Analysis
-
max time kernel
93s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
10-12-2024 10:48
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
713a2705788437e7c5fdf46a0b911f3f1f36215ade19188864c9180ed0952c00.exe
Resource
win7-20241010-en
windows7-x64
13 signatures
120 seconds
Behavioral task
behavioral2
Sample
713a2705788437e7c5fdf46a0b911f3f1f36215ade19188864c9180ed0952c00.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
120 seconds
General
-
Target
713a2705788437e7c5fdf46a0b911f3f1f36215ade19188864c9180ed0952c00.exe
-
Size
163KB
-
MD5
f772ad5230e6fcb3ab0be36158265018
-
SHA1
d4aa823d44e10e09d50ccd18a638441eec4fe341
-
SHA256
713a2705788437e7c5fdf46a0b911f3f1f36215ade19188864c9180ed0952c00
-
SHA512
a4456ced0dc212acb256baacaead63c9d891d123fb2eaadb6e66a80aab4d7afde4d8e1867bffe3db120f6f71ca1ff2ba5b70bd7650887f8172d80c6a270cf766
-
SSDEEP
1536:Pg9IPz56W9JBKCLo1wRPsD8vwQFHlProNVU4qNVUrk/9QbfBr+7GwKrPAsqNVUA:I45NJBKPwRP+8vdRltOrWKDBr+yJbA
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://master-x.com/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://crutop.ru/index.php
http://kaspersky.ru/index.php
http://color-bank.ru/index.php
http://adult-empire.com/index.php
http://virus-list.com/index.php
http://trojan.ru/index.php
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://fethard.biz/index.htm
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://kaspersky.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phneep32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pphjlm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oqakfdek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dgknnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hbmcedhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mldfmcfk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ngmpgjel.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olledp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qfkieb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmdiamqj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofeqhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eajebj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jgakeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ogkcbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Inkjkd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfbkbpjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mpdkiajo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qhjean32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bcdkpdph.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aichgm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cqhljhob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ehmgne32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkqockbf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkcdohbq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nekgggpl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngjcajgo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlihoq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Foiegl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ghklfq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mikjfn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpjlngje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ndagjd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ogbploeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aqdqbaee.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Delnljgl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibdifc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfqgdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Olledp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idpilp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nekgggpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Medgan32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmkpbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ncdgfaol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oloidfcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojgbij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Olfoee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pgminggi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpebch32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eknppp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jeqbcmel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jecoimci.