Analysis
-
max time kernel
16s -
max time network
20s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
07-12-2024 20:16
Behavioral task
behavioral1
Sample
1afe4bb23e625c96b9d66e41a022c00da4b243de01e17ec22a3f0aed26b6c21d.exe
Resource
win7-20240729-en
General
-
Target
1afe4bb23e625c96b9d66e41a022c00da4b243de01e17ec22a3f0aed26b6c21d.exe
-
Size
93KB
-
MD5
6e726c373f5a05876b669921ae6c5086
-
SHA1
7c047a0c4e8baad9f96a17175eb8a6e3f15322e3
-
SHA256
1afe4bb23e625c96b9d66e41a022c00da4b243de01e17ec22a3f0aed26b6c21d
-
SHA512
e5d3d94903cf38d40ba21c178feed3539f81272c787c879d802175f9427a8d7fbd11bcb43d81f51d62e0f68166d43a1132142d45b0bcccf619e3aa83021b7cd7
-
SSDEEP
1536:n2azpaYwasKpEZJPCXF+Yk92R1DaYfMZRWuLsV+1T:n2a4vapESXMYk92RgYfc0DV+1T
Malware Config
Extracted
berbew
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abgdnm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Laeidfdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mjgqcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ogmngn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdajpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pnllnk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aokdga32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajdego32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igffmkno.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnijnjbh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Omgfdhbq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oheppe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oipcnieb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjkiie32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgabgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lgabgl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omjbihpn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmpcdfem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qfljmmjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iiipeb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jojnglco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kfgcieii.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khglkqfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phhmeehg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pobeao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aaondi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mcjlap32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbfobllj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oiljcj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omgfdhbq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abeghmmn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aaondi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnbnnm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcmgal32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndoelpid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nfmahkhh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olopjddf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjblcl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afnfcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Afnfcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjneoeeh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjpkbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Opebpdad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phocfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nilndfgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Abgdnm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkkblp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Amhopfof.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agfikc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hidfjckg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnpoie32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbkchj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Peiaij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jpcdqpqj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lpapgnpb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Migdig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ailboh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Klonqpbi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kngaig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Malpee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Migdig32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iljifm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikoehj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ikoehj32.exe -
Berbew family
-
Njrat family
-
Executes dropped EXE 64 IoCs
