Analysis
-
max time kernel
117s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
07-12-2024 22:37
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
5318120164c806d23943b5201af16e84d97fdb5acc161e8a71e9c3db522c2b0e.exe
Resource
win7-20240708-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral2
Sample
5318120164c806d23943b5201af16e84d97fdb5acc161e8a71e9c3db522c2b0e.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
5318120164c806d23943b5201af16e84d97fdb5acc161e8a71e9c3db522c2b0e.exe
-
Size
314KB
-
MD5
6cd3113352e41fd633cafd4ae044df26
-
SHA1
47a6a19028ae51f538cfa87e7a1ae8e0b214911b
-
SHA256
5318120164c806d23943b5201af16e84d97fdb5acc161e8a71e9c3db522c2b0e
-
SHA512
d06e69de692df7302c730071e1a88eba06a71ec18094d689db95f6836a17701fafdf4b108d20d26624f0626eb8421c0250130cb48caddac4d45b7f8233f09887
-
SSDEEP
6144:j9dKacQk0BDj6MB8MhjwszeXmr8SeNpgdyuH1lFDjC:j9zcBm6Najb87gP3C
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://master-x.com/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://crutop.ru/index.php
http://kaspersky.ru/index.php
http://color-bank.ru/index.php
http://adult-empire.com/index.php
http://virus-list.com/index.php
http://trojan.ru/index.php
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://fethard.biz/index.htm
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://kaspersky.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Egpena32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkmjjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ofdeeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Clhecl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgildi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gjpddigo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hoipnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dlboca32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Miaaki32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hflndjin.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iaobkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljplkonl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmnlhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkojoghl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hflndjin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aldfcpjn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Igkjcm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gddobpbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hchoop32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amjiln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Heakefnf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Maanab32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Momapqgn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnofaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eblpke32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Felekcop.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmhdph32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njeelc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ehfhgogp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcimhpma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lpoaheja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lnlaomae.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckmbdh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghghnc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghidcceo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hipkfkgh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmbnam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hpcpdfhj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abbhje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kaggbihl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ofiopaap.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdadadkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ngcanq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fikelhib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jneoojeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Noepdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ciepkajj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcbjni32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifbkgj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojceef32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kabngjla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mpcgbhig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ainmlomf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iaobkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Flhhed32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aaflgb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjmoeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Blobmm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Koibpd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eqngcc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdgkicek.