Analysis
-
max time kernel
16s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
26-12-2024 10:19
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
6254d20b2509ee51eb7efd1844b4c989467b91a327cdbd50184de12d0af2e509.exe
Resource
win7-20240903-en
windows7-x64
10 signatures
120 seconds
Behavioral task
behavioral2
Sample
6254d20b2509ee51eb7efd1844b4c989467b91a327cdbd50184de12d0af2e509.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
12 signatures
120 seconds
General
-
Target
6254d20b2509ee51eb7efd1844b4c989467b91a327cdbd50184de12d0af2e509.exe
-
Size
96KB
-
MD5
2dbf71e97335c6bf105153c58b9735f8
-
SHA1
55aae5106c6682394fdf2ab98341dec5c12c7839
-
SHA256
6254d20b2509ee51eb7efd1844b4c989467b91a327cdbd50184de12d0af2e509
-
SHA512
53395e3c8a20bf84c21893123102848eb685ec5f31ff31c812ca1a656b8b46c93805cce134cb2fcc6577ebed36ed850d434754c3e9179089f7750c7f4fe3fa6b
-
SSDEEP
1536:QiC84fuXsk7y2AvaZJsc+ia9CnHrOO2Ly7RZObZUUWaegPYA2:QiC/6s2ZiEalTyClUUWae1
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adiaommc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Elieipej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhpqcpkm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bakaaepk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhkfnlme.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pehebbbh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Amhcad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djmiejji.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Moenkf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njnokdaq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anecfgdc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Epnkip32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Albjnplq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mecglbfl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oqojhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eqngcc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpgecq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Doqkpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ldpnoj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okkkoj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qbobaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Afcdpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Epcddopf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oggeokoq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bemkle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhdfmbjc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pimkbbpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cffjagko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Enhaeldn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhpqcpkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdinnqon.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mecglbfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Maanab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lcdjpfgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cpgecq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oodjjign.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhhiiloh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pimkbbpi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmmqmpdm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enmnahnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mpikik32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngbpehpj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onamle32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnhhge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dgqion32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Efoifiep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lkgifd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Paafmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Anecfgdc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmmqmpdm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjjpag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cpdhna32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmhbgpia.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad 6254d20b2509ee51eb7efd1844b4c989467b91a327cdbd50184de12d0af2e509.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Moenkf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oqmmbqgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ppdfimji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pfnoegaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Afgnkilf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhdfmbjc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpgnoo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omfnnnhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Okpdjjil.