Analysis
-
max time kernel
21s -
max time network
18s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
05-12-2024 13:49
Behavioral task
behavioral1
Sample
3db763838febc702486716374cbb7018ec2f4cb612346130f70ddacbcce674ffN.exe
Resource
win7-20240903-en
windows7-x64
12 signatures
120 seconds
General
-
Target
3db763838febc702486716374cbb7018ec2f4cb612346130f70ddacbcce674ffN.exe
-
Size
93KB
-
MD5
720357d0136afbd55211e43abafdcef0
-
SHA1
f0247e6a1a5f4bf08f0c761bbba2f3b3e372616d
-
SHA256
3db763838febc702486716374cbb7018ec2f4cb612346130f70ddacbcce674ff
-
SHA512
7dc1a64503d6f3c74c1e2aaf191d5d856a21e3ac51fefb7b3c7976b0190c936b81cfd541e8c08cda52aa46a25d9ef48bc7dc95b968ba16a4aa945409e5d7cb11
-
SSDEEP
1536:NYzdymcyOphebJ7iwDZ9Qjy0KD11DaYfMZRWuLsV+1Z:NidOHmJ7iuQjBKD1gYfc0DV+1Z
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bcmfmlen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjgoje32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhiomn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eknmhk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nplimbka.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jepmgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qdojgmfe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdkgkcpq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gncldi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hebnlb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idgglb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkjphcff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pcljmdmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ifampo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcdjoaee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ddpobo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eogmcjef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Obmnna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Piqpkpml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pckajebj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjegog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kpkpadnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mgedmb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohiffh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phqmgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bqijljfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gcgnnlle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hemqpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kdklfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jdaqmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mclebc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohncbdbd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljieppcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eeaepd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eecafd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fnflke32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Neqnqofm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elfcbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eeohkeoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nlcibc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lqejbiim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Abegfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eggndi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Famope32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nefdpjkl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppfomk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Boidnh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hahnac32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kklkcn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Doecog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oplelf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gjojef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ihpfgalh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Abmgjo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bccmmf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Neknki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qjklenpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aodkci32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbjmpcab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Edibhmml.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Famope32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lcfbdd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cnnnnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fcnkhmdp.exe -
