Analysis
-
max time kernel
117s -
max time network
117s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
21-01-2025 17:46
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
da703e846917281284bdf1fd770b44a27a6f895339fea583e060f54163042390.exe
Resource
win7-20240903-en
windows7-x64
13 signatures
120 seconds
Behavioral task
behavioral2
Sample
da703e846917281284bdf1fd770b44a27a6f895339fea583e060f54163042390.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
120 seconds
General
-
Target
da703e846917281284bdf1fd770b44a27a6f895339fea583e060f54163042390.exe
-
Size
96KB
-
MD5
701e2ad1b3b36179ee1f6980fc76a2d0
-
SHA1
4508665bff489c6a416c74538ab2e540da264970
-
SHA256
da703e846917281284bdf1fd770b44a27a6f895339fea583e060f54163042390
-
SHA512
c8065fc6c1faefd9dcd110b936dee9f32b909311c867d0370c27fea8bf7d10723c08cd7af313ef342cc5c6209b3e773c86edd04dee7e41ae7bd16674b44a43ef
-
SSDEEP
1536:9poch45MfOEbXgDoJjLP2LU7RZObZUUWaegPYA2:XoceqOXinUUClUUWae1
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajckilei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eimcjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eknpadcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkcekfad.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgcnahoo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lghgmg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgngbmjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Olmela32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aejlnmkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajehnk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epeoaffo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gajqbakc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kadica32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kajiigba.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nknimnap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pehcij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fahhnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fgjjad32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibacbcgg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jibnop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mokilo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dekdikhc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ejcmmp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fccglehn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gpggei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hcjilgdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hoqjqhjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lncfcgeb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldokfakl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blinefnd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmmpolof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fcqjfeja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Injqmdki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jbhebfck.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgfjggll.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klfjpa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Loclai32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lekghdad.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oflpgnld.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmppehkh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnefhpma.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Liipnb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llgljn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njeccjcd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oiafee32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppinkcnp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eknpadcn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ieibdnnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nppofado.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Paaddgkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ppinkcnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pfebnmcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dnqlmq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dlifadkk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijcngenj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kkojbf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojeobm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncfalqpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkbdabog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Efedga32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehpcehcj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kidjdpie.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llbconkd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljigih32.exe -