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocjglj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Amaqmkaf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lefkpq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ofncnkcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kldmff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lpnehb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aebihpkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkglmlkq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ocfmajin.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgminggi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qodmnhjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojjooilk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dkfjoagf.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2852 Lpicgihh.exe 4684 Lfckdcoe.exe 1264 Lefkpq32.exe 1104 Ldgkmhno.exe 2972 Leihep32.exe 2244 Llbpbjlj.exe 4408 Lekekp32.exe 1664 Lmbmlmbl.exe 2548 Ldlehg32.exe 2484 Memapppg.exe 2712 Mmdiamqj.exe 4564 Mpcenhpn.exe 4580 Mdnang32.exe 2660 Mcabjcoa.exe 4964 Mepnfone.exe 3264 Mikjfn32.exe 396 Mmgfgl32.exe 5044 Mljfbiea.exe 1984 Mpebch32.exe 2136 Mdqncffd.exe 4020 Mccooc32.exe 2504 Mgokpbeh.exe 1532 Mebkko32.exe 2816 Minglmdk.exe 4996 Mmicll32.exe 2100 Mpgoig32.exe 4076 Mdckifda.exe 2724 Mcfkec32.exe 2948 Mgageace.exe 2432 Medgan32.exe 2640 Mipcambi.exe 3872 Mmkpbl32.exe 3568 Mlnpnh32.exe 1400 Mpjlngje.exe 2336 Mdehof32.exe 2276 Mchhjbii.exe 2296 Megdfnhm.exe 3596 Mibpgm32.exe 4112 Mnnlgkho.exe 2440 Mplhdghc.exe 4840 Ndhdde32.exe 1720 Nckepbgf.exe 1548 Ngfqqa32.exe 3396 Neialnfj.exe 3504 Nidmml32.exe 2652 Nlciih32.exe 2544 Npoeif32.exe 4352 Ndjajeni.exe 4772 Nghmfqmm.exe 868 Neknam32.exe 4000 Nnbebk32.exe 1148 Nlefngkd.exe 5040 Npabof32.exe 4568 Nconka32.exe 2120 Ngkjlpkj.exe 3772 Njifhljn.exe 5104 Nnebhj32.exe 1696 Nlhbdgia.exe 4700 Npcodf32.exe 4276 Ncakqaqo.exe 3960 Ngmgap32.exe 244 Njlcmk32.exe 2892 Nngonjqd.exe 4752 Npekjeph.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Hddiqaml.exe Hfaied32.exe File created C:\Windows\SysWOW64\Necjgcjo.dll Kbgoba32.exe File created C:\Windows\SysWOW64\Igikac32.dll Medgan32.exe File created C:\Windows\SysWOW64\Dnbicmgi.dll Nngonjqd.exe File created C:\Windows\SysWOW64\Olaejfag.exe Onneoi32.exe File opened for modification C:\Windows\SysWOW64\Ofncnkcb.exe Ogkcbn32.exe File created C:\Windows\SysWOW64\Kbnggn32.dll Chehfhhh.exe File created C:\Windows\SysWOW64\Dmpmpm32.exe Ddhhggdo.exe File created C:\Windows\SysWOW64\Pbeafajf.dll Nohdkl32.exe File opened for modification C:\Windows\SysWOW64\Qhghkn32.exe Qgfldf32.exe File created C:\Windows\SysWOW64\Jflkkn32.dll Bgnkkckd.exe File created C:\Windows\SysWOW64\Llfaiaim.dll Ehmgne32.exe File created C:\Windows\SysWOW64\Fgfpqn32.dll Jkcdohbq.exe File opened for modification C:\Windows\SysWOW64\Nidmml32.exe Neialnfj.exe File created C:\Windows\SysWOW64\Pjnjhf32.dll Nlefngkd.exe File created C:\Windows\SysWOW64\Pcdqmo32.exe Pqfdac32.exe File created C:\Windows\SysWOW64\Ieaplbcc.dll Aqdqbaee.exe File opened for modification C:\Windows\SysWOW64\Dkfjoagf.exe Dgknnb32.exe File created C:\Windows\SysWOW64\Mhqlcc32.dll Dgknnb32.exe File created C:\Windows\SysWOW64\Moleonmd.exe Mhbmbc32.exe File created C:\Windows\SysWOW64\Pambekce.dll Oimihe32.exe File opened for modification C:\Windows\SysWOW64\Biadhkop.exe Bfchlopl.exe File opened for modification C:\Windows\SysWOW64\Mljfbiea.exe Mmgfgl32.exe File created C:\Windows\SysWOW64\Nckepbgf.exe Ndhdde32.exe File opened for modification C:\Windows\SysWOW64\Inkjkd32.exe Ibdifc32.exe File created C:\Windows\SysWOW64\Mhbmbc32.exe Miomggom.exe File created C:\Windows\SysWOW64\Ocfmajin.exe Olledp32.exe File created C:\Windows\SysWOW64\Ngfqqa32.exe Nckepbgf.exe File created C:\Windows\SysWOW64\Bacdhldd.dll Nnbebk32.exe File opened for modification C:\Windows\SysWOW64\Odmgfb32.exe Oqakfdek.exe File opened for modification C:\Windows\SysWOW64\Pfjcji32.exe Pckfnn32.exe File created C:\Windows\SysWOW64\Mflhqocp.dll Nidmml32.exe File created C:\Windows\SysWOW64\Ambgha32.exe Aefbcogf.exe File opened for modification C:\Windows\SysWOW64\Hfompd32.exe Gkjhbl32.exe File created C:\Windows\SysWOW64\Jeilbn32.exe Igekijlj.exe File created C:\Windows\SysWOW64\Lpfogcfo.exe Llkcgenf.exe File opened for modification C:\Windows\SysWOW64\Ahonlmoe.exe