pid Process 3004 Hidfjckg.exe 2944 Ioaobjin.exe 3068 Ifhgcgjq.exe 1636 Ileoknhh.exe 2860 Iiipeb32.exe 2768 Iaddid32.exe 2764 Iljifm32.exe 2308 Imkeneja.exe 1212 Idemkp32.exe 3012 Ikoehj32.exe 1804 Iainddpg.exe 652 Igffmkno.exe 2372 Jnpoie32.exe 1980 Jcmgal32.exe 2052 Jjgonf32.exe 2096 Jdlclo32.exe 2408 Jempcgad.exe 1552 Jndhddaf.exe 1912 Jpcdqpqj.exe 2444 Jgmlmj32.exe 2648 Jjkiie32.exe 1648 Johaalea.exe 864 Jcdmbk32.exe 1796 Jjneoeeh.exe 2276 Jojnglco.exe 2824 Jcfjhj32.exe 2848 Klonqpbi.exe 2856 Kfgcieii.exe 592 Kdjceb32.exe 2752 Kbncof32.exe 2772 Khglkqfj.exe 1104 Kjihci32.exe 2296 Kdnlpaln.exe 344 Kngaig32.exe 2900 Kccian32.exe 2148 Kjnanhhc.exe 2084 Kninog32.exe 2340 Lgabgl32.exe 2180 Ljpnch32.exe 1940 Liboodmk.exe 2428 Lbkchj32.exe 1932 Ljbkig32.exe 104 Lkcgapjl.exe 2108 Lbmpnjai.exe 1468 Lelljepm.exe 2472 Lpapgnpb.exe 1732 Lndqbk32.exe 1632 Lgmekpmn.exe 264 Lpcmlnnp.exe 2964 Lbbiii32.exe 1688 Laeidfdn.exe 2952 Mgoaap32.exe 2736 Mnijnjbh.exe 2692 Mbdfni32.exe 1852 Mecbjd32.exe 1896 Mcfbfaao.exe 2796 Mlmjgnaa.exe 2872 Mjpkbk32.exe 1100 Majcoepi.exe 1728 Meeopdhb.exe 492 Mhckloge.exe 1148 Mjbghkfi.exe 928 Mmpcdfem.exe 1768 Malpee32.exe -
Loads dropped DLL 64 IoCs
pid Process 1520 1afe4bb23e625c96b9d66e41a022c00da4b243de01e17ec22a3f0aed26b6c21d.exe 1520 1afe4bb23e625c96b9d66e41a022c00da4b243de01e17ec22a3f0aed26b6c21d.exe 3004 Hidfjckg.exe 3004 Hidfjckg.exe 2944 Ioaobjin.exe 2944 Ioaobjin.exe 3068 Ifhgcgjq.exe 3068 Ifhgcgjq.exe 1636 Ileoknhh.exe 1636 Ileoknhh.exe 2860 Iiipeb32.exe 2860 Iiipeb32.exe 2768 Iaddid32.exe 2768 Iaddid32.exe 2764 Iljifm32.exe 2764 Iljifm32.exe 2308 Imkeneja.exe 2308 Imkeneja.exe 1212 Idemkp32.exe 1212 Idemkp32.exe 3012 Ikoehj32.exe 3012 Ikoehj32.exe 1804 Iainddpg.exe 1804 Iainddpg.exe 652 Igffmkno.exe 652 Igffmkno.exe 2372 Jnpoie32.exe 2372 Jnpoie32.exe 1980 Jcmgal32.exe 1980 Jcmgal32.exe 2052 Jjgonf32.exe 2052 Jjgonf32.exe 2096 Jdlclo32.exe 2096 Jdlclo32.exe 2408 Jempcgad.exe 2408 Jempcgad.exe 1552 Jndhddaf.exe 1552 Jndhddaf.exe 1912 Jpcdqpqj.exe 1912 Jpcdqpqj.exe 2444 Jgmlmj32.exe 2444 Jgmlmj32.exe 2648 Jjkiie32.exe 2648 Jjkiie32.exe 1648 Johaalea.exe 1648 Johaalea.exe 864 Jcdmbk32.exe 864 Jcdmbk32.exe 1796 Jjneoeeh.exe 1796 Jjneoeeh.exe 2276 Jojnglco.exe 2276 Jojnglco.exe 2824 Jcfjhj32.exe 2824 Jcfjhj32.exe 2848 Klonqpbi.exe 2848 Klonqpbi.exe 2856 Kfgcieii.exe 2856 Kfgcieii.exe 592 Kdjceb32.exe 592 Kdjceb32.exe 2752 Kbncof32.exe 2752 Kbncof32.exe 2772 Khglkqfj.exe 2772 Khglkqfj.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Mecbjd32.exe Mbdfni32.exe File created C:\Windows\SysWOW64\Pkgjak32.dll Omgfdhbq.exe File created C:\Windows\SysWOW64\Iifedg32.dll Olopjddf.exe File created C:\Windows\SysWOW64\Pgmobakj.dll Agfikc32.exe File created C:\Windows\SysWOW64\Khglkqfj.exe Kbncof32.exe File opened for modification C:\Windows\SysWOW64\Mlhmkbhb.exe Miiaogio.exe File opened for modification C:\Windows\SysWOW64\Nlmffa32.exe Nhakecld.exe File created C:\Windows\SysWOW64\Papank32.exe Pobeao32.exe File created C:\Windows\SysWOW64\Aokdga32.exe Aialjgbh.exe File created C:\Windows\SysWOW64\Aicipgqe.exe Aehmoh32.exe File opened for modification C:\Windows\SysWOW64\Ajdego32.exe Agfikc32.exe File created C:\Windows\SysWOW64\Bjaoaabb.dll Pkkblp32.exe File opened for modification C:\Windows\SysWOW64\Ioaobjin.exe Hidfjckg.exe File created C:\Windows\SysWOW64\Iiipeb32.exe Ileoknhh.exe File opened for modification C:\Windows\SysWOW64\Kninog32.exe Kjnanhhc.exe File created C:\Windows\SysWOW64\Opgcne32.dll Ogmngn32.exe File created C:\Windows\SysWOW64\Qmcnifll.dll Okkfmmqj.exe File created C:\Windows\SysWOW64\Podbgo32.exe Phjjkefd.exe File opened for modification C:\Windows\SysWOW64\Pdajpf32.exe Pabncj32.exe File created C:\Windows\SysWOW64\Pjmgop32.dll Amhopfof.exe File created C:\Windows\SysWOW64\Lpcmlnnp.exe Lgmekpmn.exe File opened for modification C:\Windows\SysWOW64\Nhakecld.exe Nebnigmp.exe File created C:\Windows\SysWOW64\Amhopfof.exe Ailboh32.exe File created C:\Windows\SysWOW64\Hiohip32.dll Lbkchj32.exe File created C:\Windows\SysWOW64\Ibnqpj32.dll Lkcgapjl.exe File created C:\Windows\SysWOW64\Nhhqfb32.exe Nmbmii32.exe File created C:\Windows\SysWOW64\Flgdah32.dll Odoakckp.exe File created C:\Windows\SysWOW64\Kepajbam.dll Pdajpf32.exe File opened for modification C:\Windows\SysWOW64\Anpahn32.exe Ajdego32.exe File created C:\Windows\SysWOW64\Mfbokqlp.dll Lpcmlnnp.exe File created C:\Windows\SysWOW64\Mmhaikja.dll Mnijnjbh.exe File opened for modification C:\Windows\SysWOW64\Nkdpmn32.exe Ndjhpcoe.exe File opened for modification C:\Windows\SysWOW64\Ollcee32.exe Omjbihpn.exe File opened for modification C:\Windows\SysWOW64\Pobeao32.exe Pkfiaqgk.exe File created C:\Windows\SysWOW64\Jdeadmlb.dll Kninog32.exe File created