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edofbpja.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Heakefnf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhkghqpb.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2680 Dilchhgg.exe 2664 Dpfkeb32.exe 2832 Ebialmjb.exe 2716 Eejjnhgc.exe 236 Ecogodlk.exe 2060 Ehmpeb32.exe 2444 Fiqibj32.exe 2904 Ficehj32.exe 2084 Fhhbif32.exe 804 Flfkoeoh.exe 2108 Flhhed32.exe 1820 Geqlnjcf.exe 2208 Gajjhkgh.exe 1912 Gkbnap32.exe 960 Gpacogjm.exe 1520 Genlgnhd.exe 868 Hpcpdfhj.exe 1768 Heqimm32.exe 1728 Hoimecmb.exe 2328 Hdefnjkj.exe 2380 Hgiked32.exe 2148 Hjggap32.exe 2220 Idmlniea.exe 1620 Ikfdkc32.exe 2896 Imjmhkpj.exe 1596 Ifbaapfk.exe 2812 Ijnnao32.exe 2848 Ibibfa32.exe 2544 Iblola32.exe 2204 Iejkhlip.exe 2508 Jnbpqb32.exe 1300 Jihdnk32.exe 112 Jnemfa32.exe 2120 Jgmaog32.exe 1236 Jcdadhjb.exe 2352 Jnifaajh.exe 1292 Jecnnk32.exe 1628 Jjpgfbom.exe 2156 Jpmooind.exe 2124 Kgdgpfnf.exe 2976 Kiecgo32.exe 1580 Kfidqb32.exe 1548 Kmclmm32.exe 2036 Kpbhjh32.exe 2128 Kbpefc32.exe 1932 Keoabo32.exe 1908 Klhioioc.exe 2424 Kpdeoh32.exe 2688 Kbbakc32.exe 2136 Keango32.exe 2740 Klkfdi32.exe 2704 Koibpd32.exe 1156 Kaholp32.exe 1488 Kiofnm32.exe 2172 Lolofd32.exe 2892 Lajkbp32.exe 2360 Ldhgnk32.exe 380 Llpoohik.exe 1816 Lmalgq32.exe 2344 Lalhgogb.exe 2944 Ldkdckff.exe 644 Lophacfl.exe 2436 Laodmoep.exe 2888 Lhimji32.exe -
Loads dropped DLL 64 IoCs
pid Process 3044 5318120164c806d23943b5201af16e84d97fdb5acc161e8a71e9c3db522c2b0e.exe 3044 5318120164c806d23943b5201af16e84d97fdb5acc161e8a71e9c3db522c2b0e.exe 2680 Dilchhgg.exe 2680 Dilchhgg.exe 2664 Dpfkeb32.exe 2664 Dpfkeb32.exe 2832 Ebialmjb.exe 2832 Ebialmjb.exe 2716 Eejjnhgc.exe 2716 Eejjnhgc.exe 236 Ecogodlk.exe 236 Ecogodlk.exe 2060 Ehmpeb32.exe 2060 Ehmpeb32.exe 2444 Fiqibj32.exe 2444 Fiqibj32.exe 2904 Ficehj32.exe 2904 Ficehj32.exe 2084 Fhhbif32.exe 2084 Fhhbif32.exe 804 Flfkoeoh.exe 804 Flfkoeoh.exe 2108 Flhhed32.exe 2108 Flhhed32.exe 1820 Geqlnjcf.exe 1820 Geqlnjcf.exe 2208 Gajjhkgh.exe 2208 Gajjhkgh.exe 1912 Gkbnap32.exe 1912 Gkbnap32.exe 960 Gpacogjm.exe 960 Gpacogjm.exe 1520 Genlgnhd.exe 1520 Genlgnhd.exe 868 Hpcpdfhj.exe 868 Hpcpdfhj.exe 1768 Heqimm32.exe 1768 Heqimm32.exe 1728 Hoimecmb.exe 1728 Hoimecmb.exe 2328 Hdefnjkj.exe 2328 Hdefnjkj.exe 2380 Hgiked32.exe 2380 Hgiked32.exe 2148 Hjggap32.exe 2148 Hjggap32.exe 2220 Idmlniea.exe 2220 Idmlniea.exe 1620 Ikfdkc32.exe 1620 Ikfdkc32.exe 2896 Imjmhkpj.exe 2896 Imjmhkpj.exe 1596 Ifbaapfk.exe 1596 Ifbaapfk.exe 2812 Ijnnao32.exe 2812 Ijnnao32.exe 2848 Ibibfa32.exe 2848 Ibibfa32.exe 2544 Iblola32.exe 2544 Iblola32.exe 2204 Iejkhlip.exe 2204 Iejkhlip.exe 2508 Jnbpqb32.exe 2508 Jnbpqb32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Bdfjnkne.exe Blobmm32.exe File created C:\Windows\SysWOW64\Cblgff32.dll Iejkhlip.exe File created C:\Windows\SysWOW64\Fpfjap32.dll Cpbkhabp.exe File created C:\Windows\SysWOW64\Fnahibcg.dll Gefolhja.exe File created C:\Windows\SysWOW64\Idghhf32.exe Inmpklpj.exe File opened for modification C:\Windows\SysWOW64\Jgmjdaqb.exe Jcandb32.exe File created C:\Windows\SysWOW64\Noagjc32.exe Ngjoif32.exe File created C:\Windows\SysWOW64\Aalofa32.exe Anmbje32.exe File created C:\Windows\SysWOW64\Fimoek32.dll Jddqgdii.exe File created C:\Windows\SysWOW64\Eqkjmcmq.exe Efffpjmk.exe File created C:\Windows\SysWOW64\Hlpchfdi.exe Hgckoofa.exe File opened for modification C:\Windows\SysWOW64\Johoic32.exe Jgmjdaqb.exe File opened for modification C:\Windows\SysWOW64\Egpena32.exe Enhaeldn.exe File created C:\Windows\SysWOW64\Lnfbic32.dll Qfikod32.exe File opened for modification C:\Windows\SysWOW64\Ihnjmf32.exe Iadbqlmh.exe File created C:\Windows\SysWOW64\Gjhoogoe.dll Inplqlng.exe File opened for modification C:\Windows\SysWOW64\Odnobj32.exe Noagjc32.exe File opened for modification C:\Windows\SysWOW64\Poacighp.exe Ojdjqp32.exe File opened for modification C:\Windows\SysWOW64\Jhfjadim.exe Ionehnbm.exe File created C:\Windows\SysWOW64\Ogmkne32.exe Odnobj32.exe File created C:\Windows\SysWOW64\Kiofnm32.exe Kaholp32.exe File created C:\Windows\SysWOW64\Gdcdgpcj.dll Aaflgb32.exe