Agmbde32.exe File created C:\Windows\SysWOW64\Pgnphnke.exe Pcbdgo32.exe File created C:\Windows\SysWOW64\Bljmpb32.dll Opljpn32.exe File created C:\Windows\SysWOW64\Mdgamc32.dll Ocfmajin.exe File created C:\Windows\SysWOW64\Memapppg.exe Ldlehg32.exe File created C:\Windows\SysWOW64\Hiaponbm.dll Memapppg.exe File created C:\Windows\SysWOW64\Pgedglll.dll Olfoee32.exe File created C:\Windows\SysWOW64\Fgijpp32.exe Emqegkll.exe File created C:\Windows\SysWOW64\Fneobj32.exe Fncblj32.exe File opened for modification C:\Windows\SysWOW64\Kpkple32.exe Klockfhc.exe File opened for modification C:\Windows\SysWOW64\Liocpi32.exe Lfqgdn32.exe File opened for modification C:\Windows\SysWOW64\Noehelej.exe Nlgliaef.exe File opened for modification C:\Windows\SysWOW64\Nhnlnb32.exe Ngmpgjel.exe File created C:\Windows\SysWOW64\Plnkan32.exe Pfdbdcjo.exe File created C:\Windows\SysWOW64\Mdnkbgfn.dll Afboeano.exe File created C:\Windows\SysWOW64\Ddpajb32.dll Lpicgihh.exe File created C:\Windows\SysWOW64\Dddkqjen.dll Pcbdgo32.exe File created C:\Windows\SysWOW64\Lmcbjg32.dll Eajebj32.exe File created C:\Windows\SysWOW64\Pcaphnlb.dll Fhpmjbch.exe File opened for modification C:\Windows\SysWOW64\Mikclg32.exe Mflgpl32.exe File created C:\Windows\SysWOW64\Bjgnlo32.exe Bgiapc32.exe File opened for modification C:\Windows\SysWOW64\Kbgoba32.exe Kphcfe32.exe File created C:\Windows\SysWOW64\Mflgpl32.exe Mpbocblb.exe File created C:\Windows\SysWOW64\Oghpbh32.exe Opngfn32.exe File opened for modification C:\Windows\SysWOW64\Aiakammb.exe Ajnkfp32.exe File created C:\Windows\SysWOW64\Mikjfn32.exe Mepnfone.exe File opened for modification C:\Windows\SysWOW64\Oloidfcj.exe Onlhii32.exe File created C:\Windows\SysWOW64\Ojgbij32.exe Oflfhkee.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 10052 9916 WerFault.exe 477 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnbebk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kejeilma.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nidfbf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mipcambi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nngonjqd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgknnb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkjhbl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpcenhpn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdabfhjf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oocdgj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjihdc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgijpp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnfjfc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhnlnb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mibpgm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofncnkcb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dokpoq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddjemgal.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Noehelej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfgojchl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Biogck32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncakqaqo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jniflb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lejnpi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhiccb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhbmbc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amjjml32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bpfcjeja.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogfjgo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmbpoofo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jilndl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkjjpg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qhjean32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahonlmoe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajcdapbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mccooc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocfdlqmi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmkjnp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpdkiajo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpkple32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llkcgenf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfjjjl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Miomggom.