C:\Windows\SysWOW64\Omjbihpn.exe Okkfmmqj.exe File created C:\Windows\SysWOW64\Pchdfb32.exe Pdfdkehc.exe File opened for modification C:\Windows\SysWOW64\Ljbkig32.exe Lbkchj32.exe File opened for modification C:\Windows\SysWOW64\Lbbiii32.exe Lpcmlnnp.exe File created C:\Windows\SysWOW64\Iijfeeok.dll Ikoehj32.exe File created C:\Windows\SysWOW64\Mlhmkbhb.exe Miiaogio.exe File created C:\Windows\SysWOW64\Dkhdhoei.dll Nmgjee32.exe File created C:\Windows\SysWOW64\Jjgonf32.exe Jcmgal32.exe File created C:\Windows\SysWOW64\Meeopdhb.exe Majcoepi.exe File created C:\Windows\SysWOW64\Migdig32.exe Mcjlap32.exe File opened for modification C:\Windows\SysWOW64\Opebpdad.exe Omgfdhbq.exe File opened for modification C:\Windows\SysWOW64\Qmahog32.exe Pjblcl32.exe File created C:\Windows\SysWOW64\Enalae32.dll Qnpeijla.exe File created C:\Windows\SysWOW64\Anpahn32.exe Ajdego32.exe File created C:\Windows\SysWOW64\Klonqpbi.exe Jcfjhj32.exe File created C:\Windows\SysWOW64\Lqnmhm32.dll Kngaig32.exe File created C:\Windows\SysWOW64\Fjfiqjch.dll Nmbmii32.exe File created C:\Windows\SysWOW64\Dcemgk32.dll Afbpnlcd.exe File created C:\Windows\SysWOW64\Nbfobllj.exe Nlmffa32.exe File created C:\Windows\SysWOW64\Agefobee.dll Paekijkb.exe File opened for modification C:\Windows\SysWOW64\Qfimhmlo.exe Qckalamk.exe File created C:\Windows\SysWOW64\Acbglq32.exe Amhopfof.exe File created C:\Windows\SysWOW64\Bcmjpd32.exe Aaondi32.exe File created C:\Windows\SysWOW64\Denlga32.dll Aoihaa32.exe File created C:\Windows\SysWOW64\Lmkcfaod.dll Ifhgcgjq.exe File created C:\Windows\SysWOW64\Imkeneja.exe Iljifm32.exe File created C:\Windows\SysWOW64\Njbnon32.dll Kbncof32.exe File opened for modification C:\Windows\SysWOW64\Liboodmk.exe Ljpnch32.exe File created C:\Windows\SysWOW64\Lbmpnjai.exe Lkcgapjl.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 1664 2240 WerFault.exe 189 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kccian32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lndqbk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmgjee32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhhqfb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Podbgo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pchdfb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjgonf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcmgal32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjkiie32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcfbfaao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Paekijkb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ailboh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anndbnao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aalaoipc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iainddpg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnbnnm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkdbab32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Johaalea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdjceb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nkdpmn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iljifm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgabgl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Meeopdhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nebnigmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbfobllj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndjhpcoe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qoaaqb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aokdga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpcdqpqj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjnanhhc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhckloge.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odoakckp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omjbihpn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oheppe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aicipgqe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jempcgad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbncof32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kninog32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlmffa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhcgkbja.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aaondi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnpoie32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igffmkno.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbkchj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oegdcj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aijfihip.