File opened for modification C:\Windows\SysWOW64\Bnofaf32.exe Bkqiek32.exe File created C:\Windows\SysWOW64\Dbmkfh32.exe Djafaf32.exe File created C:\Windows\SysWOW64\Apnjbhgo.dll Gllnnc32.exe File opened for modification C:\Windows\SysWOW64\Mdjihgef.exe Momapqgn.exe File opened for modification C:\Windows\SysWOW64\Mkfojakp.exe Mpqjmh32.exe File opened for modification C:\Windows\SysWOW64\Dgildi32.exe Dlchfp32.exe File created C:\Windows\SysWOW64\Fnickdla.dll Maocekoo.exe File opened for modification C:\Windows\SysWOW64\Hajhpgag.exe Holldk32.exe File created C:\Windows\SysWOW64\Nacjlp32.dll Nnjklb32.exe File opened for modification C:\Windows\SysWOW64\Fappgflg.exe Fdlpnamm.exe File created C:\Windows\SysWOW64\Gllnnc32.exe Gminbfoh.exe File opened for modification C:\Windows\SysWOW64\Ikocoa32.exe Ifbkgj32.exe File created C:\Windows\SysWOW64\Lfhiepbn.exe Lpoaheja.exe File created C:\Windows\SysWOW64\Pngjcj32.dll Noagjc32.exe File created C:\Windows\SysWOW64\Fpkchm32.exe Fiakkcma.exe File created C:\Windows\SysWOW64\Fnejdq32.dll Iblola32.exe File opened for modification C:\Windows\SysWOW64\Clkicbfa.exe Cnflae32.exe File created C:\Windows\SysWOW64\Hmfmkjdf.exe Gkhaooec.exe File created C:\Windows\SysWOW64\Iaaekl32.exe Iocioq32.exe File created C:\Windows\SysWOW64\Cbfpkj32.dll Ffghjg32.exe File created C:\Windows\SysWOW64\Ahlfoh32.dll Miaaki32.exe File opened for modification C:\Windows\SysWOW64\Ojbnkp32.exe Ochenfdn.exe File opened for modification C:\Windows\SysWOW64\Dpmgao32.exe Cgdciiod.exe File opened for modification C:\Windows\SysWOW64\Fichqckn.exe Fbipdi32.exe File opened for modification C:\Windows\SysWOW64\Maocekoo.exe Moqgiopk.exe File created C:\Windows\SysWOW64\Gpacogjm.exe Gkbnap32.exe File created C:\Windows\SysWOW64\Ooidei32.exe Oiokholk.exe File opened for modification C:\Windows\SysWOW64\Jcckibfg.exe Johoic32.exe File created C:\Windows\SysWOW64\Niienepq.dll Ccpqjfnh.exe File opened for modification C:\Windows\SysWOW64\Holldk32.exe Hlmphp32.exe File opened for modification C:\Windows\SysWOW64\Kihbfg32.exe Kopnma32.exe File created C:\Windows\SysWOW64\Nobndj32.exe Njeelc32.exe File opened for modification C:\Windows\SysWOW64\Goapjnoo.exe Ghghnc32.exe File created C:\Windows\SysWOW64\Aeojifki.dll Mdjihgef.exe File created C:\Windows\SysWOW64\Neccdc32.dll Jngkdj32.exe File created C:\Windows\SysWOW64\Lkifkdjm.exe Lbbnjgik.exe File created C:\Windows\SysWOW64\Bhkghqpb.exe Bihgmdih.exe File created C:\Windows\SysWOW64\Fnicaj32.dll Bikcbc32.exe File created C:\Windows\SysWOW64\Klqddq32.dll Bnofaf32.exe File created C:\Windows\SysWOW64\Hchoop32.exe Hipkfkgh.exe File created C:\Windows\SysWOW64\Eiefbk32.dll Oabplobe.exe File opened for modification C:\Windows\SysWOW64\Egflml32.exe Edhpaa32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5704 5532 WerFault.exe 547 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhmmcjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddhcbnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffboohnm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpkchm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnflae32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gplcia32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pegnglnm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oihdjk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nobndj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccnddg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chabmm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgdciiod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iadbqlmh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhleaq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inhoegqc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpcgbhig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djlbkcfn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edhpaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnemfa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcdadhjb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Keoabo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogdhik32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbglpg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmjmekan.