Analysis
-
max time kernel
33s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
18-12-2024 03:47
Behavioral task
behavioral1
Sample
2884d1c5591487a6bb3a76f18f152aa67fd768b0a7ebaa8804024c23a1a633aeN.exe
Resource
win7-20240903-en
windows7-x64
12 signatures
120 seconds
General
-
Target
2884d1c5591487a6bb3a76f18f152aa67fd768b0a7ebaa8804024c23a1a633aeN.exe
-
Size
93KB
-
MD5
83d498ed48f4e1fdf8a32cd3c44ccfc0
-
SHA1
0a21caafc7f2ea2dc6c836a38520bd876cf9771f
-
SHA256
2884d1c5591487a6bb3a76f18f152aa67fd768b0a7ebaa8804024c23a1a633ae
-
SHA512
7bab72dbf3bf4321ca6e7079c39ddda2ef5d8656dc51a52693ed1054d3832b7f331f7c5fed6fc5e5822e64705d2e0683fe404fc86caa3171947ac1c1a30048ec
-
SSDEEP
1536:mT1mQLlTSFjnZXwDC8gaqrzbx1DaYfMZRWuLsV+1L:I1mQ5eBSDcvxgYfc0DV+1L
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mobfgdcl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adlcfjgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Egjbdo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjbeofpp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffodjh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljfapjbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dkfbfjdf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eccpoo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bfqpecma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ieajkfmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jhdihkcj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mikhgqbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bgqcjlhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fgcejm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfidjbdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jdhgnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bgibnj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Golbnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mbhlek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mlkail32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Egahen32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Heikgh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idcacc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bqeqqk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imiigiab.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlgimqhf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lahmbo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mbeiefff.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Endjaief.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iabhah32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bajqfq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nnoiio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Piicpk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kgpmjf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gjpqpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fpmbfbgo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmlael32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nfcbldmm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnbdko32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmlgfnal.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppkhhjei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmkilb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkmlmbcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kopokehd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdiogq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgfkmgnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eogmcjef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hebnlb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hcigco32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Illbhp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlkail32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbajkiof.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhhgcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmojkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mcqombic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cgkocj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgllgedi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbjlaplk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmdgbp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oehklddp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbdlkj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gegabegc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lnbdko32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkfddc32.exe -
