Analysis
-
max time kernel
46s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
02-02-2025 15:30
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
7491ff0033f659a50581565995a94b93d2bf6d09c0effca9d978f0f1b6f89a15.exe
Resource
win7-20240903-en
windows7-x64
13 signatures
120 seconds
Behavioral task
behavioral2
Sample
7491ff0033f659a50581565995a94b93d2bf6d09c0effca9d978f0f1b6f89a15.exe
Resource
win10v2004-20250129-en
windows10-2004-x64
9 signatures
120 seconds
General
-
Target
7491ff0033f659a50581565995a94b93d2bf6d09c0effca9d978f0f1b6f89a15.exe
-
Size
96KB
-
MD5
6a532394ab96329560be6d45d00e057d
-
SHA1
f3043741081f7c089f260fa0eaa10525ad5d1069
-
SHA256
7491ff0033f659a50581565995a94b93d2bf6d09c0effca9d978f0f1b6f89a15
-
SHA512
c2ccba4a6078016e24b59ee4509dcd80210fbe3ea45607f3f19321c9f16e87973710f40389633b046c54cf7842626ed9dfa25e0bdaeaef06c34f50ca7c2996cb
-
SSDEEP
1536:zEedhlFQxcyq2VYstMLt6h0T8XAhSjjCn0sSsLkP2Le7RZObZUUWaegPYAS:zXpzyExGjwSsLkUeClUUWae/
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aeggbbci.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjfcpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mfdopp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnaiol32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbdiia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Felajbpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfdkoc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pecgea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dknajh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcphnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fcbecl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggkqmoma.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lobgoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dkfbfjdf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Daipqhdg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdhcli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qkfocaki.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ipjahd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Neiaeiii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dchmkkkj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkpbdq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Necogkbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Amfognic.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjlioj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pidfdofi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nagbgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jfliim32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bleeioil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mjcaimgg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcllbhdn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfkhndca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jkhldafl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Npmphinm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddblgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gfhgpg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcbabpcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jeafjiop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhckfkbh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gghmmilh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Noljjglk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pqnlhpfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fbpbpkpj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpnmgdli.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apedah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edcnakpa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fofbhgde.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eoblnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkoobhhg.exe -
Berbew family
-
Brute Ratel C4
A customized command and control framework for red teaming and adversary simulation.
-
Bruteratel family
-
Detect BruteRatel badger 4 IoCs