Berbew family
-
Njrat family
-
Executes dropped EXE 64 IoCs
pid Process 1620 Hjfcpo32.exe 1184 Hapklimq.exe 2040 Helgmg32.exe 2880 Hhjcic32.exe 2716 Ipehmebh.exe 2908 Ifoqjo32.exe 2636 Ijklknbn.exe 2328 Iphecepe.exe 1400 Ifampo32.exe 1636 Ilofhffj.exe 320 Ibhndp32.exe 2852 Iibfajdc.exe 1744 Ibkkjp32.exe 2196 Ilcoce32.exe 1708 Iapgkl32.exe 2208 Jlelhe32.exe 844 Jbpdeogo.exe 1120 Jdaqmg32.exe 912 Jkkija32.exe 2144 Jepmgj32.exe 2280 Jgaiobjn.exe 2384 Jpjngh32.exe 2964 Jgdfdbhk.exe 2312 Jjbbpmgo.exe 1628 Jplkmgol.exe 2072 Jckgicnp.exe 2832 Jlckbh32.exe 2104 Kghpoa32.exe 2896 Knbhlkkc.exe 2916 Kpadhg32.exe 2776 Kfnmpn32.exe 2004 Klhemhpk.exe 2116 Kbdmeoob.exe 1456 Kljabgnh.exe 2440 Kcdjoaee.exe 1056 Kdefgj32.exe 1764 Kllnhg32.exe 1016 Knnkpobc.exe 1680 Khcomhbi.exe 2276 Kgfoie32.exe 2472 Lomgjb32.exe 552 Lhelbh32.exe 1304 Lnbdko32.exe 2120 Lqqpgj32.exe 2380 Lgkhdddo.exe 2360 Ljieppcb.exe 3032 Lmgalkcf.exe 1924 Lqcmmjko.exe 1528 Lcaiiejc.exe 2688 Lfpeeqig.exe 2812 Lngnfnji.exe 2828 Lqejbiim.exe 2816 Lcdfnehp.exe 2652 Lgoboc32.exe 2884 Liqoflfh.exe 668 Lmljgj32.exe 2856 Lokgcf32.exe 388 Lcfbdd32.exe 1984 Mjpkqonj.exe 3056 Mmogmjmn.exe 2252 Mpmcielb.exe 2256 Mbkpeake.exe 1572 Miehak32.exe 2480 Mpopnejo.exe -
Loads dropped DLL 64 IoCs
pid Process 2388 3db763838febc702486716374cbb7018ec2f4cb612346130f70ddacbcce674ffN.exe 2388 3db763838febc702486716374cbb7018ec2f4cb612346130f70ddacbcce674ffN.exe 1620 Hjfcpo32.exe 1620 Hjfcpo32.exe 1184 Hapklimq.exe 1184 Hapklimq.exe 2040 Helgmg32.exe 2040 Helgmg32.exe 2880 Hhjcic32.exe 2880 Hhjcic32.exe 2716 Ipehmebh.exe 2716 Ipehmebh.exe 2908 Ifoqjo32.exe 2908 Ifoqjo32.exe 2636 Ijklknbn.exe 2636 Ijklknbn.exe 2328 Iphecepe.exe 2328 Iphecepe.exe 1400 Ifampo32.exe 1400 Ifampo32.exe 1636 Ilofhffj.exe 1636 Ilofhffj.exe 320 Ibhndp32.exe 320 Ibhndp32.exe 2852 Iibfajdc.exe 2852 Iibfajdc.exe 1744 Ibkkjp32.exe 1744 Ibkkjp32.exe 2196 Ilcoce32.exe 2196 Ilcoce32.exe 1708 Iapgkl32.exe 1708 Iapgkl32.exe 2208 Jlelhe32.exe 2208 Jlelhe32.exe 844 Jbpdeogo.exe 844 Jbpdeogo.exe 1120 Jdaqmg32.exe 1120 Jdaqmg32.exe 912 Jkkija32.exe 912 Jkkija32.exe 2144 Jepmgj32.exe 2144 Jepmgj32.exe 2280 Jgaiobjn.exe 2280 Jgaiobjn.exe 2384 Jpjngh32.exe 2384 Jpjngh32.exe 2964 Jgdfdbhk.exe 2964 Jgdfdbhk.exe 2312 Jjbbpmgo.exe 2312 Jjbbpmgo.exe 1628 Jplkmgol.exe 1628 Jplkmgol.exe 2072 Jckgicnp.exe 2072 Jckgicnp.exe 2832 Jlckbh32.exe 2832 Jlckbh32.exe 2104 Kghpoa32.exe 2104 Kghpoa32.exe 2896 Knbhlkkc.exe 2896 Knbhlkkc.exe 2916 Kpadhg32.exe 2916 Kpadhg32.exe 2776 Kfnmpn32.exe 2776 Kfnmpn32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Pahoec32.dll Dejbqb32.exe File created C:\Windows\SysWOW64\Edibhmml.exe Epmfgo32.exe File created C:\Windows\SysWOW64\Nbjeinje.exe Nnoiio32.exe File opened for modification C:\Windows\SysWOW64\Gdhkfd32.exe Gcgnnlle.exe File opened for modification C:\Windows\SysWOW64\Jlkngc32.exe Jeafjiop.exe File created C:\Windows\SysWOW64\Coamkc32.dll Mcjhmcok.exe File created C:\Windows\SysWOW64\Ndjcbk32.dll Lnbdko32.exe File created C:\Windows\SysWOW64\Iiegdegb.dll Miehak32.exe File opened for modification C:\Windows\SysWOW64\Oaqbln32.exe Oijjka32.exe File created C:\Windows\SysWOW64\Dqlapaeh.dll Dacpkc32.exe File created C:\Windows\SysWOW64\Eecafd32.exe Eaheeecg.exe File opened for modification C:\Windows\SysWOW64\Opnbbe32.exe Ompefj32.exe File created C:\Windows\SysWOW64\Kdpfadlm.exe Kocmim32.exe File opened for modification C:\Windows\SysWOW64\Nbmaon32.exe Nlcibc32.exe File created C:\Windows\SysWOW64\Qlgkki32.exe Qndkpmkm.exe File opened for modification C:\Windows\SysWOW64\Lmgalkcf.exe Ljieppcb.exe File created C:\Windows\SysWOW64\Egkoigpo.dll Pcdkif32.exe File created C:\Windows\SysWOW64\Eldglp32.exe Eiekpd32.exe File created C:\Windows\SysWOW64\Gcgnnlle.exe Gkpfmnlb.exe File opened for modification C:\Windows\SysWOW64\Jgabdlfb.exe Jojkco32.exe File created C:\Windows\SysWOW64\Hakapcjd.dll Iakgefqe.exe File opened for modification C:\Windows\SysWOW64\Imahkg32.exe Ifgpnmom.exe File opened for modification C:\Windows\SysWOW64\Apedah32.exe Alihaioe.exe File opened for modification C:\Windows\SysWOW64\Jepmgj32.exe Jkkija32.exe File created C:\Windows\SysWOW64\Lmljgj32.exe Liqoflfh.exe File created C:\Windows\SysWOW64\Olkfmi32.exe Neqnqofm.exe File created C:\Windows\SysWOW64\Bbgqjdce.exe Boidnh32.exe File opened for modification C:\Windows\SysWOW64\Iafnjg32.exe Ipeaco32.exe File opened for modification C:\Windows\SysWOW64\Agolnbok.exe