Analysis
-
max time kernel
38s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
07-12-2024 23:01
Behavioral task
behavioral1
Sample
add02ec034d18f624eea710023189b699fb7f9f52758d41700a467e1dcf328b9N.exe
Resource
win7-20240729-en
windows7-x64
10 signatures
120 seconds
Behavioral task
behavioral2
Sample
add02ec034d18f624eea710023189b699fb7f9f52758d41700a467e1dcf328b9N.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
120 seconds
General
-
Target
add02ec034d18f624eea710023189b699fb7f9f52758d41700a467e1dcf328b9N.exe
-
Size
400KB
-
MD5
df2a570eba24749efd14135fe5113cd0
-
SHA1
d5b7e093c6b99d26e94d9bc2e0c17b87b88c94ec
-
SHA256
add02ec034d18f624eea710023189b699fb7f9f52758d41700a467e1dcf328b9
-
SHA512
15a90f5332d735eb9be4bf5b99984f1e1214b7841654259562633995897f000639e8b8a0889d3963a57996a7109bb5ad4b11352ebe4c5991f1b0a6155beda576
-
SSDEEP
6144:ZTong0zf9QgRJ5dLAY/Xr4Br3CbArLAZ26RQ8sY6CbArLAY/9bPk6CbN:9u9F3Rrgryg426RQagrkp
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhmfgdch.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijhmnf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dicmlpje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dcojbm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmmmbg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlkegimk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckopch32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckbccnji.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccileljk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cacegd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Henjnica.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njipabhe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dihojnqo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gemhpq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ijmkkc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbolge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eponmmaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eelfedpa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lddjmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mnlkdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kegebn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nbaafocg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bocfch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nfeljlqh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnhljnhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lbfdnijp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Peaibajp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkgdbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkojcgga.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmjaadjm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jmmmbg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbfdnijp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phknlfem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qjqqianh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgljfmkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nqgngk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ipoqofjh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjnaehgj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adfbbabc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahjahk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fplknh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qggoeilh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nidoamch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Effidg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eeffpn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gohnpcmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Abpohb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cclkcdpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mookod32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpfehq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lhjghlng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Behnkm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ibhieo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qdlialfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fpdqlkhe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpijgk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pejcab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hggeeo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Peaibajp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbccklmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hbccklmj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikhqbo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdkmld32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kokppd32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2584 