Analysis
-
max time kernel
118s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
21-02-2025 02:43
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
78a5ab242c247f0d4835e0a5a8bca2472f21fbe296a2a6e9492dfcc6232769d8.exe
Resource
win7-20240903-en
windows7-x64
13 signatures
150 seconds
Behavioral task
behavioral2
Sample
78a5ab242c247f0d4835e0a5a8bca2472f21fbe296a2a6e9492dfcc6232769d8.exe
Resource
win10v2004-20250217-en
windows10-2004-x64
12 signatures
150 seconds
General
-
Target
78a5ab242c247f0d4835e0a5a8bca2472f21fbe296a2a6e9492dfcc6232769d8.exe
-
Size
96KB
-
MD5
89a44ea2ae2189ccb2bb6d0eeaec80ee
-
SHA1
f21269d2be8b6bdb14cb96c969224d38bd6da075
-
SHA256
78a5ab242c247f0d4835e0a5a8bca2472f21fbe296a2a6e9492dfcc6232769d8
-
SHA512
de87fed0aceac86069ca3de340995a747597a3adec590b90b0e32572a91b8cee884a11b8eaf19a7ce6daea2834042487411ffca9295d0b1380fcc62e73bf659e
-
SSDEEP
1536:6VA8eWzgseMZkitJ4EMQtESdN2LL7RZObZUUWaegPYAy:9WTeMZksmEMQNALClUUWaev
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Konndhmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nkhdkgnj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omkjbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kkgahoel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfphcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jkchmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aoojnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Olbchn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ibmgpoia.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmdhad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iihiphln.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcnpojca.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfhnjm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olkfmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Akfkbd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckmnbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Efdhpjok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nfoghakb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bffbdadk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chlfnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Elipgofb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hneeilgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Acekjjmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cofnjj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Foccjood.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhlmmfef.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcdkif32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kffldlne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Loefnpnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lfoojj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bejfao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmpcgace.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcldhnkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pohhna32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amkbnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aeggbbci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cehfkb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lahmbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jgaiobjn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jnkakl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mchoid32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olmcchlg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Okbpde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ilnomp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jikeeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Plijimee.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oagoep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iliebpfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljddjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Caifjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cifelgmd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhbhmb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkoncdcp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kkoncdcp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfncpcoc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbohehoj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkgahoel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kfnmpn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdiogq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afdiondb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Boljgg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djdgic32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aboaff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ilofhffj.exe -