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhkghqpb.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2788 Kngekdnf.exe 2944 Kbbakc32.exe 2296 Kimjhnnl.exe 2600 Kbenacdm.exe 2668 Kecjmodq.exe 276 Kjpceebh.exe 2028 Lajkbp32.exe 672 Ldhgnk32.exe 1176 Llpoohik.exe 2860 Lophacfl.exe 2084 Laodmoep.exe 2608 Lhimji32.exe 572 Lkgifd32.exe 1716 Lmeebpkd.exe 2080 Ldpnoj32.exe 1976 Lbbnjgik.exe 1284 Lmhbgpia.exe 2060 Lcdjpfgh.exe 2072 Mecglbfl.exe 968 Mlmoilni.exe 1788 Mpikik32.exe 2268 Mokkegmm.exe 2408 Mcggef32.exe 1424 Mlolnllf.exe 1780 Maldfbjn.exe 1504 Miclhpjp.exe 2552 Mopdpg32.exe 2664 Mejmmqpd.exe 2540 Mhhiiloh.exe 2620 Maanab32.exe 912 Meljbqna.exe 348 Mhkfnlme.exe 872 Moenkf32.exe 2968 Nhmbdl32.exe 2896 Njnokdaq.exe 3000 Nphghn32.exe 2760 Nddcimag.exe 1964 Ngbpehpj.exe 1292 Njalacon.exe 2312 Njchfc32.exe 2184 Nqmqcmdh.exe 2264 Nckmpicl.exe 1876 Nggipg32.exe 1700 Njeelc32.exe 1792 Nldahn32.exe 2376 Nflfad32.exe 868 Nhkbmo32.exe 860 Omfnnnhj.exe 2672 Oodjjign.exe 2656 Obcffefa.exe 2700 Ofobgc32.exe 2712 Ohmoco32.exe 2068 Okkkoj32.exe 1712 Onjgkf32.exe 440 Obecld32.exe 2164 Oiokholk.exe 2852 Ogbldk32.exe 2532 Ooidei32.exe 2096 Onldqejb.exe 2856 Obhpad32.exe 112 Oqkpmaif.exe 1992 Oiahnnji.exe 840 Okpdjjil.exe 1192 Ojceef32.exe -
Loads dropped DLL 64 IoCs
pid Process 2640 6254d20b2509ee51eb7efd1844b4c989467b91a327cdbd50184de12d0af2e509.exe 2640 6254d20b2509ee51eb7efd1844b4c989467b91a327cdbd50184de12d0af2e509.exe 2788 Kngekdnf.exe 2788 Kngekdnf.exe 2944 Kbbakc32.exe 2944 Kbbakc32.exe 2296 Kimjhnnl.exe 2296 Kimjhnnl.exe 2600 Kbenacdm.exe 2600 Kbenacdm.exe 2668 Kecjmodq.exe 2668 Kecjmodq.exe 276 Kjpceebh.exe 276 Kjpceebh.exe 2028 Lajkbp32.exe 2028 Lajkbp32.exe 672 Ldhgnk32.exe 672 Ldhgnk32.exe 1176 Llpoohik.exe 1176 Llpoohik.exe 2860 Lophacfl.exe 2860 Lophacfl.exe 2084 Laodmoep.exe 2084 Laodmoep.exe 2608 Lhimji32.exe 2608 Lhimji32.exe 572 Lkgifd32.exe 572 Lkgifd32.exe 1716 Lmeebpkd.exe 1716 Lmeebpkd.exe 2080 Ldpnoj32.exe 2080 Ldpnoj32.exe 1976 Lbbnjgik.exe 1976 Lbbnjgik.exe 1284 Lmhbgpia.exe 1284 Lmhbgpia.exe 2060 Lcdjpfgh.exe 2060 Lcdjpfgh.exe 2072 Mecglbfl.exe 2072 Mecglbfl.exe 968 Mlmoilni.exe 968 Mlmoilni.exe 1788 Mpikik32.exe 1788 Mpikik32.exe 2268 Mokkegmm.exe 2268 Mokkegmm.exe 2408 Mcggef32.exe 2408 Mcggef32.exe 1424 Mlolnllf.exe 1424 Mlolnllf.exe 1780 Maldfbjn.exe 1780 Maldfbjn.exe 1504 Miclhpjp.exe 1504 Miclhpjp.exe 2552 Mopdpg32.exe 2552 Mopdpg32.exe 2664 Mejmmqpd.exe 2664 Mejmmqpd.exe 2540 Mhhiiloh.exe 2540 Mhhiiloh.exe 2620 Maanab32.exe 2620 Maanab32.exe 912 Meljbqna.exe 912 Meljbqna.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Nhgmklgh.dll Ogbldk32.exe File opened for modification C:\Windows\SysWOW64\Oqkpmaif.exe Obhpad32.exe File created C:\Windows\SysWOW64\Amjpgdik.exe Ajldkhjh.exe File opened for modification C:\Windows\SysWOW64\Ajnqphhe.exe Afcdpi32.exe File created C:\Windows\SysWOW64\Ecgjdong.exe Dqinhcoc.exe File created C:\Windows\SysWOW64\Odljflhj.dll Njchfc32.exe File created C:\Windows\SysWOW64\Pcdldknm.exe Piohgbng.exe File created C:\Windows\SysWOW64\Djqdbbek.dll Pmmqmpdm.exe File opened for modification C:\Windows\SysWOW64\Albjnplq.exe Amoibc32.exe File created C:\Windows\SysWOW64\Lgdojnle.dll Bceeqi32.exe File created C:\Windows\SysWOW64\Ekghcq32.exe Eiilge32.exe File created C:\Windows\SysWOW64\Mofapq32.dll Elieipej.exe File opened for modification C:\Windows\SysWOW64\Fllaopcg.exe Einebddd.exe File created C:\Windows\SysWOW64\Eocmkdfd.dll Onjgkf32.exe File opened for modification C:\Windows\SysWOW64\Ppdfimji.exe Paafmp32.exe File created C:\Windows\SysWOW64\Bflpbe32.dll Pfnoegaf.exe File created C:\Windows\SysWOW64\Aifjgdkj.exe Afgnkilf.exe File created C:\Windows\SysWOW64\Cpdhna32.exe Cjjpag32.exe File opened for modification C:\Windows\SysWOW64\Ddbmcb32.exe Djmiejji.exe File created C:\Windows\SysWOW64\Jhpgpkho.dll Enhaeldn.exe File created C:\Windows\SysWOW64\Phahme32.dll Oggeokoq.exe File opened for modification C:\Windows\SysWOW64\Pbglpg32.exe Pcdldknm.exe File created C:\Windows\SysWOW64\Igkdaemk.dll Cglcek32.exe File created C:\Windows\SysWOW64\Cpokpklp.dll Ecgjdong.exe File created C:\Windows\SysWOW64\Ejabqi32.exe Egcfdn32.exe File created C:\Windows\SysWOW64\Ompjookk.dll Mhkfnlme.exe File opened for modification C:\Windows\SysWOW64\Dkbbinig.exe Dhdfmbjc.exe File opened for modification C:\Windows\SysWOW64\Qldjdlgb.exe Qifnhaho.exe File opened for modification C:\Windows\SysWOW64\Omfnnnhj.exe Nhkbmo32.exe File created C:\Windows\SysWOW64\Neplhe32.dll Ppkmjlca.exe File created C:\Windows\SysWOW64\Plbmom32.exe Phgannal.exe File created