resource yara_rule behavioral1/files/0x0003000000020848-4911.dat family_bruteratel behavioral1/files/0x000300000002084b-4919.dat family_bruteratel behavioral1/files/0x00030000000216f1-10851.dat family_bruteratel behavioral1/files/0x0003000000021b52-13016.dat family_bruteratel -
Executes dropped EXE 64 IoCs
pid Process 1736 Jjomgo32.exe 2344 Jlmicj32.exe 2800 Jjaimn32.exe 2728 Jkbfdfbm.exe 2636 Jblnaq32.exe 2712 Jhffnk32.exe 2676 Jkebjf32.exe 1760 Kncofa32.exe 1436 Kdmgclfk.exe 2588 Khiccj32.exe 2992 Kqdhhm32.exe 2184 Khkpijma.exe 2548 Kjllab32.exe 2424 Kdbpnk32.exe 3036 Kgpmjf32.exe 324 Kmmebm32.exe 2216 Kcgmoggn.exe 1708 Kfeikcfa.exe 328 Kmobhmnn.exe 1020 Kqknil32.exe 2328 Kgefefnd.exe 1920 Lmbonmll.exe 2116 Lopkjhko.exe 2528 Lclgjg32.exe 3068 Ljfogake.exe 2408 Lihobnap.exe 1520 Lbackc32.exe 2104 Lmfhil32.exe 2872 Leammn32.exe 2792 Liminmmk.exe 2772 Lnjafd32.exe 2672 Lipecm32.exe 2188 Mbhjlbbh.exe 2972 Meffhnal.exe 2948 Mmakmp32.exe 2984 Meicnm32.exe 2304 Mfjoeeeh.exe 2016 Mnaggcej.exe 1612 Mhilph32.exe 3032 Mjhhld32.exe 980 Mbcmpfhi.exe 2020 Mjjdacik.exe 836 Mimemp32.exe 680 Mlkail32.exe 888 Mfaefd32.exe 1900 Mioabp32.exe 2484 Noljjglk.exe 1780 Nbhfke32.exe 1928 Nfcbldmm.exe 2896 Nianhplq.exe 1624 Nlpkdkkd.exe 2824 Nplfdj32.exe 2880 Nbjcqe32.exe 3012 Nehomq32.exe 2620 Nidkmojn.exe 2296 Nlbgikia.exe 1236 Noacef32.exe 2900 Nblpfepo.exe 1768 Neklbppb.exe 1884 Ndnlnm32.exe 952 Nledoj32.exe 1016 Nocpkf32.exe 2236 Nmfqgbmm.exe 1448 Nemhhpmp.exe -
Loads dropped DLL 64 IoCs
pid Process 2684 7491ff0033f659a50581565995a94b93d2bf6d09c0effca9d978f0f1b6f89a15.exe 2684 7491ff0033f659a50581565995a94b93d2bf6d09c0effca9d978f0f1b6f89a15.exe 1736 Jjomgo32.exe 1736 Jjomgo32.exe 2344 Jlmicj32.exe 2344 Jlmicj32.exe 2800 Jjaimn32.exe 2800 Jjaimn32.exe 2728 Jkbfdfbm.exe 2728 Jkbfdfbm.exe 2636 Jblnaq32.exe 2636 Jblnaq32.exe 2712 Jhffnk32.exe 2712 Jhffnk32.exe 2676 Jkebjf32.exe 2676 Jkebjf32.exe 1760 Kncofa32.exe 1760 Kncofa32.exe 1436 Kdmgclfk.exe 1436 Kdmgclfk.exe 2588 Khiccj32.exe 2588 Khiccj32.exe 2992 Kqdhhm32.exe 2992 Kqdhhm32.exe 2184 Khkpijma.exe 2184 Khkpijma.exe 2548 Kjllab32.exe 2548 Kjllab32.exe 2424 Kdbpnk32.exe 2424 Kdbpnk32.exe 3036 Kgpmjf32.exe 3036 Kgpmjf32.exe 324 Kmmebm32.exe 324 Kmmebm32.exe 2216 Kcgmoggn.exe 2216 Kcgmoggn.exe 1708 Kfeikcfa.exe 1708 Kfeikcfa.exe 328 Kmobhmnn.exe 328 Kmobhmnn.exe 1020 Kqknil32.exe 1020 Kqknil32.exe 2328 Kgefefnd.exe 2328 Kgefefnd.exe 1920 Lmbonmll.exe 1920 Lmbonmll.exe 2116 Lopkjhko.exe 2116 Lopkjhko.exe 2528 Lclgjg32.exe 2528 Lclgjg32.exe 3068 Ljfogake.exe 3068 Ljfogake.exe 2692 Lobgoh32.exe 2692 Lobgoh32.exe 1520 Lbackc32.exe 1520 Lbackc32.exe 2104 Lmfhil32.exe 2104 Lmfhil32.exe 2872 Leammn32.exe 2872 Leammn32.exe 2792 Liminmmk.exe 2792 Liminmmk.exe 2772 Lnjafd32.exe 2772 Lnjafd32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Mfnqeb32.dll Process not Found File created C:\Windows\SysWOW64\Faffik32.dll Process not Found File created C:\Windows\SysWOW64\Hbnmienj.exe Process not Found File created C:\Windows\SysWOW64\Kkidapal.dll Nmhmlbkk.exe File created C:\Windows\SysWOW64\Aoagccfn.exe Agjobffl.exe File opened for modification C:\Windows\SysWOW64\Cmfmojcb.exe Process not Found File created C:\Windows\SysWOW64\Oeiligca.dll Nplfdj32.exe File created C:\Windows\SysWOW64\Kbfheikj.dll Process not Found File created C:\Windows\SysWOW64\Adfqgl32.exe Amohfo32.exe File created C:\Windows\SysWOW64\Aojabdlf.exe Allefimb.exe File created C:\Windows\SysWOW64\Lpdonf32.dll Kgnbnpkp.exe File created C:\Windows\SysWOW64\Mffbkj32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Olophhjd.exe Ohcdhi32.exe File created C:\Windows\SysWOW64\Hqfaldbo.exe Hnheohcl.exe File created C:\Windows\SysWOW64\Bjibgc32.dll Mmbmeifk.exe File opened for modification C:\Windows\SysWOW64\Mikjpiim.exe Mfmndn32.exe File created C:\Windows\SysWOW64\Flocfmnl.exe Eipgjaoi.exe File created C:\Windows\SysWOW64\Jelfdc32.exe Process not Found File created C:\Windows\SysWOW64\Nokhie32.dll Process not Found File created C:\Windows\SysWOW64\Dchmkkkj.exe Dhbhmb32.exe File created C:\Windows\SysWOW64\Pknbhi32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Fjlmpfhg.exe Fgnadkic.exe File created