Berbew family
-
Brute Ratel C4
A customized command and control framework for red teaming and adversary simulation.
-
Bruteratel family
-
Detect BruteRatel badger 3 IoCs
resource yara_rule behavioral1/files/0x000500000001c8fc-883.dat family_bruteratel behavioral1/files/0x000400000001d1a6-1507.dat family_bruteratel behavioral1/files/0x000400000001e892-3513.dat family_bruteratel -
Executes dropped EXE 64 IoCs
pid Process 2964 Jdcpkp32.exe 2652 Jhoklnkg.exe 2056 Joidhh32.exe 2548 Jagpdd32.exe 2476 Jhahanie.exe 2912 Jajmjcoe.exe 864 Jpmmfp32.exe 1628 Kalipcmb.exe 2340 Kdkelolf.exe 2164 Kigndekn.exe 2720 Klfjpa32.exe 316 Kenoifpb.exe 3024 Kijkje32.exe 1992 Kgnkci32.exe 2284 Kilgoe32.exe 1832 Koipglep.exe 956 Kechdf32.exe 1268 Klmqapci.exe 3008 Kkpqlm32.exe 1104 Kajiigba.exe 1940 Ldheebad.exe 1716 Lkbmbl32.exe 2856 Lnqjnhge.exe 3048 Ldjbkb32.exe 1004 Lhfnkqgk.exe 2552 Lkdjglfo.exe 1588 Lncfcgeb.exe 2528 Ljigih32.exe 2452 Laqojfli.exe 2408 Ldokfakl.exe 1492 Lgngbmjp.exe 776 Ldahkaij.exe 1612 Lcdhgn32.exe 2020 Mphiqbon.exe 1160 Mokilo32.exe 2196 Mgbaml32.exe 2372 Mhcmedli.exe 1292 Mciabmlo.exe 2772 Mfgnnhkc.exe 3000 Mopbgn32.exe 1088 Mcknhm32.exe 2400 Mobomnoq.exe 2368 Mbqkiind.exe 1532 Mgmdapml.exe 1944 Modlbmmn.exe 2124 Mimpkcdn.exe 1680 Ngpqfp32.exe 1984 Nqhepeai.exe 2572 Ncfalqpm.exe 2656 Ngbmlo32.exe 2600 Nknimnap.exe 2428 Nmofdf32.exe 2464 Nqjaeeog.exe 1936 Ncinap32.exe 2336 Ngdjaofc.exe 1312 Nmabjfek.exe 840 Nppofado.exe 268 Nggggoda.exe 1480 Nfigck32.exe 444 Njeccjcd.exe 2472 Nqokpd32.exe 920 Ncmglp32.exe 1768 Nbpghl32.exe 2140 Njgpij32.exe -
Loads dropped DLL 64 IoCs
pid Process 2812 da703e846917281284bdf1fd770b44a27a6f895339fea583e060f54163042390.exe 2812 da703e846917281284bdf1fd770b44a27a6f895339fea583e060f54163042390.exe 2964 Jdcpkp32.exe 2964 Jdcpkp32.exe 2652 Jhoklnkg.exe 2652 Jhoklnkg.exe 2056 Joidhh32.exe 2056 Joidhh32.exe 2548 Jagpdd32.exe 2548 Jagpdd32.exe 2476 Jhahanie.exe 2476 Jhahanie.exe 2912 Jajmjcoe.exe 2912 Jajmjcoe.exe 864 Jpmmfp32.exe 864 Jpmmfp32.exe 1628 Kalipcmb.exe 1628 Kalipcmb.exe 2340 Kdkelolf.exe 2340 Kdkelolf.exe 2164 Kigndekn.exe 2164 Kigndekn.exe 2720 Klfjpa32.exe 2720 Klfjpa32.exe 316 Kenoifpb.exe 316 Kenoifpb.exe 3024 Kijkje32.exe 3024 Kijkje32.exe 1992 Kgnkci32.exe 1992 Kgnkci32.exe 2284 Kilgoe32.exe 2284 Kilgoe32.exe 1832 Koipglep.exe 1832 Koipglep.exe 956 Kechdf32.exe 956 Kechdf32.exe 1268 Klmqapci.exe 1268 Klmqapci.exe 3008 Kkpqlm32.exe 3008 Kkpqlm32.exe 1104 Kajiigba.exe 1104 Kajiigba.exe 1940 Ldheebad.exe 1940 Ldheebad.exe 1716 Lkbmbl32.exe 1716 Lkbmbl32.exe 2856 Lnqjnhge.exe 2856 Lnqjnhge.exe 3048 Ldjbkb32.exe 3048 Ldjbkb32.exe 1004 Lhfnkqgk.exe 1004 Lhfnkqgk.exe 2552 Lkdjglfo.exe 2552 Lkdjglfo.exe 1588 Lncfcgeb.exe 1588 Lncfcgeb.exe 2528 Ljigih32.exe 2528 Ljigih32.exe 2452 Laqojfli.exe 2452 Laqojfli.exe 2408 Ldokfakl.exe 2408 Ldokfakl.exe 1492 Lgngbmjp.exe 1492 Lgngbmjp.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Glnhjjml.exe Ghbljk32.exe File created C:\Windows\SysWOW64\Injqmdki.exe Iogpag32.exe File created C:\Windows\SysWOW64\Jimdcqom.exe Jfohgepi.exe File created C:\Windows\SysWOW64\Ppdbln32.dll Loclai32.exe File created C:\Windows\SysWOW64\Nqjaeeog.exe Nmofdf32.exe File created C:\Windows\SysWOW64\Dcoaml32.dll Aclpaali.exe File created C:\Windows\SysWOW64\Cfoaho32.exe Ccpeld32.exe File opened for modification C:\Windows\SysWOW64\Epbbkf32.exe Elgfkhpi.exe File created C:\Windows\SysWOW64\Kigndekn.exe Kdkelolf.exe File created C:\Windows\SysWOW64\Dmlqdp32.dll Mimpkcdn.exe File opened for modification C:\Windows\SysWOW64\Kkojbf32.exe Kgcnahoo.exe File opened for modification C:\Windows\SysWOW64\Omhhke32.exe Oeaqig32.exe File created C:\Windows\SysWOW64\Fkaamgeg.dll Injqmdki.exe File created C:\Windows\SysWOW64\Igebkiof.exe Icifjk32.exe File created C:\Windows\SysWOW64\Aiomcb32.dll Keioca32.exe File created C:\Windows\SysWOW64\Jfehcipm.dll Koipglep.exe File created C:\Windows\SysWOW64\Ckkhdaei.dll Giolnomh.exe File opened for modification C:\Windows\SysWOW64\Hadcipbi.exe Hnhgha32.exe File created C:\Windows\SysWOW64\Faibdo32.dll Hnkdnqhm.exe File created C:\Windows\SysWOW64\Dkdmfe32.exe Difqji32.exe File created C:\Windows\SysWOW64\Pdbampij.dll Eeojcmfi.exe File opened for modification C:\Windows\SysWOW64\Jpepkk32.exe Jmfcop32.exe File created C:\Windows\SysWOW64\Jbclgf32.exe Jpepkk32.exe File opened for modification C:\Windows\SysWOW64\Kipmhc32.exe Kfaalh32.exe File opened for