C:\Windows\SysWOW64\Ngeogk32.dll Bhdjno32.exe File created C:\Windows\SysWOW64\Cglcek32.exe Cdngip32.exe File created C:\Windows\SysWOW64\Clnehado.exe Cjoilfek.exe File created C:\Windows\SysWOW64\Dhgccbhp.exe Ddkgbc32.exe File opened for modification C:\Windows\SysWOW64\Njnokdaq.exe Nhmbdl32.exe File opened for modification C:\Windows\SysWOW64\Fpgnoo32.exe Fllaopcg.exe File created C:\Windows\SysWOW64\Eccjdobp.dll Ejfllhao.exe File created C:\Windows\SysWOW64\Olqdoelc.dll Amoibc32.exe File opened for modification C:\Windows\SysWOW64\Adiaommc.exe Albjnplq.exe File created C:\Windows\SysWOW64\Njohaaaf.dll Abnopj32.exe File created C:\Windows\SysWOW64\Ghbakjma.dll Bakaaepk.exe File created C:\Windows\SysWOW64\Cgkqcb32.dll Camnge32.exe File created C:\Windows\SysWOW64\Maldfbjn.exe Mlolnllf.exe File created C:\Windows\SysWOW64\Jenndm32.dll Onamle32.exe File opened for modification C:\Windows\SysWOW64\Ahngomkd.exe Aeokba32.exe File created C:\Windows\SysWOW64\Ogaceogh.dll Ajldkhjh.exe File opened for modification C:\Windows\SysWOW64\Onjgkf32.exe Okkkoj32.exe File created C:\Windows\SysWOW64\Iclafh32.dll Pglojj32.exe File created C:\Windows\SysWOW64\Ajmqgkiq.dll Lajkbp32.exe File created C:\Windows\SysWOW64\Godgdfic.dll Pimkbbpi.exe File opened for modification C:\Windows\SysWOW64\Boleejag.exe Blniinac.exe File opened for modification C:\Windows\SysWOW64\Kimjhnnl.exe Kbbakc32.exe File created C:\Windows\SysWOW64\Nelafe32.dll Cnabffeo.exe File opened for modification C:\Windows\SysWOW64\Ojceef32.exe Okpdjjil.exe File opened for modification C:\Windows\SysWOW64\Mhkfnlme.exe Meljbqna.exe File created C:\Windows\SysWOW64\Omcngamh.exe Onamle32.exe File created C:\Windows\SysWOW64\Paafmp32.exe Pmfjmake.exe File opened for modification C:\Windows\SysWOW64\Qhkkim32.exe Qemomb32.exe File opened for modification C:\Windows\SysWOW64\Eikimeff.exe Eepmlf32.exe File created C:\Windows\SysWOW64\Llpoohik.exe Ldhgnk32.exe File created C:\Windows\SysWOW64\Pjlgle32.exe Pbepkh32.exe File opened for modification C:\Windows\SysWOW64\Qifnhaho.exe Qaofgc32.exe File created C:\Windows\SysWOW64\Gbmiha32.dll Epcddopf.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3888 3876 WerFault.exe 240 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbbnjgik.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obhpad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddppmclb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebcmfj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nphghn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njchfc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhiphb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpgnoo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcdjpfgh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mokkegmm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbchkime.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qhkkim32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kngekdnf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjpceebh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcdldknm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppdfimji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bikcbc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhpqcpkm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohmoco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pimkbbpi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amhcad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eclcon32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nddcimag.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oiahnnji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Camnge32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebappk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mejmmqpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afgnkilf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qbobaf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afeaei32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abnopj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnhhge32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ecgjdong.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbenacdm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eqngcc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elieipej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmhbgpia.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cglcek32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjlgle32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boeoek32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbjnqh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nldahn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okbapi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbfjkj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onamle32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Clnehado.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmmbge32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apilcoho.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofobgc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pglojj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Meljbqna.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omfnnnhj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjjpag32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qnqjkh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Paafmp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmmqmpdm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flnndp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oqmmbqgd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ammmlcgi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amoibc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bklpjlmc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Maanab32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdkkcp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egebjmdn.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bimphc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cljamifd.dll" Cdpdnpif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpidibpf.dll" Kngekdnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Okkkoj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pbjifgcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npgihifq.dll" Qbobaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Afcdpi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Albjnplq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klalgq32.dll" Ldhgnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cjoilfek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmhdkakc.dll" Clnehado.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eqkjmcmq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogadek32.dll" Ebockkal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Epcddopf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kjpceebh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ldpnoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nqmqcmdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ogbldk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gipjkn32.dll" Ppdfimji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ajnqphhe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dfhgggim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jacgio32.dll" Enmnahnm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID 6254d20b2509ee51eb7efd1844b4c989467b91a327cdbd50184de12d0af2e509.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhfdfc32.dll" Mpikik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igooceih.dll" Qldjdlgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bhkghqpb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cnabffeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhibakgh.dll" Cjjpag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Faijggao.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lbbnjgik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cnabffeo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cpgecq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgjond32.dll" Djmiejji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhpgpkho.dll" Enhaeldn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpkljm32.dll" Einebddd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dmmbge32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fllaopcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiepfnbn.dll" Kbbakc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chdccacf.dll" Lophacfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckfkpqnm.dll" Mlmoilni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mlmoilni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ngbpehpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qjgjpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pjlgle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbiffmpn.dll" Phgannal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lophacfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Njalacon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Neplhe32.dll" Ppkmjlca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmekdl32.dll" Apilcoho.