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ileoknhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnllnk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oaqeogll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klonqpbi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkcgapjl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbbiii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nilndfgl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oobiclmh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ollcee32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olopjddf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idemkp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgogla32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdajpf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aialjgbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khglkqfj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnijnjbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Migdig32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbpibm32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lbmpnjai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfbokqlp.dll" Lpcmlnnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jgmlmj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jojnglco.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nhhqfb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Omjbihpn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Opmhqc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Acbglq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lpapgnpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejbmjalg.dll" Aeccdila.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnpkcl32.dll" Ioaobjin.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jjgonf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plcflp32.dll" Jdlclo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kdnlpaln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ollcee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agefobee.dll" Paekijkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pdfdkehc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pdonjf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Agfikc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qkgjae32.dll" Hidfjckg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bnbnnm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Idemkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oipcnieb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bnbnnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kihjmonk.dll" Jgmlmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmooam32.dll" Malpee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Omjbihpn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Meeopdhb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oobiclmh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pobeao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofdqhh32.dll" Pkmobp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Denlga32.dll" Aoihaa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Abgdnm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pkfiaqgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfjjhnge.dll" Qfljmmjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkhgnk32.dll" Iaddid32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Omgfdhbq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fapapi32.dll" Oegdcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihdhmkjd.dll" Qmahog32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aaondi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jojnglco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibnqpj32.dll" Lkcgapjl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Majcoepi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnekggoo.dll" Migdig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djfoghqi.dll" Mjgqcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nhakecld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jcdmbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jjneoeeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgflpn32.dll" Panehkaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aokdga32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jpcdqpqj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Miiaogio.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pgogla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcemgk32.dll" Afbpnlcd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lgmekpmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pkfiaqgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlbloflp.dll" Pdonjf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aodnfbpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aodnfbpm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 1afe4bb23e625c96b9d66e41a022c00da4b243de01e17ec22a3f0aed26b6c21d.