modification C:\Windows\SysWOW64\Aognbnkm.exe Aklabp32.exe File created C:\Windows\SysWOW64\Apmcefmf.exe Alageg32.exe File created C:\Windows\SysWOW64\Iogpag32.exe Ikldqile.exe File created C:\Windows\SysWOW64\Caefjg32.dll Kekkiq32.exe File created C:\Windows\SysWOW64\Aacmij32.exe Qoeamo32.exe File created C:\Windows\SysWOW64\Ikdngobg.dll Fihfnp32.exe File created C:\Windows\SysWOW64\Aonalffc.dll Iocgfhhc.exe File created C:\Windows\SysWOW64\Aehlpleg.dll Kijkje32.exe File created C:\Windows\SysWOW64\Dijdkh32.dll Emoldlmc.exe File opened for modification C:\Windows\SysWOW64\Lhiddoph.exe Lekghdad.exe File created C:\Windows\SysWOW64\Ngdjaofc.exe Ncinap32.exe File created C:\Windows\SysWOW64\Bfcodkcb.exe Bbhccm32.exe File opened for modification C:\Windows\SysWOW64\Hgciff32.exe Hddmjk32.exe File created C:\Windows\SysWOW64\Kocpbfei.exe Klecfkff.exe File opened for modification C:\Windows\SysWOW64\Ldokfakl.exe Laqojfli.exe File created C:\Windows\SysWOW64\Bipalg32.dll Mfgnnhkc.exe File created C:\Windows\SysWOW64\Olkifaen.exe Omhhke32.exe File created C:\Windows\SysWOW64\Dggajf32.dll Olkifaen.exe File opened for modification C:\Windows\SysWOW64\Coicfd32.exe Cmkfji32.exe File created C:\Windows\SysWOW64\Ikgkei32.exe Hjfnnajl.exe File opened for modification C:\Windows\SysWOW64\Dncibp32.exe Dkdmfe32.exe File opened for modification C:\Windows\SysWOW64\Dgnjqe32.exe Deondj32.exe File created C:\Windows\SysWOW64\Hgqlafap.exe Hdbpekam.exe File created C:\Windows\SysWOW64\Kadica32.exe Koflgf32.exe File created C:\Windows\SysWOW64\Jlhdnf32.dll Pddjlb32.exe File created C:\Windows\SysWOW64\Paocnkph.exe Popgboae.exe File created C:\Windows\SysWOW64\Ahmefdcp.exe Aacmij32.exe File created C:\Windows\SysWOW64\Qhihii32.dll Cdmepgce.exe File opened for modification C:\Windows\SysWOW64\Ladebd32.exe Lofifi32.exe File created C:\Windows\SysWOW64\Ckpckece.exe Cjogcm32.exe File opened for modification C:\Windows\SysWOW64\Eemnnn32.exe Efjmbaba.exe File created C:\Windows\SysWOW64\Mobomnoq.exe Mcknhm32.exe File created C:\Windows\SysWOW64\Mkehop32.dll Kjeglh32.exe File created C:\Windows\SysWOW64\Nidjhoea.dll Fhdmph32.exe File opened for modification C:\Windows\SysWOW64\Gdkjdl32.exe Gamnhq32.exe File created C:\Windows\SysWOW64\Eplpdepa.dll Jbhebfck.exe File created C:\Windows\SysWOW64\Mflcaaja.dll Mphiqbon.exe File opened for modification C:\Windows\SysWOW64\Nknimnap.exe Ngbmlo32.exe File created C:\Windows\SysWOW64\Nekkhdgo.dll Nqjaeeog.exe File opened for modification C:\Windows\SysWOW64\Dnefhpma.exe Dlgjldnm.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5020 4768 WerFault.exe 426 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbpghl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdmepgce.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhpgfeao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebckmaec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Goldfelp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lncfcgeb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmabjfek.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Loaokjjg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkpglbaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhbpkh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkhbgbkc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifolhann.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iknafhjb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nqhepeai.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajhddk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ciokijfd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmppehkh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejcmmp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hoqjqhjf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohfcfb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oflpgnld.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qoeamo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkbdabog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eikfdl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcjilgdb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhiddoph.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kajiigba.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bknjfb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qldhkc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdkhjgeh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Coicfd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpklkgoj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jimdcqom.