Berbew family
-
Njrat family
-
Executes dropped EXE 64 IoCs
pid Process 2724 Fcbbjcif.exe 2704 Fpicodoj.exe 2792 Ffcllo32.exe 2620 Gbjlaplk.exe 2700 Gejebk32.exe 2796 Gppipc32.exe 376 Ghkndf32.exe 2224 Gbqbaofc.exe 2848 Ghmkjedk.exe 1560 Gmjcblbb.exe 2028 Hhpgpebh.exe 2396 Hpkldg32.exe 1488 Hajinjff.exe 1868 Hifmbmda.exe 876 Hdkape32.exe 2296 Hmcfhkjg.exe 1324 Heokmmgb.exe 1908 Ilicig32.exe 1552 Iimcclni.exe 1124 Iknpkd32.exe 556 Ibehla32.exe 2372 Idfdcijh.exe 1228 Imoilo32.exe 2340 Idiaii32.exe 2336 Iggned32.exe 2492 Ippbnjni.exe 2876 Ihfjognl.exe 1572 Iaonhm32.exe 2856 Jcbhee32.exe 2744 Jeadap32.exe 2596 Jjomgo32.exe 2204 Jlmicj32.exe 776 Jolepe32.exe 2516 Jhdihkcj.exe 2956 Jhffnk32.exe 1532 Kopokehd.exe 2920 Kobkpdfa.exe 2400 Kbaglpee.exe 1956 Kqfdnljm.exe 1160 Kgpmjf32.exe 2108 Knmamp32.exe 824 Kqknil32.exe 1884 Kcijeg32.exe 828 Lqmjnk32.exe 1204 Ljfogake.exe 684 Lmdkcl32.exe 3064 Lobgoh32.exe 2444 Lbackc32.exe 272 Leopgo32.exe 2504 Lmfhil32.exe 2728 Lkihdioa.exe 3000 Lnhdqdnd.exe 2740 Liminmmk.exe 2932 Lklejh32.exe 2288 Lahmbo32.exe 2052 Lgbeoibb.exe 2144 Mbhjlbbh.exe 2940 Meffhnal.exe 2976 Mmakmp32.exe 2100 Mamgmofp.exe 1152 Mclcijfd.exe 2088 Mfjoeeeh.exe 348 Mmdgbp32.exe 1864 Mcnpojca.exe -
Loads dropped DLL 64 IoCs
pid Process 2316 2884d1c5591487a6bb3a76f18f152aa67fd768b0a7ebaa8804024c23a1a633aeN.exe 2316 2884d1c5591487a6bb3a76f18f152aa67fd768b0a7ebaa8804024c23a1a633aeN.exe 2724 Fcbbjcif.exe 2724 Fcbbjcif.exe 2704 Fpicodoj.exe 2704 Fpicodoj.exe 2792 Ffcllo32.exe 2792 Ffcllo32.exe 2620 Gbjlaplk.exe 2620 Gbjlaplk.exe 2700 Gejebk32.exe 2700 Gejebk32.exe 2796 Gppipc32.exe 2796 Gppipc32.exe 376 Ghkndf32.exe 376 Ghkndf32.exe 2224 Gbqbaofc.exe 2224 Gbqbaofc.exe 2848 Ghmkjedk.exe 2848 Ghmkjedk.exe 1560 Gmjcblbb.exe 1560 Gmjcblbb.exe 2028 Hhpgpebh.exe 2028 Hhpgpebh.exe 2396 Hpkldg32.exe 2396 Hpkldg32.exe 1488 Hajinjff.exe 1488 Hajinjff.exe 1868 Hifmbmda.exe 1868 Hifmbmda.exe 876 Hdkape32.exe 876 Hdkape32.exe 2296 Hmcfhkjg.exe 2296 Hmcfhkjg.exe 1324 Heokmmgb.exe 1324 Heokmmgb.exe 1908 Ilicig32.exe 1908 Ilicig32.exe 1552 Iimcclni.exe 1552 Iimcclni.exe 1124 Iknpkd32.exe 1124 Iknpkd32.exe 556 Ibehla32.exe 556 Ibehla32.exe 2372 Idfdcijh.exe 2372 Idfdcijh.exe 1228 Imoilo32.exe 1228 Imoilo32.exe 2340 Idiaii32.exe 2340 Idiaii32.exe 2336 Iggned32.exe 2336 Iggned32.exe 2492 Ippbnjni.exe 2492 Ippbnjni.exe 2876 Ihfjognl.exe 2876 Ihfjognl.exe 1572 Iaonhm32.exe 1572 Iaonhm32.exe 2856 Jcbhee32.exe 2856 Jcbhee32.exe 2744 Jeadap32.exe 2744 Jeadap32.exe 2596 Jjomgo32.exe 2596 Jjomgo32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Lmdkcl32.exe Ljfogake.exe File created C:\Windows\SysWOW64\Jjndlebb.dll Jofejpmc.exe File created C:\Windows\SysWOW64\Mqdkdffe.dll Qobbofgn.exe File created C:\Windows\SysWOW64\Ajnpecbj.exe Qhmcmk32.exe File opened for modification C:\Windows\SysWOW64\Koaqcn32.exe Khghgchk.exe File created C:\Windows\SysWOW64\Cagienkb.exe Cpfmmf32.exe File created C:\Windows\SysWOW64\Fphoebme.dll Cmmagpef.exe File opened for modification C:\Windows\SysWOW64\Ekjgpm32.exe Eccpoo32.exe File opened for modification C:\Windows\SysWOW64\Ggcaiqhj.exe Gqiimfam.exe File created C:\Windows\SysWOW64\Lmkcam32.dll Qaqnkafa.exe File created C:\Windows\SysWOW64\Gqiimfam.exe Gjpqpl32.exe File created C:\Windows\SysWOW64\Lkakicam.exe Kdhcli32.exe File created C:\Windows\SysWOW64\Opaebkmc.exe Omcifpnp.exe File opened for modification C:\Windows\SysWOW64\Eaeipfei.exe Eogmcjef.exe File opened for modification C:\Windows\SysWOW64\Piicpk32.exe Obokcqhk.exe File opened for modification C:\Windows\SysWOW64\Bgcbhd32.exe Boljgg32.exe File opened for modification C:\Windows\SysWOW64\Jolepe32.exe Jlmicj32.exe File created C:\Windows\SysWOW64\Iphhqinm.dll Bbmapj32.exe File created C:\Windows\SysWOW64\Eacpijip.dll Ekjgpm32.exe File created C:\Windows\SysWOW64\Mnifja32.exe Mhonngce.exe File created C:\Windows\SysWOW64\Nadimacd.exe Noemqe32.exe File created C:\Windows\SysWOW64\Kgckfd32.dll Bibpad32.exe File created C:\Windows\SysWOW64\Eccpoo32.exe Epecbd32.exe File created C:\Windows\SysWOW64\Lilfnc32.dll Ohfqmi32.exe File created C:\Windows\SysWOW64\Ikmpacaf.dll Eoepnk32.exe File created C:\Windows\SysWOW64\Oeopijom.dll Cinafkkd.exe File created C:\Windows\SysWOW64\Hbefdnjd.dll Caaggpdh.exe File opened for modification C:\Windows\SysWOW64\Golbnm32.exe Gkpfmnlb.exe File opened for modification C:\Windows\SysWOW64\Hgpjhn32.exe