Fplknh32.exe 2864 Fhccoe32.exe 2472 Fjdpgnee.exe 2936 Gqcaoghl.exe 2828 Gohnpcmd.exe 2736 Gcfgfack.exe 3060 Gdgcnj32.exe 2468 Gnbelong.exe 1404 Helmiiec.exe 408 Hndaao32.exe 1004 Henjnica.exe 1136 Hjkbfpah.exe 892 Hminbkql.exe 2152 Hccfoehi.exe 2244 Hjmolp32.exe 2052 Hpjgdf32.exe 2004 Hjplao32.exe 2180 Hmnhnk32.exe 872 Hchpjddc.exe 352 Hjbhgolp.exe 2572 Ipoqofjh.exe 920 Ifiilp32.exe 264 Ilfadg32.exe 1972 Ibpjaagi.exe 1964 Iijbnkne.exe 2596 Infjfblm.exe 2500 Iilocklc.exe 2812 Ijmkkc32.exe 2868 Iagchmjn.exe 2820 Ihaldgak.exe 2688 Imndmnob.exe 2716 Jhchjgoh.exe 3056 Jonqfq32.exe 2944 Jpomnilc.exe 2156 Jkdalb32.exe 2452 Jmbnhm32.exe 1360 Jbpfpd32.exe 1572 Jkfnaa32.exe 2620 Jmejmm32.exe 1388 Jbbbed32.exe 1376 Jmggcmgg.exe 1804 Joicje32.exe 2368 Jinghn32.exe 1452 Kokppd32.exe 2044 Kiqdmm32.exe 2400 Kkaaee32.exe 2524 Kegebn32.exe 2060 Kkdnke32.exe 3000 Kejahn32.exe 1552 Kgknpfdi.exe 2028 Kapbmo32.exe 1484 Khjkiikl.exe 2848 Kngcbpjc.exe 1084 Kcdljghj.exe 3016 Lnipgp32.exe 484 Lcfhpf32.exe 2520 Llomhllh.exe 1072 Lgdafeln.exe 2996 Llainlje.exe 1716 Lckbkfbb.exe 1960 Lhhjcmpj.exe 2260 Lobbpg32.exe 1920 Lbpolb32.exe 700 Lhjghlng.exe -
Loads dropped DLL 64 IoCs
pid Process 2604 add02ec034d18f624eea710023189b699fb7f9f52758d41700a467e1dcf328b9N.exe 2604 add02ec034d18f624eea710023189b699fb7f9f52758d41700a467e1dcf328b9N.exe 2584 Fplknh32.exe 2584 Fplknh32.exe 2864 Fhccoe32.exe 2864 Fhccoe32.exe 2472 Fjdpgnee.exe 2472 Fjdpgnee.exe 2936 Gqcaoghl.exe 2936 Gqcaoghl.exe 2828 Gohnpcmd.exe 2828 Gohnpcmd.exe 2736 Gcfgfack.exe 2736 Gcfgfack.exe 3060 Gdgcnj32.exe 3060 Gdgcnj32.exe 2468 Gnbelong.exe 2468 Gnbelong.exe 1404 Helmiiec.exe 1404 Helmiiec.exe 408 Hndaao32.exe 408 Hndaao32.exe 1004 Henjnica.exe 1004 Henjnica.exe 1136 Hjkbfpah.exe 1136 Hjkbfpah.exe 892 Hminbkql.exe 892 Hminbkql.exe 2152 Hccfoehi.exe 2152 Hccfoehi.exe 2244 Hjmolp32.exe 2244 Hjmolp32.exe 2052 Hpjgdf32.exe 2052 Hpjgdf32.exe 2004 Hjplao32.exe 2004 Hjplao32.exe 2180 Hmnhnk32.exe 2180 Hmnhnk32.exe 872 Hchpjddc.exe 872 Hchpjddc.exe 352 Hjbhgolp.exe 352 Hjbhgolp.exe 2572 Ipoqofjh.exe 2572 Ipoqofjh.exe 920 Ifiilp32.exe 920 Ifiilp32.exe 264 Ilfadg32.exe 264 Ilfadg32.exe 1972 Ibpjaagi.exe 1972 Ibpjaagi.exe 1964 Iijbnkne.exe 1964 Iijbnkne.exe 2596 Infjfblm.exe 2596 Infjfblm.exe 2500 Iilocklc.exe 2500 Iilocklc.exe 2812 Ijmkkc32.exe 2812 Ijmkkc32.exe 2868 Iagchmjn.exe 2868 Iagchmjn.exe 2820 Ihaldgak.exe 2820 Ihaldgak.exe 2688 Imndmnob.exe 2688 Imndmnob.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Bnaomeci.dll Jhchjgoh.exe File created C:\Windows\SysWOW64\Pbaide32.exe Papmlmbp.exe File created C:\Windows\SysWOW64\Gdpene32.dll Dfdqpdja.exe File opened for modification C:\Windows\SysWOW64\Kdoaackf.exe Kmeiei32.exe File opened for modification C:\Windows\SysWOW64\Mdqclpgd.exe Mlikkbga.exe File opened for modification C:\Windows\SysWOW64\Adhohapp.exe Anngkg32.exe File created C:\Windows\SysWOW64\Bmhmgbif.exe Bkgqpjch.exe File opened for modification C:\Windows\SysWOW64\Jhgnbehe.exe Jlpmndba.exe File created C:\Windows\SysWOW64\Bgdalf32.dll Pmbdfolj.exe File created C:\Windows\SysWOW64\Kcmlppdo.dll Mqoqlfkl.exe File opened for modification C:\Windows\SysWOW64\Jjjfbikh.exe Jgljfmkd.exe File created C:\Windows\SysWOW64\Qnbhgadc.dll Mdqclpgd.exe File created C:\Windows\SysWOW64\Oloioh32.dll Oqcffi32.exe File created C:\Windows\SysWOW64\Nbinad32.exe Npkaei32.exe File created C:\Windows\SysWOW64\Bncpffdn.exe Bhfhnofg.exe File opened for modification C:\Windows\SysWOW64\Dmcibdad.exe Djemfibq.exe File created C:\Windows\SysWOW64\Lojholgi.dll Lcqdidim.exe File opened for modification C:\Windows\SysWOW64\Pfjiod32.exe Pdllci32.exe File created C:\Windows\SysWOW64\Hdloab32.exe Hnbgdh32.exe File created C:\Windows\SysWOW64\Lgpjcnhh.exe Lpfagd32.exe File created C:\Windows\SysWOW64\Cnifhcei.dll Djaedbnj.exe File opened for modification C:\Windows\SysWOW64\Hnmcne32.exe Hkngbj32.exe File created C:\Windows\SysWOW64\Ndgbohdn.dll Jfdgnf32.exe File opened for modification C:\Windows\SysWOW64\Ldndng32.exe Ljhppo32.exe File created