location Discovery: System Language Discovery
PID:1712 -
C:\Windows\SysWOW64\Nggkipci.exeC:\Windows\system32\Nggkipci.exe84⤵PID:2160
-
C:\Windows\SysWOW64\Nldcagaq.exeC:\Windows\system32\Nldcagaq.exe85⤵
- Drops file in System32 directory
PID:1504 -
C:\Windows\SysWOW64\Olgpff32.exeC:\Windows\system32\Olgpff32.exe86⤵PID:1520
-
C:\Windows\SysWOW64\Oeaael32.exeC:\Windows\system32\Oeaael32.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2208 -
C:\Windows\SysWOW64\Onmfin32.exeC:\Windows\system32\Onmfin32.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2596 -
C:\Windows\SysWOW64\Okqgcb32.exeC:\Windows\system32\Okqgcb32.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2996 -
C:\Windows\SysWOW64\Ohdglfoj.exeC:\Windows\system32\Ohdglfoj.exe90⤵
- System Location Discovery: System Language Discovery
PID:1632 -
C:\Windows\SysWOW64\Onapdmma.exeC:\Windows\system32\Onapdmma.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2412 -
C:\Windows\SysWOW64\Pjhpin32.exeC:\Windows\system32\Pjhpin32.exe92⤵
- System Location Discovery: System Language Discovery
PID:2488 -
C:\Windows\SysWOW64\Pdndggcl.exeC:\Windows\system32\Pdndggcl.exe93⤵
- Drops file in System32 directory
PID:2600 -
C:\Windows\SysWOW64\Pfoanp32.exeC:\Windows\system32\Pfoanp32.exe94⤵
- System Location Discovery: System Language Discovery
PID:992 -
C:\Windows\SysWOW64\Pccahc32.exeC:\Windows\system32\Pccahc32.exe95⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2988 -
C:\Windows\SysWOW64\Qmpplh32.exeC:\Windows\system32\Qmpplh32.exe96⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:756 -
C:\Windows\SysWOW64\Qgiplffm.exeC:\Windows\system32\Qgiplffm.exe97⤵PID:1328
-
C:\Windows\SysWOW64\Ajjinaco.exeC:\Windows\system32\Ajjinaco.exe98⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2796 -
C:\Windows\SysWOW64\Acbnggjo.exeC:\Windows\system32\Acbnggjo.exe99⤵
- System Location Discovery: System Language Discovery
PID:2676 -
C:\Windows\SysWOW64\Amkbpm32.exeC:\Windows\system32\Amkbpm32.exe100⤵PID:2816
-
C:\Windows\SysWOW64\Afcghbgp.exeC:\Windows\system32\Afcghbgp.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:860 -
C:\Windows\SysWOW64\Acggbffj.exeC:\Windows\system32\Acggbffj.exe102⤵PID:1300
-
C:\Windows\SysWOW64\Aakhkj32.exeC:\Windows\system32\Aakhkj32.exe103⤵
- System Location Discovery: System Language Discovery
PID:1072 -
C:\Windows\SysWOW64\Ambhpljg.exeC:\Windows\system32\Ambhpljg.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:772 -
C:\Windows\SysWOW64\Bemmenhb.exeC:\Windows\system32\Bemmenhb.exe105⤵
- Modifies registry class
PID:2268 -
C:\Windows\SysWOW64\Bneancnc.exeC:\Windows\system32\Bneancnc.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1608 -
C:\Windows\SysWOW64\Bbcjca32.exeC:\Windows\system32\Bbcjca32.exe107⤵
- Modifies registry class
PID:1164 -
C:\Windows\SysWOW64\Bebfpm32.exeC:\Windows\system32\Bebfpm32.exe108⤵
- System Location Discovery: System Language Discovery
PID:1004 -
C:\Windows\SysWOW64\Bllomg32.exeC:\Windows\system32\Bllomg32.exe109⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1480 -
C:\Windows\SysWOW64\Bdgcaj32.exeC:\Windows\system32\Bdgcaj32.exe110⤵
- System Location Discovery: System Language Discovery
PID:2340 -
C:\Windows\SysWOW64\Bmohjooe.exeC:\Windows\system32\Bmohjooe.exe111⤵
- Modifies registry class
PID:660 -
C:\Windows\SysWOW64\Cfhlbe32.exeC:\Windows\system32\Cfhlbe32.exe112⤵
- Drops file in System32 directory
PID:2836 -
C:\Windows\SysWOW64\Camqpnel.exeC:\Windows\system32\Camqpnel.exe113⤵PID:2968
-
C:\Windows\SysWOW64\Cihedpcg.exeC:\Windows\system32\Cihedpcg.exe114⤵
- Drops file in System32 directory
- Modifies registry class
PID:2716 -
C:\Windows\SysWOW64\Ckhbnb32.exeC:\Windows\system32\Ckhbnb32.exe115⤵
- Modifies registry class
PID:1384 -
C:\Windows\SysWOW64\Cpejfjha.exeC:\Windows\system32\Cpejfjha.exe116⤵
- Drops file in System32 directory
PID:1612 -
C:\Windows\SysWOW64\Cmikpngk.exeC:\Windows\system32\Cmikpngk.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3060 -
C:\Windows\SysWOW64\Clnhajlc.exeC:\Windows\system32\Clnhajlc.exe118⤵
- System Location Discovery: System Language Discovery
PID:2096 -
C:\Windows\SysWOW64\Dhehfk32.exeC:\Windows\system32\Dhehfk32.exe119⤵
- System Location Discovery: System Language Discovery
PID:2468 -
C:\Windows\SysWOW64\Dcjmcd32.exeC:\Windows\system32\Dcjmcd32.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2036 -
C:\Windows\SysWOW64\Dlbaljhn.exeC:\Windows\system32\Dlbaljhn.exe121⤵PID:2808
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-