Hebnlb32.exe File created C:\Windows\SysWOW64\Kheoph32.dll Nfahomfd.exe File created C:\Windows\SysWOW64\Bgcbhd32.exe Boljgg32.exe File created C:\Windows\SysWOW64\Coacbfii.exe Bigkel32.exe File opened for modification C:\Windows\SysWOW64\Ieomef32.exe Hbaaik32.exe File created C:\Windows\SysWOW64\Pkmlmbcd.exe Pljlbf32.exe File created C:\Windows\SysWOW64\Oijoab32.dll Lkihdioa.exe File created C:\Windows\SysWOW64\Ljecmgch.dll Acekjjmk.exe File created C:\Windows\SysWOW64\Cohkpj32.exe Cljodo32.exe File created C:\Windows\SysWOW64\Lqncaj32.exe Lomgjb32.exe File opened for modification C:\Windows\SysWOW64\Miehak32.exe Mfglep32.exe File created C:\Windows\SysWOW64\Ffodjh32.exe Fdmhbplb.exe File created C:\Windows\SysWOW64\Fglmnmlc.dll Dkfbfjdf.exe File created C:\Windows\SysWOW64\Homdlljo.dll Kjleflod.exe File opened for modification C:\Windows\SysWOW64\Mioabp32.exe Mbeiefff.exe File opened for modification C:\Windows\SysWOW64\Hnmeen32.exe Hloiib32.exe File opened for modification C:\Windows\SysWOW64\Kdpfadlm.exe Kaajei32.exe File created C:\Windows\SysWOW64\Bmibgd32.exe Bnfblgca.exe File created C:\Windows\SysWOW64\Nogobaio.dll Kghpoa32.exe File created C:\Windows\SysWOW64\Fkfklboi.dll Mhonngce.exe File opened for modification C:\Windows\SysWOW64\Pdgmlhha.exe Pojecajj.exe File created C:\Windows\SysWOW64\Bjkhdacm.exe Bgllgedi.exe File opened for modification C:\Windows\SysWOW64\Cheido32.exe Cpnaca32.exe File created C:\Windows\SysWOW64\Ffphgohm.dll Gjpqpl32.exe File created C:\Windows\SysWOW64\Ingkfk32.dll Amaelomh.exe File opened for modification C:\Windows\SysWOW64\Filgbdfd.exe Fdpkbf32.exe File created C:\Windows\SysWOW64\Ggcaiqhj.exe Gqiimfam.exe File created C:\Windows\SysWOW64\Jlckbh32.exe Jnpkflne.exe File opened for modification C:\Windows\SysWOW64\Jampjian.exe Jkchmo32.exe File created C:\Windows\SysWOW64\Oklnff32.exe Nadimacd.exe File created C:\Windows\SysWOW64\Achdqg32.dll Pojbkh32.exe File created C:\Windows\SysWOW64\Hphidanj.exe Hmjlhfof.exe File created C:\Windows\SysWOW64\Mkddnf32.exe Miehak32.exe File created C:\Windows\SysWOW64\Pfkhoe32.dll Bkpeci32.exe File created C:\Windows\SysWOW64\Gdfaom32.dll Jhffnk32.exe File created C:\Windows\SysWOW64\Epkpbiah.dll Pgnjde32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 7184 7068 WerFault.exe 717 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2884d1c5591487a6bb3a76f18f152aa67fd768b0a7ebaa8804024c23a1a633aeN.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfkkpmko.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgkocj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afffenbp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nkhdkgnj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjdnlhco.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Illbhp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnfblgca.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imiigiab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmmmfc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eoepnk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhgnaehm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jofejpmc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfnneb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpmjhk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gepafc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Piicpk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aebmjo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khghgchk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgqkbb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljfogake.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhlddkmc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oaaifdhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjicfk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibejdjln.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpkldg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlelhe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omqlpp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppkhhjei.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qobbofgn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibcnojnp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pafbadcm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Debplg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnihdemo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkchmo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnhdqdnd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfjoeeeh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omcifpnp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkbcbn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfahomfd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opqoge32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjkhdacm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhiholof.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocllehcj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdhcli32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ieajkfmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mikhgqbi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcokiaji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cicalakk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jampjian.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fggkcl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbefcm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpigma32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdgmlhha.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Paknelgk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ciihklpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hifmbmda.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cifelgmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdeqfhjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agjobffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nidkmojn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdpkbf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olophhjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edibhmml.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iikepamg.dll" Ajcipc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dmojkc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mcqombic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkijnbae.dll" Mfjoeeeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oaffbqaa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Amnocpdk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ekfndmfb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ppfomk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oncobd32.dll" Kaajei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jclnhnji.dll" Bjbeofpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fgdnnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebfbbc32.dll" Aababceh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Popnbp32.dll" Elldgehk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nenakoho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckboie32.dll" Qqfkln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aebmjo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nlbgikia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ecfldoph.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aknlofim.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Baojapfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eecafd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mfmndn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Helgmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldcinhie.dll" Obhdcanc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eijdkcgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fdiogq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bjmeiq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kgpmjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ianinp32.dll" Pakllc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Amnocpdk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ppkhhjei.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Akcldl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iocnkj32.dll" Mkndhabp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jeadap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jlhhndno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Piicpk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Boljgg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ihbcmaje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nplfdj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aoohekal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fbbofjnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iiegdegb.dll" Mkddnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkhabhbn.dll" Bnihdemo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nmkplgnq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nhjjgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjhocpkj.dll" Nkhdkgnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Phnnho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Baigca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pgnjde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oijjka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Egikjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dombicdm.dll" Opnbbe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lmljgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Abegfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dhiomn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gkbcbn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cmbalfem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llkcqmgj.dll" Nfkapb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oehklddp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ajgbkbjp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cfcijf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hbaaik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bmpkqklh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kgpmjf32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2316 wrote to memory of 2724 2316 2884d1c5591487a6bb3a76f18f152aa67fd768b0a7ebaa8804024c23a1a633aeN.exe 30 PID 2316 wrote to memory of 2724 2316 2884d1c5591487a6bb3a76f18f152aa67fd768b0a7ebaa8804024c23a1a633aeN.exe 30 PID 2316 wrote to memory of 2724 2316 2884d1c5591487a6bb3a76f18f152aa67fd768b0a7ebaa8804024c23a1a633aeN.exe 30 PID 2316 wrote to memory of 2724 2316 2884d1c5591487a6bb3a76f18f152aa67fd768b0a7ebaa8804024c23a1a633aeN.exe 30 PID 2724 wrote to memory of 2704 2724 Fcbbjcif.exe 31 PID 2724 wrote to memory of 2704 2724 Fcbbjcif.exe 31 PID 2724 wrote to memory of 2704 2724 Fcbbjcif.exe 31 PID 2724 wrote to memory of 2704 2724 Fcbbjcif.exe 31 PID 2704 wrote to memory of 2792 2704 Fpicodoj.exe 32 PID 2704 wrote to memory of 2792 2704 Fpicodoj.exe 32 PID 2704 wrote to memory of 2792 2704 Fpicodoj.exe 32 PID 2704 wrote to memory of 2792 2704 Fpicodoj.exe 32 PID 2792 wrote to memory of 2620 2792 Ffcllo32.exe 33 PID 2792 wrote to memory of 2620 2792 Ffcllo32.exe 33 PID 2792 wrote to memory of 2620 2792 Ffcllo32.exe 33 PID 2792 wrote to memory of 2620 2792 Ffcllo32.exe 33 PID 2620 wrote to memory of 2700 2620 Gbjlaplk.exe 34 PID 2620 wrote to memory of 2700 2620 Gbjlaplk.exe 34 PID 2620 wrote to memory of 2700 2620 Gbjlaplk.exe 34 PID 2620 wrote to memory of 2700 2620 Gbjlaplk.exe 34 PID 2700 wrote to memory of 2796 2700 Gejebk32.exe 35 PID 2700 wrote to memory of 2796 2700 Gejebk32.exe 35 PID 2700 wrote to memory of 2796 2700 Gejebk32.exe 35 PID 2700 wrote to memory of 2796 2700 Gejebk32.exe 35 PID 2796 wrote to memory of 376 2796 Gppipc32.exe 36 PID 2796 wrote to memory of 376 2796 Gppipc32.exe 36 PID 2796 wrote to memory of 376 2796 Gppipc32.exe 36 PID 2796 wrote to memory of 376 2796 Gppipc32.exe 36 PID 376 wrote to memory of 2224 376 Ghkndf32.exe 37 PID 376 wrote to memory of 2224 376 Ghkndf32.exe 37 PID 376 wrote to memory of 2224 376 Ghkndf32.exe 37 PID 376 wrote to memory of 2224 376 Ghkndf32.exe 37 PID 2224 wrote to memory of 2848 2224 Gbqbaofc.exe 38 PID 2224 wrote to memory of 2848 2224 Gbqbaofc.exe 38 PID 2224 wrote to memory of 2848 2224 Gbqbaofc.exe 38 PID 2224 wrote to memory of 2848 2224 Gbqbaofc.exe 38 PID 2848 wrote to memory of 1560 2848 Ghmkjedk.exe 39 PID 2848 wrote to memory of 1560 2848 Ghmkjedk.exe 39 PID 2848 wrote to memory of 1560 2848 Ghmkjedk.exe 39 PID 2848 wrote to memory of 1560 2848 Ghmkjedk.exe 39 PID 1560 wrote to memory of 2028 1560 Gmjcblbb.exe 40 PID 1560 wrote to memory of 2028 1560 Gmjcblbb.exe 40 PID 1560 wrote to memory of 2028 1560 Gmjcblbb.exe 40 PID 1560 wrote to memory of 2028 1560 Gmjcblbb.exe 40 PID 2028 wrote to memory of 2396 2028 Hhpgpebh.exe 41 PID 2028 wrote to memory of 2396 2028 Hhpgpebh.exe 41 PID 2028 wrote to memory of 2396 2028 Hhpgpebh.exe 41 PID 2028 wrote to memory of 2396 2028 Hhpgpebh.exe 41 PID 2396 wrote to memory of 1488 2396 Hpkldg32.exe 42 PID 2396 wrote to memory of 1488 2396 Hpkldg32.exe 42 PID 2396 wrote to memory of 1488 2396 Hpkldg32.exe 42 PID 2396 wrote to memory of 1488 2396 Hpkldg32.exe 42 PID 1488 wrote to memory of 1868 1488 Hajinjff.exe 43 PID 1488 wrote to memory of 1868 1488 