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Modlbmmn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncfalqpm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gecpnp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hklhae32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phfoee32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Popgboae.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgknkf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Giolnomh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hadcipbi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfjbmb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncmglp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ponklpcg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfaeme32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nggggoda.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjhabndo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaagcpdl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibacbcgg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nppofado.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apmcefmf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flnlkgjq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdkjdl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efedga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fahhnn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdppqbkn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bddbjhlp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Daaenlng.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghbljk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkgoff32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpgmpk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljigih32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncpdbohb.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hailie32.dll" Qdompf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lqahpi32.dll" Dgknkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Klcgpkhh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Joidhh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngohbhce.dll" Ngbmlo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liefaj32.dll" Nppofado.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pdbmfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cmppehkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hqiqjlga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qaamhelq.dll" Lghgmg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Edidqf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ldgnklmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eojlbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Moibemdg.dll" Gecpnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hnkdnqhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jfohgepi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnllhjif.dll" Jpmmfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdiedagc.dll" Oniebmda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ofqmcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnebcjoe.dll" Pehcij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mobafhlg.dll" Jnofgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnnikfij.dll" Kenhopmf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lhiddoph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Heloek32.dll" Cfanmogq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjcijlpq.dll" Hgciff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kfodfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lekghdad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dggajf32.dll" Olkifaen.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Elgfkhpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjcccnbp.dll" Iediin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jfjolf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jfaeme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Caefjg32.dll" Kekkiq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jhahanie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bhdhefpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fihfnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbdofg32.dll" Hkjkle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpnghhmn.dll" Kmfpmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cggioi32.dll" Fmdbnnlj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nqhepeai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bbllnlfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eckfklnl.