Berbew family
-
Brute Ratel C4
A customized command and control framework for red teaming and adversary simulation.
-
Bruteratel family
-
Detect BruteRatel badger 3 IoCs
resource yara_rule behavioral1/files/0x000500000001c8f8-1005.dat family_bruteratel behavioral1/files/0x000300000002084d-4961.dat family_bruteratel behavioral1/files/0x00030000000209e4-5436.dat family_bruteratel -
Executes dropped EXE 64 IoCs
pid Process 1212 Kncofa32.exe 2720 Kfjggo32.exe 2512 Kobkpdfa.exe 2848 Kqdhhm32.exe 2888 Kkileele.exe 1980 Kqfdnljm.exe 2668 Kceqjhiq.exe 2596 Kqiaclhj.exe 1560 Kgbipf32.exe 2868 Kfeikcfa.exe 2724 Konndhmb.exe 2624 Kgefefnd.exe 1564 Lmbonmll.exe 1796 Lopkjhko.exe 620 Lbogfcjc.exe 2432 Lfjcfb32.exe 1084 Lobgoh32.exe 1192 Lcncpfaf.exe 2232 Lflplbpi.exe 1228 Leopgo32.exe 1572 Lmfhil32.exe 2732 Leammn32.exe 2416 Liminmmk.exe 2308 Lpgajgeg.exe 844 Lahmbo32.exe 2568 Lipecm32.exe 1460 Ljabkeaf.exe 2128 Mcifdj32.exe 2844 Mlpneh32.exe 2492 Mjcoqdoc.exe 2664 Meicnm32.exe 2800 Mjekfd32.exe 2536 Mnaggcej.exe 2956 Mcnpojca.exe 2500 Mhilph32.exe 2412 Mjhhld32.exe 3028 Mpdqdkie.exe 2032 Mfoiqe32.exe 2428 Mjjdacik.exe 748 Mbeiefff.exe 772 Mfaefd32.exe 1852 Medeaaej.exe 2172 Nlnnnk32.exe 1096 Noljjglk.exe 1248 Nfcbldmm.exe 1724 Nianhplq.exe 1704 Nhdocl32.exe 780 Nlpkdkkd.exe 2280 Noogpfjh.exe 1216 Nbjcqe32.exe 2820 Namclbil.exe 2740 Nehomq32.exe 2792 Nhgkil32.exe 2808 Nlbgikia.exe 2388 Nkegeg32.exe 2756 Nblpfepo.exe 2204 Naopaa32.exe 2940 Neklbppb.exe 3036 Nhiholof.exe 2456 Nledoj32.exe 300 Nkhdkgnj.exe 2088 Nmfqgbmm.exe 1968 Naalga32.exe 1320 Ndpicm32.exe -
Loads dropped DLL 64 IoCs
pid Process 2008 78a5ab242c247f0d4835e0a5a8bca2472f21fbe296a2a6e9492dfcc6232769d8.exe 2008 78a5ab242c247f0d4835e0a5a8bca2472f21fbe296a2a6e9492dfcc6232769d8.exe 1212 Kncofa32.exe 1212 Kncofa32.exe 2720 Kfjggo32.exe 2720 Kfjggo32.exe 2512 Kobkpdfa.exe 2512 Kobkpdfa.exe 2848 Kqdhhm32.exe 2848 Kqdhhm32.exe 2888 Kkileele.exe 2888 Kkileele.exe 1980 Kqfdnljm.exe 1980 Kqfdnljm.exe 2668 Kceqjhiq.exe 2668 Kceqjhiq.exe 2596 Kqiaclhj.exe 2596 Kqiaclhj.exe 1560 Kgbipf32.exe 1560 Kgbipf32.exe 2868 Kfeikcfa.exe 2868 Kfeikcfa.exe 2724 Konndhmb.exe 2724 Konndhmb.exe 2624 Kgefefnd.exe 2624 Kgefefnd.exe 1564 Lmbonmll.exe 1564 Lmbonmll.exe 1796 Lopkjhko.exe 1796 Lopkjhko.exe 620 Lbogfcjc.exe 620 Lbogfcjc.exe 2432 Lfjcfb32.exe 2432 Lfjcfb32.exe 1084 Lobgoh32.exe 1084 Lobgoh32.exe 1192 Lcncpfaf.exe 1192 Lcncpfaf.exe 2232 Lflplbpi.exe 2232 Lflplbpi.exe 1228 Leopgo32.exe 1228 Leopgo32.exe 1572 Lmfhil32.exe 1572 Lmfhil32.exe 2732 Leammn32.exe 2732 Leammn32.exe 2416 Liminmmk.exe 2416 Liminmmk.exe 2308 Lpgajgeg.exe 2308 Lpgajgeg.exe 844 Lahmbo32.exe 844 Lahmbo32.exe 2568 Lipecm32.exe 2568 Lipecm32.exe 1460 Ljabkeaf.exe 1460 Ljabkeaf.exe 2128 Mcifdj32.exe 2128 Mcifdj32.exe 2844 Mlpneh32.exe 2844 Mlpneh32.exe 2492 Mjcoqdoc.exe 2492 Mjcoqdoc.exe 2664 Meicnm32.exe 2664 Meicnm32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Oekhacbn.exe Oghhfg32.exe File opened for modification C:\Windows\SysWOW64\Pjcckf32.exe Pgegok32.exe File created C:\Windows\SysWOW64\Diibag32.exe Dgjfek32.exe File created C:\Windows\SysWOW64\Jabdql32.exe Jodhdp32.exe File created C:\Windows\SysWOW64\Pbgiha32.dll Gmpcgace.exe File created C:\Windows\SysWOW64\Pidfdofi.exe Pgfjhcge.exe File opened for modification C:\Windows\SysWOW64\Qgmpibam.exe Qcachc32.exe File created C:\Windows\SysWOW64\Jopijcli.dll Nfcbldmm.exe File created C:\Windows\SysWOW64\Qcqaok32.exe Qoeeolig.exe File created C:\Windows\SysWOW64\Lhmlombo.dll Ajhiei32.exe File created C:\Windows\SysWOW64\Cjoffbmm.dll Eolmip32.exe File created C:\Windows\SysWOW64\Gljpncgc.exe Gmgpbf32.exe File created C:\Windows\SysWOW64\Hpomfdnk.dll Jpogbgmi.exe File opened for modification C:\Windows\SysWOW64\Gbhbdi32.exe Goiehm32.exe File created C:\Windows\SysWOW64\Mfmndn32.exe Mcnbhb32.exe File created C:\Windows\SysWOW64\Hfjljina.dll Nledoj32.exe File opened for modification C:\Windows\SysWOW64\Chlfnp32.exe Cemjae32.exe File created C:\Windows\SysWOW64\Cebcmdlg.exe Cbdgqimc.exe File created C:\Windows\SysWOW64\Ipbimmel.dll Hinqgg32.exe