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bceeqi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fipbhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Omfnnnhj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Onldqejb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pjhnqfla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Piadma32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qhkkim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dljfocan.dll" Bikcbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjcmdmiq.dll" Dhgccbhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdpbking.dll" Embkbdce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcgalk32.dll" Lmeebpkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mlolnllf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nggipg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qdkcda32.dll" Pcdldknm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djqdbbek.dll" Pmmqmpdm.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2640 wrote to memory of 2788 2640 6254d20b2509ee51eb7efd1844b4c989467b91a327cdbd50184de12d0af2e509.exe 30 PID 2640 wrote to memory of 2788 2640 6254d20b2509ee51eb7efd1844b4c989467b91a327cdbd50184de12d0af2e509.exe 30 PID 2640 wrote to memory of 2788 2640 6254d20b2509ee51eb7efd1844b4c989467b91a327cdbd50184de12d0af2e509.exe 30 PID 2640 wrote to memory of 2788 2640 6254d20b2509ee51eb7efd1844b4c989467b91a327cdbd50184de12d0af2e509.exe 30 PID 2788 wrote to memory of 2944 2788 Kngekdnf.exe 31 PID 2788 wrote to memory of 2944 2788 Kngekdnf.exe 31 PID 2788 wrote to memory of 2944 2788 Kngekdnf.exe 31 PID 2788 wrote to memory of 2944 2788 Kngekdnf.exe 31 PID 2944 wrote to memory of 2296 2944 Kbbakc32.exe 32 PID 2944 wrote to memory of 2296 2944 Kbbakc32.exe 32 PID 2944 wrote to memory of 2296 2944 Kbbakc32.exe 32 PID 2944 wrote to memory of 2296 2944 Kbbakc32.exe 32 PID 2296 wrote to memory of 2600 2296 Kimjhnnl.exe 33 PID 2296 wrote to memory of 2600 2296 Kimjhnnl.exe 33 PID 2296 wrote to memory of 2600 2296 Kimjhnnl.exe 33 PID 2296 wrote to memory of 2600 2296 Kimjhnnl.exe 33 PID 2600 wrote to memory of 2668 2600 Kbenacdm.exe 34 PID 2600 wrote to memory of 2668 2600 Kbenacdm.exe 34 PID 2600 wrote to memory of 2668 2600 Kbenacdm.exe 34 PID 2600 wrote to memory of 2668 2600 Kbenacdm.exe 34 PID 2668 wrote to memory of 276 2668 Kecjmodq.exe 35 PID 2668 wrote to memory of 276 2668 Kecjmodq.exe 35 PID 2668 wrote to memory of 276 2668 Kecjmodq.exe 35 PID 2668 wrote to memory of 276 2668 Kecjmodq.exe 35 PID 276 wrote to memory of 2028 276 Kjpceebh.exe 36 PID 276 wrote to memory of 2028 276 Kjpceebh.exe 36 PID 276 wrote to memory of 2028 276 Kjpceebh.exe 36 PID 276 wrote to memory of 2028 276 Kjpceebh.exe 36 PID 2028 wrote to memory of 672 2028 Lajkbp32.exe 37 PID 2028 wrote to memory of 672 2028 Lajkbp32.exe 37 PID 2028 wrote to memory of 672 2028 Lajkbp32.exe 37 PID 2028 wrote to memory of 672 2028 Lajkbp32.exe 37 PID 672 wrote to memory of 1176 672 Ldhgnk32.exe 38 PID 672 wrote to memory of 1176 672 Ldhgnk32.exe 38 PID 672 wrote to memory of 1176 672 Ldhgnk32.exe 38 PID 672 wrote to memory of 1176 672 Ldhgnk32.exe 38 PID 1176 wrote to memory of 2860 1176 Llpoohik.exe 39 PID 1176 wrote to memory of 2860 1176 Llpoohik.exe 39 PID 1176 wrote to memory of 2860 1176 Llpoohik.exe 39 PID 1176 wrote to memory of 2860 1176 Llpoohik.exe 39 PID 2860 wrote to memory of 2084 2860 Lophacfl.exe 40 PID 2860 wrote to memory of 2084 2860 Lophacfl.exe 40 PID 2860 wrote to memory of 2084 2860 Lophacfl.exe 40 PID 2860 wrote to memory of 2084 2860 Lophacfl.exe 40 PID 2084 wrote to memory of 2608 2084 Laodmoep.exe 41 PID 2084 wrote to memory of 2608 2084 Laodmoep.exe 41 PID 2084 wrote to memory of 2608 2084 Laodmoep.exe 41 PID 2084 wrote to memory of 2608 2084 Laodmoep.exe 41 PID 2608 wrote to memory of 572 2608 Lhimji32.exe 42 PID 2608 wrote to memory of 572 2608 Lhimji32.exe 42 PID 2608 wrote to memory of 572 2608 Lhimji32.exe 42 PID 2608 wrote to memory of 572 2608 Lhimji32.exe 42 PID 572 wrote to memory of 1716 572 Lkgifd32.exe 43 PID 572 wrote to memory of 1716 572 Lkgifd32.exe 43 PID 572 wrote to memory of 1716 572 Lkgifd32.exe 43 PID 572 wrote to memory of 1716 572 Lkgifd32.exe 43 PID 1716 wrote to memory of 2080 1716 Lmeebpkd.exe 44 PID 1716 wrote to memory of 2080 1716 Lmeebpkd.exe 44 PID 1716 wrote to memory of 2080 1716 Lmeebpkd.exe 44 PID 1716 wrote to memory of 2080 1716 Lmeebpkd.exe 44 PID 2080 wrote to memory of 1976 2080 Ldpnoj32.exe 45 PID 2080 wrote to memory of 1976 2080 Ldpnoj32.exe 45 PID 2080 wrote to memory of 1976 2080 Ldpnoj32.exe 45 PID 2080 wrote to memory of 1976 2080 Ldpnoj32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\6254d20b2509ee51eb7efd1844b4c989467b91a327cdbd50184de12d0af2e509.exe"C:\Users\Admin\AppData\Local\Temp\6254d20b2509ee51eb7efd1844b4c989467b91a327cdbd50184de12d0af2e509.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2640 -