dll" Daaenlng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qndhjl32.dll" Ebqngb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Imggplgm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Igebkiof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jmipdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nqokpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkcfefdg.dll" Qobdgo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ccnifd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ccpeld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljphmekn.dll" Lhiddoph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aehlpleg.dll" Kijkje32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Olpbaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bbhccm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cocajj32.dll" Ebckmaec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cjogcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ghibjjnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iknafhjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jggoqimd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ncfalqpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkidliln.dll" Ncinap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pehcij32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bjedmo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Difqji32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2812 wrote to memory of 2964 2812 da703e846917281284bdf1fd770b44a27a6f895339fea583e060f54163042390.exe 29 PID 2812 wrote to memory of 2964 2812 da703e846917281284bdf1fd770b44a27a6f895339fea583e060f54163042390.exe 29 PID 2812 wrote to memory of 2964 2812 da703e846917281284bdf1fd770b44a27a6f895339fea583e060f54163042390.exe 29 PID 2812 wrote to memory of 2964 2812 da703e846917281284bdf1fd770b44a27a6f895339fea583e060f54163042390.exe 29 PID 2964 wrote to memory of 2652 2964 Jdcpkp32.exe 30 PID 2964 wrote to memory of 2652 2964 Jdcpkp32.exe 30 PID 2964 wrote to memory of 2652 2964 Jdcpkp32.exe 30 PID 2964 wrote to memory of 2652 2964 Jdcpkp32.exe 30 PID 2652 wrote to memory of 2056 2652 Jhoklnkg.exe 31 PID 2652 wrote to memory of 2056 2652 Jhoklnkg.exe 31 PID 2652 wrote to memory of 2056 2652 Jhoklnkg.exe 31 PID 2652 wrote to memory of 2056 2652 Jhoklnkg.exe 31 PID 2056 wrote to memory of 2548 2056 Joidhh32.exe 32 PID 2056 wrote to memory of 2548 2056 Joidhh32.exe 32 PID 2056 wrote to memory of 2548 2056 Joidhh32.exe 32 PID 2056 wrote to memory of 2548 2056 Joidhh32.exe 32 PID 2548 wrote to memory of 2476 2548 Jagpdd32.exe 33 PID 2548 wrote to memory of 2476 2548 Jagpdd32.exe 33 PID 2548 wrote to memory of 2476 2548 Jagpdd32.exe 33 PID 2548 wrote to memory of 2476 2548 Jagpdd32.exe 33 PID 2476 wrote to memory of 2912 2476 Jhahanie.exe 34 PID 2476 wrote to memory of 2912 2476 Jhahanie.exe 34 PID 2476 wrote to memory of 2912 2476 Jhahanie.exe 34 PID 2476 wrote to memory of 2912 2476 Jhahanie.exe 34 PID 2912 wrote to memory of 864 2912 Jajmjcoe.exe 35 PID 2912 wrote to memory of 864 2912 Jajmjcoe.exe 35 PID 2912 wrote to memory of 864 2912 Jajmjcoe.exe 35 PID 2912 wrote to memory of 864 2912 Jajmjcoe.exe 35 PID 864 wrote to memory of 1628 864 Jpmmfp32.exe 36 PID 864 wrote to memory of 1628 864 Jpmmfp32.exe 36 PID 864 wrote to memory of 1628 864 Jpmmfp32.exe 36 PID 864 wrote to memory of 1628 864 Jpmmfp32.exe 36 PID 1628 wrote to memory of 2340 1628 Kalipcmb.exe 37 PID 1628 wrote to memory of 2340 1628 Kalipcmb.exe 37 PID 1628 wrote to memory of 2340 1628 Kalipcmb.exe 37 PID 1628 wrote to memory of 2340 1628 Kalipcmb.exe 37 PID 2340 wrote to memory of 2164 2340 Kdkelolf.exe 38 PID 2340 wrote to memory of 2164 2340 Kdkelolf.exe 38 PID 2340 wrote to memory of 2164 2340 Kdkelolf.exe 38 PID 2340 wrote to memory of 2164 2340 Kdkelolf.exe 38 PID 2164 wrote to memory of 2720 2164 Kigndekn.exe 39 PID 2164 wrote to memory of 2720 2164 Kigndekn.exe 39 PID 2164 wrote to memory of 2720 2164 Kigndekn.exe 39 PID 2164 wrote to memory of 2720 2164 Kigndekn.exe 39 PID 2720 wrote to memory of 316 2720 Klfjpa32.exe 40 PID 2720 wrote to memory of 316 2720 Klfjpa32.exe 40 PID 2720 wrote to memory of 316 2720 Klfjpa32.exe 40 PID 2720 wrote to memory of 316 2720 Klfjpa32.exe 40 PID 316 wrote to memory of 3024 316 Kenoifpb.exe 41 PID 316 wrote to memory of 3024 316 Kenoifpb.exe 41 PID 316 wrote to memory of 3024 316 Kenoifpb.exe 41 PID 316 wrote to memory of 3024 316 Kenoifpb.exe 41 PID 3024 wrote to memory of 1992 3024 Kijkje32.exe 42 PID 3024 wrote to memory of 1992 3024 Kijkje32.exe 42 PID 3024 wrote to memory of 1992 3024 Kijkje32.exe 42 PID 3024 wrote to memory of 1992 3024 Kijkje32.exe 42 PID 1992 wrote to memory of 2284 1992 Kgnkci32.exe 43 PID 1992 wrote to memory of 2284 1992 Kgnkci32.exe 43 PID 1992 wrote to memory of 2284 1992 Kgnkci32.exe 43 PID 1992 wrote to memory of 2284 1992 Kgnkci32.exe 43 PID 2284 wrote to memory of 1832 2284 Kilgoe32.exe 44 PID 2284 wrote to memory of 1832 2284 Kilgoe32.exe 44 PID 2284 wrote to memory of 1832 2284 Kilgoe32.exe 44 PID 2284 wrote to memory of 1832 2284 Kilgoe32.