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jecnnk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iemalkgd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbipdi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpacogjm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjddaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpnlndkp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blaobmkq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpmgao32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klhioioc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klkfdi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Albjnplq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjpmdd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldhgnk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kqokgd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnifaajh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngeljh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajnqphhe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egebjmdn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lepclldc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpbhjh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmfgkh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pflbpg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pajeanhf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lehfafgp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkifkdjm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddppmclb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eqkjmcmq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ninhamne.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfbjdf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Heqimm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhbbcail.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odqlhjbi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkjqcg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qghgigkn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hijjpeha.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amjiln32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfebdm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idmlniea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lophacfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfcmlg32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dldbfo32.dll" Jpmooind.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ochenfdn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qmepanje.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bojipjcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lcedne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nkaane32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mjlejl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kiecgo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lolofd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aldfcpjn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ciglaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jneoojeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Neccdc32.dll" Jngkdj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Maapjjml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hjggap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmgqao32.dll" Lijiaabk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ppkmjlca.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ofdeeb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pkojoghl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfhdke32.dll" Pmqffonj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bhmmcjjd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ihdmld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jecnnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Keoabo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gplcia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Miaaki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cldcdi32.dll" Lnlaomae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkohmocc.dll" Npkfff32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pgibdjln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Afndjdpe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jhhfgcgj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hlpchfdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geindqkj.dll" Inkcem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Odnobj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ijopjhfh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Maocekoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Njeelc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Okinik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kppegfpa.dll" Bggjjlnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anlbkeee.dll" Kabngjla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pchjmjfn.dll" Gahpkd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Knjdimdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgielf32.dll" Qghgigkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Inhoegqc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Njeelc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmdkip32.dll" Djoeki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lpoaheja.