C:\Windows\SysWOW64\Kngekdnf.exeC:\Windows\system32\Kngekdnf.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2788 -
C:\Windows\SysWOW64\Kbbakc32.exeC:\Windows\system32\Kbbakc32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2944 -
C:\Windows\SysWOW64\Kimjhnnl.exeC:\Windows\system32\Kimjhnnl.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2296 -
C:\Windows\SysWOW64\Kbenacdm.exeC:\Windows\system32\Kbenacdm.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2600 -
C:\Windows\SysWOW64\Kecjmodq.exeC:\Windows\system32\Kecjmodq.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2668 -
C:\Windows\SysWOW64\Kjpceebh.exeC:\Windows\system32\Kjpceebh.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:276 -
C:\Windows\SysWOW64\Lajkbp32.exeC:\Windows\system32\Lajkbp32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2028 -
C:\Windows\SysWOW64\Ldhgnk32.exeC:\Windows\system32\Ldhgnk32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:672 -
C:\Windows\SysWOW64\Llpoohik.exeC:\Windows\system32\Llpoohik.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1176 -
C:\Windows\SysWOW64\Lophacfl.exeC:\Windows\system32\Lophacfl.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2860 -
C:\Windows\SysWOW64\Laodmoep.exeC:\Windows\system32\Laodmoep.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2084 -
C:\Windows\SysWOW64\Lhimji32.exeC:\Windows\system32\Lhimji32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2608 -
C:\Windows\SysWOW64\Lkgifd32.exeC:\Windows\system32\Lkgifd32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:572 -
C:\Windows\SysWOW64\Lmeebpkd.exeC:\Windows\system32\Lmeebpkd.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1716 -
C:\Windows\SysWOW64\Ldpnoj32.exeC:\Windows\system32\Ldpnoj32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2080 -
C:\Windows\SysWOW64\Lbbnjgik.exeC:\Windows\system32\Lbbnjgik.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1976 -
C:\Windows\SysWOW64\Lmhbgpia.exeC:\Windows\system32\Lmhbgpia.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1284 -
C:\Windows\SysWOW64\Lcdjpfgh.exeC:\Windows\system32\Lcdjpfgh.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2060 -
C:\Windows\SysWOW64\Mecglbfl.exeC:\Windows\system32\Mecglbfl.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2072 -
C:\Windows\SysWOW64\Mlmoilni.exeC:\Windows\system32\Mlmoilni.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:968 -
C:\Windows\SysWOW64\Mpikik32.exeC:\Windows\system32\Mpikik32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1788 -
C:\Windows\SysWOW64\Mokkegmm.exeC:\Windows\system32\Mokkegmm.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2268 -
C:\Windows\SysWOW64\Mcggef32.exeC:\Windows\system32\Mcggef32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2408 -
C:\Windows\SysWOW64\Mlolnllf.exeC:\Windows\system32\Mlolnllf.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1424 -
C:\Windows\SysWOW64\Maldfbjn.exeC:\Windows\system32\Maldfbjn.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1780 -
C:\Windows\SysWOW64\Miclhpjp.exeC:\Windows\system32\Miclhpjp.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1504 -
C:\Windows\SysWOW64\Mopdpg32.exeC:\Windows\system32\Mopdpg32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2552 -
C:\Windows\SysWOW64\Mejmmqpd.exeC:\Windows\system32\Mejmmqpd.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2664 -
C:\Windows\SysWOW64\Mhhiiloh.exeC:\Windows\system32\Mhhiiloh.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2540 -
C:\Windows\SysWOW64\Maanab32.exeC:\Windows\system32\Maanab32.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2620 -
C:\Windows\SysWOW64\Meljbqna.exeC:\Windows\system32\Meljbqna.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:912 -
C:\Windows\SysWOW64\Mhkfnlme.exeC:\Windows\system32\Mhkfnlme.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:348 -
C:\Windows\SysWOW64\Moenkf32.exeC:\Windows\system32\Moenkf32.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:872 -
C:\Windows\SysWOW64\Nhmbdl32.exeC:\Windows\system32\Nhmbdl32.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2968 -
C:\Windows\SysWOW64\Njnokdaq.exeC:\Windows\system32\Njnokdaq.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2896 -
C:\Windows\SysWOW64\Nphghn32.exeC:\Windows\system32\Nphghn32.exe37⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3000 -
C:\Windows\SysWOW64\Nddcimag.exeC:\Windows\system32\Nddcimag.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2760 -