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\da703e846917281284bdf1fd770b44a27a6f895339fea583e060f54163042390.exe"C:\Users\Admin\AppData\Local\Temp\da703e846917281284bdf1fd770b44a27a6f895339fea583e060f54163042390.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2812 -
C:\Windows\SysWOW64\Jdcpkp32.exeC:\Windows\system32\Jdcpkp32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2964 -
C:\Windows\SysWOW64\Jhoklnkg.exeC:\Windows\system32\Jhoklnkg.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2652 -
C:\Windows\SysWOW64\Joidhh32.exeC:\Windows\system32\Joidhh32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2056 -
C:\Windows\SysWOW64\Jagpdd32.exeC:\Windows\system32\Jagpdd32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2548 -
C:\Windows\SysWOW64\Jhahanie.exeC:\Windows\system32\Jhahanie.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2476 -
C:\Windows\SysWOW64\Jajmjcoe.exeC:\Windows\system32\Jajmjcoe.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2912 -
C:\Windows\SysWOW64\Jpmmfp32.exeC:\Windows\system32\Jpmmfp32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:864 -
C:\Windows\SysWOW64\Kalipcmb.exeC:\Windows\system32\Kalipcmb.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1628 -
C:\Windows\SysWOW64\Kdkelolf.exeC:\Windows\system32\Kdkelolf.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2340 -
C:\Windows\SysWOW64\Kigndekn.exeC:\Windows\system32\Kigndekn.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2164 -
C:\Windows\SysWOW64\Klfjpa32.exeC:\Windows\system32\Klfjpa32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2720 -
C:\Windows\SysWOW64\Kenoifpb.exeC:\Windows\system32\Kenoifpb.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:316 -
C:\Windows\SysWOW64\Kijkje32.exeC:\Windows\system32\Kijkje32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3024 -
C:\Windows\SysWOW64\Kgnkci32.exeC:\Windows\system32\Kgnkci32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1992 -
C:\Windows\SysWOW64\Kilgoe32.exeC:\Windows\system32\Kilgoe32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2284 -
C:\Windows\SysWOW64\Koipglep.exeC:\Windows\system32\Koipglep.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1832 -
C:\Windows\SysWOW64\Kechdf32.exeC:\Windows\system32\Kechdf32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:956 -
C:\Windows\SysWOW64\Klmqapci.exeC:\Windows\system32\Klmqapci.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1268 -
C:\Windows\SysWOW64\Kkpqlm32.exeC:\Windows\system32\Kkpqlm32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3008 -
C:\Windows\SysWOW64\Kajiigba.exeC:\Windows\system32\Kajiigba.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1104 -
C:\Windows\SysWOW64\Ldheebad.exeC:\Windows\system32\Ldheebad.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1940 -
C:\Windows\SysWOW64\Lkbmbl32.exeC:\Windows\system32\Lkbmbl32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1716 -
C:\Windows\SysWOW64\Lnqjnhge.exeC:\Windows\system32\Lnqjnhge.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2856 -
C:\Windows\SysWOW64\Ldjbkb32.exeC:\Windows\system32\Ldjbkb32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3048 -
C:\Windows\SysWOW64\Lhfnkqgk.exeC:\Windows\system32\Lhfnkqgk.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1004 -
C:\Windows\SysWOW64\Lkdjglfo.exeC:\Windows\system32\Lkdjglfo.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2552 -
C:\Windows\SysWOW64\Lncfcgeb.exeC:\Windows\system32\Lncfcgeb.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1588 -
C:\Windows\SysWOW64\Ljigih32.exeC:\Windows\system32\Ljigih32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2528 -
C:\Windows\SysWOW64\Laqojfli.exeC:\Windows\system32\Laqojfli.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2452 -
C:\Windows\SysWOW64\Ldokfakl.exeC:\Windows\system32\Ldokfakl.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2408 -
C:\Windows\SysWOW64\Lgngbmjp.exeC:\Windows\system32\Lgngbmjp.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1492 -
C:\Windows\SysWOW64\Ldahkaij.exeC:\Windows\system32\Ldahkaij.exe33⤵
- Executes dropped EXE
PID:776 -