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Egflml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eblpke32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Klkfdi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Goapjnoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iibogmjf.dll" Ceickb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmgkii32.dll" Lidilk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Apkihofl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dbadagln.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hpgfmeag.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hekefkig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmiplp32.dll" Lhoohgdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pjpmdd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acdlnnal.dll" Bdodmlcm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hjggap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kggedf32.dll" Jjpgfbom.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bedamd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pfqlkfoc.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3044 wrote to memory of 2680 3044 5318120164c806d23943b5201af16e84d97fdb5acc161e8a71e9c3db522c2b0e.exe 30 PID 3044 wrote to memory of 2680 3044 5318120164c806d23943b5201af16e84d97fdb5acc161e8a71e9c3db522c2b0e.exe 30 PID 3044 wrote to memory of 2680 3044 5318120164c806d23943b5201af16e84d97fdb5acc161e8a71e9c3db522c2b0e.exe 30 PID 3044 wrote to memory of 2680 3044 5318120164c806d23943b5201af16e84d97fdb5acc161e8a71e9c3db522c2b0e.exe 30 PID 2680 wrote to memory of 2664 2680 Dilchhgg.exe 31 PID 2680 wrote to memory of 2664 2680 Dilchhgg.exe 31 PID 2680 wrote to memory of 2664 2680 Dilchhgg.exe 31 PID 2680 wrote to memory of 2664 2680 Dilchhgg.exe 31 PID 2664 wrote to memory of 2832 2664 Dpfkeb32.exe 32 PID 2664 wrote to memory of 2832 2664 Dpfkeb32.exe 32 PID 2664 wrote to memory of 2832 2664 Dpfkeb32.exe 32 PID 2664 wrote to memory of 2832 2664 Dpfkeb32.exe 32 PID 2832 wrote to memory of 2716 2832 Ebialmjb.exe 33 PID 2832 wrote to memory of 2716 2832 Ebialmjb.exe 33 PID 2832 wrote to memory of 2716 2832 Ebialmjb.exe 33 PID 2832 wrote to memory of 2716 2832 Ebialmjb.exe 33 PID 2716 wrote to memory of 236 2716 Eejjnhgc.exe 34 PID 2716 wrote to memory of 236 2716 Eejjnhgc.exe 34 PID 2716 wrote to memory of 236 2716 Eejjnhgc.exe 34 PID 2716 wrote to memory of 236 2716 Eejjnhgc.exe 34 PID 236 wrote to memory of 2060 236 Ecogodlk.exe 35 PID 236 wrote to memory of 2060 236 Ecogodlk.exe 35 PID 236 wrote to memory of 2060 236 Ecogodlk.exe 35 PID 236 wrote to memory of 2060 236 Ecogodlk.exe 35 PID 2060 wrote to memory of 2444 2060 Ehmpeb32.exe 36 PID 2060 wrote to memory of 2444 2060 Ehmpeb32.exe 36 PID 2060 wrote to memory of 2444 2060 Ehmpeb32.exe 36 PID 2060 wrote to memory of 2444 2060 Ehmpeb32.exe 36 PID 2444 wrote to memory of 2904 2444 Fiqibj32.exe 37 PID 2444 wrote to memory of 2904 2444 Fiqibj32.exe 37 PID 2444 wrote to memory of 2904 2444 Fiqibj32.exe 37 PID 2444 wrote to memory of 2904 2444 Fiqibj32.exe 37 PID 2904 wrote to memory of 2084 2904 Ficehj32.exe 38 PID 2904 wrote to memory of 2084 2904 Ficehj32.exe 38 PID 2904 wrote to memory of 2084 2904 Ficehj32.exe 38 PID 2904 wrote to memory of 2084 2904 Ficehj32.exe 38 PID 2084 wrote to memory of 804 2084 Fhhbif32.exe 39 PID 2084 wrote to memory of 804 2084 Fhhbif32.exe 39 PID 2084 wrote to memory of 804 2084 Fhhbif32.exe 39 PID 2084 wrote to memory of 804 2084 Fhhbif32.exe 39 PID 804 wrote to memory of 2108 804 Flfkoeoh.exe 40 PID 804 wrote to memory of 2108 804 Flfkoeoh.exe 40 PID 804 wrote to memory of 2108 804 Flfkoeoh.exe 40 PID 804 wrote to memory of 2108 804 Flfkoeoh.exe 40 PID 2108 wrote to memory of 1820 2108 Flhhed32.exe 41 PID 2108 wrote to memory of 1820 2108 Flhhed32.exe 41 PID 2108 wrote to memory of 1820 2108 Flhhed32.exe 41 PID 2108 wrote to memory of 1820 2108 Flhhed32.exe 41 PID 1820 wrote to memory of 2208 1820 Geqlnjcf.exe 