Hajinjff.exe 43 PID 1488 wrote to memory of 1868 1488 Hajinjff.exe 43 PID 1488 wrote to memory of 1868 1488 Hajinjff.exe 43 PID 1868 wrote to memory of 876 1868 Hifmbmda.exe 44 PID 1868 wrote to memory of 876 1868 Hifmbmda.exe 44 PID 1868 wrote to memory of 876 1868 Hifmbmda.exe 44 PID 1868 wrote to memory of 876 1868 Hifmbmda.exe 44 PID 876 wrote to memory of 2296 876 Hdkape32.exe 45 PID 876 wrote to memory of 2296 876 Hdkape32.exe 45 PID 876 wrote to memory of 2296 876 Hdkape32.exe 45 PID 876 wrote to memory of 2296 876 Hdkape32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\2884d1c5591487a6bb3a76f18f152aa67fd768b0a7ebaa8804024c23a1a633aeN.exe"C:\Users\Admin\AppData\Local\Temp\2884d1c5591487a6bb3a76f18f152aa67fd768b0a7ebaa8804024c23a1a633aeN.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2316 -
C:\Windows\SysWOW64\Fcbbjcif.exeC:\Windows\system32\Fcbbjcif.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2724 -
C:\Windows\SysWOW64\Fpicodoj.exeC:\Windows\system32\Fpicodoj.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2704 -
C:\Windows\SysWOW64\Ffcllo32.exeC:\Windows\system32\Ffcllo32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2792 -
C:\Windows\SysWOW64\Gbjlaplk.exeC:\Windows\system32\Gbjlaplk.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2620 -
C:\Windows\SysWOW64\Gejebk32.exeC:\Windows\system32\Gejebk32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2700 -
C:\Windows\SysWOW64\Gppipc32.exeC:\Windows\system32\Gppipc32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2796 -
C:\Windows\SysWOW64\Ghkndf32.exeC:\Windows\system32\Ghkndf32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:376 -
C:\Windows\SysWOW64\Gbqbaofc.exeC:\Windows\system32\Gbqbaofc.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2224 -
C:\Windows\SysWOW64\Ghmkjedk.exeC:\Windows\system32\Ghmkjedk.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2848 -
C:\Windows\SysWOW64\Gmjcblbb.exeC:\Windows\system32\Gmjcblbb.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1560 -
C:\Windows\SysWOW64\Hhpgpebh.exeC:\Windows\system32\Hhpgpebh.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2028 -
C:\Windows\SysWOW64\Hpkldg32.exeC:\Windows\system32\Hpkldg32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2396 -
C:\Windows\SysWOW64\Hajinjff.exeC:\Windows\system32\Hajinjff.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1488 -
C:\Windows\SysWOW64\Hifmbmda.exeC:\Windows\system32\Hifmbmda.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1868 -
C:\Windows\SysWOW64\Hdkape32.exeC:\Windows\system32\Hdkape32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:876 -
C:\Windows\SysWOW64\Hmcfhkjg.exeC:\Windows\system32\Hmcfhkjg.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2296 -
C:\Windows\SysWOW64\Heokmmgb.exeC:\Windows\system32\Heokmmgb.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1324 -
C:\Windows\SysWOW64\Ilicig32.exeC:\Windows\system32\Ilicig32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1908 -
C:\Windows\SysWOW64\Iimcclni.exeC:\Windows\system32\Iimcclni.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1552 -
C:\Windows\SysWOW64\Iknpkd32.exeC:\Windows\system32\Iknpkd32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1124 -
C:\Windows\SysWOW64\Ibehla32.exeC:\Windows\system32\Ibehla32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:556 -
C:\Windows\SysWOW64\Idfdcijh.exeC:\Windows\system32\Idfdcijh.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2372 -
C:\Windows\SysWOW64\Imoilo32.exeC:\Windows\system32\Imoilo32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1228 -
C:\Windows\SysWOW64\Idiaii32.exeC:\Windows\system32\Idiaii32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2340 -
C:\Windows\SysWOW64\Iggned32.exeC:\Windows\system32\Iggned32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2336 -
C:\Windows\SysWOW64\Ippbnjni.exeC:\Windows\system32\Ippbnjni.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2492 -
C:\Windows\SysWOW64\Ihfjognl.exeC:\Windows\system32\Ihfjognl.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2876 -
C:\Windows\SysWOW64\Iaonhm32.exeC:\Windows\system32\Iaonhm32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1572 -
C:\Windows\SysWOW64\Jcbhee32.exeC:\Windows\system32\Jcbhee32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2856 -
C:\Windows\SysWOW64\Jeadap32.exeC:\Windows\system32\Jeadap32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2744 -