C:\Windows\SysWOW64\Lcdhgn32.exeC:\Windows\system32\Lcdhgn32.exe34⤵
- Executes dropped EXE
PID:1612 -
C:\Windows\SysWOW64\Mphiqbon.exeC:\Windows\system32\Mphiqbon.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2020 -
C:\Windows\SysWOW64\Mokilo32.exeC:\Windows\system32\Mokilo32.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1160 -
C:\Windows\SysWOW64\Mgbaml32.exeC:\Windows\system32\Mgbaml32.exe37⤵
- Executes dropped EXE
PID:2196 -
C:\Windows\SysWOW64\Mhcmedli.exeC:\Windows\system32\Mhcmedli.exe38⤵
- Executes dropped EXE
PID:2372 -
C:\Windows\SysWOW64\Mciabmlo.exeC:\Windows\system32\Mciabmlo.exe39⤵
- Executes dropped EXE
PID:1292 -
C:\Windows\SysWOW64\Mfgnnhkc.exeC:\Windows\system32\Mfgnnhkc.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2772 -
C:\Windows\SysWOW64\Mopbgn32.exeC:\Windows\system32\Mopbgn32.exe41⤵
- Executes dropped EXE
PID:3000 -
C:\Windows\SysWOW64\Mcknhm32.exeC:\Windows\system32\Mcknhm32.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1088 -
C:\Windows\SysWOW64\Mobomnoq.exeC:\Windows\system32\Mobomnoq.exe43⤵
- Executes dropped EXE
PID:2400 -
C:\Windows\SysWOW64\Mbqkiind.exeC:\Windows\system32\Mbqkiind.exe44⤵
- Executes dropped EXE
PID:2368 -
C:\Windows\SysWOW64\Mgmdapml.exeC:\Windows\system32\Mgmdapml.exe45⤵
- Executes dropped EXE
PID:1532 -
C:\Windows\SysWOW64\Modlbmmn.exeC:\Windows\system32\Modlbmmn.exe46⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1944 -
C:\Windows\SysWOW64\Mimpkcdn.exeC:\Windows\system32\Mimpkcdn.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2124 -
C:\Windows\SysWOW64\Ngpqfp32.exeC:\Windows\system32\Ngpqfp32.exe48⤵
- Executes dropped EXE
PID:1680 -
C:\Windows\SysWOW64\Nqhepeai.exeC:\Windows\system32\Nqhepeai.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1984 -
C:\Windows\SysWOW64\Ncfalqpm.exeC:\Windows\system32\Ncfalqpm.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2572 -
C:\Windows\SysWOW64\Ngbmlo32.exeC:\Windows\system32\Ngbmlo32.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2656 -
C:\Windows\SysWOW64\Nknimnap.exeC:\Windows\system32\Nknimnap.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2600 -
C:\Windows\SysWOW64\Nmofdf32.exeC:\Windows\system32\Nmofdf32.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2428 -
C:\Windows\SysWOW64\Nqjaeeog.exeC:\Windows\system32\Nqjaeeog.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2464 -
C:\Windows\SysWOW64\Ncinap32.exeC:\Windows\system32\Ncinap32.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1936 -
C:\Windows\SysWOW64\Ngdjaofc.exeC:\Windows\system32\Ngdjaofc.exe56⤵
- Executes dropped EXE
PID:2336 -
C:\Windows\SysWOW64\Nmabjfek.exeC:\Windows\system32\Nmabjfek.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1312 -
C:\Windows\SysWOW64\Nppofado.exeC:\Windows\system32\Nppofado.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:840 -
C:\Windows\SysWOW64\Nggggoda.exeC:\Windows\system32\Nggggoda.exe59⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:268 -
C:\Windows\SysWOW64\Nfigck32.exeC:\Windows\system32\Nfigck32.exe60⤵
- Executes dropped EXE
PID:1480 -
C:\Windows\SysWOW64\Njeccjcd.exeC:\Windows\system32\Njeccjcd.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:444 -
C:\Windows\SysWOW64\Nqokpd32.exeC:\Windows\system32\Nqokpd32.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:2472 -
C:\Windows\SysWOW64\Ncmglp32.exeC:\Windows\system32\Ncmglp32.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:920 -
C:\Windows\SysWOW64\Nbpghl32.exeC:\Windows\system32\Nbpghl32.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1768 -
C:\Windows\SysWOW64\Njgpij32.exeC:\Windows\system32\Njgpij32.exe65⤵
- Executes dropped EXE
PID:2140 -
C:\Windows\SysWOW64\Nmflee32.exeC:\Windows\system32\Nmflee32.exe66⤵PID:1528
-
C:\Windows\SysWOW64\Nlilqbgp.exeC:\Windows\system32\Nlilqbgp.exe67⤵PID:2764
-
C:\Windows\SysWOW64\Ncpdbohb.exeC:\Windows\system32\Ncpdbohb.exe68⤵
- System Location Discovery: System Language Discovery
PID:1584 -
C:\Windows\SysWOW64\Oeaqig32.exeC:\Windows\system32\Oeaqig32.exe69⤵
- Drops file in System32 directory
PID:1692 -
C:\Windows\SysWOW64\Omhhke32.exeC:\Windows\system32\Omhhke32.exe70⤵
- Drops file in System32 directory
PID:2440 -
C:\Windows\SysWOW64\Olkifaen.exeC:\Windows\system32\Olkifaen.exe71⤵
- Drops file in System32 directory
- Modifies registry class
PID:2532 -
C:\Windows\SysWOW64\Oniebmda.exeC:\Windows\system32\Oniebmda.exe72⤵
- Modifies registry class
PID:2144 -
C:\Windows\SysWOW64\Ofqmcj32.exeC:\Windows\system32\Ofqmcj32.exe73⤵
- Modifies registry class
PID:1620 -
C:\Windows\SysWOW64\Oioipf32.exeC:\Windows\system32\Oioipf32.exe74⤵PID:1436
-