C:\Windows\SysWOW64\Ngbpehpj.exeC:\Windows\system32\Ngbpehpj.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1964 -
C:\Windows\SysWOW64\Njalacon.exeC:\Windows\system32\Njalacon.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:1292 -
C:\Windows\SysWOW64\Njchfc32.exeC:\Windows\system32\Njchfc32.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2312 -
C:\Windows\SysWOW64\Nqmqcmdh.exeC:\Windows\system32\Nqmqcmdh.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:2184 -
C:\Windows\SysWOW64\Nckmpicl.exeC:\Windows\system32\Nckmpicl.exe43⤵
- Executes dropped EXE
PID:2264 -
C:\Windows\SysWOW64\Nggipg32.exeC:\Windows\system32\Nggipg32.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:1876 -
C:\Windows\SysWOW64\Njeelc32.exeC:\Windows\system32\Njeelc32.exe45⤵
- Executes dropped EXE
PID:1700 -
C:\Windows\SysWOW64\Nldahn32.exeC:\Windows\system32\Nldahn32.exe46⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1792 -
C:\Windows\SysWOW64\Nflfad32.exeC:\Windows\system32\Nflfad32.exe47⤵
- Executes dropped EXE
PID:2376 -
C:\Windows\SysWOW64\Nhkbmo32.exeC:\Windows\system32\Nhkbmo32.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:868 -
C:\Windows\SysWOW64\Omfnnnhj.exeC:\Windows\system32\Omfnnnhj.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:860 -
C:\Windows\SysWOW64\Oodjjign.exeC:\Windows\system32\Oodjjign.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2672 -
C:\Windows\SysWOW64\Obcffefa.exeC:\Windows\system32\Obcffefa.exe51⤵
- Executes dropped EXE
PID:2656 -
C:\Windows\SysWOW64\Ofobgc32.exeC:\Windows\system32\Ofobgc32.exe52⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2700 -
C:\Windows\SysWOW64\Ohmoco32.exeC:\Windows\system32\Ohmoco32.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2712 -
C:\Windows\SysWOW64\Okkkoj32.exeC:\Windows\system32\Okkkoj32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2068 -
C:\Windows\SysWOW64\Onjgkf32.exeC:\Windows\system32\Onjgkf32.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1712 -
C:\Windows\SysWOW64\Obecld32.exeC:\Windows\system32\Obecld32.exe56⤵
- Executes dropped EXE
PID:440 -
C:\Windows\SysWOW64\Oiokholk.exeC:\Windows\system32\Oiokholk.exe57⤵
- Executes dropped EXE
PID:2164 -
C:\Windows\SysWOW64\Ogbldk32.exeC:\Windows\system32\Ogbldk32.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2852 -
C:\Windows\SysWOW64\Ooidei32.exeC:\Windows\system32\Ooidei32.exe59⤵
- Executes dropped EXE
PID:2532 -
C:\Windows\SysWOW64\Onldqejb.exeC:\Windows\system32\Onldqejb.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:2096 -
C:\Windows\SysWOW64\Obhpad32.exeC:\Windows\system32\Obhpad32.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2856 -
C:\Windows\SysWOW64\Oqkpmaif.exeC:\Windows\system32\Oqkpmaif.exe62⤵
- Executes dropped EXE
PID:112 -
C:\Windows\SysWOW64\Oiahnnji.exeC:\Windows\system32\Oiahnnji.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1992 -
C:\Windows\SysWOW64\Okpdjjil.exeC:\Windows\system32\Okpdjjil.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:840 -
C:\Windows\SysWOW64\Ojceef32.exeC:\Windows\system32\Ojceef32.exe65⤵
- Executes dropped EXE
PID:1192 -
C:\Windows\SysWOW64\Oqmmbqgd.exeC:\Windows\system32\Oqmmbqgd.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1952 -
C:\Windows\SysWOW64\Oggeokoq.exeC:\Windows\system32\Oggeokoq.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2308 -
C:\Windows\SysWOW64\Okbapi32.exeC:\Windows\system32\Okbapi32.exe68⤵
- System Location Discovery: System Language Discovery
PID:2996 -
C:\Windows\SysWOW64\Onamle32.exeC:\Windows\system32\Onamle32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1528 -
C:\Windows\SysWOW64\Omcngamh.exeC:\Windows\system32\Omcngamh.exe70⤵PID:2832
-
C:\Windows\SysWOW64\Oqojhp32.exeC:\Windows\system32\Oqojhp32.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2764 -
C:\Windows\SysWOW64\Pgibdjln.exeC:\Windows\system32\Pgibdjln.exe72⤵PID:1828
-
C:\Windows\SysWOW64\Pjhnqfla.exeC:\Windows\system32\Pjhnqfla.exe73⤵
- Modifies registry class
PID:2920 -
C:\Windows\SysWOW64\Pmfjmake.exeC:\Windows\system32\Pmfjmake.exe74⤵
- Drops file in System32 directory
PID:2952 -
C:\Windows\SysWOW64\Paafmp32.exeC:\Windows\system32\Paafmp32.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2120 -
C:\Windows\SysWOW64\Ppdfimji.exeC:\Windows\system32\Ppdfimji.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2344 -
C:\Windows\SysWOW64\Pglojj32.exeC:\Windows\system32\Pglojj32.exe77⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2748 -
C:\Windows\SysWOW64\Pfnoegaf.exeC:\Windows\system32\Pfnoegaf.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2152 -
C:\Windows\SysWOW64\Pimkbbpi.exeC:\Windows\system32\Pimkbbpi.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2172 -