C:\Windows\SysWOW64\Ciokijfd.exe Process not Found File opened for modification C:\Windows\SysWOW64\Nbhfke32.exe Noljjglk.exe File created C:\Windows\SysWOW64\Pojhbfni.dll Process not Found File opened for modification C:\Windows\SysWOW64\Qkghgpfi.exe Process not Found File created C:\Windows\SysWOW64\Bpokhmqh.dll Nblpfepo.exe File created C:\Windows\SysWOW64\Nbmaon32.exe Nnafnopi.exe File created C:\Windows\SysWOW64\Dhbggodl.dll Dljmlj32.exe File created C:\Windows\SysWOW64\Ehjkan32.dll Dgeaoinb.exe File created C:\Windows\SysWOW64\Hejcbh32.dll Lkdhoc32.exe File created C:\Windows\SysWOW64\Niedqnen.exe Nfghdcfj.exe File opened for modification C:\Windows\SysWOW64\Gfhgpg32.exe Gnaooi32.exe File opened for modification C:\Windows\SysWOW64\Aebmjo32.exe Accqnc32.exe File created C:\Windows\SysWOW64\Kpgionie.exe Process not Found File opened for modification C:\Windows\SysWOW64\Lipecm32.exe Lnjafd32.exe File created C:\Windows\SysWOW64\Obobnb32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Keeeje32.exe Process not Found File created C:\Windows\SysWOW64\Mfglep32.exe Mchoid32.exe File created C:\Windows\SysWOW64\Jkmeoa32.exe Jaeafklf.exe File opened for modification C:\Windows\SysWOW64\Hbggif32.exe Hkmollme.exe File created C:\Windows\SysWOW64\Bhmaeg32.exe Process not Found File created C:\Windows\SysWOW64\Abhkfg32.exe Acekjjmk.exe File opened for modification C:\Windows\SysWOW64\Imlhebfc.exe Process not Found File created C:\Windows\SysWOW64\Dbabho32.exe Process not Found File created C:\Windows\SysWOW64\Gmemln32.dll Process not Found File created C:\Windows\SysWOW64\Oncobd32.dll Kaajei32.exe File opened for modification C:\Windows\SysWOW64\Anjnnk32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Libjncnc.exe Process not Found File created C:\Windows\SysWOW64\Pdnldmfb.dll Klehgh32.exe File opened for modification C:\Windows\SysWOW64\Kkpqlm32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Cfoaho32.exe Process not Found File created C:\Windows\SysWOW64\Fdiqpigl.exe Process not Found File created C:\Windows\SysWOW64\Fhgkakgl.dll Eeiheo32.exe File created C:\Windows\SysWOW64\Bibjaofg.dll Pkmlmbcd.exe File created C:\Windows\SysWOW64\Fnbkfl32.dll Cbdiia32.exe File opened for modification C:\Windows\SysWOW64\Dacpkc32.exe Doecog32.exe File created C:\Windows\SysWOW64\Odikqa32.dll Fbpbpkpj.exe File opened for modification C:\Windows\SysWOW64\Ldllgiek.exe Lbnpkmfg.exe File opened for modification C:\Windows\SysWOW64\Oehdan32.exe Omqlpp32.exe File created C:\Windows\SysWOW64\Plolgk32.exe Piqpkpml.exe File created C:\Windows\SysWOW64\Panaeb32.exe Pckajebj.exe File created C:\Windows\SysWOW64\Kaajei32.exe Kocmim32.exe File created C:\Windows\SysWOW64\Nnnbni32.exe Process not Found -
Program crash 1 IoCs
pid pid_target Process procid_target 3916 3556 Process not Found 1487 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Foojop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbnljqic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fncpef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfmeccao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocjophem.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilcoce32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlhnifmq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Locjhqpa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgpmjf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmmhaf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkjphcff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qjklenpa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akabgebj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibhndp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmqpam32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plolgk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pplaki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nemhhpmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdekgjno.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkbfdfbm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmfqgbmm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfglep32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcdkif32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Clojhf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djdgic32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlkjne32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qinjgbpg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Doecog32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdbbgdjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcqombic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ceeieced.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dklddhka.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ioohokoo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfoojj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpgobc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgcbhd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Foojop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hahnac32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajmijmnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhlddkmc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akqpom32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dmgmpnhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgnein32.dll" Cadjgf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iphecepe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Afffenbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlhjdd32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enghee32.dll" Lclgjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebmjlg32.dll" Idgglb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aoojnc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dmbcen32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Omqlpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Golbnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kjokokha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Odchbe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Opnbbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhmlombo.dll" Akeijlfq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmdiia32.dll" Cbdgqimc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hjfcpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbobli32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdbampij.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lclgjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aacinhhc.dll" Aojabdlf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckndebll.dll" Bfdenafn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lblcfnhj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kkjnnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dafqii32.dll" Ompefj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfamefoo.dll" Fchijone.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdfiaojk.dll" Gpabcbdb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jgfcja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfjhpemb.dll" Nlbgikia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hapbpm32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ogekpg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cjakccop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Emgioakg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dbdehdfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gkoobhhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gblakg32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Neeoep32.dll" Meffhnal.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mnaggcej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cocphf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pcnejk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mggabaea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfbaonni.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cddoqj32.dll" Mklcadfn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bdqlajbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hahkbf32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Knhjjj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Odgamdef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkifia32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Giiglhjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bgblmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofkggbgh.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hjcppidk.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2684 wrote to memory of 1736 2684 7491ff0033f659a50581565995a94b93d2bf6d09c0effca9d978f0f1b6f89a15.exe 30 PID 2684 wrote to memory of 1736 2684 7491ff0033f659a50581565995a94b93d2bf6d09c0effca9d978f0f1b6f89a15.exe 30 PID 2684 wrote to memory of 1736 2684 7491ff0033f659a50581565995a94b93d2bf6d09c0effca9d978f0f1b6f89a15.exe 30 PID 2684 wrote to memory of 1736 2684 7491ff0033f659a50581565995a94b93d2bf6d09c0effca9d978f0f1b6f89a15.exe 30 PID 1736 wrote to memory of 2344 1736 Jjomgo32.exe 31 PID 1736 wrote to memory of 2344 1736 Jjomgo32.exe 31 PID 1736 wrote to memory of 2344 1736 Jjomgo32.exe 31 PID 1736 wrote to memory of 2344 1736 Jjomgo32.exe 31 PID 2344 wrote to memory of 2800 2344 Jlmicj32.exe 32 PID 2344 wrote to memory of 2800 2344 Jlmicj32.exe 32 PID 2344 wrote to memory of 2800 2344 Jlmicj32.exe 32 PID 2344 wrote to memory of 2800 2344 Jlmicj32.exe 32 PID 2800 wrote to memory of 2728 2800 Jjaimn32.exe 33 PID 2800 wrote to memory of 2728 2800 Jjaimn32.exe 33 PID 2800 wrote to memory of 2728 2800 Jjaimn32.exe 33 PID 2800 wrote to memory of 2728 2800 Jjaimn32.exe 33 PID 2728 wrote to memory of 2636 2728 Jkbfdfbm.exe 34 PID 2728 wrote to memory of 2636 2728 Jkbfdfbm.exe 34 PID 2728 wrote to memory of 2636 2728 Jkbfdfbm.exe 34 PID 2728 wrote to memory of 2636 2728 Jkbfdfbm.exe 34 PID 2636 wrote to memory of 2712 2636 Jblnaq32.exe 35 PID 2636 wrote to memory of 2712 2636 Jblnaq32.exe 35 PID 2636 wrote to memory of 2712 2636 Jblnaq32.exe 35 PID 2636 wrote to memory of 2712 2636 Jblnaq32.exe 35 PID 2712 wrote to memory of 2676 2712 Jhffnk32.exe 36 PID 2712 wrote to memory of 2676 2712 Jhffnk32.exe 36 PID 2712 wrote to memory of 2676 2712 Jhffnk32.exe 36 PID 2712 wrote to memory of 2676 2712 Jhffnk32.exe 36 PID 2676 wrote to memory of 1760 2676 Jkebjf32.exe 37 PID 2676 wrote to memory of 1760 2676 Jkebjf32.exe 37 PID 2676 wrote to memory of 1760 2676 Jkebjf32.exe 37 PID 2676 wrote to memory of 1760 2676 Jkebjf32.exe 37 PID 1760 wrote to memory of 1436 1760 Kncofa32.exe 38 PID 1760 wrote to memory of 1436 1760 Kncofa32.exe 38 PID 1760 wrote to memory of 1436 1760 Kncofa32.exe 38 PID 1760 wrote to memory of 1436 1760 Kncofa32.exe 38 PID 1436 wrote to memory of 2588 1436 Kdmgclfk.exe 39 PID 1436 wrote to memory of 2588 1436 Kdmgclfk.exe 39 PID 1436 wrote to memory of 2588 1436 Kdmgclfk.exe 39 PID 1436 wrote to memory of 2588 1436 Kdmgclfk.exe 39 PID 2588 wrote to memory of 2992 2588 Khiccj32.exe 40 PID 2588 wrote to memory of 2992 2588 Khiccj32.exe 40 PID 2588 wrote to memory of 2992 2588 Khiccj32.exe 40 PID 2588 wrote to memory of 2992 2588 Khiccj32.exe 40 PID 2992 wrote to memory of 2184 2992 Kqdhhm32.exe 41 PID 2992 wrote to memory of 2184 2992 Kqdhhm32.exe 41 PID 2992 wrote to memory of 2184 2992 Kqdhhm32.exe 41 PID 2992 wrote to memory of 2184 2992 Kqdhhm32.exe 41 PID 2184 wrote to memory of 2548 2184 Khkpijma.exe 42 PID 2184 wrote to memory of 2548 2184 Khkpijma.exe 42 PID 2184 wrote to memory of 2548 2184 Khkpijma.exe 42 PID 2184 wrote to memory of 2548 2184 Khkpijma.exe 42 PID 2548 wrote to memory of 2424 2548 Kjllab32.exe 43 PID 2548 wrote to memory of 2424 2548 Kjllab32.exe 43 PID 2548 wrote to memory of 2424 2548 Kjllab32.exe 43 PID 2548 wrote to memory of 2424 2548 Kjllab32.exe 43 PID 2424 wrote to memory of 3036 2424 Kdbpnk32.exe 44 PID 2424 wrote to memory of 3036 2424 Kdbpnk32.exe 44 PID 2424 wrote to memory of 3036 2424 Kdbpnk32.exe 44 PID 2424 wrote to memory of 3036 2424 Kdbpnk32.exe 44 PID 3036 wrote to memory of 324 3036 Kgpmjf32.exe 45 PID 3036 wrote to memory of 324 3036 Kgpmjf32.exe 45 PID 3036 wrote to memory of 324 3036 Kgpmjf32.exe 45 PID 3036 wrote to memory of 324 3036 Kgpmjf32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\7491ff0033f659a50581565995a94b93d2bf6d09c0effca9d978f0f1b6f89a15.exe"C:\Users\Admin\AppData\Local\Temp\7491ff0033f659a50581565995a94b93d2bf6d09c0effca9d978f0f1b6f89a15.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2684 -