Apedah32.exe File opened for modification C:\Windows\SysWOW64\Cchbgi32.exe Caifjn32.exe File opened for modification C:\Windows\SysWOW64\Lnbdko32.exe Lhelbh32.exe File created C:\Windows\SysWOW64\Lgoboc32.exe Lcdfnehp.exe File opened for modification C:\Windows\SysWOW64\Lgoboc32.exe Lcdfnehp.exe File created C:\Windows\SysWOW64\Nfllknkp.dll Oijjka32.exe File created C:\Windows\SysWOW64\Ajmijmnn.exe Agolnbok.exe File opened for modification C:\Windows\SysWOW64\Lboiol32.exe Loqmba32.exe File created C:\Windows\SysWOW64\Gfdkid32.dll Ngealejo.exe File created C:\Windows\SysWOW64\Ibfmbhnd.dll Jgaiobjn.exe File created C:\Windows\SysWOW64\Knbhlkkc.exe Kghpoa32.exe File created C:\Windows\SysWOW64\Lcdfnehp.exe Lqejbiim.exe File opened for modification C:\Windows\SysWOW64\Oeckfndj.exe Obdojcef.exe File opened for modification C:\Windows\SysWOW64\Jpigma32.exe Jhbold32.exe File created C:\Windows\SysWOW64\Ecbhdi32.exe Eogmcjef.exe File created C:\Windows\SysWOW64\Aficjnpm.exe Abmgjo32.exe File created C:\Windows\SysWOW64\Omlflo32.dll Dafmqb32.exe File created C:\Windows\SysWOW64\Fdmhbplb.exe Fncpef32.exe File created C:\Windows\SysWOW64\Iidobe32.dll Pdbdqh32.exe File created C:\Windows\SysWOW64\Pebpkk32.exe Pafdjmkq.exe File opened for modification C:\Windows\SysWOW64\Achjibcl.exe Alnalh32.exe File created C:\Windows\SysWOW64\Bffbdadk.exe Bchfhfeh.exe File opened for modification C:\Windows\SysWOW64\Ndkhngdd.exe Nmqpam32.exe File created C:\Windows\SysWOW64\Aodkci32.exe Aijbfo32.exe File created C:\Windows\SysWOW64\Fkfnnoge.dll Phqmgg32.exe File created C:\Windows\SysWOW64\Pdgmlhha.exe Paiaplin.exe File opened for modification C:\Windows\SysWOW64\Aoagccfn.exe Agjobffl.exe File opened for modification C:\Windows\SysWOW64\Lfpeeqig.exe Lcaiiejc.exe File opened for modification C:\Windows\SysWOW64\Ilnomp32.exe Idgglb32.exe File created C:\Windows\SysWOW64\Jojkco32.exe Jlkngc32.exe File created C:\Windows\SysWOW64\Cnfqccna.exe Ckhdggom.exe File created C:\Windows\SysWOW64\Lqcmmjko.exe Lmgalkcf.exe File created C:\Windows\SysWOW64\Ajcipc32.exe Aciqcifh.exe File opened for modification C:\Windows\SysWOW64\Epmfgo32.exe Dmojkc32.exe File created C:\Windows\SysWOW64\Fbbnekdd.dll Qndkpmkm.exe File opened for modification C:\Windows\SysWOW64\Cenljmgq.exe Cfkloq32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5604 5448 WerFault.exe 535 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pckajebj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbjeinje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhgnaehm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkoicb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohcdhi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fogibnha.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjcaimgg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcljmdmj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kghpoa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kllnhg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghdgfbkl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnnnnh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pojecajj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkcbnanl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddblgn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hldlga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdefgj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opaebkmc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boidnh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hebnlb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plmpblnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghajacmo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdklfe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhknaf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfnmpn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbpeoc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olmcchlg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkbaii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdmdacnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lqcmmjko.