File created C:\Windows\SysWOW64\Lqqpgj32.exe Lbnpkmfg.exe File created C:\Windows\SysWOW64\Qnebjc32.exe Qkffng32.exe File opened for modification C:\Windows\SysWOW64\Cjlheehe.exe Cfpldf32.exe File created C:\Windows\SysWOW64\Hadlijdb.dll Cpkmcldj.exe File created C:\Windows\SysWOW64\Cbfhib32.dll Qfonkfqd.exe File opened for modification C:\Windows\SysWOW64\Amkbnp32.exe Aipfmane.exe File created C:\Windows\SysWOW64\Cgekkhbb.dll Ooicid32.exe File opened for modification C:\Windows\SysWOW64\Lboiol32.exe Lclicpkm.exe File created C:\Windows\SysWOW64\Oplelf32.exe Omnipjni.exe File created C:\Windows\SysWOW64\Fqliblhd.dll Omnipjni.exe File opened for modification C:\Windows\SysWOW64\Mhilph32.exe Mcnpojca.exe File created C:\Windows\SysWOW64\Nehomq32.exe Namclbil.exe File created C:\Windows\SysWOW64\Bdclgn32.dll Cljodo32.exe File created C:\Windows\SysWOW64\Ciffggmh.dll Mclebc32.exe File opened for modification C:\Windows\SysWOW64\Mmgfqh32.exe Mikjpiim.exe File opened for modification C:\Windows\SysWOW64\Olbfagca.exe Ompefj32.exe File created C:\Windows\SysWOW64\Qqeagm32.dll Omkjbb32.exe File created C:\Windows\SysWOW64\Qabkpdke.dll Egmojnlf.exe File created C:\Windows\SysWOW64\Mdcagkgd.dll Halbai32.exe File opened for modification C:\Windows\SysWOW64\Ibmgpoia.exe Ioakoq32.exe File created C:\Windows\SysWOW64\Jlamphei.dll Cgkocj32.exe File created C:\Windows\SysWOW64\Dejbqb32.exe Cblfdg32.exe File created C:\Windows\SysWOW64\Qmfpeb32.dll Fqalaa32.exe File opened for modification C:\Windows\SysWOW64\Qgjccb32.exe Qcogbdkg.exe File created C:\Windows\SysWOW64\Liminmmk.exe Leammn32.exe File created C:\Windows\SysWOW64\Nkegeg32.exe Nlbgikia.exe File created C:\Windows\SysWOW64\Pdddkijo.dll Anahqh32.exe File created C:\Windows\SysWOW64\Iplnnd32.exe Ilabmedg.exe File created C:\Windows\SysWOW64\Mhmdim32.dll Pcghof32.exe File opened for modification C:\Windows\SysWOW64\Aqmamm32.exe Anneqafn.exe File created C:\Windows\SysWOW64\Ooabmbbe.exe Opnbbe32.exe File opened for modification C:\Windows\SysWOW64\Kgbipf32.exe Kqiaclhj.exe File created C:\Windows\SysWOW64\Dpccjn32.dll Mnaggcej.exe File opened for modification C:\Windows\SysWOW64\Nmhmlbkk.exe Noemqe32.exe File created C:\Windows\SysWOW64\Ehebki32.dll Oklnff32.exe File created C:\Windows\SysWOW64\Dmdiia32.dll Cbdgqimc.exe File created C:\Windows\SysWOW64\Ggogki32.dll Ohagbj32.exe File created C:\Windows\SysWOW64\Cafngogd.dll Elkmmodo.exe File created C:\Windows\SysWOW64\Hfegij32.exe Hgbfnngi.exe File created C:\Windows\SysWOW64\Jmfafgbd.exe Jikeeh32.exe File created C:\Windows\SysWOW64\Oibmpl32.exe Ofcqcp32.exe File opened for modification C:\Windows\SysWOW64\Afdiondb.exe Acfmcc32.exe File created C:\Windows\SysWOW64\Lkknbejg.dll Bgoime32.exe File created C:\Windows\SysWOW64\Ogdjhp32.dll Bkegah32.exe File opened for modification C:\Windows\SysWOW64\Nhdocl32.exe Nianhplq.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 9624 9556 WerFault.exe 1034 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qglmpi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajjfkh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eldglp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbdhjm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihhcbf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfkpknkq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ookpodkj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibejdjln.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Clgbno32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cohkpj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abmgjo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cebeem32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmgpbf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfbaql32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpamde32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plaimk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdjjag32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Danpemej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Peoalc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plijimee.