C:\Windows\SysWOW64\Jjomgo32.exeC:\Windows\system32\Jjomgo32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1736 -
C:\Windows\SysWOW64\Jlmicj32.exeC:\Windows\system32\Jlmicj32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2344 -
C:\Windows\SysWOW64\Jjaimn32.exeC:\Windows\system32\Jjaimn32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2800 -
C:\Windows\SysWOW64\Jkbfdfbm.exeC:\Windows\system32\Jkbfdfbm.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2728 -
C:\Windows\SysWOW64\Jblnaq32.exeC:\Windows\system32\Jblnaq32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2636 -
C:\Windows\SysWOW64\Jhffnk32.exeC:\Windows\system32\Jhffnk32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Windows\SysWOW64\Jkebjf32.exeC:\Windows\system32\Jkebjf32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2676 -
C:\Windows\SysWOW64\Kncofa32.exeC:\Windows\system32\Kncofa32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1760 -
C:\Windows\SysWOW64\Kdmgclfk.exeC:\Windows\system32\Kdmgclfk.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1436 -
C:\Windows\SysWOW64\Khiccj32.exeC:\Windows\system32\Khiccj32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2588 -
C:\Windows\SysWOW64\Kqdhhm32.exeC:\Windows\system32\Kqdhhm32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2992 -
C:\Windows\SysWOW64\Khkpijma.exeC:\Windows\system32\Khkpijma.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2184 -
C:\Windows\SysWOW64\Kjllab32.exeC:\Windows\system32\Kjllab32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2548 -
C:\Windows\SysWOW64\Kdbpnk32.exeC:\Windows\system32\Kdbpnk32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2424 -
C:\Windows\SysWOW64\Kgpmjf32.exeC:\Windows\system32\Kgpmjf32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3036 -
C:\Windows\SysWOW64\Kmmebm32.exeC:\Windows\system32\Kmmebm32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:324 -
C:\Windows\SysWOW64\Kcgmoggn.exeC:\Windows\system32\Kcgmoggn.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2216 -
C:\Windows\SysWOW64\Kfeikcfa.exeC:\Windows\system32\Kfeikcfa.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1708 -
C:\Windows\SysWOW64\Kmobhmnn.exeC:\Windows\system32\Kmobhmnn.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:328 -
C:\Windows\SysWOW64\Kqknil32.exeC:\Windows\system32\Kqknil32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1020 -
C:\Windows\SysWOW64\Kgefefnd.exeC:\Windows\system32\Kgefefnd.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2328 -
C:\Windows\SysWOW64\Lmbonmll.exeC:\Windows\system32\Lmbonmll.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1920 -
C:\Windows\SysWOW64\Lopkjhko.exeC:\Windows\system32\Lopkjhko.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2116 -
C:\Windows\SysWOW64\Lclgjg32.exeC:\Windows\system32\Lclgjg32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2528 -
C:\Windows\SysWOW64\Ljfogake.exeC:\Windows\system32\Ljfogake.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3068 -
C:\Windows\SysWOW64\Lihobnap.exeC:\Windows\system32\Lihobnap.exe27⤵
- Executes dropped EXE
PID:2408 -
C:\Windows\SysWOW64\Lobgoh32.exeC:\Windows\system32\Lobgoh32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
PID:2692 -
C:\Windows\SysWOW64\Lbackc32.exeC:\Windows\system32\Lbackc32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1520 -
C:\Windows\SysWOW64\Lmfhil32.exeC:\Windows\system32\Lmfhil32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2104 -
C:\Windows\SysWOW64\Leammn32.exeC:\Windows\system32\Leammn32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2872 -
C:\Windows\SysWOW64\Liminmmk.exeC:\Windows\system32\Liminmmk.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2792 -
C:\Windows\SysWOW64\Lnjafd32.exeC:\Windows\system32\Lnjafd32.exe33⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2772 -