42 PID 1820 wrote to memory of 2208 1820 Geqlnjcf.exe 42 PID 1820 wrote to memory of 2208 1820 Geqlnjcf.exe 42 PID 1820 wrote to memory of 2208 1820 Geqlnjcf.exe 42 PID 2208 wrote to memory of 1912 2208 Gajjhkgh.exe 43 PID 2208 wrote to memory of 1912 2208 Gajjhkgh.exe 43 PID 2208 wrote to memory of 1912 2208 Gajjhkgh.exe 43 PID 2208 wrote to memory of 1912 2208 Gajjhkgh.exe 43 PID 1912 wrote to memory of 960 1912 Gkbnap32.exe 44 PID 1912 wrote to memory of 960 1912 Gkbnap32.exe 44 PID 1912 wrote to memory of 960 1912 Gkbnap32.exe 44 PID 1912 wrote to memory of 960 1912 Gkbnap32.exe 44 PID 960 wrote to memory of 1520 960 Gpacogjm.exe 45 PID 960 wrote to memory of 1520 960 Gpacogjm.exe 45 PID 960 wrote to memory of 1520 960 Gpacogjm.exe 45 PID 960 wrote to memory of 1520 960 Gpacogjm.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\5318120164c806d23943b5201af16e84d97fdb5acc161e8a71e9c3db522c2b0e.exe"C:\Users\Admin\AppData\Local\Temp\5318120164c806d23943b5201af16e84d97fdb5acc161e8a71e9c3db522c2b0e.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3044 -
C:\Windows\SysWOW64\Dilchhgg.exeC:\Windows\system32\Dilchhgg.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2680 -
C:\Windows\SysWOW64\Dpfkeb32.exeC:\Windows\system32\Dpfkeb32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Windows\SysWOW64\Ebialmjb.exeC:\Windows\system32\Ebialmjb.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2832 -
C:\Windows\SysWOW64\Eejjnhgc.exeC:\Windows\system32\Eejjnhgc.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2716 -
C:\Windows\SysWOW64\Ecogodlk.exeC:\Windows\system32\Ecogodlk.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:236 -
C:\Windows\SysWOW64\Ehmpeb32.exeC:\Windows\system32\Ehmpeb32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2060 -
C:\Windows\SysWOW64\Fiqibj32.exeC:\Windows\system32\Fiqibj32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2444 -
C:\Windows\SysWOW64\Ficehj32.exeC:\Windows\system32\Ficehj32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2904 -
C:\Windows\SysWOW64\Fhhbif32.exeC:\Windows\system32\Fhhbif32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2084 -
C:\Windows\SysWOW64\Flfkoeoh.exeC:\Windows\system32\Flfkoeoh.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:804 -
C:\Windows\SysWOW64\Flhhed32.exeC:\Windows\system32\Flhhed32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2108 -
C:\Windows\SysWOW64\Geqlnjcf.exeC:\Windows\system32\Geqlnjcf.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1820 -
C:\Windows\SysWOW64\Gajjhkgh.exeC:\Windows\system32\Gajjhkgh.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2208 -
C:\Windows\SysWOW64\Gkbnap32.exeC:\Windows\system32\Gkbnap32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1912 -
C:\Windows\SysWOW64\Gpacogjm.exeC:\Windows\system32\Gpacogjm.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:960 -
C:\Windows\SysWOW64\Genlgnhd.exeC:\Windows\system32\Genlgnhd.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1520 -
C:\Windows\SysWOW64\Hpcpdfhj.exeC:\Windows\system32\Hpcpdfhj.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:868 -
C:\Windows\SysWOW64\Heqimm32.exeC:\Windows\system32\Heqimm32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1768 -
C:\Windows\SysWOW64\Hoimecmb.exeC:\Windows\system32\Hoimecmb.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1728 -
C:\Windows\SysWOW64\Hdefnjkj.exeC:\Windows\system32\Hdefnjkj.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2328 -
C:\Windows\SysWOW64\Hgiked32.exeC:\Windows\system32\Hgiked32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2380 -
C:\Windows\SysWOW64\Hjggap32.exeC:\Windows\system32\Hjggap32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2148 -
C:\Windows\SysWOW64\Idmlniea.exeC:\Windows\system32\Idmlniea.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2220 -
C:\Windows\SysWOW64\Ikfdkc32.exeC:\Windows\system32\Ikfdkc32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1620 -
C:\Windows\SysWOW64\Imjmhkpj.exeC:\Windows\system32\Imjmhkpj.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2896 -
C:\Windows\SysWOW64\Ifbaapfk.exeC:\Windows\system32\Ifbaapfk.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1596 -
C:\Windows\SysWOW64\Ijnnao32.exeC:\Windows\system32\Ijnnao32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2812 -
C:\Windows\SysWOW64\Ibibfa32.exeC:\Windows\system32\Ibibfa32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2848 -
C:\Windows\SysWOW64\Iblola32.exeC:\Windows\system32\Iblola32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2544 -