C:\Windows\SysWOW64\Jjomgo32.exeC:\Windows\system32\Jjomgo32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2596 -
C:\Windows\SysWOW64\Jlmicj32.exeC:\Windows\system32\Jlmicj32.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2204 -
C:\Windows\SysWOW64\Jolepe32.exeC:\Windows\system32\Jolepe32.exe34⤵
- Executes dropped EXE
PID:776 -
C:\Windows\SysWOW64\Jhdihkcj.exeC:\Windows\system32\Jhdihkcj.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2516 -
C:\Windows\SysWOW64\Jhffnk32.exeC:\Windows\system32\Jhffnk32.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2956 -
C:\Windows\SysWOW64\Kopokehd.exeC:\Windows\system32\Kopokehd.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1532 -
C:\Windows\SysWOW64\Kobkpdfa.exeC:\Windows\system32\Kobkpdfa.exe38⤵
- Executes dropped EXE
PID:2920 -
C:\Windows\SysWOW64\Kbaglpee.exeC:\Windows\system32\Kbaglpee.exe39⤵
- Executes dropped EXE
PID:2400 -
C:\Windows\SysWOW64\Kqfdnljm.exeC:\Windows\system32\Kqfdnljm.exe40⤵
- Executes dropped EXE
PID:1956 -
C:\Windows\SysWOW64\Kgpmjf32.exeC:\Windows\system32\Kgpmjf32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1160 -
C:\Windows\SysWOW64\Knmamp32.exeC:\Windows\system32\Knmamp32.exe42⤵
- Executes dropped EXE
PID:2108 -
C:\Windows\SysWOW64\Kqknil32.exeC:\Windows\system32\Kqknil32.exe43⤵
- Executes dropped EXE
PID:824 -
C:\Windows\SysWOW64\Kcijeg32.exeC:\Windows\system32\Kcijeg32.exe44⤵
- Executes dropped EXE
PID:1884 -
C:\Windows\SysWOW64\Lqmjnk32.exeC:\Windows\system32\Lqmjnk32.exe45⤵
- Executes dropped EXE
PID:828 -
C:\Windows\SysWOW64\Ljfogake.exeC:\Windows\system32\Ljfogake.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1204 -
C:\Windows\SysWOW64\Lmdkcl32.exeC:\Windows\system32\Lmdkcl32.exe47⤵
- Executes dropped EXE
PID:684 -
C:\Windows\SysWOW64\Lobgoh32.exeC:\Windows\system32\Lobgoh32.exe48⤵
- Executes dropped EXE
PID:3064 -
C:\Windows\SysWOW64\Lbackc32.exeC:\Windows\system32\Lbackc32.exe49⤵
- Executes dropped EXE
PID:2444 -
C:\Windows\SysWOW64\Leopgo32.exeC:\Windows\system32\Leopgo32.exe50⤵
- Executes dropped EXE
PID:272 -
C:\Windows\SysWOW64\Lmfhil32.exeC:\Windows\system32\Lmfhil32.exe51⤵
- Executes dropped EXE
PID:2504 -
C:\Windows\SysWOW64\Lkihdioa.exeC:\Windows\system32\Lkihdioa.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2728 -
C:\Windows\SysWOW64\Lnhdqdnd.exeC:\Windows\system32\Lnhdqdnd.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3000 -
C:\Windows\SysWOW64\Liminmmk.exeC:\Windows\system32\Liminmmk.exe54⤵
- Executes dropped EXE
PID:2740 -
C:\Windows\SysWOW64\Lklejh32.exeC:\Windows\system32\Lklejh32.exe55⤵
- Executes dropped EXE
PID:2932 -
C:\Windows\SysWOW64\Lahmbo32.exeC:\Windows\system32\Lahmbo32.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2288 -
C:\Windows\SysWOW64\Lgbeoibb.exeC:\Windows\system32\Lgbeoibb.exe57⤵
- Executes dropped EXE
PID:2052 -
C:\Windows\SysWOW64\Mbhjlbbh.exeC:\Windows\system32\Mbhjlbbh.exe58⤵
- Executes dropped EXE
PID:2144 -
C:\Windows\SysWOW64\Meffhnal.exeC:\Windows\system32\Meffhnal.exe59⤵
- Executes dropped EXE
PID:2940 -
C:\Windows\SysWOW64\Mmakmp32.exeC:\Windows\system32\Mmakmp32.exe60⤵
- Executes dropped EXE
PID:2976 -
C:\Windows\SysWOW64\Mamgmofp.exeC:\Windows\system32\Mamgmofp.exe61⤵
- Executes dropped EXE
PID:2100 -
C:\Windows\SysWOW64\Mclcijfd.exeC:\Windows\system32\Mclcijfd.exe62⤵
- Executes dropped EXE
PID:1152 -
C:\Windows\SysWOW64\Mfjoeeeh.exeC:\Windows\system32\Mfjoeeeh.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2088 -
C:\Windows\SysWOW64\Mmdgbp32.exeC:\Windows\system32\Mmdgbp32.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:348 -
C:\Windows\SysWOW64\Mcnpojca.exeC:\Windows\system32\Mcnpojca.exe65⤵
- Executes dropped EXE
PID:1864 -
C:\Windows\SysWOW64\Mikhgqbi.exeC:\Windows\system32\Mikhgqbi.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2160 -
C:\Windows\SysWOW64\Mpdqdkie.exeC:\Windows\system32\Mpdqdkie.exe67⤵PID:1288
-
C:\Windows\SysWOW64\Mdpldi32.exeC:\Windows\system32\Mdpldi32.exe68⤵PID:2376
-
C:\Windows\SysWOW64\Mjjdacik.exeC:\Windows\system32\Mjjdacik.exe69⤵PID:2140
-
C:\Windows\SysWOW64\Mlkail32.exeC:\Windows\system32\Mlkail32.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1508 -
C:\Windows\SysWOW64\Mbeiefff.exeC:\Windows\system32\Mbeiefff.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2064 -
C:\Windows\SysWOW64\Mioabp32.exeC:\Windows\system32\Mioabp32.exe72⤵PID:2712
-
C:\Windows\SysWOW64\Nlnnnk32.exeC:\Windows\system32\Nlnnnk32.exe73⤵PID:1708
-