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcifdj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmdnbecj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iabhah32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aqmamm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mobfgdcl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oadkej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhbhmb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nidmfh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahpifj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hegnahjo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lohjnf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lblcfnhj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pilfpqaa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnoiio32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khlili32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcdjoaee.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmhdkdlg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hifpke32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldbofgme.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofcqcp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfcbldmm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpnaca32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eabcggll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hndlem32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljghjpfe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddpobo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhdlad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qgjccb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egjbdo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmcjhdbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Necogkbo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knfndjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knkgpi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlpneh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhjcic32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Koaqcn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjfnomde.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgcmbcih.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlnnnk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocohkh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcfpel32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abegfa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnmfdb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfaefd32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lpnmgdli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ogqaehak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jflkibka.dll" Cifelgmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blgdjk32.dll" Egokonjc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aopjkjhh.dll" Jaeafklf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcjdhh32.dll" Fjhcegll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmiajbpa.dll" Idcacc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pilfpqaa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cjlheehe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmclfnqb.dll" Akfkbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Elnqmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gqnbhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hejcbh32.dll" Lghlndfa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ccdmnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lnjcomcf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Apgagg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ggfnopfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmldop32.dll" Neqnqofm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Omqlpp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qhjfgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hekbgfpm.dll" Cillkbac.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hcdnhoac.