C:\Windows\SysWOW64\Alncgn32.exe Agakog32.exe File created C:\Windows\SysWOW64\Qmhfaj32.dll Cdgdlnop.exe File created C:\Windows\SysWOW64\Eccdmmpk.exe Dnfkefad.exe File created C:\Windows\SysWOW64\Hldpfnij.exe Hifdjcif.exe File created C:\Windows\SysWOW64\Mkkbcpbl.exe Mhmfgdch.exe File created C:\Windows\SysWOW64\Lenapcbd.dll Neemgp32.exe File created C:\Windows\SysWOW64\Djemfibq.exe Dpphipbk.exe File created C:\Windows\SysWOW64\Cffgqn32.dll Gcgpiq32.exe File created C:\Windows\SysWOW64\Acaoflhe.dll Ipecndab.exe File created C:\Windows\SysWOW64\Pdjpmi32.exe Ompgqonl.exe File opened for modification C:\Windows\SysWOW64\Hjnaehgj.exe Hcdihn32.exe File created C:\Windows\SysWOW64\Daopajpf.dll Jfigdl32.exe File created C:\Windows\SysWOW64\Oemmad32.dll Obilip32.exe File created C:\Windows\SysWOW64\Elkdakmp.dll Fooghg32.exe File created C:\Windows\SysWOW64\Ocbbbd32.exe Oqcffi32.exe File created C:\Windows\SysWOW64\Qgckhoib.dll Kegebn32.exe File created C:\Windows\SysWOW64\Lhjghlng.exe Lbpolb32.exe File created C:\Windows\SysWOW64\Eabjhf32.dll Mjgclcjh.exe File opened for modification C:\Windows\SysWOW64\Hfmbfkhf.exe Hobjia32.exe File opened for modification C:\Windows\SysWOW64\Jjlqpp32.exe Jdbhcfjd.exe File opened for modification C:\Windows\SysWOW64\Kplfmfmf.exe Kiamql32.exe File created C:\Windows\SysWOW64\Nknplm32.dll Lghgocek.exe File opened for modification C:\Windows\SysWOW64\Hjbhgolp.exe Hchpjddc.exe File created C:\Windows\SysWOW64\Ipoqofjh.exe Hjbhgolp.exe File opened for modification C:\Windows\SysWOW64\Obniel32.exe Oncndnlq.exe File created C:\Windows\SysWOW64\Oqcffi32.exe Ojjnioae.exe File created C:\Windows\SysWOW64\Kgmgdi32.dll Ejcohe32.exe File created C:\Windows\SysWOW64\Dcihdo32.exe Dpmlcpdm.exe File created C:\Windows\SysWOW64\Ghbode32.dll Adcobk32.exe File created C:\Windows\SysWOW64\Adkbgf32.exe Qifnjm32.exe File created C:\Windows\SysWOW64\Bcedbefd.exe Bnhljnhm.exe File created C:\Windows\SysWOW64\Hndnokni.dll Eccdmmpk.exe File opened for modification C:\Windows\SysWOW64\Ddfjak32.exe Dqknqleg.exe File created C:\Windows\SysWOW64\Bdgplhji.dll Dqknqleg.exe File opened for modification C:\Windows\SysWOW64\Ijhmnf32.exe Icnealbb.exe File created C:\Windows\SysWOW64\Ekjeio32.dll Bhfhnofg.exe File created C:\Windows\SysWOW64\Hnkbglmp.dll Kfenjq32.exe File created C:\Windows\SysWOW64\Nejbpm32.dll Agakog32.exe File created C:\Windows\SysWOW64\Fpojlp32.exe Fomndhng.exe File created C:\Windows\SysWOW64\Anokok32.dll Ickoimie.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 484 3020 WerFault.exe 865 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pejejkhl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifajif32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Helmiiec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alfdcp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjkmfn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnfhfmhc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olgehh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggqamh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qlcgmpkp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdjpmi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbolge32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jijqeg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpfagd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmolkg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oblmom32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kaihjbno.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhnckp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iapfmg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgomoboc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnbgdh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbolce32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpqnpacp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkfnaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbpolb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbihpbpl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qdieaf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfjgopop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofmiea32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djffihmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmhile32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jennjblp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjfbaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehopnk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Coehnecn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chmlfj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fplknh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfenjq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adnegldo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcojbm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abnbccia.