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lqipkhbj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qjklenpa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbjmpcab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjofdi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdnmma32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khkbbc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdiefffn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obhdcanc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgabdlfb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aijbfo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfkeokjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgibnj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcnkhmdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkjphcff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifoqjo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhelbh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcjlnpmo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idgglb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adifpk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehkhaqpk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odgamdef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipehmebh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjojef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajmijmnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbdmeoob.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmljgj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndkhngdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Noffdd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjgoje32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbhbdi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgfoie32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aobnniji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eeaepd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfphcj32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anloijlk.dll" Lokgcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jliaac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diibmpdj.dll" Jlkngc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlfgce32.dll" Nfahomfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lfoojj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jdaqmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Njbdea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gqahqd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gkglnm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jojkco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ijklknbn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jepmgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Opaebkmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iidgma32.dll" Hfegij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bbmcibjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhfpnk32.dll" Kjahej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jinafidh.dll" Noffdd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fenjme32.dll" Okbpde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cillkbac.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Daacecfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hakkgc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmkejc32.dll" Hhjcic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aobnniji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gnaooi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqliblhd.dll" Omnipjni.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nfahomfd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cebeem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hhjcic32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pciddedl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Amaelomh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ajeeeblb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gbhbdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ccmpce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhgpia32.dll" Cpfmmf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lhelbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mqdkdffe.dll" Qobbofgn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ecploipa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmimme32.dll" Goiehm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qdncmgbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kllnhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Neqnqofm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fkpjnkig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pdbdqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Offmipej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbmnig32.dll" Bbmcibjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lgkhdddo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dlfgcl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gqahqd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hakkgc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kocmim32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jpjngh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odldga32.dll" Nbmaon32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cgaaah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fanppopl.dll" Qgmfchei.