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Majcoepi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pkmobp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbkingcj.dll" Pchdfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iaddid32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1520 wrote to memory of 3004 1520 1afe4bb23e625c96b9d66e41a022c00da4b243de01e17ec22a3f0aed26b6c21d.exe 30 PID 1520 wrote to memory of 3004 1520 1afe4bb23e625c96b9d66e41a022c00da4b243de01e17ec22a3f0aed26b6c21d.exe 30 PID 1520 wrote to memory of 3004 1520 1afe4bb23e625c96b9d66e41a022c00da4b243de01e17ec22a3f0aed26b6c21d.exe 30 PID 1520 wrote to memory of 3004 1520 1afe4bb23e625c96b9d66e41a022c00da4b243de01e17ec22a3f0aed26b6c21d.exe 30 PID 3004 wrote to memory of 2944 3004 Hidfjckg.exe 31 PID 3004 wrote to memory of 2944 3004 Hidfjckg.exe 31 PID 3004 wrote to memory of 2944 3004 Hidfjckg.exe 31 PID 3004 wrote to memory of 2944 3004 Hidfjckg.exe 31 PID 2944 wrote to memory of 3068 2944 Ioaobjin.exe 32 PID 2944 wrote to memory of 3068 2944 Ioaobjin.exe 32 PID 2944 wrote to memory of 3068 2944 Ioaobjin.exe 32 PID 2944 wrote to memory of 3068 2944 Ioaobjin.exe 32 PID 3068 wrote to memory of 1636 3068 Ifhgcgjq.exe 33 PID 3068 wrote to memory of 1636 3068 Ifhgcgjq.exe 33 PID 3068 wrote to memory of 1636 3068 Ifhgcgjq.exe 33 PID 3068 wrote to memory of 1636 3068 Ifhgcgjq.exe 33 PID 1636 wrote to memory of 2860 1636 Ileoknhh.exe 34 PID 1636 wrote to memory of 2860 1636 Ileoknhh.exe 34 PID 1636 wrote to memory of 2860 1636 Ileoknhh.exe 34 PID 1636 wrote to memory of 2860 1636 Ileoknhh.exe 34 PID 2860 wrote to memory of 2768 2860 Iiipeb32.exe 35 PID 2860 wrote to memory of 2768 2860 Iiipeb32.exe 35 PID 2860 wrote to memory of 2768 2860 Iiipeb32.exe 35 PID 2860 wrote to memory of 2768 2860 Iiipeb32.exe 35 PID 2768 wrote to memory of 2764 2768 Iaddid32.exe 36 PID 2768 wrote to memory of 2764 2768 Iaddid32.exe 36 PID 2768 wrote to memory of 2764 2768 Iaddid32.exe 36 PID 2768 wrote to memory of 2764 2768 Iaddid32.exe 36 PID 2764 wrote to memory of 2308 2764 Iljifm32.exe 37 PID 2764 wrote to memory of 2308 2764 Iljifm32.exe 37 PID 2764 wrote to memory of 2308 2764 Iljifm32.exe 37 PID 2764 wrote to memory of 2308 2764 Iljifm32.exe 37 PID 2308 wrote to memory of 1212 2308 Imkeneja.exe 38 PID 2308 wrote to memory of 1212 2308 Imkeneja.exe 38 PID 2308 wrote to memory of 1212 2308 Imkeneja.exe 38 PID 2308 wrote to memory of 1212 2308 Imkeneja.exe 38 PID 1212 wrote to memory of 3012 1212 Idemkp32.exe 39 PID 1212 wrote to memory of 3012 1212 Idemkp32.exe 39 PID 1212 wrote to memory of 3012 1212 Idemkp32.exe 39 PID 1212 wrote to memory of 3012 1212 Idemkp32.exe 39 PID 3012 wrote to memory of 1804 3012 Ikoehj32.exe 40 PID 3012 wrote to memory of 1804 3012 Ikoehj32.exe 40 PID 3012 wrote to memory of 1804 3012 Ikoehj32.exe 40 PID 3012 wrote to memory of 1804 3012 Ikoehj32.exe 40 PID 1804 wrote to memory of 652 1804 Iainddpg.exe 41 PID 1804 wrote to memory of 652 1804 Iainddpg.exe 41 PID 1804 wrote to memory of 652 1804 Iainddpg.exe 41 PID 1804 wrote to memory of 652 1804 Iainddpg.exe 41 PID 652 wrote to memory of 2372 652 Igffmkno.exe 42 PID 652 wrote to memory of 2372 652 Igffmkno.exe 42 PID 652 wrote to memory of 2372 652 Igffmkno.exe 42 PID 652 wrote to memory of 2372 652 Igffmkno.exe 42 PID 2372 wrote to memory of 1980 2372 Jnpoie32.exe 43 PID 2372 wrote to memory of 1980 2372 Jnpoie32.exe 43 PID 2372 wrote to memory of 1980 2372 Jnpoie32.exe 43 PID 2372 wrote to memory of 1980 2372 Jnpoie32.exe 43 PID 1980 wrote to memory of 2052 1980 Jcmgal32.exe 44 PID 1980 wrote to memory of 2052 1980 Jcmgal32.exe 44 PID 1980 wrote to memory of 2052 1980 Jcmgal32.exe 44 PID 1980 wrote to memory of 2052 1980 Jcmgal32.exe 44 PID 2052 wrote to memory of 2096 2052 Jjgonf32.exe 45 PID 2052 wrote to memory of 2096 2052 Jjgonf32.exe 45 PID 2052 wrote to memory of 2096 2052 Jjgonf32.exe 45 PID 2052 wrote to memory of 2096 2052 Jjgonf32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\1afe4bb23e625c96b9d66e41a022c00da4b243de01e17ec22a3f0aed26b6c21d.exe"C:\Users\Admin\AppData\Local\Temp\1afe4bb23e625c96b9d66e41a022c00da4b243de01e17ec22a3f0aed26b6c21d.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1520 -
C:\Windows\SysWOW64\Hidfjckg.exeC:\Windows\system32\Hidfjckg.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3004 -
C:\Windows\SysWOW64\Ioaobjin.exeC:\Windows\system32\Ioaobjin.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2944 -