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnjeoa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddfjak32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Infjfblm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmmcae32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnaokn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bcmeogam.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihedan32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iggbdb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjhgdqef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnknqpgi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Noighakn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pebbeq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjdqfajl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhkiae32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bpieli32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhdlbd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngoinfao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obffpa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbkaee32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djibogkn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmknko32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcihdo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efolib32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fianpp32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oqcffi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghinlgob.dll" Amfcfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpnikb32.dll" Bkefcc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gnocdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akcaajnk.dll" Nogjbbma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fcegdnna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkjcqj32.dll" Ffaeneno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lhhjcmpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ofehiocd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bplmhi32.dll" Ldndng32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dmllgo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jmhile32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kadhen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfihbo32.dll" Dmllgo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hqhiab32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Glbcpokl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgdqaf32.dll" Hchpjddc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihgmjcla.dll" Poddphee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ajghgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ldgnmhhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmlfacbk.dll" Ljfckodo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eiplecnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eoanij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Laenqg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnaomeci.dll" Jhchjgoh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hifdjcif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkcnkj32.dll" Bhdmahpn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bnafjo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dggcbf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gifhkpgk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ogpkhb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Alfdcp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Obdjjb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opqjjalh.dll" Obdjjb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Difikhen.dll" Bohoogbk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hngppgae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqpaln32.dll" Lophcpam.