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ggicgopd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jedcpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jpjngh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kbdmeoob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Almdmc32.dll" Lgoboc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mijamjnm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nbpeoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmgbdm32.dll" Pkoicb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Neknki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmbfdl32.dll" Cfmhdpnc.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2388 wrote to memory of 1620 2388 3db763838febc702486716374cbb7018ec2f4cb612346130f70ddacbcce674ffN.exe 30 PID 2388 wrote to memory of 1620 2388 3db763838febc702486716374cbb7018ec2f4cb612346130f70ddacbcce674ffN.exe 30 PID 2388 wrote to memory of 1620 2388 3db763838febc702486716374cbb7018ec2f4cb612346130f70ddacbcce674ffN.exe 30 PID 2388 wrote to memory of 1620 2388 3db763838febc702486716374cbb7018ec2f4cb612346130f70ddacbcce674ffN.exe 30 PID 1620 wrote to memory of 1184 1620 Hjfcpo32.exe 31 PID 1620 wrote to memory of 1184 1620 Hjfcpo32.exe 31 PID 1620 wrote to memory of 1184 1620 Hjfcpo32.exe 31 PID 1620 wrote to memory of 1184 1620 Hjfcpo32.exe 31 PID 1184 wrote to memory of 2040 1184 Hapklimq.exe 32 PID 1184 wrote to memory of 2040 1184 Hapklimq.exe 32 PID 1184 wrote to memory of 2040 1184 Hapklimq.exe 32 PID 1184 wrote to memory of 2040 1184 Hapklimq.exe 32 PID 2040 wrote to memory of 2880 2040 Helgmg32.exe 33 PID 2040 wrote to memory of 2880 2040 Helgmg32.exe 33 PID 2040 wrote to memory of 2880 2040 Helgmg32.exe 33 PID 2040 wrote to memory of 2880 2040 Helgmg32.exe 33 PID 2880 wrote to memory of 2716 2880 Hhjcic32.exe 34 PID 2880 wrote to memory of 2716 2880 Hhjcic32.exe 34 PID 2880 wrote to memory of 2716 2880 Hhjcic32.exe 34 PID 2880 wrote to memory of 2716 2880 Hhjcic32.exe 34 PID 2716 wrote to memory of 2908 2716 Ipehmebh.exe 35 PID 2716 wrote to memory of 2908 2716 Ipehmebh.exe 35 PID 2716 wrote to memory of 2908 2716 Ipehmebh.exe 35 PID 2716 wrote to memory of 2908 2716 Ipehmebh.exe 35 PID 2908 wrote to memory of 2636 2908 Ifoqjo32.exe 36 PID 2908 wrote to memory of 2636 2908 Ifoqjo32.exe 36 PID 2908 wrote to memory of 2636 2908 Ifoqjo32.exe 36 PID 2908 wrote to memory of 2636 2908 Ifoqjo32.exe 36 PID 2636 wrote to memory of 2328 2636 Ijklknbn.exe 37 PID 2636 wrote to memory of 2328 2636 Ijklknbn.exe 37 PID 2636 wrote to memory of 2328 2636 Ijklknbn.exe 37 PID 2636 wrote to memory of 2328 2636 Ijklknbn.exe 37 PID 2328 wrote to memory of 1400 2328 Iphecepe.exe 38 PID 2328 wrote to memory of 1400 2328 Iphecepe.exe 38 PID 2328 wrote to memory of 1400 2328 Iphecepe.exe 38 PID 2328 wrote to memory of 1400 2328 Iphecepe.exe 38 PID 1400 wrote to memory of 1636 1400 Ifampo32.exe 39 PID 1400 wrote to memory of 1636 1400 Ifampo32.exe 39 PID 1400 wrote to memory of 1636 1400 Ifampo32.exe 39 PID 1400 wrote to memory of 1636 1400 Ifampo32.exe 39 PID 1636 wrote to memory of 320 1636 Ilofhffj.exe 40 PID 1636 wrote to memory of 320 1636 Ilofhffj.exe 40 PID 1636 wrote to memory of 320 1636 Ilofhffj.exe 40 PID 1636 wrote to memory of 320 1636 Ilofhffj.exe 40 PID 320 wrote to memory of 2852 320 Ibhndp32.exe 41 PID 320 wrote to memory of 2852 320 Ibhndp32.exe 41 PID 320 wrote to memory of 2852 320 Ibhndp32.exe 41 PID 320 wrote to memory of 2852 320 Ibhndp32.exe 41 PID 2852 wrote to memory of 1744 2852 Iibfajdc.exe 42 PID 2852 wrote to memory of 1744 2852 Iibfajdc.exe 42 PID 2852 wrote to memory of 1744 2852 Iibfajdc.exe 42 PID 2852 wrote to memory of 1744 2852 Iibfajdc.exe 42 PID 1744 wrote to memory of 2196 1744 Ibkkjp32.exe 43 PID 1744 wrote to memory of 2196 1744 Ibkkjp32.exe 43 PID 1744 wrote to memory of 2196 1744 Ibkkjp32.exe 43 PID 1744 wrote to memory of 2196 1744 Ibkkjp32.exe 43 PID 2196 wrote to memory of 1708 2196 Ilcoce32.exe 44 PID 2196 wrote to memory of 1708 2196 Ilcoce32.exe 44 PID 2196 wrote to memory of 1708 2196 Ilcoce32.exe 44 PID 2196 wrote to memory of 1708 2196 Ilcoce32.exe 44 PID 1708 wrote to memory of 2208 1708 Iapgkl32.exe 45 PID 1708 wrote to memory of 2208 1708 Iapgkl32.exe 45 PID 1708 wrote to memory of 2208 1708 Iapgkl32.exe 45 PID 1708 wrote to memory of 2208 1708 Iapgkl32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\3db763838febc702486716374cbb7018ec2f4cb612346130f70ddacbcce674ffN.exe"C:\Users\Admin\AppData\Local\Temp\3db763838febc702486716374cbb7018ec2f4cb612346130f70ddacbcce674ffN.