C:\Windows\SysWOW64\Ifhgcgjq.exeC:\Windows\system32\Ifhgcgjq.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3068 -
C:\Windows\SysWOW64\Ileoknhh.exeC:\Windows\system32\Ileoknhh.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1636 -
C:\Windows\SysWOW64\Iiipeb32.exeC:\Windows\system32\Iiipeb32.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2860 -
C:\Windows\SysWOW64\Iaddid32.exeC:\Windows\system32\Iaddid32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2768 -
C:\Windows\SysWOW64\Iljifm32.exeC:\Windows\system32\Iljifm32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2764 -
C:\Windows\SysWOW64\Imkeneja.exeC:\Windows\system32\Imkeneja.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2308 -
C:\Windows\SysWOW64\Idemkp32.exeC:\Windows\system32\Idemkp32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1212 -
C:\Windows\SysWOW64\Ikoehj32.exeC:\Windows\system32\Ikoehj32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3012 -
C:\Windows\SysWOW64\Iainddpg.exeC:\Windows\system32\Iainddpg.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1804 -
C:\Windows\SysWOW64\Igffmkno.exeC:\Windows\system32\Igffmkno.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:652 -
C:\Windows\SysWOW64\Jnpoie32.exeC:\Windows\system32\Jnpoie32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2372 -
C:\Windows\SysWOW64\Jcmgal32.exeC:\Windows\system32\Jcmgal32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1980 -
C:\Windows\SysWOW64\Jjgonf32.exeC:\Windows\system32\Jjgonf32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2052 -
C:\Windows\SysWOW64\Jdlclo32.exeC:\Windows\system32\Jdlclo32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2096 -
C:\Windows\SysWOW64\Jempcgad.exeC:\Windows\system32\Jempcgad.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2408 -
C:\Windows\SysWOW64\Jndhddaf.exeC:\Windows\system32\Jndhddaf.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1552 -
C:\Windows\SysWOW64\Jpcdqpqj.exeC:\Windows\system32\Jpcdqpqj.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1912 -
C:\Windows\SysWOW64\Jgmlmj32.exeC:\Windows\system32\Jgmlmj32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2444 -
C:\Windows\SysWOW64\Jjkiie32.exeC:\Windows\system32\Jjkiie32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2648 -
C:\Windows\SysWOW64\Johaalea.exeC:\Windows\system32\Johaalea.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1648 -
C:\Windows\SysWOW64\Jcdmbk32.exeC:\Windows\system32\Jcdmbk32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:864 -
C:\Windows\SysWOW64\Jjneoeeh.exeC:\Windows\system32\Jjneoeeh.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1796 -
C:\Windows\SysWOW64\Jojnglco.exeC:\Windows\system32\Jojnglco.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2276 -
C:\Windows\SysWOW64\Jcfjhj32.exeC:\Windows\system32\Jcfjhj32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2824 -
C:\Windows\SysWOW64\Klonqpbi.exeC:\Windows\system32\Klonqpbi.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2848 -
C:\Windows\SysWOW64\Kfgcieii.exeC:\Windows\system32\Kfgcieii.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2856 -
C:\Windows\SysWOW64\Kdjceb32.exeC:\Windows\system32\Kdjceb32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:592 -
C:\Windows\SysWOW64\Kbncof32.exeC:\Windows\system32\Kbncof32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2752 -
C:\Windows\SysWOW64\Khglkqfj.exeC:\Windows\system32\Khglkqfj.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2772 -
C:\Windows\SysWOW64\Kjihci32.exeC:\Windows\system32\Kjihci32.exe33⤵
- Executes dropped EXE
PID:1104 -
C:\Windows\SysWOW64\Kdnlpaln.exeC:\Windows\system32\Kdnlpaln.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:2296 -
C:\Windows\SysWOW64\Kngaig32.exeC:\Windows\system32\Kngaig32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:344 -
C:\Windows\SysWOW64\Kccian32.exeC:\Windows\system32\Kccian32.exe36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2900 -
C:\Windows\SysWOW64\Kjnanhhc.exeC:\Windows\system32\Kjnanhhc.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2148 -
C:\Windows\SysWOW64\Kninog32.exeC:\Windows\system32\Kninog32.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2084 -
C:\Windows\SysWOW64\Lgabgl32.exeC:\Windows\system32\Lgabgl32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2340 -
C:\Windows\SysWOW64\Ljpnch32.exeC:\Windows\system32\Ljpnch32.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2180 -
C:\Windows\SysWOW64\Liboodmk.exeC:\Windows\system32\Liboodmk.exe41⤵
- Executes dropped EXE
PID:1940 -
C:\Windows\SysWOW64\Lbkchj32.exeC:\Windows\system32\Lbkchj32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2428 -