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oifelfni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhldob32.dll" Joicje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anijicnf.dll" Chmlfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdcadn32.dll" Bqhbcqmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jjlqpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpicpa32.dll" Khpaidpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Emnelbdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ocdohdfc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gadidabc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Joicje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmkkpm32.dll" Klimcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdmplfkj.dll" Ggkoojip.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gkojcgga.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ccdnipal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hcaehhnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ccakij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnbmgkoo.dll" Ohhcokmp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Akpkok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lkepdbkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mjkmfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Affdii32.dll" Bdpnlo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cedhac32.dll" Cnpieceq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kngcbpjc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngalll32.dll" Jeenfd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Onggom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjegbfin.dll" Jfhqiegh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egcpbc32.dll" Kokppd32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2604 wrote to memory of 2584 2604 add02ec034d18f624eea710023189b699fb7f9f52758d41700a467e1dcf328b9N.exe 29 PID 2604 wrote to memory of 2584 2604 add02ec034d18f624eea710023189b699fb7f9f52758d41700a467e1dcf328b9N.exe 29 PID 2604 wrote to memory of 2584 2604 add02ec034d18f624eea710023189b699fb7f9f52758d41700a467e1dcf328b9N.exe 29 PID 2604 wrote to memory of 2584 2604 add02ec034d18f624eea710023189b699fb7f9f52758d41700a467e1dcf328b9N.exe 29 PID 2584 wrote to memory of 2864 2584 Fplknh32.exe 30 PID 2584 wrote to memory of 2864 2584 Fplknh32.exe 30 PID 2584 wrote to memory of 2864 2584 Fplknh32.exe 30 PID 2584 wrote to memory of 2864 2584 Fplknh32.exe 30 PID 2864 wrote to memory of 2472 2864 Fhccoe32.exe 31 PID 2864 wrote to memory of 2472 2864 Fhccoe32.exe 31 PID 2864 wrote to memory of 2472 2864 Fhccoe32.exe 31 PID 2864 wrote to memory of 2472 2864 Fhccoe32.exe 31 PID 2472 wrote to memory of 2936 2472 Fjdpgnee.exe 32 PID 2472 wrote to memory of 2936 2472 Fjdpgnee.exe 32 PID 2472 wrote to memory of 2936 2472 Fjdpgnee.exe 32 PID 2472 wrote to memory of 2936 2472 Fjdpgnee.exe 32 PID 2936 wrote to memory of 2828 2936 Gqcaoghl.exe 33 PID 2936 wrote to memory of 2828 2936 Gqcaoghl.exe 33 PID 2936 wrote to memory of 2828 2936 Gqcaoghl.exe 33 PID 2936 wrote to memory of 2828 2936 Gqcaoghl.exe 33 PID 2828 wrote to memory of 2736 2828 Gohnpcmd.exe 34 PID 2828 wrote to memory of 2736 2828 Gohnpcmd.exe 34 PID 2828 wrote to memory of 2736 2828 Gohnpcmd.exe 34 PID 2828 wrote to memory of 2736 2828 Gohnpcmd.exe 34 PID 2736 wrote to memory of 3060 2736 Gcfgfack.exe 35 PID 2736 wrote to memory of 3060 2736 Gcfgfack.exe 35 PID 2736 wrote to memory of 3060 2736 Gcfgfack.exe 35 PID 2736 wrote to memory of 3060 2736 Gcfgfack.exe 35 PID 3060 wrote to memory of 2468 3060 Gdgcnj32.exe 36 PID 3060 wrote to memory of 2468 3060 Gdgcnj32.exe 36 PID 3060 wrote to memory of 2468 3060 Gdgcnj32.exe 36 PID 3060 wrote to memory of 2468 3060 Gdgcnj32.exe 36 PID 2468 wrote to memory of 1404 2468 Gnbelong.exe 37 PID 2468 wrote to memory of 1404 2468 Gnbelong.exe 37 PID 2468 wrote to memory of 1404 2468 Gnbelong.exe 37 PID 2468 wrote to memory of 1404 2468 Gnbelong.exe 37 PID 1404 wrote to memory of 408 1404 Helmiiec.exe 38 PID 1404 wrote to memory of 408 1404 Helmiiec.exe 38 PID 1404 wrote to memory of 408 1404 Helmiiec.exe 38 PID 1404 wrote to memory of 408 1404 Helmiiec.exe 38 PID 408 wrote to memory of 1004 408 Hndaao32.exe 39 PID 408 wrote to memory of 1004 408 Hndaao32.exe 39 PID 408 wrote to memory of 1004 408 Hndaao32.exe 39 PID 408 wrote to memory of 1004 408 Hndaao32.exe 39 PID 1004 wrote to memory of 1136 1004 Henjnica.exe 40 PID 1004 wrote to memory of 1136 1004 Henjnica.exe 