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2388 -
C:\Windows\SysWOW64\Hjfcpo32.exeC:\Windows\system32\Hjfcpo32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1620 -
C:\Windows\SysWOW64\Hapklimq.exeC:\Windows\system32\Hapklimq.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1184 -
C:\Windows\SysWOW64\Helgmg32.exeC:\Windows\system32\Helgmg32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2040 -
C:\Windows\SysWOW64\Hhjcic32.exeC:\Windows\system32\Hhjcic32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2880 -
C:\Windows\SysWOW64\Ipehmebh.exeC:\Windows\system32\Ipehmebh.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2716 -
C:\Windows\SysWOW64\Ifoqjo32.exeC:\Windows\system32\Ifoqjo32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2908 -
C:\Windows\SysWOW64\Ijklknbn.exeC:\Windows\system32\Ijklknbn.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2636 -
C:\Windows\SysWOW64\Iphecepe.exeC:\Windows\system32\Iphecepe.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2328 -
C:\Windows\SysWOW64\Ifampo32.exeC:\Windows\system32\Ifampo32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1400 -
C:\Windows\SysWOW64\Ilofhffj.exeC:\Windows\system32\Ilofhffj.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1636 -
C:\Windows\SysWOW64\Ibhndp32.exeC:\Windows\system32\Ibhndp32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:320 -
C:\Windows\SysWOW64\Iibfajdc.exeC:\Windows\system32\Iibfajdc.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2852 -
C:\Windows\SysWOW64\Ibkkjp32.exeC:\Windows\system32\Ibkkjp32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1744 -
C:\Windows\SysWOW64\Ilcoce32.exeC:\Windows\system32\Ilcoce32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2196 -
C:\Windows\SysWOW64\Iapgkl32.exeC:\Windows\system32\Iapgkl32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1708 -
C:\Windows\SysWOW64\Jlelhe32.exeC:\Windows\system32\Jlelhe32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2208 -
C:\Windows\SysWOW64\Jbpdeogo.exeC:\Windows\system32\Jbpdeogo.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:844 -
C:\Windows\SysWOW64\Jdaqmg32.exeC:\Windows\system32\Jdaqmg32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1120 -
C:\Windows\SysWOW64\Jkkija32.exeC:\Windows\system32\Jkkija32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:912 -
C:\Windows\SysWOW64\Jepmgj32.exeC:\Windows\system32\Jepmgj32.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2144 -
C:\Windows\SysWOW64\Jgaiobjn.exeC:\Windows\system32\Jgaiobjn.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2280 -
C:\Windows\SysWOW64\Jpjngh32.exeC:\Windows\system32\Jpjngh32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2384 -
C:\Windows\SysWOW64\Jgdfdbhk.exeC:\Windows\system32\Jgdfdbhk.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2964 -
C:\Windows\SysWOW64\Jjbbpmgo.exeC:\Windows\system32\Jjbbpmgo.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2312 -
C:\Windows\SysWOW64\Jplkmgol.exeC:\Windows\system32\Jplkmgol.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1628 -
C:\Windows\SysWOW64\Jckgicnp.exeC:\Windows\system32\Jckgicnp.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2072 -
C:\Windows\SysWOW64\Jlckbh32.exeC:\Windows\system32\Jlckbh32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2832 -
C:\Windows\SysWOW64\Kghpoa32.exeC:\Windows\system32\Kghpoa32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2104 -
C:\Windows\SysWOW64\Knbhlkkc.exeC:\Windows\system32\Knbhlkkc.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2896 -
C:\Windows\SysWOW64\Kpadhg32.exeC:\Windows\system32\Kpadhg32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2916 -
C:\Windows\SysWOW64\Kfnmpn32.exeC:\Windows\system32\Kfnmpn32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2776 -
C:\Windows\SysWOW64\Klhemhpk.exeC:\Windows\system32\Klhemhpk.exe33⤵