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdnang32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpjlngje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npcodf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccjlfi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmkpbl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onneoi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kijjejae.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngmpgjel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eknppp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gonnblgo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfkebq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojgloc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogkcbn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bappnpkh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbmcedhp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agkeoeki.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edfdhego.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olbkeoki.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgiapc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mepnfone.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofeqhl32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mhkgbdlp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Phneep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qabdlocn.dll" Ngfqqa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mflhqocp.dll" Nidmml32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ojjooilk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fgpppo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jbmllb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mobbioeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Niaimf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oqakfdek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jedhei32.dll" Chhdlhfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jminkf32.dll" Mpghna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nlpeib32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pofalj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bfiefqhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Leihep32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iipohm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jeqbcmel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kbgoba32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kpkple32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aofjch32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dokpoq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ohiljpam.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Agmbde32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mccooc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hbfmdfnh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lejnpi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mpbocblb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqmfgcnl.dll" Llbpbjlj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fhpmjbch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efgehhna.dll" Ibdifc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Agmbde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qgfldf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bgiapc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mcabjcoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hadimk32.dll" Ocfdlqmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qimmdloa.dll" Gonnblgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lhdqaeag.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lpnehb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pofalj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jflkkn32.dll" Bgnkkckd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mnnlgkho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oelfff32.dll" Odmgfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ddjemgal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Liocpi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Agkeoeki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahbinm32.dll" Aichgm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ndhdde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpfboh32.dll" Gnfhihjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jldadd32.dll" Iipohm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Llkcgenf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcbpdj32.dll" Mldfmcfk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mdqncffd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kojdhh32.dll" Dokpoq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Biogck32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfehoi32.dll" Ngmgap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dabegd32.dll" Aqffmkpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlaaohoh.dll" Bqfodh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bcdkpdph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhjlkk32.dll" Leihep32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pcdqmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hbkgpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emfiqoad.dll" Pcdjbh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mgokpbeh.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1656 wrote to memory of 2852 1656 713a2705788437e7c5fdf46a0b911f3f1f36215ade19188864c9180ed0952c00.exe 81 PID 1656 wrote to memory of 2852 1656 713a2705788437e7c5fdf46a0b911f3f1f36215ade19188864c9180ed0952c00.exe 81 PID 1656 wrote to memory of 2852 1656 713a2705788437e7c5fdf46a0b911f3f1f36215ade19188864c9180ed0952c00.exe 81 PID 2852 wrote to memory of 4684 2852 Lpicgihh.exe 82 PID 2852 wrote to memory of 4684 2852 Lpicgihh.exe 82 PID 2852 wrote to memory of 4684 2852 Lpicgihh.exe 82 PID 4684 wrote to memory of 1264 4684 Lfckdcoe.exe 83 PID 4684 wrote to memory of 1264 4684 Lfckdcoe.exe 83 PID 4684 wrote to memory of 1264 4684 Lfckdcoe.exe 83 PID 1264 wrote to memory of 1104 1264 Lefkpq32.exe 84 PID 1264 wrote to memory of 1104 1264 Lefkpq32.exe 84 PID 1264 wrote to memory of 1104 1264 Lefkpq32.exe 84 PID 1104 wrote to memory of 2972 1104 Ldgkmhno.exe 85 PID 1104 wrote to memory of 2972 1104 Ldgkmhno.exe 85 PID 1104 wrote to memory of 2972 1104 Ldgkmhno.exe 85 PID 2972 wrote to memory of 2244 2972 Leihep32.exe 86 PID 2972 wrote to memory of 2244 2972 Leihep32.exe 86 PID 2972 wrote to memory of 2244 2972 Leihep32.exe 86 PID 2244 wrote to memory of 4408 2244 Llbpbjlj.exe 87 PID 2244 wrote to memory of 4408 2244 Llbpbjlj.exe 87 PID 2244 wrote to memory of 4408 2244 Llbpbjlj.exe 87 PID 4408 wrote to memory of 1664 4408 Lekekp32.exe 88 PID 4408 wrote to memory of 1664 4408 Lekekp32.exe 88 PID 4408 wrote to memory of 1664 4408 Lekekp32.exe 88 PID 1664 wrote to memory of 2548 1664 Lmbmlmbl.exe 89 PID 1664 wrote to memory of 2548 1664 Lmbmlmbl.exe 89 PID 1664 wrote to memory of 2548 1664 Lmbmlmbl.exe 89 PID 2548 wrote to memory of 2484 2548 Ldlehg32.exe 90 PID 2548 wrote to memory of 2484 2548 Ldlehg32.exe 90 PID 2548 wrote to memory of 2484 2548 Ldlehg32.exe 90 PID 2484 wrote to memory of 2712 2484 Memapppg.exe 91 PID 2484 wrote to memory of 2712 2484 Memapppg.exe 91 PID 2484 wrote to memory of 2712 2484 Memapppg.exe 91 PID 2712 wrote to memory of 4564 2712 Mmdiamqj.exe 92 PID 2712 wrote to memory of 4564 2712 Mmdiamqj.exe 92 PID 2712 wrote to memory of 4564 2712 Mmdiamqj.exe 92 PID 4564 wrote to memory of 4580 4564 Mpcenhpn.exe 93 PID 4564 wrote to memory of 4580 4564 Mpcenhpn.exe 93 PID 4564 wrote to memory of 4580 4564 Mpcenhpn.exe 93 PID 4580 wrote to memory of 2660 4580 Mdnang32.exe 94 PID 4580 wrote to memory of 2660 4580 Mdnang32.exe 94 PID 4580 wrote to memory of 2660 4580 Mdnang32.exe 94 PID 2660 wrote to memory of 4964 2660 Mcabjcoa.exe 95 PID 2660 wrote to memory of 4964 2660 Mcabjcoa.exe 95 PID 2660 wrote to memory of 4964 2660 Mcabjcoa.exe 95 PID 4964 wrote to memory of 3264 4964 Mepnfone.exe 96 PID 4964 wrote to memory of 3264 4964 Mepnfone.exe 96 PID 4964 wrote to memory of 3264 4964 Mepnfone.exe 96 PID 3264 wrote to memory of 396 3264 Mikjfn32.exe 97 PID 3264 wrote to memory of 396 3264 Mikjfn32.exe 97 PID 3264 wrote to memory of 396 3264 Mikjfn32.exe 97 PID 396 wrote to memory of 5044 396 Mmgfgl32.exe 98 PID 396 wrote to memory of 5044 396 Mmgfgl32.exe 98 PID 396 wrote to memory of 5044 396 Mmgfgl32.exe 98 PID 5044 wrote to memory of 1984 5044 Mljfbiea.exe 99 PID 5044 wrote to memory of 1984 5044 Mljfbiea.exe 99 PID 5044 wrote to memory of 1984 5044 Mljfbiea.exe 99 PID 1984 wrote to memory of 2136 1984 Mpebch32.exe 100 PID 1984 wrote to memory of 2136 1984 Mpebch32.exe 100 PID 1984 wrote to memory of 2136 1984 Mpebch32.exe 100 PID 2136 wrote to memory of 4020 2136 Mdqncffd.exe 101 PID 2136 wrote to memory of 4020 2136 Mdqncffd.exe 101 PID 2136 wrote to memory of 4020 2136 Mdqncffd.exe 101 PID 4020 wrote to memory of 2504 4020 Mccooc32.exe 102