40 PID 1004 wrote to memory of 1136 1004 Henjnica.exe 40 PID 1004 wrote to memory of 1136 1004 Henjnica.exe 40 PID 1136 wrote to memory of 892 1136 Hjkbfpah.exe 41 PID 1136 wrote to memory of 892 1136 Hjkbfpah.exe 41 PID 1136 wrote to memory of 892 1136 Hjkbfpah.exe 41 PID 1136 wrote to memory of 892 1136 Hjkbfpah.exe 41 PID 892 wrote to memory of 2152 892 Hminbkql.exe 42 PID 892 wrote to memory of 2152 892 Hminbkql.exe 42 PID 892 wrote to memory of 2152 892 Hminbkql.exe 42 PID 892 wrote to memory of 2152 892 Hminbkql.exe 42 PID 2152 wrote to memory of 2244 2152 Hccfoehi.exe 43 PID 2152 wrote to memory of 2244 2152 Hccfoehi.exe 43 PID 2152 wrote to memory of 2244 2152 Hccfoehi.exe 43 PID 2152 wrote to memory of 2244 2152 Hccfoehi.exe 43 PID 2244 wrote to memory of 2052 2244 Hjmolp32.exe 44 PID 2244 wrote to memory of 2052 2244 Hjmolp32.exe 44 PID 2244 wrote to memory of 2052 2244 Hjmolp32.exe 44 PID 2244 wrote to memory of 2052 2244 Hjmolp32.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\add02ec034d18f624eea710023189b699fb7f9f52758d41700a467e1dcf328b9N.exe"C:\Users\Admin\AppData\Local\Temp\add02ec034d18f624eea710023189b699fb7f9f52758d41700a467e1dcf328b9N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2604 -
C:\Windows\SysWOW64\Fplknh32.exeC:\Windows\system32\Fplknh32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2584 -
C:\Windows\SysWOW64\Fhccoe32.exeC:\Windows\system32\Fhccoe32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2864 -
C:\Windows\SysWOW64\Fjdpgnee.exeC:\Windows\system32\Fjdpgnee.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2472 -
C:\Windows\SysWOW64\Gqcaoghl.exeC:\Windows\system32\Gqcaoghl.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2936 -
C:\Windows\SysWOW64\Gohnpcmd.exeC:\Windows\system32\Gohnpcmd.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2828 -
C:\Windows\SysWOW64\Gcfgfack.exeC:\Windows\system32\Gcfgfack.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Windows\SysWOW64\Gdgcnj32.exeC:\Windows\system32\Gdgcnj32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3060 -
C:\Windows\SysWOW64\Gnbelong.exeC:\Windows\system32\Gnbelong.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2468 -
C:\Windows\SysWOW64\Helmiiec.exeC:\Windows\system32\Helmiiec.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1404 -
C:\Windows\SysWOW64\Hndaao32.exeC:\Windows\system32\Hndaao32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:408 -
C:\Windows\SysWOW64\Henjnica.exeC:\Windows\system32\Henjnica.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1004 -
C:\Windows\SysWOW64\Hjkbfpah.exeC:\Windows\system32\Hjkbfpah.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1136 -
C:\Windows\SysWOW64\Hminbkql.exeC:\Windows\system32\Hminbkql.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:892 -
C:\Windows\SysWOW64\Hccfoehi.exeC:\Windows\system32\Hccfoehi.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2152 -
C:\Windows\SysWOW64\Hjmolp32.exeC:\Windows\system32\Hjmolp32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2244 -
C:\Windows\SysWOW64\Hpjgdf32.exeC:\Windows\system32\Hpjgdf32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2052 -
C:\Windows\SysWOW64\Hjplao32.exeC:\Windows\system32\Hjplao32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2004 -
C:\Windows\SysWOW64\Hmnhnk32.exeC:\Windows\system32\Hmnhnk32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2180 -
C:\Windows\SysWOW64\Hchpjddc.exeC:\Windows\system32\Hchpjddc.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:872 -
C:\Windows\SysWOW64\Hjbhgolp.exeC:\Windows\system32\Hjbhgolp.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:352 -
C:\Windows\SysWOW64\Ipoqofjh.exeC:\Windows\system32\Ipoqofjh.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2572 -
C:\Windows\SysWOW64\Ifiilp32.exeC:\Windows\system32\Ifiilp32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:920 -
C:\Windows\SysWOW64\Ilfadg32.exeC:\Windows\system32\Ilfadg32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:264 -
C:\Windows\SysWOW64\Ibpjaagi.exeC:\Windows\system32\Ibpjaagi.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1972 -
C:\Windows\SysWOW64\Iijbnkne.exeC:\Windows\system32\Iijbnkne.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1964 -
C:\Windows\SysWOW64\Infjfblm.exeC:\Windows\system32\Infjfblm.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2596 -