- Executes dropped EXE
PID:2004 -
C:\Windows\SysWOW64\Kbdmeoob.exeC:\Windows\system32\Kbdmeoob.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2116 -
C:\Windows\SysWOW64\Kljabgnh.exeC:\Windows\system32\Kljabgnh.exe35⤵
- Executes dropped EXE
PID:1456 -
C:\Windows\SysWOW64\Kcdjoaee.exeC:\Windows\system32\Kcdjoaee.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2440 -
C:\Windows\SysWOW64\Kdefgj32.exeC:\Windows\system32\Kdefgj32.exe37⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1056 -
C:\Windows\SysWOW64\Kllnhg32.exeC:\Windows\system32\Kllnhg32.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1764 -
C:\Windows\SysWOW64\Knnkpobc.exeC:\Windows\system32\Knnkpobc.exe39⤵
- Executes dropped EXE
PID:1016 -
C:\Windows\SysWOW64\Khcomhbi.exeC:\Windows\system32\Khcomhbi.exe40⤵
- Executes dropped EXE
PID:1680 -
C:\Windows\SysWOW64\Kgfoie32.exeC:\Windows\system32\Kgfoie32.exe41⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2276 -
C:\Windows\SysWOW64\Lomgjb32.exeC:\Windows\system32\Lomgjb32.exe42⤵
- Executes dropped EXE
PID:2472 -
C:\Windows\SysWOW64\Lhelbh32.exeC:\Windows\system32\Lhelbh32.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:552 -
C:\Windows\SysWOW64\Lnbdko32.exeC:\Windows\system32\Lnbdko32.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1304 -
C:\Windows\SysWOW64\Lqqpgj32.exeC:\Windows\system32\Lqqpgj32.exe45⤵
- Executes dropped EXE
PID:2120 -
C:\Windows\SysWOW64\Lgkhdddo.exeC:\Windows\system32\Lgkhdddo.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:2380 -
C:\Windows\SysWOW64\Ljieppcb.exeC:\Windows\system32\Ljieppcb.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2360 -
C:\Windows\SysWOW64\Lmgalkcf.exeC:\Windows\system32\Lmgalkcf.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3032 -
C:\Windows\SysWOW64\Lqcmmjko.exeC:\Windows\system32\Lqcmmjko.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1924 -
C:\Windows\SysWOW64\Lcaiiejc.exeC:\Windows\system32\Lcaiiejc.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1528 -
C:\Windows\SysWOW64\Lfpeeqig.exeC:\Windows\system32\Lfpeeqig.exe51⤵
- Executes dropped EXE
PID:2688 -
C:\Windows\SysWOW64\Lngnfnji.exeC:\Windows\system32\Lngnfnji.exe52⤵
- Executes dropped EXE
PID:2812 -
C:\Windows\SysWOW64\Lqejbiim.exeC:\Windows\system32\Lqejbiim.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2828 -
C:\Windows\SysWOW64\Lcdfnehp.exeC:\Windows\system32\Lcdfnehp.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2816 -
C:\Windows\SysWOW64\Lgoboc32.exeC:\Windows\system32\Lgoboc32.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:2652 -
C:\Windows\SysWOW64\Liqoflfh.exeC:\Windows\system32\Liqoflfh.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2884 -
C:\Windows\SysWOW64\Lmljgj32.exeC:\Windows\system32\Lmljgj32.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:668 -
C:\Windows\SysWOW64\Lokgcf32.exeC:\Windows\system32\Lokgcf32.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:2856 -
C:\Windows\SysWOW64\Lcfbdd32.exeC:\Windows\system32\Lcfbdd32.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:388 -
C:\Windows\SysWOW64\Mjpkqonj.exeC:\Windows\system32\Mjpkqonj.exe60⤵
- Executes dropped EXE
PID:1984 -
C:\Windows\SysWOW64\Mmogmjmn.exeC:\Windows\system32\Mmogmjmn.exe61⤵
- Executes dropped EXE
PID:3056 -
C:\Windows\SysWOW64\Mpmcielb.exeC:\Windows\system32\Mpmcielb.exe62⤵
- Executes dropped EXE
PID:2252 -
C:\Windows\SysWOW64\Mbkpeake.exeC:\Windows\system32\Mbkpeake.exe63⤵
- Executes dropped EXE
PID:2256 -
C:\Windows\SysWOW64\Miehak32.exeC:\Windows\system32\Miehak32.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1572 -
C:\Windows\SysWOW64\Mpopnejo.exeC:\Windows\system32\Mpopnejo.exe65⤵
- Executes dropped EXE
PID:2480 -
C:\Windows\SysWOW64\Mfihkoal.exeC:\Windows\system32\Mfihkoal.exe66⤵PID:2232
-
C:\Windows\SysWOW64\Mgjebg32.exeC:\Windows\system32\Mgjebg32.exe67⤵PID:992
-
C:\Windows\SysWOW64\Mijamjnm.exeC:\Windows\system32\Mijamjnm.exe68⤵
- Modifies registry class
PID:1624 -
C:\Windows\SysWOW64\Mlhnifmq.exeC:\Windows\system32\Mlhnifmq.exe69⤵PID:1500
-
C:\Windows\SysWOW64\Mbbfep32.exeC:\Windows\system32\Mbbfep32.exe70⤵PID:2748
-
C:\Windows\SysWOW64\Meabakda.exeC:\Windows\system32\Meabakda.exe71⤵PID:2892
-
C:\Windows\SysWOW64\Mccbmh32.exeC:\Windows\system32\Mccbmh32.exe72⤵PID:2616
-
C:\Windows\SysWOW64\Mnifja32.exeC:\Windows\system32\Mnifja32.exe73⤵PID:2924
-
C:\Windows\SysWOW64\Necogkbo.exeC:\Windows\system32\Necogkbo.exe74⤵PID:820
-
C:\Windows\SysWOW64\Nhakcfab.exeC:\Windows\system32\Nhakcfab.exe75⤵PID:1416