Processes
-
C:\Users\Admin\AppData\Local\Temp\713a2705788437e7c5fdf46a0b911f3f1f36215ade19188864c9180ed0952c00.exe"C:\Users\Admin\AppData\Local\Temp\713a2705788437e7c5fdf46a0b911f3f1f36215ade19188864c9180ed0952c00.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1656 -
C:\Windows\SysWOW64\Lpicgihh.exeC:\Windows\system32\Lpicgihh.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2852 -
C:\Windows\SysWOW64\Lfckdcoe.exeC:\Windows\system32\Lfckdcoe.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4684 -
C:\Windows\SysWOW64\Lefkpq32.exeC:\Windows\system32\Lefkpq32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1264 -
C:\Windows\SysWOW64\Ldgkmhno.exeC:\Windows\system32\Ldgkmhno.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1104 -
C:\Windows\SysWOW64\Leihep32.exeC:\Windows\system32\Leihep32.exe6⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2972 -
C:\Windows\SysWOW64\Llbpbjlj.exeC:\Windows\system32\Llbpbjlj.exe7⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2244 -
C:\Windows\SysWOW64\Lekekp32.exeC:\Windows\system32\Lekekp32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4408 -
C:\Windows\SysWOW64\Lmbmlmbl.exeC:\Windows\system32\Lmbmlmbl.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1664 -
C:\Windows\SysWOW64\Ldlehg32.exeC:\Windows\system32\Ldlehg32.exe10⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2548 -
C:\Windows\SysWOW64\Memapppg.exeC:\Windows\system32\Memapppg.exe11⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2484 -
C:\Windows\SysWOW64\Mmdiamqj.exeC:\Windows\system32\Mmdiamqj.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Windows\SysWOW64\Mpcenhpn.exeC:\Windows\system32\Mpcenhpn.exe13⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4564 -
C:\Windows\SysWOW64\Mdnang32.exeC:\Windows\system32\Mdnang32.exe14⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4580 -
C:\Windows\SysWOW64\Mcabjcoa.exeC:\Windows\system32\Mcabjcoa.exe15⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2660 -
C:\Windows\SysWOW64\Mepnfone.exeC:\Windows\system32\Mepnfone.exe16⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4964 -
C:\Windows\SysWOW64\Mikjfn32.exeC:\Windows\system32\Mikjfn32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3264 -
C:\Windows\SysWOW64\Mmgfgl32.exeC:\Windows\system32\Mmgfgl32.exe18⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:396 -
C:\Windows\SysWOW64\Mljfbiea.exeC:\Windows\system32\Mljfbiea.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5044 -
C:\Windows\SysWOW64\Mpebch32.exeC:\Windows\system32\Mpebch32.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1984 -
C:\Windows\SysWOW64\Mdqncffd.exeC:\Windows\system32\Mdqncffd.exe21⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2136 -
C:\Windows\SysWOW64\Mccooc32.exeC:\Windows\system32\Mccooc32.exe22⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4020 -
C:\Windows\SysWOW64\Mgokpbeh.exeC:\Windows\system32\Mgokpbeh.exe23⤵
- Executes dropped EXE
- Modifies registry class
PID:2504 -
C:\Windows\SysWOW64\Mebkko32.exeC:\Windows\system32\Mebkko32.exe24⤵
- Executes dropped EXE
PID:1532 -
C:\Windows\SysWOW64\Minglmdk.exeC:\Windows\system32\Minglmdk.exe25⤵
- Executes dropped EXE
PID:2816 -
C:\Windows\SysWOW64\Mmicll32.exeC:\Windows\system32\Mmicll32.exe26⤵
- Executes dropped EXE
PID:4996 -
C:\Windows\SysWOW64\Mpgoig32.exeC:\Windows\system32\Mpgoig32.exe27⤵
- Executes dropped EXE
PID:2100 -
C:\Windows\SysWOW64\Mdckifda.exeC:\Windows\system32\Mdckifda.exe28⤵
- Executes dropped EXE
PID:4076 -
C:\Windows\SysWOW64\Mcfkec32.exeC:\Windows\system32\Mcfkec32.exe29⤵
- Executes dropped EXE
PID:2724 -
C:\Windows\SysWOW64\Mgageace.exeC:\Windows\system32\Mgageace.exe30⤵
- Executes dropped EXE
PID:2948 -
C:\Windows\SysWOW64\Medgan32.exeC:\Windows\system32\Medgan32.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2432 -
C:\Windows\SysWOW64\Mipcambi.exeC:\Windows\system32\Mipcambi.exe32⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2640 -
C:\Windows\SysWOW64\Mmkpbl32.exeC:\Windows\system32\Mmkpbl32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3872 -
C:\Windows\SysWOW64\Mlnpnh32.exeC:\Windows\system32\Mlnpnh32.exe34⤵