C:\Windows\SysWOW64\Iejkhlip.exeC:\Windows\system32\Iejkhlip.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2204 -
C:\Windows\SysWOW64\Jnbpqb32.exeC:\Windows\system32\Jnbpqb32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2508 -
C:\Windows\SysWOW64\Jihdnk32.exeC:\Windows\system32\Jihdnk32.exe33⤵
- Executes dropped EXE
PID:1300 -
C:\Windows\SysWOW64\Jnemfa32.exeC:\Windows\system32\Jnemfa32.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:112 -
C:\Windows\SysWOW64\Jgmaog32.exeC:\Windows\system32\Jgmaog32.exe35⤵
- Executes dropped EXE
PID:2120 -
C:\Windows\SysWOW64\Jcdadhjb.exeC:\Windows\system32\Jcdadhjb.exe36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1236 -
C:\Windows\SysWOW64\Jnifaajh.exeC:\Windows\system32\Jnifaajh.exe37⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2352 -
C:\Windows\SysWOW64\Jecnnk32.exeC:\Windows\system32\Jecnnk32.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1292 -
C:\Windows\SysWOW64\Jjpgfbom.exeC:\Windows\system32\Jjpgfbom.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:1628 -
C:\Windows\SysWOW64\Jpmooind.exeC:\Windows\system32\Jpmooind.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:2156 -
C:\Windows\SysWOW64\Kgdgpfnf.exeC:\Windows\system32\Kgdgpfnf.exe41⤵
- Executes dropped EXE
PID:2124 -
C:\Windows\SysWOW64\Kiecgo32.exeC:\Windows\system32\Kiecgo32.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:2976 -
C:\Windows\SysWOW64\Kfidqb32.exeC:\Windows\system32\Kfidqb32.exe43⤵
- Executes dropped EXE
PID:1580 -
C:\Windows\SysWOW64\Kmclmm32.exeC:\Windows\system32\Kmclmm32.exe44⤵
- Executes dropped EXE
PID:1548 -
C:\Windows\SysWOW64\Kpbhjh32.exeC:\Windows\system32\Kpbhjh32.exe45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2036 -
C:\Windows\SysWOW64\Kbpefc32.exeC:\Windows\system32\Kbpefc32.exe46⤵
- Executes dropped EXE
PID:2128 -
C:\Windows\SysWOW64\Keoabo32.exeC:\Windows\system32\Keoabo32.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1932 -
C:\Windows\SysWOW64\Klhioioc.exeC:\Windows\system32\Klhioioc.exe48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1908 -
C:\Windows\SysWOW64\Kpdeoh32.exeC:\Windows\system32\Kpdeoh32.exe49⤵
- Executes dropped EXE
PID:2424 -
C:\Windows\SysWOW64\Kbbakc32.exeC:\Windows\system32\Kbbakc32.exe50⤵
- Executes dropped EXE
PID:2688 -
C:\Windows\SysWOW64\Keango32.exeC:\Windows\system32\Keango32.exe51⤵
- Executes dropped EXE
PID:2136 -
C:\Windows\SysWOW64\Klkfdi32.exeC:\Windows\system32\Klkfdi32.exe52⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2740 -
C:\Windows\SysWOW64\Koibpd32.exeC:\Windows\system32\Koibpd32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2704 -
C:\Windows\SysWOW64\Kaholp32.exeC:\Windows\system32\Kaholp32.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1156 -
C:\Windows\SysWOW64\Kiofnm32.exeC:\Windows\system32\Kiofnm32.exe55⤵
- Executes dropped EXE
PID:1488 -
C:\Windows\SysWOW64\Lolofd32.exeC:\Windows\system32\Lolofd32.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:2172 -
C:\Windows\SysWOW64\Lajkbp32.exeC:\Windows\system32\Lajkbp32.exe57⤵
- Executes dropped EXE
PID:2892 -
C:\Windows\SysWOW64\Ldhgnk32.exeC:\Windows\system32\Ldhgnk32.exe58⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2360 -
C:\Windows\SysWOW64\Llpoohik.exeC:\Windows\system32\Llpoohik.exe59⤵
- Executes dropped EXE
PID:380 -
C:\Windows\SysWOW64\Lmalgq32.exeC:\Windows\system32\Lmalgq32.exe60⤵
- Executes dropped EXE
PID:1816 -
C:\Windows\SysWOW64\Lalhgogb.exeC:\Windows\system32\Lalhgogb.exe61⤵
- Executes dropped EXE
PID:2344 -
C:\Windows\SysWOW64\Ldkdckff.exeC:\Windows\system32\Ldkdckff.exe62⤵
- Executes dropped EXE
PID:2944 -
C:\Windows\SysWOW64\Lophacfl.exeC:\Windows\system32\Lophacfl.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:644 -
C:\Windows\SysWOW64\Laodmoep.exeC:\Windows\system32\Laodmoep.exe64⤵
- Executes dropped EXE
PID:2436 -
C:\Windows\SysWOW64\Lhimji32.exeC:\Windows\system32\Lhimji32.exe65⤵
- Executes dropped EXE
PID:2888 -
C:\Windows\SysWOW64\Lijiaabk.exeC:\Windows\system32\Lijiaabk.exe66⤵
- Modifies registry class
PID:2308 -
C:\Windows\SysWOW64\Laaabo32.exeC:\Windows\system32\Laaabo32.exe67⤵PID:1540
-
C:\Windows\SysWOW64\Lbbnjgik.exeC:\Windows\system32\Lbbnjgik.exe68⤵
- Drops file in System32 directory
PID:1860 -
C:\Windows\SysWOW64\Lkifkdjm.exeC:\Windows\system32\Lkifkdjm.exe69⤵
- System Location Discovery: System Language Discovery
PID:2808 -
C:\Windows\SysWOW64\Lcdjpfgh.exeC:\Windows\system32\Lcdjpfgh.exe70⤵PID:2560
-
C:\Windows\SysWOW64\Miocmq32.exeC:\Windows\system32\Miocmq32.exe71⤵PID:2564