C:\Windows\SysWOW64\Iilocklc.exeC:\Windows\system32\Iilocklc.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2500 -
C:\Windows\SysWOW64\Ijmkkc32.exeC:\Windows\system32\Ijmkkc32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2812 -
C:\Windows\SysWOW64\Iagchmjn.exeC:\Windows\system32\Iagchmjn.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2868 -
C:\Windows\SysWOW64\Ihaldgak.exeC:\Windows\system32\Ihaldgak.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2820 -
C:\Windows\SysWOW64\Imndmnob.exeC:\Windows\system32\Imndmnob.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2688 -
C:\Windows\SysWOW64\Jhchjgoh.exeC:\Windows\system32\Jhchjgoh.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2716 -
C:\Windows\SysWOW64\Jonqfq32.exeC:\Windows\system32\Jonqfq32.exe34⤵
- Executes dropped EXE
PID:3056 -
C:\Windows\SysWOW64\Jpomnilc.exeC:\Windows\system32\Jpomnilc.exe35⤵
- Executes dropped EXE
PID:2944 -
C:\Windows\SysWOW64\Jkdalb32.exeC:\Windows\system32\Jkdalb32.exe36⤵
- Executes dropped EXE
PID:2156 -
C:\Windows\SysWOW64\Jmbnhm32.exeC:\Windows\system32\Jmbnhm32.exe37⤵
- Executes dropped EXE
PID:2452 -
C:\Windows\SysWOW64\Jbpfpd32.exeC:\Windows\system32\Jbpfpd32.exe38⤵
- Executes dropped EXE
PID:1360 -
C:\Windows\SysWOW64\Jkfnaa32.exeC:\Windows\system32\Jkfnaa32.exe39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1572 -
C:\Windows\SysWOW64\Jmejmm32.exeC:\Windows\system32\Jmejmm32.exe40⤵
- Executes dropped EXE
PID:2620 -
C:\Windows\SysWOW64\Jbbbed32.exeC:\Windows\system32\Jbbbed32.exe41⤵
- Executes dropped EXE
PID:1388 -
C:\Windows\SysWOW64\Jmggcmgg.exeC:\Windows\system32\Jmggcmgg.exe42⤵
- Executes dropped EXE
PID:1376 -
C:\Windows\SysWOW64\Joicje32.exeC:\Windows\system32\Joicje32.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:1804 -
C:\Windows\SysWOW64\Jinghn32.exeC:\Windows\system32\Jinghn32.exe44⤵
- Executes dropped EXE
PID:2368 -
C:\Windows\SysWOW64\Kokppd32.exeC:\Windows\system32\Kokppd32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1452 -
C:\Windows\SysWOW64\Kiqdmm32.exeC:\Windows\system32\Kiqdmm32.exe46⤵
- Executes dropped EXE
PID:2044 -
C:\Windows\SysWOW64\Kkaaee32.exeC:\Windows\system32\Kkaaee32.exe47⤵
- Executes dropped EXE
PID:2400 -
C:\Windows\SysWOW64\Kegebn32.exeC:\Windows\system32\Kegebn32.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2524 -
C:\Windows\SysWOW64\Kkdnke32.exeC:\Windows\system32\Kkdnke32.exe49⤵
- Executes dropped EXE
PID:2060 -
C:\Windows\SysWOW64\Kejahn32.exeC:\Windows\system32\Kejahn32.exe50⤵
- Executes dropped EXE
PID:3000 -
C:\Windows\SysWOW64\Kgknpfdi.exeC:\Windows\system32\Kgknpfdi.exe51⤵
- Executes dropped EXE
PID:1552 -
C:\Windows\SysWOW64\Kapbmo32.exeC:\Windows\system32\Kapbmo32.exe52⤵
- Executes dropped EXE
PID:2028 -
C:\Windows\SysWOW64\Khjkiikl.exeC:\Windows\system32\Khjkiikl.exe53⤵
- Executes dropped EXE
PID:1484 -
C:\Windows\SysWOW64\Kngcbpjc.exeC:\Windows\system32\Kngcbpjc.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:2848 -
C:\Windows\SysWOW64\Kcdljghj.exeC:\Windows\system32\Kcdljghj.exe55⤵
- Executes dropped EXE
PID:1084 -
C:\Windows\SysWOW64\Lnipgp32.exeC:\Windows\system32\Lnipgp32.exe56⤵
- Executes dropped EXE
PID:3016 -
C:\Windows\SysWOW64\Lcfhpf32.exeC:\Windows\system32\Lcfhpf32.exe57⤵
- Executes dropped EXE
PID:484 -
C:\Windows\SysWOW64\Llomhllh.exeC:\Windows\system32\Llomhllh.exe58⤵
- Executes dropped EXE
PID:2520 -
C:\Windows\SysWOW64\Lgdafeln.exeC:\Windows\system32\Lgdafeln.exe59⤵
- Executes dropped EXE
PID:1072 -
C:\Windows\SysWOW64\Llainlje.exeC:\Windows\system32\Llainlje.exe60⤵
- Executes dropped EXE
PID:2996 -
C:\Windows\SysWOW64\Lckbkfbb.exeC:\Windows\system32\Lckbkfbb.exe61⤵
- Executes dropped EXE
PID:1716 -
C:\Windows\SysWOW64\Lhhjcmpj.exeC:\Windows\system32\Lhhjcmpj.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:1960 -
C:\Windows\SysWOW64\Lobbpg32.exeC:\Windows\system32\Lobbpg32.exe63⤵
- Executes dropped EXE
PID:2260 -
C:\Windows\SysWOW64\Lbpolb32.exeC:\Windows\system32\Lbpolb32.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1920 -
C:\Windows\SysWOW64\Lhjghlng.exeC:\Windows\system32\Lhjghlng.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:700 -
C:\Windows\SysWOW64\Lodoefed.exeC:\Windows\system32\Lodoefed.exe66⤵PID:3052
-
C:\Windows\SysWOW64\Mfngbq32.exeC:\Windows\system32\Mfngbq32.exe67⤵PID:2372
-
C:\Windows\SysWOW64\Mgodjico.exeC:\Windows\system32\Mgodjico.exe68⤵PID:2880
-
C:\Windows\SysWOW64\Moflkfca.exeC:\Windows\system32\Moflkfca.exe69⤵PID:2364
-