- Executes dropped EXE
PID:3568 -
C:\Windows\SysWOW64\Mpjlngje.exeC:\Windows\system32\Mpjlngje.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1400 -
C:\Windows\SysWOW64\Mdehof32.exeC:\Windows\system32\Mdehof32.exe36⤵
- Executes dropped EXE
PID:2336 -
C:\Windows\SysWOW64\Mchhjbii.exeC:\Windows\system32\Mchhjbii.exe37⤵
- Executes dropped EXE
PID:2276 -
C:\Windows\SysWOW64\Megdfnhm.exeC:\Windows\system32\Megdfnhm.exe38⤵
- Executes dropped EXE
PID:2296 -
C:\Windows\SysWOW64\Mibpgm32.exeC:\Windows\system32\Mibpgm32.exe39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3596 -
C:\Windows\SysWOW64\Mnnlgkho.exeC:\Windows\system32\Mnnlgkho.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:4112 -
C:\Windows\SysWOW64\Mplhdghc.exeC:\Windows\system32\Mplhdghc.exe41⤵
- Executes dropped EXE
PID:2440 -
C:\Windows\SysWOW64\Ndhdde32.exeC:\Windows\system32\Ndhdde32.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4840 -
C:\Windows\SysWOW64\Nckepbgf.exeC:\Windows\system32\Nckepbgf.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1720 -
C:\Windows\SysWOW64\Ngfqqa32.exeC:\Windows\system32\Ngfqqa32.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:1548 -
C:\Windows\SysWOW64\Neialnfj.exeC:\Windows\system32\Neialnfj.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3396 -
C:\Windows\SysWOW64\Nidmml32.exeC:\Windows\system32\Nidmml32.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3504 -
C:\Windows\SysWOW64\Nlciih32.exeC:\Windows\system32\Nlciih32.exe47⤵
- Executes dropped EXE
PID:2652 -
C:\Windows\SysWOW64\Npoeif32.exeC:\Windows\system32\Npoeif32.exe48⤵
- Executes dropped EXE
PID:2544 -
C:\Windows\SysWOW64\Ndjajeni.exeC:\Windows\system32\Ndjajeni.exe49⤵
- Executes dropped EXE
PID:4352 -
C:\Windows\SysWOW64\Nghmfqmm.exeC:\Windows\system32\Nghmfqmm.exe50⤵
- Executes dropped EXE
PID:4772 -
C:\Windows\SysWOW64\Neknam32.exeC:\Windows\system32\Neknam32.exe51⤵
- Executes dropped EXE
PID:868 -
C:\Windows\SysWOW64\Nnbebk32.exeC:\Windows\system32\Nnbebk32.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4000 -
C:\Windows\SysWOW64\Nlefngkd.exeC:\Windows\system32\Nlefngkd.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1148 -
C:\Windows\SysWOW64\Npabof32.exeC:\Windows\system32\Npabof32.exe54⤵
- Executes dropped EXE
PID:5040 -
C:\Windows\SysWOW64\Nconka32.exeC:\Windows\system32\Nconka32.exe55⤵
- Executes dropped EXE
PID:4568 -
C:\Windows\SysWOW64\Ngkjlpkj.exeC:\Windows\system32\Ngkjlpkj.exe56⤵
- Executes dropped EXE
PID:2120 -
C:\Windows\SysWOW64\Njifhljn.exeC:\Windows\system32\Njifhljn.exe57⤵
- Executes dropped EXE
PID:3772 -
C:\Windows\SysWOW64\Nnebhj32.exeC:\Windows\system32\Nnebhj32.exe58⤵
- Executes dropped EXE
PID:5104 -
C:\Windows\SysWOW64\Nlhbdgia.exeC:\Windows\system32\Nlhbdgia.exe59⤵
- Executes dropped EXE
PID:1696 -
C:\Windows\SysWOW64\Npcodf32.exeC:\Windows\system32\Npcodf32.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4700 -
C:\Windows\SysWOW64\Ncakqaqo.exeC:\Windows\system32\Ncakqaqo.exe61⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4276 -
C:\Windows\SysWOW64\Ngmgap32.exeC:\Windows\system32\Ngmgap32.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:3960 -
C:\Windows\SysWOW64\Njlcmk32.exeC:\Windows\system32\Njlcmk32.exe63⤵
- Executes dropped EXE
PID:244 -
C:\Windows\SysWOW64\Nngonjqd.exeC:\Windows\system32\Nngonjqd.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2892 -
C:\Windows\SysWOW64\Npekjeph.exeC:\Windows\system32\Npekjeph.exe65⤵
- Executes dropped EXE
PID:4752 -
C:\Windows\SysWOW64\Ndagjd32.exeC:\Windows\system32\Ndagjd32.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1832 -
C:\Windows\SysWOW64\Ncdgfaol.exeC:\Windows\system32\Ncdgfaol.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1000 -
C:\Windows\SysWOW64\Nfbdblnp.exeC:\Windows\system32\Nfbdblnp.exe68⤵PID:2528
-
C:\Windows\SysWOW64\Njnpck32.exeC:\Windows\system32\Njnpck32.exe69⤵PID:3224
-
C:\Windows\SysWOW64\Nnilcjnb.exeC:\Windows\system32\Nnilcjnb.exe70⤵PID:4072
-
C:\Windows\SysWOW64\Ophhpene.exeC:\Windows\system32\Ophhpene.exe71⤵PID:4436
-
C:\Windows\SysWOW64\Ocfdlqmi.exeC:\Windows\system32\Ocfdlqmi.exe72⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4532 -
C:\Windows\SysWOW64\Ogbploeb.exeC:\Windows\system32\Ogbploeb.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3092 -
C:\Windows\SysWOW64\Ofeqhl32.exeC:\Windows\system32\Ofeqhl32.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:976 -