C:\Windows\SysWOW64\Padccpal.exeC:\Windows\system32\Padccpal.exe80⤵PID:2496
-
C:\Windows\SysWOW64\Ppgcol32.exeC:\Windows\system32\Ppgcol32.exe81⤵PID:2440
-
C:\Windows\SysWOW64\Pbepkh32.exeC:\Windows\system32\Pbepkh32.exe82⤵
- Drops file in System32 directory
PID:780 -
C:\Windows\SysWOW64\Pjlgle32.exeC:\Windows\system32\Pjlgle32.exe83⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2368 -
C:\Windows\SysWOW64\Piohgbng.exeC:\Windows\system32\Piohgbng.exe84⤵
- Drops file in System32 directory
PID:824 -
C:\Windows\SysWOW64\Pcdldknm.exeC:\Windows\system32\Pcdldknm.exe85⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2820 -
C:\Windows\SysWOW64\Pbglpg32.exeC:\Windows\system32\Pbglpg32.exe86⤵PID:3032
-
C:\Windows\SysWOW64\Piadma32.exeC:\Windows\system32\Piadma32.exe87⤵
- Modifies registry class
PID:2568 -
C:\Windows\SysWOW64\Pmmqmpdm.exeC:\Windows\system32\Pmmqmpdm.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2548 -
C:\Windows\SysWOW64\Ppkmjlca.exeC:\Windows\system32\Ppkmjlca.exe89⤵
- Drops file in System32 directory
- Modifies registry class
PID:3036 -
C:\Windows\SysWOW64\Pbjifgcd.exeC:\Windows\system32\Pbjifgcd.exe90⤵
- Modifies registry class
PID:2812 -
C:\Windows\SysWOW64\Pehebbbh.exeC:\Windows\system32\Pehebbbh.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2828 -
C:\Windows\SysWOW64\Phgannal.exeC:\Windows\system32\Phgannal.exe92⤵
- Drops file in System32 directory
- Modifies registry class
PID:2036 -
C:\Windows\SysWOW64\Plbmom32.exeC:\Windows\system32\Plbmom32.exe93⤵PID:2980
-
C:\Windows\SysWOW64\Qnqjkh32.exeC:\Windows\system32\Qnqjkh32.exe94⤵
- System Location Discovery: System Language Discovery
PID:1924 -
C:\Windows\SysWOW64\Qaofgc32.exeC:\Windows\system32\Qaofgc32.exe95⤵
- Drops file in System32 directory
PID:1040 -
C:\Windows\SysWOW64\Qifnhaho.exeC:\Windows\system32\Qifnhaho.exe96⤵
- Drops file in System32 directory
PID:1956 -
C:\Windows\SysWOW64\Qldjdlgb.exeC:\Windows\system32\Qldjdlgb.exe97⤵
- Modifies registry class
PID:1868 -
C:\Windows\SysWOW64\Qjgjpi32.exeC:\Windows\system32\Qjgjpi32.exe98⤵
- Modifies registry class
PID:2456 -
C:\Windows\SysWOW64\Qbobaf32.exeC:\Windows\system32\Qbobaf32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2880 -
C:\Windows\SysWOW64\Qemomb32.exeC:\Windows\system32\Qemomb32.exe100⤵
- Drops file in System32 directory
PID:2624 -
C:\Windows\SysWOW64\Qhkkim32.exeC:\Windows\system32\Qhkkim32.exe101⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2444 -
C:\Windows\SysWOW64\Ajjgei32.exeC:\Windows\system32\Ajjgei32.exe102⤵PID:480
-
C:\Windows\SysWOW64\Anecfgdc.exeC:\Windows\system32\Anecfgdc.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2908 -
C:\Windows\SysWOW64\Amhcad32.exeC:\Windows\system32\Amhcad32.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1676 -
C:\Windows\SysWOW64\Aeokba32.exeC:\Windows\system32\Aeokba32.exe105⤵
- Drops file in System32 directory
PID:596 -
C:\Windows\SysWOW64\Ahngomkd.exeC:\Windows\system32\Ahngomkd.exe106⤵PID:2380
-
C:\Windows\SysWOW64\Ajldkhjh.exeC:\Windows\system32\Ajldkhjh.exe107⤵
- Drops file in System32 directory
PID:832 -
C:\Windows\SysWOW64\Amjpgdik.exeC:\Windows\system32\Amjpgdik.exe108⤵PID:264
-
C:\Windows\SysWOW64\Apilcoho.exeC:\Windows\system32\Apilcoho.exe109⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1940 -
C:\Windows\SysWOW64\Afcdpi32.exeC:\Windows\system32\Afcdpi32.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1188 -
C:\Windows\SysWOW64\Ajnqphhe.exeC:\Windows\system32\Ajnqphhe.exe111⤵
- Modifies registry class
PID:2576 -
C:\Windows\SysWOW64\Ammmlcgi.exeC:\Windows\system32\Ammmlcgi.exe112⤵
- System Location Discovery: System Language Discovery
PID:2560 -
C:\Windows\SysWOW64\Aahimb32.exeC:\Windows\system32\Aahimb32.exe113⤵PID:1632
-
C:\Windows\SysWOW64\Adgein32.exeC:\Windows\system32\Adgein32.exe114⤵PID:2144
-
C:\Windows\SysWOW64\Afeaei32.exeC:\Windows\system32\Afeaei32.exe115⤵
- System Location Discovery: System Language Discovery
PID:2388 -
C:\Windows\SysWOW64\Amoibc32.exeC:\Windows\system32\Amoibc32.exe116⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1148 -
C:\Windows\SysWOW64\Albjnplq.exeC:\Windows\system32\Albjnplq.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1744 -
C:\Windows\SysWOW64\Adiaommc.exeC:\Windows\system32\Adiaommc.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:616 -
C:\Windows\SysWOW64\Afgnkilf.exeC:\Windows\system32\Afgnkilf.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1072 -
C:\Windows\SysWOW64\Aifjgdkj.exeC:\Windows\system32\Aifjgdkj.exe120⤵PID:2688
-
C:\Windows\SysWOW64\Aldfcpjn.exeC:\Windows\system32\Aldfcpjn.exe121⤵PID:2792
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-