C:\Windows\SysWOW64\Ljbkig32.exeC:\Windows\system32\Ljbkig32.exe43⤵
- Executes dropped EXE
PID:1932 -
C:\Windows\SysWOW64\Lkcgapjl.exeC:\Windows\system32\Lkcgapjl.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:104 -
C:\Windows\SysWOW64\Lbmpnjai.exeC:\Windows\system32\Lbmpnjai.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:2108 -
C:\Windows\SysWOW64\Lelljepm.exeC:\Windows\system32\Lelljepm.exe46⤵
- Executes dropped EXE
PID:1468 -
C:\Windows\SysWOW64\Lpapgnpb.exeC:\Windows\system32\Lpapgnpb.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2472 -
C:\Windows\SysWOW64\Lndqbk32.exeC:\Windows\system32\Lndqbk32.exe48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1732 -
C:\Windows\SysWOW64\Lgmekpmn.exeC:\Windows\system32\Lgmekpmn.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1632 -
C:\Windows\SysWOW64\Lpcmlnnp.exeC:\Windows\system32\Lpcmlnnp.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:264 -
C:\Windows\SysWOW64\Lbbiii32.exeC:\Windows\system32\Lbbiii32.exe51⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2964 -
C:\Windows\SysWOW64\Laeidfdn.exeC:\Windows\system32\Laeidfdn.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1688 -
C:\Windows\SysWOW64\Mgoaap32.exeC:\Windows\system32\Mgoaap32.exe53⤵
- Executes dropped EXE
PID:2952 -
C:\Windows\SysWOW64\Mnijnjbh.exeC:\Windows\system32\Mnijnjbh.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2736 -
C:\Windows\SysWOW64\Mbdfni32.exeC:\Windows\system32\Mbdfni32.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2692 -
C:\Windows\SysWOW64\Mecbjd32.exeC:\Windows\system32\Mecbjd32.exe56⤵
- Executes dropped EXE
PID:1852 -
C:\Windows\SysWOW64\Mcfbfaao.exeC:\Windows\system32\Mcfbfaao.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1896 -
C:\Windows\SysWOW64\Mlmjgnaa.exeC:\Windows\system32\Mlmjgnaa.exe58⤵
- Executes dropped EXE
PID:2796 -
C:\Windows\SysWOW64\Mjpkbk32.exeC:\Windows\system32\Mjpkbk32.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2872 -
C:\Windows\SysWOW64\Majcoepi.exeC:\Windows\system32\Majcoepi.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1100 -
C:\Windows\SysWOW64\Meeopdhb.exeC:\Windows\system32\Meeopdhb.exe61⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1728 -
C:\Windows\SysWOW64\Mhckloge.exeC:\Windows\system32\Mhckloge.exe62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:492 -
C:\Windows\SysWOW64\Mjbghkfi.exeC:\Windows\system32\Mjbghkfi.exe63⤵
- Executes dropped EXE
PID:1148 -
C:\Windows\SysWOW64\Mmpcdfem.exeC:\Windows\system32\Mmpcdfem.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:928 -
C:\Windows\SysWOW64\Malpee32.exeC:\Windows\system32\Malpee32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1768 -
C:\Windows\SysWOW64\Mcjlap32.exeC:\Windows\system32\Mcjlap32.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2792 -
C:\Windows\SysWOW64\Migdig32.exeC:\Windows\system32\Migdig32.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1724 -
C:\Windows\SysWOW64\Manljd32.exeC:\Windows\system32\Manljd32.exe68⤵PID:2196
-
C:\Windows\SysWOW64\Mdmhfpkg.exeC:\Windows\system32\Mdmhfpkg.exe69⤵PID:2840
-
C:\Windows\SysWOW64\Mbpibm32.exeC:\Windows\system32\Mbpibm32.exe70⤵
- System Location Discovery: System Language Discovery
PID:2956 -
C:\Windows\SysWOW64\Mjgqcj32.exeC:\Windows\system32\Mjgqcj32.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2888 -
C:\Windows\SysWOW64\Miiaogio.exeC:\Windows\system32\Miiaogio.exe72⤵
- Drops file in System32 directory
- Modifies registry class
PID:2292 -
C:\Windows\SysWOW64\Mlhmkbhb.exeC:\Windows\system32\Mlhmkbhb.exe73⤵PID:2224
-
C:\Windows\SysWOW64\Ndoelpid.exeC:\Windows\system32\Ndoelpid.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:872 -
C:\Windows\SysWOW64\Nfmahkhh.exeC:\Windows\system32\Nfmahkhh.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3000 -
C:\Windows\SysWOW64\Nilndfgl.exeC:\Windows\system32\Nilndfgl.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:3036 -
C:\Windows\SysWOW64\Nmgjee32.exeC:\Windows\system32\Nmgjee32.exe77⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1600 -
C:\Windows\SysWOW64\Npffaq32.exeC:\Windows\system32\Npffaq32.exe78⤵PID:1144
-
C:\Windows\SysWOW64\Nebnigmp.exeC:\Windows\system32\Nebnigmp.exe79⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1976 -
C:\Windows\SysWOW64\Nhakecld.exeC:\Windows\system32\Nhakecld.exe80⤵
- Drops file in System32 directory
- Modifies registry class
PID:2516 -
C:\Windows\SysWOW64\Nlmffa32.exeC:\Windows\system32\Nlmffa32.exe81⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:896 -
C:\Windows\SysWOW64\Nbfobllj.exeC:\Windows\system32\Nbfobllj.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1660 -