C:\Windows\SysWOW64\Onlhii32.exeC:\Windows\system32\Onlhii32.exe75⤵
- Drops file in System32 directory
PID:4888 -
C:\Windows\SysWOW64\Oloidfcj.exeC:\Windows\system32\Oloidfcj.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4216 -
C:\Windows\SysWOW64\Opjeee32.exeC:\Windows\system32\Opjeee32.exe77⤵PID:2192
-
C:\Windows\SysWOW64\Ociaap32.exeC:\Windows\system32\Ociaap32.exe78⤵PID:2552
-
C:\Windows\SysWOW64\Ogdmaocp.exeC:\Windows\system32\Ogdmaocp.exe79⤵PID:3640
-
C:\Windows\SysWOW64\Ofgmml32.exeC:\Windows\system32\Ofgmml32.exe80⤵PID:1920
-
C:\Windows\SysWOW64\Onneoi32.exeC:\Windows\system32\Onneoi32.exe81⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5112 -
C:\Windows\SysWOW64\Olaejfag.exeC:\Windows\system32\Olaejfag.exe82⤵PID:1552
-
C:\Windows\SysWOW64\Odhmkcbi.exeC:\Windows\system32\Odhmkcbi.exe83⤵PID:3076
-
C:\Windows\SysWOW64\Ockngp32.exeC:\Windows\system32\Ockngp32.exe84⤵PID:3704
-
C:\Windows\SysWOW64\Ogfjgo32.exeC:\Windows\system32\Ogfjgo32.exe85⤵
- System Location Discovery: System Language Discovery
PID:1512 -
C:\Windows\SysWOW64\Ojefcj32.exeC:\Windows\system32\Ojefcj32.exe86⤵PID:420
-
C:\Windows\SysWOW64\Onqbdihj.exeC:\Windows\system32\Onqbdihj.exe87⤵PID:2740
-
C:\Windows\SysWOW64\Oqonpdgn.exeC:\Windows\system32\Oqonpdgn.exe88⤵PID:1860
-
C:\Windows\SysWOW64\Odjjqc32.exeC:\Windows\system32\Odjjqc32.exe89⤵PID:1040
-
C:\Windows\SysWOW64\Ocmjlpfa.exeC:\Windows\system32\Ocmjlpfa.exe90⤵PID:2252
-
C:\Windows\SysWOW64\Oflfhkee.exeC:\Windows\system32\Oflfhkee.exe91⤵
- Drops file in System32 directory
PID:3608 -
C:\Windows\SysWOW64\Ojgbij32.exeC:\Windows\system32\Ojgbij32.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4520 -
C:\Windows\SysWOW64\Olfoee32.exeC:\Windows\system32\Olfoee32.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:4152 -
C:\Windows\SysWOW64\Oqakfdek.exeC:\Windows\system32\Oqakfdek.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1368 -
C:\Windows\SysWOW64\Odmgfb32.exeC:\Windows\system32\Odmgfb32.exe95⤵
- Modifies registry class
PID:3088 -
C:\Windows\SysWOW64\Ogkcbn32.exeC:\Windows\system32\Ogkcbn32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2012 -
C:\Windows\SysWOW64\Ofncnkcb.exeC:\Windows\system32\Ofncnkcb.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2636 -
C:\Windows\SysWOW64\Ojjooilk.exeC:\Windows\system32\Ojjooilk.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5028 -
C:\Windows\SysWOW64\Omhlkeko.exeC:\Windows\system32\Omhlkeko.exe99⤵PID:1128
-
C:\Windows\SysWOW64\Pqcgkc32.exeC:\Windows\system32\Pqcgkc32.exe100⤵PID:3048
-
C:\Windows\SysWOW64\Pcbdgo32.exeC:\Windows\system32\Pcbdgo32.exe101⤵
- Drops file in System32 directory
PID:712 -
C:\Windows\SysWOW64\Pgnphnke.exeC:\Windows\system32\Pgnphnke.exe102⤵PID:4084
-
C:\Windows\SysWOW64\Pfqpcj32.exeC:\Windows\system32\Pfqpcj32.exe103⤵PID:972
-
C:\Windows\SysWOW64\Pnghdh32.exeC:\Windows\system32\Pnghdh32.exe104⤵PID:4716
-
C:\Windows\SysWOW64\Pmjhpdil.exeC:\Windows\system32\Pmjhpdil.exe105⤵PID:3288
-
C:\Windows\SysWOW64\Pqfdac32.exeC:\Windows\system32\Pqfdac32.exe106⤵
- Drops file in System32 directory
PID:1764 -
C:\Windows\SysWOW64\Pcdqmo32.exeC:\Windows\system32\Pcdqmo32.exe107⤵
- Modifies registry class
PID:4632 -
C:\Windows\SysWOW64\Pgplnmib.exeC:\Windows\system32\Pgplnmib.exe108⤵PID:4736
-
C:\Windows\SysWOW64\Pgbicm32.exeC:\Windows\system32\Pgbicm32.exe109⤵PID:2468
-
C:\Windows\SysWOW64\Pjqeoh32.exeC:\Windows\system32\Pjqeoh32.exe110⤵PID:1772
-
C:\Windows\SysWOW64\Pnlapgnl.exeC:\Windows\system32\Pnlapgnl.exe111⤵PID:2708
-
C:\Windows\SysWOW64\Pfgfdikg.exeC:\Windows\system32\Pfgfdikg.exe112⤵PID:3240
-
C:\Windows\SysWOW64\Pqmjab32.exeC:\Windows\system32\Pqmjab32.exe113⤵PID:984
-
C:\Windows\SysWOW64\Pckfnn32.exeC:\Windows\system32\Pckfnn32.exe114⤵
- Drops file in System32 directory
PID:1740 -
C:\Windows\SysWOW64\Pfjcji32.exeC:\Windows\system32\Pfjcji32.exe115⤵PID:3812
-
C:\Windows\SysWOW64\Pjeojhbn.exeC:\Windows\system32\Pjeojhbn.exe116⤵PID:1840
-
C:\Windows\SysWOW64\Qmdkfcaa.exeC:\Windows\system32\Qmdkfcaa.exe117⤵PID:3544
-
C:\Windows\SysWOW64\Qdkcgqad.exeC:\Windows\system32\Qdkcgqad.exe118⤵PID:4952
-
C:\Windows\SysWOW64\Qcnccm32.exeC:\Windows\system32\Qcnccm32.exe119⤵PID:4584
-
C:\Windows\SysWOW64\Qcppimfl.exeC:\Windows\system32\Qcppimfl.exe120⤵PID:448
-
C:\Windows\SysWOW64\Qgllil32.exeC:\Windows\system32\Qgllil32.exe121⤵PID:4268
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-