-
C:\Windows\SysWOW64\Njpgpbpf.exeC:\Windows\system32\Njpgpbpf.exe76⤵PID:2824
-
C:\Windows\SysWOW64\Nmnclmoj.exeC:\Windows\system32\Nmnclmoj.exe77⤵PID:2128
-
C:\Windows\SysWOW64\Npmphinm.exeC:\Windows\system32\Npmphinm.exe78⤵PID:1900
-
C:\Windows\SysWOW64\Ndhlhg32.exeC:\Windows\system32\Ndhlhg32.exe79⤵PID:2520
-
C:\Windows\SysWOW64\Njbdea32.exeC:\Windows\system32\Njbdea32.exe80⤵
- Modifies registry class
PID:2588 -
C:\Windows\SysWOW64\Nmqpam32.exeC:\Windows\system32\Nmqpam32.exe81⤵
- Drops file in System32 directory
PID:2176 -
C:\Windows\SysWOW64\Ndkhngdd.exeC:\Windows\system32\Ndkhngdd.exe82⤵
- System Location Discovery: System Language Discovery
PID:2584 -
C:\Windows\SysWOW64\Nigafnck.exeC:\Windows\system32\Nigafnck.exe83⤵PID:3004
-
C:\Windows\SysWOW64\Npaich32.exeC:\Windows\system32\Npaich32.exe84⤵PID:896
-
C:\Windows\SysWOW64\Nbpeoc32.exeC:\Windows\system32\Nbpeoc32.exe85⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2404 -
C:\Windows\SysWOW64\Nmejllia.exeC:\Windows\system32\Nmejllia.exe86⤵PID:2972
-
C:\Windows\SysWOW64\Noffdd32.exeC:\Windows\system32\Noffdd32.exe87⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2708 -
C:\Windows\SysWOW64\Neqnqofm.exeC:\Windows\system32\Neqnqofm.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2412 -
C:\Windows\SysWOW64\Olkfmi32.exeC:\Windows\system32\Olkfmi32.exe89⤵PID:2888
-
C:\Windows\SysWOW64\Obdojcef.exeC:\Windows\system32\Obdojcef.exe90⤵
- Drops file in System32 directory
PID:628 -
C:\Windows\SysWOW64\Oeckfndj.exeC:\Windows\system32\Oeckfndj.exe91⤵PID:2804
-
C:\Windows\SysWOW64\Olmcchlg.exeC:\Windows\system32\Olmcchlg.exe92⤵
- System Location Discovery: System Language Discovery
PID:2664 -
C:\Windows\SysWOW64\Ookpodkj.exeC:\Windows\system32\Ookpodkj.exe93⤵PID:1772
-
C:\Windows\SysWOW64\Ohcdhi32.exeC:\Windows\system32\Ohcdhi32.exe94⤵
- System Location Discovery: System Language Discovery
PID:1116 -
C:\Windows\SysWOW64\Okbpde32.exeC:\Windows\system32\Okbpde32.exe95⤵
- Modifies registry class
PID:2988 -
C:\Windows\SysWOW64\Oehdan32.exeC:\Windows\system32\Oehdan32.exe96⤵PID:556
-
C:\Windows\SysWOW64\Okdmjdol.exeC:\Windows\system32\Okdmjdol.exe97⤵PID:1940
-
C:\Windows\SysWOW64\Opaebkmc.exeC:\Windows\system32\Opaebkmc.exe98⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2132 -
C:\Windows\SysWOW64\Ogknoe32.exeC:\Windows\system32\Ogknoe32.exe99⤵PID:1532
-
C:\Windows\SysWOW64\Oijjka32.exeC:\Windows\system32\Oijjka32.exe100⤵
- Drops file in System32 directory
PID:2496 -
C:\Windows\SysWOW64\Oaqbln32.exeC:\Windows\system32\Oaqbln32.exe101⤵PID:2912
-
C:\Windows\SysWOW64\Pcbncfjd.exeC:\Windows\system32\Pcbncfjd.exe102⤵PID:2620
-
C:\Windows\SysWOW64\Pgnjde32.exeC:\Windows\system32\Pgnjde32.exe103⤵PID:2676
-
C:\Windows\SysWOW64\Pilfpqaa.exeC:\Windows\system32\Pilfpqaa.exe104⤵PID:2460
-
C:\Windows\SysWOW64\Ppfomk32.exeC:\Windows\system32\Ppfomk32.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1980 -
C:\Windows\SysWOW64\Pcdkif32.exeC:\Windows\system32\Pcdkif32.exe106⤵
- Drops file in System32 directory
PID:112 -
C:\Windows\SysWOW64\Pnjofo32.exeC:\Windows\system32\Pnjofo32.exe107⤵PID:1608
-
C:\Windows\SysWOW64\Plmpblnb.exeC:\Windows\system32\Plmpblnb.exe108⤵
- System Location Discovery: System Language Discovery
PID:1476 -
C:\Windows\SysWOW64\Poklngnf.exeC:\Windows\system32\Poklngnf.exe109⤵PID:2236
-
C:\Windows\SysWOW64\Piqpkpml.exeC:\Windows\system32\Piqpkpml.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2340 -
C:\Windows\SysWOW64\Plolgk32.exeC:\Windows\system32\Plolgk32.exe111⤵PID:1856
-
C:\Windows\SysWOW64\Pciddedl.exeC:\Windows\system32\Pciddedl.exe112⤵
- Modifies registry class
PID:2744 -
C:\Windows\SysWOW64\Palepb32.exeC:\Windows\system32\Palepb32.exe113⤵PID:2632
-
C:\Windows\SysWOW64\Pjcmap32.exeC:\Windows\system32\Pjcmap32.exe114⤵PID:2136
-
C:\Windows\SysWOW64\Pkdihhag.exeC:\Windows\system32\Pkdihhag.exe115⤵PID:2848
-
C:\Windows\SysWOW64\Pckajebj.exeC:\Windows\system32\Pckajebj.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:268 -
C:\Windows\SysWOW64\Pdmnam32.exeC:\Windows\system32\Pdmnam32.exe117⤵PID:1036
-
C:\Windows\SysWOW64\Phhjblpa.exeC:\Windows\system32\Phhjblpa.exe118⤵PID:1464
-
C:\Windows\SysWOW64\Qobbofgn.exeC:\Windows\system32\Qobbofgn.exe119⤵
- Modifies registry class
PID:2364 -
C:\Windows\SysWOW64\Qaqnkafa.exeC:\Windows\system32\Qaqnkafa.exe120⤵PID:2468
-
C:\Windows\SysWOW64\Qdojgmfe.exeC:\Windows\system32\Qdojgmfe.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2392
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-