C:\Windows\SysWOW64\Neekogkm.exeC:\Windows\system32\Neekogkm.exe83⤵PID:1644
-
C:\Windows\SysWOW64\Nhcgkbja.exeC:\Windows\system32\Nhcgkbja.exe84⤵
- System Location Discovery: System Language Discovery
PID:2072 -
C:\Windows\SysWOW64\Nalldh32.exeC:\Windows\system32\Nalldh32.exe85⤵PID:2664
-
C:\Windows\SysWOW64\Ndjhpcoe.exeC:\Windows\system32\Ndjhpcoe.exe86⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2152 -
C:\Windows\SysWOW64\Nkdpmn32.exeC:\Windows\system32\Nkdpmn32.exe87⤵
- System Location Discovery: System Language Discovery
PID:3008 -
C:\Windows\SysWOW64\Nmbmii32.exeC:\Windows\system32\Nmbmii32.exe88⤵
- Drops file in System32 directory
PID:3032 -
C:\Windows\SysWOW64\Nhhqfb32.exeC:\Windows\system32\Nhhqfb32.exe89⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2264 -
C:\Windows\SysWOW64\Oobiclmh.exeC:\Windows\system32\Oobiclmh.exe90⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1392 -
C:\Windows\SysWOW64\Oaqeogll.exeC:\Windows\system32\Oaqeogll.exe91⤵
- System Location Discovery: System Language Discovery
PID:1868 -
C:\Windows\SysWOW64\Odoakckp.exeC:\Windows\system32\Odoakckp.exe92⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1048 -
C:\Windows\SysWOW64\Ogmngn32.exeC:\Windows\system32\Ogmngn32.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:676 -
C:\Windows\SysWOW64\Oiljcj32.exeC:\Windows\system32\Oiljcj32.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2396 -
C:\Windows\SysWOW64\Omgfdhbq.exeC:\Windows\system32\Omgfdhbq.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2776 -
C:\Windows\SysWOW64\Opebpdad.exeC:\Windows\system32\Opebpdad.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1880 -
C:\Windows\SysWOW64\Okkfmmqj.exeC:\Windows\system32\Okkfmmqj.exe97⤵
- Drops file in System32 directory
PID:1740 -
C:\Windows\SysWOW64\Omjbihpn.exeC:\Windows\system32\Omjbihpn.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2172 -
C:\Windows\SysWOW64\Ollcee32.exeC:\Windows\system32\Ollcee32.exe99⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2924 -
C:\Windows\SysWOW64\Ocfkaone.exeC:\Windows\system32\Ocfkaone.exe100⤵PID:2864
-
C:\Windows\SysWOW64\Oipcnieb.exeC:\Windows\system32\Oipcnieb.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2268 -
C:\Windows\SysWOW64\Olopjddf.exeC:\Windows\system32\Olopjddf.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1968 -
C:\Windows\SysWOW64\Ocihgo32.exeC:\Windows\system32\Ocihgo32.exe103⤵PID:764
-
C:\Windows\SysWOW64\Oegdcj32.exeC:\Windows\system32\Oegdcj32.exe104⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2440 -
C:\Windows\SysWOW64\Oheppe32.exeC:\Windows\system32\Oheppe32.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2436 -
C:\Windows\SysWOW64\Opmhqc32.exeC:\Windows\system32\Opmhqc32.exe106⤵
- Modifies registry class
PID:1400 -
C:\Windows\SysWOW64\Panehkaj.exeC:\Windows\system32\Panehkaj.exe107⤵
- Modifies registry class
PID:1908 -
C:\Windows\SysWOW64\Peiaij32.exeC:\Windows\system32\Peiaij32.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1676 -
C:\Windows\SysWOW64\Phhmeehg.exeC:\Windows\system32\Phhmeehg.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:852 -
C:\Windows\SysWOW64\Pkfiaqgk.exeC:\Windows\system32\Pkfiaqgk.exe110⤵
- Drops file in System32 directory
- Modifies registry class
PID:1624 -
C:\Windows\SysWOW64\Pobeao32.exeC:\Windows\system32\Pobeao32.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1576 -
C:\Windows\SysWOW64\Papank32.exeC:\Windows\system32\Papank32.exe112⤵PID:2904
-
C:\Windows\SysWOW64\Pdonjf32.exeC:\Windows\system32\Pdonjf32.exe113⤵
- Modifies registry class
PID:1904 -
C:\Windows\SysWOW64\Phjjkefd.exeC:\Windows\system32\Phjjkefd.exe114⤵
- Drops file in System32 directory
PID:1420 -
C:\Windows\SysWOW64\Podbgo32.exeC:\Windows\system32\Podbgo32.exe115⤵
- System Location Discovery: System Language Discovery
PID:2756 -
C:\Windows\SysWOW64\Pabncj32.exeC:\Windows\system32\Pabncj32.exe116⤵
- Drops file in System32 directory
PID:2348 -
C:\Windows\SysWOW64\Pdajpf32.exeC:\Windows\system32\Pdajpf32.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2316 -
C:\Windows\SysWOW64\Pgogla32.exeC:\Windows\system32\Pgogla32.exe118⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2588 -
C:\Windows\SysWOW64\Pkkblp32.exeC:\Windows\system32\Pkkblp32.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1464 -
C:\Windows\SysWOW64\Paekijkb.exeC:\Windows\system32\Paekijkb.exe120⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2156 -
C:\Windows\SysWOW64\Phocfd32.exeC:\Windows\system32\Phocfd32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1780 -
C:\Windows\SysWOW64\Pkmobp32.exeC:\Windows\system32\Pkmobp32.exe122⤵
- Modifies registry class
PID:2360
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-