C:\Windows\SysWOW64\Olmela32.exeC:\Windows\system32\Olmela32.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1848 -
C:\Windows\SysWOW64\Obgnhkkh.exeC:\Windows\system32\Obgnhkkh.exe76⤵PID:1784
-
C:\Windows\SysWOW64\Oajndh32.exeC:\Windows\system32\Oajndh32.exe77⤵PID:816
-
C:\Windows\SysWOW64\Oiafee32.exeC:\Windows\system32\Oiafee32.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1520 -
C:\Windows\SysWOW64\Olpbaa32.exeC:\Windows\system32\Olpbaa32.exe79⤵
- Modifies registry class
PID:2028 -
C:\Windows\SysWOW64\Onnnml32.exeC:\Windows\system32\Onnnml32.exe80⤵PID:1596
-
C:\Windows\SysWOW64\Objjnkie.exeC:\Windows\system32\Objjnkie.exe81⤵PID:2988
-
C:\Windows\SysWOW64\Oehgjfhi.exeC:\Windows\system32\Oehgjfhi.exe82⤵PID:1040
-
C:\Windows\SysWOW64\Ohfcfb32.exeC:\Windows\system32\Ohfcfb32.exe83⤵
- System Location Discovery: System Language Discovery
PID:564 -
C:\Windows\SysWOW64\Ojeobm32.exeC:\Windows\system32\Ojeobm32.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1456 -
C:\Windows\SysWOW64\Onqkclni.exeC:\Windows\system32\Onqkclni.exe85⤵PID:2448
-
C:\Windows\SysWOW64\Omckoi32.exeC:\Windows\system32\Omckoi32.exe86⤵PID:2684
-
C:\Windows\SysWOW64\Oejcpf32.exeC:\Windows\system32\Oejcpf32.exe87⤵PID:2916
-
C:\Windows\SysWOW64\Odmckcmq.exeC:\Windows\system32\Odmckcmq.exe88⤵PID:2348
-
C:\Windows\SysWOW64\Oflpgnld.exeC:\Windows\system32\Oflpgnld.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1032 -
C:\Windows\SysWOW64\Pnchhllf.exeC:\Windows\system32\Pnchhllf.exe90⤵PID:2776
-
C:\Windows\SysWOW64\Paaddgkj.exeC:\Windows\system32\Paaddgkj.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1788 -
C:\Windows\SysWOW64\Pdppqbkn.exeC:\Windows\system32\Pdppqbkn.exe92⤵
- System Location Discovery: System Language Discovery
PID:3028 -
C:\Windows\SysWOW64\Pfnmmn32.exeC:\Windows\system32\Pfnmmn32.exe93⤵PID:2624
-
C:\Windows\SysWOW64\Piliii32.exeC:\Windows\system32\Piliii32.exe94⤵PID:1344
-
C:\Windows\SysWOW64\Pacajg32.exeC:\Windows\system32\Pacajg32.exe95⤵PID:2952
-
C:\Windows\SysWOW64\Pdbmfb32.exeC:\Windows\system32\Pdbmfb32.exe96⤵
- Modifies registry class
PID:1980 -
C:\Windows\SysWOW64\Pfpibn32.exeC:\Windows\system32\Pfpibn32.exe97⤵PID:692
-
C:\Windows\SysWOW64\Pjleclph.exeC:\Windows\system32\Pjleclph.exe98⤵PID:3040
-
C:\Windows\SysWOW64\Pmjaohol.exeC:\Windows\system32\Pmjaohol.exe99⤵PID:2892
-
C:\Windows\SysWOW64\Ppinkcnp.exeC:\Windows\system32\Ppinkcnp.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1952 -
C:\Windows\SysWOW64\Pddjlb32.exeC:\Windows\system32\Pddjlb32.exe101⤵
- Drops file in System32 directory
PID:2156 -
C:\Windows\SysWOW64\Pfbfhm32.exeC:\Windows\system32\Pfbfhm32.exe102⤵PID:1368
-
C:\Windows\SysWOW64\Piabdiep.exeC:\Windows\system32\Piabdiep.exe103⤵PID:1760
-
C:\Windows\SysWOW64\Plpopddd.exeC:\Windows\system32\Plpopddd.exe104⤵PID:2392
-
C:\Windows\SysWOW64\Ponklpcg.exeC:\Windows\system32\Ponklpcg.exe105⤵
- System Location Discovery: System Language Discovery
PID:1140 -
C:\Windows\SysWOW64\Pfebnmcj.exeC:\Windows\system32\Pfebnmcj.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1752 -
C:\Windows\SysWOW64\Pehcij32.exeC:\Windows\system32\Pehcij32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2956 -
C:\Windows\SysWOW64\Phfoee32.exeC:\Windows\system32\Phfoee32.exe108⤵
- System Location Discovery: System Language Discovery
PID:568 -
C:\Windows\SysWOW64\Ppmgfb32.exeC:\Windows\system32\Ppmgfb32.exe109⤵PID:2664
-
C:\Windows\SysWOW64\Popgboae.exeC:\Windows\system32\Popgboae.exe110⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2460 -
C:\Windows\SysWOW64\Paocnkph.exeC:\Windows\system32\Paocnkph.exe111⤵PID:2384
-
C:\Windows\SysWOW64\Qiflohqk.exeC:\Windows\system32\Qiflohqk.exe112⤵PID:1816
-
C:\Windows\SysWOW64\Qldhkc32.exeC:\Windows\system32\Qldhkc32.exe113⤵
- System Location Discovery: System Language Discovery
PID:588 -
C:\Windows\SysWOW64\Qobdgo32.exeC:\Windows\system32\Qobdgo32.exe114⤵
- Modifies registry class
PID:768 -
C:\Windows\SysWOW64\Qaapcj32.exeC:\Windows\system32\Qaapcj32.exe115⤵PID:2268
-
C:\Windows\SysWOW64\Qdompf32.exeC:\Windows\system32\Qdompf32.exe116⤵
- Modifies registry class
PID:2960 -
C:\Windows\SysWOW64\Qhkipdeb.exeC:\Windows\system32\Qhkipdeb.exe117⤵PID:2112
-
C:\Windows\SysWOW64\Qlfdac32.exeC:\Windows\system32\Qlfdac32.exe118⤵PID:900
-
C:\Windows\SysWOW64\Qoeamo32.exeC:\Windows\system32\Qoeamo32.exe119⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1972 -
C:\Windows\SysWOW64\Aacmij32.exeC:\Windows\system32\Aacmij32.exe120⤵
- Drops file in System32 directory
PID:2692 -
C:\Windows\SysWOW64\Ahmefdcp.exeC:\Windows\system32\Ahmefdcp.exe121⤵PID:1792
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-