C:\Windows\SysWOW64\Lipecm32.exeC:\Windows\system32\Lipecm32.exe34⤵
- Executes dropped EXE
PID:2672 -
C:\Windows\SysWOW64\Mbhjlbbh.exeC:\Windows\system32\Mbhjlbbh.exe35⤵
- Executes dropped EXE
PID:2188 -
C:\Windows\SysWOW64\Meffhnal.exeC:\Windows\system32\Meffhnal.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:2972 -
C:\Windows\SysWOW64\Mmakmp32.exeC:\Windows\system32\Mmakmp32.exe37⤵
- Executes dropped EXE
PID:2948 -
C:\Windows\SysWOW64\Meicnm32.exeC:\Windows\system32\Meicnm32.exe38⤵
- Executes dropped EXE
PID:2984 -
C:\Windows\SysWOW64\Mfjoeeeh.exeC:\Windows\system32\Mfjoeeeh.exe39⤵
- Executes dropped EXE
PID:2304 -
C:\Windows\SysWOW64\Mnaggcej.exeC:\Windows\system32\Mnaggcej.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:2016 -
C:\Windows\SysWOW64\Mhilph32.exeC:\Windows\system32\Mhilph32.exe41⤵
- Executes dropped EXE
PID:1612 -
C:\Windows\SysWOW64\Mjhhld32.exeC:\Windows\system32\Mjhhld32.exe42⤵
- Executes dropped EXE
PID:3032 -
C:\Windows\SysWOW64\Mbcmpfhi.exeC:\Windows\system32\Mbcmpfhi.exe43⤵
- Executes dropped EXE
PID:980 -
C:\Windows\SysWOW64\Mjjdacik.exeC:\Windows\system32\Mjjdacik.exe44⤵
- Executes dropped EXE
PID:2020 -
C:\Windows\SysWOW64\Mimemp32.exeC:\Windows\system32\Mimemp32.exe45⤵
- Executes dropped EXE
PID:836 -
C:\Windows\SysWOW64\Mlkail32.exeC:\Windows\system32\Mlkail32.exe46⤵
- Executes dropped EXE
PID:680 -
C:\Windows\SysWOW64\Mfaefd32.exeC:\Windows\system32\Mfaefd32.exe47⤵
- Executes dropped EXE
PID:888 -
C:\Windows\SysWOW64\Mioabp32.exeC:\Windows\system32\Mioabp32.exe48⤵
- Executes dropped EXE
PID:1900 -
C:\Windows\SysWOW64\Noljjglk.exeC:\Windows\system32\Noljjglk.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2484 -
C:\Windows\SysWOW64\Nbhfke32.exeC:\Windows\system32\Nbhfke32.exe50⤵
- Executes dropped EXE
PID:1780 -
C:\Windows\SysWOW64\Nfcbldmm.exeC:\Windows\system32\Nfcbldmm.exe51⤵
- Executes dropped EXE
PID:1928 -
C:\Windows\SysWOW64\Nianhplq.exeC:\Windows\system32\Nianhplq.exe52⤵
- Executes dropped EXE
PID:2896 -
C:\Windows\SysWOW64\Nlpkdkkd.exeC:\Windows\system32\Nlpkdkkd.exe53⤵
- Executes dropped EXE
PID:1624 -
C:\Windows\SysWOW64\Nplfdj32.exeC:\Windows\system32\Nplfdj32.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2824 -
C:\Windows\SysWOW64\Nbjcqe32.exeC:\Windows\system32\Nbjcqe32.exe55⤵
- Executes dropped EXE
PID:2880 -
C:\Windows\SysWOW64\Nehomq32.exeC:\Windows\system32\Nehomq32.exe56⤵
- Executes dropped EXE
PID:3012 -
C:\Windows\SysWOW64\Nidkmojn.exeC:\Windows\system32\Nidkmojn.exe57⤵
- Executes dropped EXE
PID:2620 -
C:\Windows\SysWOW64\Nlbgikia.exeC:\Windows\system32\Nlbgikia.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:2296 -
C:\Windows\SysWOW64\Noacef32.exeC:\Windows\system32\Noacef32.exe59⤵
- Executes dropped EXE
PID:1236 -
C:\Windows\SysWOW64\Nblpfepo.exeC:\Windows\system32\Nblpfepo.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2900 -
C:\Windows\SysWOW64\Neklbppb.exeC:\Windows\system32\Neklbppb.exe61⤵
- Executes dropped EXE
PID:1768 -
C:\Windows\SysWOW64\Ndnlnm32.exeC:\Windows\system32\Ndnlnm32.exe62⤵
- Executes dropped EXE
PID:1884 -
C:\Windows\SysWOW64\Nledoj32.exeC:\Windows\system32\Nledoj32.exe63⤵
- Executes dropped EXE
PID:952 -
C:\Windows\SysWOW64\Nocpkf32.exeC:\Windows\system32\Nocpkf32.exe64⤵
- Executes dropped EXE
PID:1016 -
C:\Windows\SysWOW64\Nmfqgbmm.exeC:\Windows\system32\Nmfqgbmm.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2236 -
C:\Windows\SysWOW64\Nemhhpmp.exeC:\Windows\system32\Nemhhpmp.exe66⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1448 -
C:\Windows\SysWOW64\Nhlddkmc.exeC:\Windows\system32\Nhlddkmc.exe67⤵
- System Location Discovery: System Language Discovery
PID:2060 -
C:\Windows\SysWOW64\Nkjapglg.exeC:\Windows\system32\Nkjapglg.exe68⤵PID:1656
-
C:\Windows\SysWOW64\Nmhmlbkk.exeC:\Windows\system32\Nmhmlbkk.exe69⤵
- Drops file in System32 directory
PID:1596 -
C:\Windows\SysWOW64\Npgihn32.exeC:\Windows\system32\Npgihn32.exe70⤵PID:3004
-
C:\Windows\SysWOW64\Ohnaik32.exeC:\Windows\system32\Ohnaik32.exe71⤵PID:2380
-