C:\Windows\SysWOW64\Nfcbldmm.exeC:\Windows\system32\Nfcbldmm.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2580 -
C:\Windows\SysWOW64\Nianhplq.exeC:\Windows\system32\Nianhplq.exe75⤵PID:1528
-
C:\Windows\SysWOW64\Nplfdj32.exeC:\Windows\system32\Nplfdj32.exe76⤵
- Modifies registry class
PID:2212 -
C:\Windows\SysWOW64\Nbjcqe32.exeC:\Windows\system32\Nbjcqe32.exe77⤵PID:2896
-
C:\Windows\SysWOW64\Nidkmojn.exeC:\Windows\system32\Nidkmojn.exe78⤵
- System Location Discovery: System Language Discovery
PID:2332 -
C:\Windows\SysWOW64\Nlbgikia.exeC:\Windows\system32\Nlbgikia.exe79⤵
- Modifies registry class
PID:2948 -
C:\Windows\SysWOW64\Naopaa32.exeC:\Windows\system32\Naopaa32.exe80⤵PID:1856
-
C:\Windows\SysWOW64\Nhiholof.exeC:\Windows\system32\Nhiholof.exe81⤵
- System Location Discovery: System Language Discovery
PID:1296 -
C:\Windows\SysWOW64\Nkhdkgnj.exeC:\Windows\system32\Nkhdkgnj.exe82⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1292 -
C:\Windows\SysWOW64\Nmfqgbmm.exeC:\Windows\system32\Nmfqgbmm.exe83⤵PID:1220
-
C:\Windows\SysWOW64\Nhlddkmc.exeC:\Windows\system32\Nhlddkmc.exe84⤵
- System Location Discovery: System Language Discovery
PID:344 -
C:\Windows\SysWOW64\Noemqe32.exeC:\Windows\system32\Noemqe32.exe85⤵
- Drops file in System32 directory
PID:2412 -
C:\Windows\SysWOW64\Nadimacd.exeC:\Windows\system32\Nadimacd.exe86⤵
- Drops file in System32 directory
PID:2472 -
C:\Windows\SysWOW64\Oklnff32.exeC:\Windows\system32\Oklnff32.exe87⤵PID:1828
-
C:\Windows\SysWOW64\Oaffbqaa.exeC:\Windows\system32\Oaffbqaa.exe88⤵
- Modifies registry class
PID:2836 -
C:\Windows\SysWOW64\Odebolpe.exeC:\Windows\system32\Odebolpe.exe89⤵PID:2584
-
C:\Windows\SysWOW64\Ommfga32.exeC:\Windows\system32\Ommfga32.exe90⤵PID:2716
-
C:\Windows\SysWOW64\Opkccm32.exeC:\Windows\system32\Opkccm32.exe91⤵PID:2208
-
C:\Windows\SysWOW64\Ocjophem.exeC:\Windows\system32\Ocjophem.exe92⤵PID:2168
-
C:\Windows\SysWOW64\Oehklddp.exeC:\Windows\system32\Oehklddp.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2960 -
C:\Windows\SysWOW64\Opnpimdf.exeC:\Windows\system32\Opnpimdf.exe94⤵PID:2800
-
C:\Windows\SysWOW64\Ocllehcj.exeC:\Windows\system32\Ocllehcj.exe95⤵
- System Location Discovery: System Language Discovery
PID:2980 -
C:\Windows\SysWOW64\Ohidmoaa.exeC:\Windows\system32\Ohidmoaa.exe96⤵PID:1776
-
C:\Windows\SysWOW64\Ooclji32.exeC:\Windows\system32\Ooclji32.exe97⤵PID:1480
-
C:\Windows\SysWOW64\Oaaifdhb.exeC:\Windows\system32\Oaaifdhb.exe98⤵
- System Location Discovery: System Language Discovery
PID:2328 -
C:\Windows\SysWOW64\Oihqgbhd.exeC:\Windows\system32\Oihqgbhd.exe99⤵PID:1036
-
C:\Windows\SysWOW64\Olgmcmgh.exeC:\Windows\system32\Olgmcmgh.exe100⤵PID:740
-
C:\Windows\SysWOW64\Poeipifl.exeC:\Windows\system32\Poeipifl.exe101⤵PID:2324
-
C:\Windows\SysWOW64\Phnnho32.exeC:\Windows\system32\Phnnho32.exe102⤵
- Modifies registry class
PID:2508 -
C:\Windows\SysWOW64\Pkljdj32.exeC:\Windows\system32\Pkljdj32.exe103⤵PID:2840
-
C:\Windows\SysWOW64\Pafbadcm.exeC:\Windows\system32\Pafbadcm.exe104⤵
- System Location Discovery: System Language Discovery
PID:2612 -
C:\Windows\SysWOW64\Pddnnp32.exeC:\Windows\system32\Pddnnp32.exe105⤵PID:2652
-
C:\Windows\SysWOW64\Pgckjk32.exeC:\Windows\system32\Pgckjk32.exe106⤵PID:640
-
C:\Windows\SysWOW64\Pojbkh32.exeC:\Windows\system32\Pojbkh32.exe107⤵
- Drops file in System32 directory
PID:2968 -
C:\Windows\SysWOW64\Pqkobqhd.exeC:\Windows\system32\Pqkobqhd.exe108⤵PID:2912
-
C:\Windows\SysWOW64\Phbgcnig.exeC:\Windows\system32\Phbgcnig.exe109⤵PID:2256
-
C:\Windows\SysWOW64\Pjcckf32.exeC:\Windows\system32\Pjcckf32.exe110⤵PID:3012
-
C:\Windows\SysWOW64\Pakllc32.exeC:\Windows\system32\Pakllc32.exe111⤵
- Modifies registry class
PID:948 -
C:\Windows\SysWOW64\Pclhdl32.exeC:\Windows\system32\Pclhdl32.exe112⤵PID:1852
-
C:\Windows\SysWOW64\Pnalad32.exeC:\Windows\system32\Pnalad32.exe113⤵PID:1876
-
C:\Windows\SysWOW64\Pmdmmalf.exeC:\Windows\system32\Pmdmmalf.exe114⤵PID:2380
-
C:\Windows\SysWOW64\Pcnejk32.exeC:\Windows\system32\Pcnejk32.exe115⤵PID:2844
-
C:\Windows\SysWOW64\Qmgibqjc.exeC:\Windows\system32\Qmgibqjc.exe116⤵PID:2996
-
C:\Windows\SysWOW64\Qoeeolig.exeC:\Windows\system32\Qoeeolig.exe117⤵PID:2196
-
C:\Windows\SysWOW64\Qglmpi32.exeC:\Windows\system32\Qglmpi32.exe118⤵PID:1412
-
C:\Windows\SysWOW64\Qjkjle32.exeC:\Windows\system32\Qjkjle32.exe119⤵PID:1516
-
C:\Windows\SysWOW64\Qqdbiopj.exeC:\Windows\system32\Qqdbiopj.exe120⤵PID:604
-
C:\Windows\SysWOW64\Abfnpg32.exeC:\Windows\system32\Abfnpg32.exe121⤵PID:1816
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-