C:\Windows\SysWOW64\Mdcdcmai.exeC:\Windows\system32\Mdcdcmai.exe70⤵PID:2824
-
C:\Windows\SysWOW64\Mqlbnnej.exeC:\Windows\system32\Mqlbnnej.exe71⤵PID:3048
-
C:\Windows\SysWOW64\Mfijfdca.exeC:\Windows\system32\Mfijfdca.exe72⤵PID:2892
-
C:\Windows\SysWOW64\Mjeffc32.exeC:\Windows\system32\Mjeffc32.exe73⤵PID:2168
-
C:\Windows\SysWOW64\Mqoocmcg.exeC:\Windows\system32\Mqoocmcg.exe74⤵PID:1740
-
C:\Windows\SysWOW64\Mcmkoi32.exeC:\Windows\system32\Mcmkoi32.exe75⤵PID:2232
-
C:\Windows\SysWOW64\Mgigpgkd.exeC:\Windows\system32\Mgigpgkd.exe76⤵PID:2148
-
C:\Windows\SysWOW64\Mjgclcjh.exeC:\Windows\system32\Mjgclcjh.exe77⤵
- Drops file in System32 directory
PID:2088 -
C:\Windows\SysWOW64\Nmeohnil.exeC:\Windows\system32\Nmeohnil.exe78⤵PID:3036
-
C:\Windows\SysWOW64\Nbbhpegc.exeC:\Windows\system32\Nbbhpegc.exe79⤵PID:2312
-
C:\Windows\SysWOW64\Njipabhe.exeC:\Windows\system32\Njipabhe.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:924 -
C:\Windows\SysWOW64\Nmhlnngi.exeC:\Windows\system32\Nmhlnngi.exe81⤵PID:2644
-
C:\Windows\SysWOW64\Npfhjifm.exeC:\Windows\system32\Npfhjifm.exe82⤵PID:2616
-
C:\Windows\SysWOW64\Nfppfcmj.exeC:\Windows\system32\Nfppfcmj.exe83⤵PID:1584
-
C:\Windows\SysWOW64\Nlmiojla.exeC:\Windows\system32\Nlmiojla.exe84⤵PID:1664
-
C:\Windows\SysWOW64\Nbgakd32.exeC:\Windows\system32\Nbgakd32.exe85⤵PID:2792
-
C:\Windows\SysWOW64\Neemgp32.exeC:\Windows\system32\Neemgp32.exe86⤵
- Drops file in System32 directory
PID:2172 -
C:\Windows\SysWOW64\Nhdjdk32.exeC:\Windows\system32\Nhdjdk32.exe87⤵PID:2664
-
C:\Windows\SysWOW64\Npkaei32.exeC:\Windows\system32\Npkaei32.exe88⤵
- Drops file in System32 directory
PID:2540 -
C:\Windows\SysWOW64\Nbinad32.exeC:\Windows\system32\Nbinad32.exe89⤵PID:536
-
C:\Windows\SysWOW64\Nehjmppo.exeC:\Windows\system32\Nehjmppo.exe90⤵PID:636
-
C:\Windows\SysWOW64\Nhffikob.exeC:\Windows\system32\Nhffikob.exe91⤵PID:2408
-
C:\Windows\SysWOW64\Nbljfdoh.exeC:\Windows\system32\Nbljfdoh.exe92⤵PID:980
-
C:\Windows\SysWOW64\Oejgbonl.exeC:\Windows\system32\Oejgbonl.exe93⤵PID:1808
-
C:\Windows\SysWOW64\Ohhcokmp.exeC:\Windows\system32\Ohhcokmp.exe94⤵
- Modifies registry class
PID:2076 -
C:\Windows\SysWOW64\Ojgokflc.exeC:\Windows\system32\Ojgokflc.exe95⤵PID:2488
-
C:\Windows\SysWOW64\Omekgakg.exeC:\Windows\system32\Omekgakg.exe96⤵PID:1600
-
C:\Windows\SysWOW64\Oaaghp32.exeC:\Windows\system32\Oaaghp32.exe97⤵PID:2780
-
C:\Windows\SysWOW64\Ododdlcd.exeC:\Windows\system32\Ododdlcd.exe98⤵PID:2796
-
C:\Windows\SysWOW64\Ofnppgbh.exeC:\Windows\system32\Ofnppgbh.exe99⤵PID:2816
-
C:\Windows\SysWOW64\Onehadbj.exeC:\Windows\system32\Onehadbj.exe100⤵PID:1528
-
C:\Windows\SysWOW64\Oacdmpan.exeC:\Windows\system32\Oacdmpan.exe101⤵PID:876
-
C:\Windows\SysWOW64\Odaqikaa.exeC:\Windows\system32\Odaqikaa.exe102⤵PID:2512
-
C:\Windows\SysWOW64\Ofpmegpe.exeC:\Windows\system32\Ofpmegpe.exe103⤵PID:1952
-
C:\Windows\SysWOW64\Oaeacppk.exeC:\Windows\system32\Oaeacppk.exe104⤵PID:1880
-
C:\Windows\SysWOW64\Ophanl32.exeC:\Windows\system32\Ophanl32.exe105⤵PID:2756
-
C:\Windows\SysWOW64\Oddmokoo.exeC:\Windows\system32\Oddmokoo.exe106⤵PID:996
-
C:\Windows\SysWOW64\Odfjdk32.exeC:\Windows\system32\Odfjdk32.exe107⤵PID:1636
-
C:\Windows\SysWOW64\Ofefqf32.exeC:\Windows\system32\Ofefqf32.exe108⤵PID:2992
-
C:\Windows\SysWOW64\Omonmpcm.exeC:\Windows\system32\Omonmpcm.exe109⤵PID:2964
-
C:\Windows\SysWOW64\Popkeh32.exeC:\Windows\system32\Popkeh32.exe110⤵PID:1196
-
C:\Windows\SysWOW64\Pejcab32.exeC:\Windows\system32\Pejcab32.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1436 -
C:\Windows\SysWOW64\Phhonn32.exeC:\Windows\system32\Phhonn32.exe112⤵PID:1940
-
C:\Windows\SysWOW64\Pobgjhgh.exeC:\Windows\system32\Pobgjhgh.exe113⤵PID:2224
-
C:\Windows\SysWOW64\Pelpgb32.exeC:\Windows\system32\Pelpgb32.exe114⤵PID:2764
-
C:\Windows\SysWOW64\Poddphee.exeC:\Windows\system32\Poddphee.exe115⤵
- Modifies registry class
PID:936 -
C:\Windows\SysWOW64\Pacqlcdi.exeC:\Windows\system32\Pacqlcdi.exe116⤵PID:888
-
C:\Windows\SysWOW64\Phmiimlf.exeC:\Windows\system32\Phmiimlf.exe117⤵PID:1632
-
C:\Windows\SysWOW64\Plheil32.exeC:\Windows\system32\Plheil32.exe118⤵PID:832
-
C:\Windows\SysWOW64\Pmjaadjm.exeC:\Windows\system32\Pmjaadjm.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:768 -
C:\Windows\SysWOW64\Peaibajp.exeC:\Windows\system32\Peaibajp.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:960 -
C:\Windows\SysWOW64\Pgbejj32.exeC:\Windows\system32\Pgbejj32.exe121⤵PID:2968
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-