C:\Windows\SysWOW64\Oklnff32.exeC:\Windows\system32\Oklnff32.exe72⤵PID:2884
-
C:\Windows\SysWOW64\Oionacqo.exeC:\Windows\system32\Oionacqo.exe73⤵PID:2828
-
C:\Windows\SysWOW64\Oaffbqaa.exeC:\Windows\system32\Oaffbqaa.exe74⤵PID:2252
-
C:\Windows\SysWOW64\Opifnm32.exeC:\Windows\system32\Opifnm32.exe75⤵PID:2744
-
C:\Windows\SysWOW64\Odebolpe.exeC:\Windows\system32\Odebolpe.exe76⤵PID:2160
-
C:\Windows\SysWOW64\Ogcnkgoh.exeC:\Windows\system32\Ogcnkgoh.exe77⤵PID:2064
-
C:\Windows\SysWOW64\Okojkf32.exeC:\Windows\system32\Okojkf32.exe78⤵PID:2776
-
C:\Windows\SysWOW64\Ommfga32.exeC:\Windows\system32\Ommfga32.exe79⤵PID:3000
-
C:\Windows\SysWOW64\Opkccm32.exeC:\Windows\system32\Opkccm32.exe80⤵PID:1816
-
C:\Windows\SysWOW64\Odgodl32.exeC:\Windows\system32\Odgodl32.exe81⤵PID:1048
-
C:\Windows\SysWOW64\Ocjophem.exeC:\Windows\system32\Ocjophem.exe82⤵
- System Location Discovery: System Language Discovery
PID:564 -
C:\Windows\SysWOW64\Ogekpg32.exeC:\Windows\system32\Ogekpg32.exe83⤵
- Modifies registry class
PID:404 -
C:\Windows\SysWOW64\Oidglb32.exeC:\Windows\system32\Oidglb32.exe84⤵PID:236
-
C:\Windows\SysWOW64\Opnpimdf.exeC:\Windows\system32\Opnpimdf.exe85⤵PID:840
-
C:\Windows\SysWOW64\Ocllehcj.exeC:\Windows\system32\Ocllehcj.exe86⤵PID:2052
-
C:\Windows\SysWOW64\Oghhfg32.exeC:\Windows\system32\Oghhfg32.exe87⤵PID:988
-
C:\Windows\SysWOW64\Oifdbb32.exeC:\Windows\system32\Oifdbb32.exe88⤵PID:1720
-
C:\Windows\SysWOW64\Ohidmoaa.exeC:\Windows\system32\Ohidmoaa.exe89⤵PID:1992
-
C:\Windows\SysWOW64\Opplolac.exeC:\Windows\system32\Opplolac.exe90⤵PID:2752
-
C:\Windows\SysWOW64\Oaaifdhb.exeC:\Windows\system32\Oaaifdhb.exe91⤵PID:2624
-
C:\Windows\SysWOW64\Oemegc32.exeC:\Windows\system32\Oemegc32.exe92⤵PID:1608
-
C:\Windows\SysWOW64\Oihqgbhd.exeC:\Windows\system32\Oihqgbhd.exe93⤵PID:1552
-
C:\Windows\SysWOW64\Ohkaco32.exeC:\Windows\system32\Ohkaco32.exe94⤵PID:2848
-
C:\Windows\SysWOW64\Pkjmoj32.exeC:\Windows\system32\Pkjmoj32.exe95⤵PID:1564
-
C:\Windows\SysWOW64\Poeipifl.exeC:\Windows\system32\Poeipifl.exe96⤵PID:2968
-
C:\Windows\SysWOW64\Padeldeo.exeC:\Windows\system32\Padeldeo.exe97⤵PID:1188
-
C:\Windows\SysWOW64\Pdbahpec.exeC:\Windows\system32\Pdbahpec.exe98⤵PID:1840
-
C:\Windows\SysWOW64\Plijimee.exeC:\Windows\system32\Plijimee.exe99⤵PID:1888
-
C:\Windows\SysWOW64\Pnjfae32.exeC:\Windows\system32\Pnjfae32.exe100⤵PID:1784
-
C:\Windows\SysWOW64\Pafbadcm.exeC:\Windows\system32\Pafbadcm.exe101⤵PID:1764
-
C:\Windows\SysWOW64\Pddnnp32.exeC:\Windows\system32\Pddnnp32.exe102⤵PID:1976
-
C:\Windows\SysWOW64\Phpjnnki.exeC:\Windows\system32\Phpjnnki.exe103⤵PID:2832
-
C:\Windows\SysWOW64\Pkofjijm.exeC:\Windows\system32\Pkofjijm.exe104⤵PID:2628
-
C:\Windows\SysWOW64\Pahogc32.exeC:\Windows\system32\Pahogc32.exe105⤵PID:2388
-
C:\Windows\SysWOW64\Phbgcnig.exeC:\Windows\system32\Phbgcnig.exe106⤵PID:1388
-
C:\Windows\SysWOW64\Pkacpihj.exeC:\Windows\system32\Pkacpihj.exe107⤵PID:2132
-
C:\Windows\SysWOW64\Pkacpihj.exeC:\Windows\system32\Pkacpihj.exe108⤵PID:1620
-
C:\Windows\SysWOW64\Pnopldgn.exeC:\Windows\system32\Pnopldgn.exe109⤵PID:2092
-
C:\Windows\SysWOW64\Pqnlhpfb.exeC:\Windows\system32\Pqnlhpfb.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1512 -
C:\Windows\SysWOW64\Pdihiook.exeC:\Windows\system32\Pdihiook.exe111⤵PID:2888
-
C:\Windows\SysWOW64\Pclhdl32.exeC:\Windows\system32\Pclhdl32.exe112⤵PID:1772
-
C:\Windows\SysWOW64\Pkcpei32.exeC:\Windows\system32\Pkcpei32.exe113⤵PID:1416
-
C:\Windows\SysWOW64\Pjfpafmb.exeC:\Windows\system32\Pjfpafmb.exe114⤵PID:2164
-
C:\Windows\SysWOW64\Pqphnp32.exeC:\Windows\system32\Pqphnp32.exe115⤵PID:2760
-
C:\Windows\SysWOW64\Pcnejk32.exeC:\Windows\system32\Pcnejk32.exe116⤵
- Modifies registry class
PID:2612 -
C:\Windows\SysWOW64\Qgjqjjll.exeC:\Windows\system32\Qgjqjjll.exe117⤵PID:2892
-
C:\Windows\SysWOW64\Qfmafg32.exeC:\Windows\system32\Qfmafg32.exe118⤵PID:1728
-
C:\Windows\SysWOW64\Qjhmfekp.exeC:\Windows\system32\Qjhmfekp.exe119⤵PID:1972
-
C:\Windows\SysWOW64\Qndigd32.exeC:\Windows\system32\Qndigd32.exe120⤵PID:1676
-
C:\Windows\SysWOW64\Qoeeolig.exeC:\Windows\system32\Qoeeolig.exe121⤵PID:2316
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-