-
C:\Windows\SysWOW64\Mlmoilni.exeC:\Windows\system32\Mlmoilni.exe72⤵PID:2596
-
C:\Windows\SysWOW64\Mokkegmm.exeC:\Windows\system32\Mokkegmm.exe73⤵PID:944
-
C:\Windows\SysWOW64\Mgbcfdmo.exeC:\Windows\system32\Mgbcfdmo.exe74⤵PID:376
-
C:\Windows\SysWOW64\Mhdpnm32.exeC:\Windows\system32\Mhdpnm32.exe75⤵PID:2336
-
C:\Windows\SysWOW64\Mehpga32.exeC:\Windows\system32\Mehpga32.exe76⤵PID:2080
-
C:\Windows\SysWOW64\Mhflcm32.exeC:\Windows\system32\Mhflcm32.exe77⤵PID:1644
-
C:\Windows\SysWOW64\Mopdpg32.exeC:\Windows\system32\Mopdpg32.exe78⤵PID:1524
-
C:\Windows\SysWOW64\Mejmmqpd.exeC:\Windows\system32\Mejmmqpd.exe79⤵PID:2948
-
C:\Windows\SysWOW64\Maanab32.exeC:\Windows\system32\Maanab32.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1544 -
C:\Windows\SysWOW64\Mkibjgli.exeC:\Windows\system32\Mkibjgli.exe81⤵PID:1748
-
C:\Windows\SysWOW64\Npfjbn32.exeC:\Windows\system32\Npfjbn32.exe82⤵PID:1996
-
C:\Windows\SysWOW64\Ngpcohbm.exeC:\Windows\system32\Ngpcohbm.exe83⤵PID:3068
-
C:\Windows\SysWOW64\Nnjklb32.exeC:\Windows\system32\Nnjklb32.exe84⤵
- Drops file in System32 directory
PID:2144 -
C:\Windows\SysWOW64\Nddcimag.exeC:\Windows\system32\Nddcimag.exe85⤵PID:2804
-
C:\Windows\SysWOW64\Ngbpehpj.exeC:\Windows\system32\Ngbpehpj.exe86⤵PID:2640
-
C:\Windows\SysWOW64\Nnlhab32.exeC:\Windows\system32\Nnlhab32.exe87⤵PID:2956
-
C:\Windows\SysWOW64\Npkdnnfk.exeC:\Windows\system32\Npkdnnfk.exe88⤵PID:2512
-
C:\Windows\SysWOW64\Ngeljh32.exeC:\Windows\system32\Ngeljh32.exe89⤵
- System Location Discovery: System Language Discovery
PID:1108 -
C:\Windows\SysWOW64\Njchfc32.exeC:\Windows\system32\Njchfc32.exe90⤵PID:2356
-
C:\Windows\SysWOW64\Nckmpicl.exeC:\Windows\system32\Nckmpicl.exe91⤵PID:320
-
C:\Windows\SysWOW64\Njeelc32.exeC:\Windows\system32\Njeelc32.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:840 -
C:\Windows\SysWOW64\Nobndj32.exeC:\Windows\system32\Nobndj32.exe93⤵
- System Location Discovery: System Language Discovery
PID:1340 -
C:\Windows\SysWOW64\Njhbabif.exeC:\Windows\system32\Njhbabif.exe94⤵PID:1924
-
C:\Windows\SysWOW64\Okinik32.exeC:\Windows\system32\Okinik32.exe95⤵
- Modifies registry class
PID:1804 -
C:\Windows\SysWOW64\Oodjjign.exeC:\Windows\system32\Oodjjign.exe96⤵PID:1072
-
C:\Windows\SysWOW64\Ohmoco32.exeC:\Windows\system32\Ohmoco32.exe97⤵PID:1756
-
C:\Windows\SysWOW64\Okkkoj32.exeC:\Windows\system32\Okkkoj32.exe98⤵PID:2768
-
C:\Windows\SysWOW64\Ofaolcmh.exeC:\Windows\system32\Ofaolcmh.exe99⤵PID:2776
-
C:\Windows\SysWOW64\Oiokholk.exeC:\Windows\system32\Oiokholk.exe100⤵
- Drops file in System32 directory
PID:2556 -
C:\Windows\SysWOW64\Ooidei32.exeC:\Windows\system32\Ooidei32.exe101⤵PID:2620
-
C:\Windows\SysWOW64\Ogdhik32.exeC:\Windows\system32\Ogdhik32.exe102⤵
- System Location Discovery: System Language Discovery
PID:2096 -
C:\Windows\SysWOW64\Ojceef32.exeC:\Windows\system32\Ojceef32.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2088 -
C:\Windows\SysWOW64\Objmgd32.exeC:\Windows\system32\Objmgd32.exe104⤵PID:2244
-
C:\Windows\SysWOW64\Ockinl32.exeC:\Windows\system32\Ockinl32.exe105⤵PID:2116
-
C:\Windows\SysWOW64\Okbapi32.exeC:\Windows\system32\Okbapi32.exe106⤵PID:2492
-
C:\Windows\SysWOW64\Onamle32.exeC:\Windows\system32\Onamle32.exe107⤵PID:2828
-
C:\Windows\SysWOW64\Omcngamh.exeC:\Windows\system32\Omcngamh.exe108⤵PID:3012
-
C:\Windows\SysWOW64\Pgibdjln.exeC:\Windows\system32\Pgibdjln.exe109⤵
- Modifies registry class
PID:568 -
C:\Windows\SysWOW64\Pflbpg32.exeC:\Windows\system32\Pflbpg32.exe110⤵
- System Location Discovery: System Language Discovery
PID:2076 -
C:\Windows\SysWOW64\Paafmp32.exeC:\Windows\system32\Paafmp32.exe111⤵PID:2260
-
C:\Windows\SysWOW64\Ppdfimji.exeC:\Windows\system32\Ppdfimji.exe112⤵PID:2784
-
C:\Windows\SysWOW64\Pfnoegaf.exeC:\Windows\system32\Pfnoegaf.exe113⤵PID:2288
-
C:\Windows\SysWOW64\Pimkbbpi.exeC:\Windows\system32\Pimkbbpi.exe114⤵PID:2908
-
C:\Windows\SysWOW64\Padccpal.exeC:\Windows\system32\Padccpal.exe115⤵PID:2160
-
C:\Windows\SysWOW64\Pfqlkfoc.exeC:\Windows\system32\Pfqlkfoc.exe116⤵
- Modifies registry class
PID:1724 -
C:\Windows\SysWOW64\Pmkdhq32.exeC:\Windows\system32\Pmkdhq32.exe117⤵PID:1744
-
C:\Windows\SysWOW64\Ppipdl32.exeC:\Windows\system32\Ppipdl32.exe118⤵PID:1680
-
C:\Windows\SysWOW64\Pbglpg32.exeC:\Windows\system32\Pbglpg32.exe119⤵
- System Location Discovery: System Language Discovery
PID:1844 -
C:\Windows\SysWOW64\Pefhlcdk.exeC:\Windows\system32\Pefhlcdk.exe120⤵PID:2772
-
C:\Windows\SysWOW64\Pmmqmpdm.exeC:\Windows\system32\Pmmqmpdm.exe121⤵PID:2884
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-