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Meoell32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mlkjne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iplfej32.dll" Hihlqeib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Doempm32.dll" Jehlkhig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cfhiplmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hhejnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idbfpfoc.dll" Ibhndp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gfejjgli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccofjipn.dll" Cgfkmgnj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Meicnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkkjkemj.dll" Mfaefd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jofejpmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmnaak32.dll" Knbhlkkc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Obgkpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlbhgd32.dll" Olophhjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hoiaho32.dll" Oalhqohl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbdcic32.dll" Hmoofdea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qjhmfekp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmlhjg32.dll" Qmifhq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dakmfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkofeknc.dll" Mfglep32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Palepb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hfhcoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gobdahei.dll" Lonpma32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pkjphcff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfpkkdgb.dll" Leopgo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qjhmfekp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jgaiobjn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eoiiijcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fcbecl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hfcjdkpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kjokokha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nidmfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjoomoin.dll" Kceqjhiq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkkeeecj.dll" Flhmfbim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jpigma32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bqeqqk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdnldmfb.dll" Kpadhg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Meabakda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oijjka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Elkmmodo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Idgglb32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2008 wrote to memory of 1212 2008 78a5ab242c247f0d4835e0a5a8bca2472f21fbe296a2a6e9492dfcc6232769d8.exe 30 PID 2008 wrote to memory of 1212 2008 78a5ab242c247f0d4835e0a5a8bca2472f21fbe296a2a6e9492dfcc6232769d8.exe 30 PID 2008 wrote to memory of 1212 2008 78a5ab242c247f0d4835e0a5a8bca2472f21fbe296a2a6e9492dfcc6232769d8.exe 30 PID 2008 wrote to memory of 1212 2008 78a5ab242c247f0d4835e0a5a8bca2472f21fbe296a2a6e9492dfcc6232769d8.exe 30 PID 1212 wrote to memory of 2720 1212 Kncofa32.exe 31 PID 1212 wrote to memory of 2720 1212 Kncofa32.exe 31 PID 1212 wrote to memory of 2720 1212 Kncofa32.exe 31 PID 1212 wrote to memory of 2720 1212 Kncofa32.exe 31 PID 2720 wrote to memory of 2512 2720 Kfjggo32.exe 32 PID 2720 wrote to memory of 2512 2720 Kfjggo32.exe 32 PID 2720 wrote to memory of 2512 2720 Kfjggo32.exe 32 PID 2720 wrote to memory of 2512 2720 Kfjggo32.exe 32 PID 2512 wrote to memory of 2848 2512 Kobkpdfa.exe 33 PID 2512 wrote to memory of 2848 2512 Kobkpdfa.exe 33 PID 2512 wrote to memory of 2848 2512 Kobkpdfa.exe 33 PID 2512 wrote to memory of 2848 2512 Kobkpdfa.exe 33 PID 2848 wrote to memory of 2888 2848 Kqdhhm32.exe 34 PID 2848 wrote to memory of 2888 2848 Kqdhhm32.exe 34 PID 2848 wrote to memory of 2888 2848 Kqdhhm32.exe 34 PID 2848 wrote to memory of 2888 2848 Kqdhhm32.exe 34 PID 2888 wrote to memory of 1980 2888 Kkileele.exe 35 PID 2888 wrote to memory of 1980 2888 Kkileele.exe 35 PID 2888 wrote to memory of 1980 2888 Kkileele.exe 35 PID 2888 wrote to memory of 1980 2888 Kkileele.exe 35 PID 1980 wrote to memory of 2668 1980 Kqfdnljm.exe 36 PID 1980 wrote to memory of 2668 1980 Kqfdnljm.exe 36 PID 1980 wrote to memory of 2668 1980 Kqfdnljm.exe 36 PID 1980 wrote to memory of 2668 1980 Kqfdnljm.exe 36 PID 2668 wrote to memory of 2596 2668 Kceqjhiq.exe 37 PID 2668 wrote to memory of 2596 2668 Kceqjhiq.exe 37 PID 2668 wrote to memory of 2596 2668 Kceqjhiq.exe 37 PID 2668 wrote to memory of 2596 2668 Kceqjhiq.exe 37 PID 2596 wrote to memory of 1560 2596 Kqiaclhj.exe 38 PID 2596 wrote to memory of 1560 2596 Kqiaclhj.exe 38 PID 2596 wrote to memory of 1560 2596 Kqiaclhj.exe 38 PID 2596 wrote to memory of 1560 2596 Kqiaclhj.exe 38 PID 1560 wrote to memory of 2868 1560 Kgbipf32.exe 39 PID 1560 wrote to memory of 2868 1560 Kgbipf32.exe 39 PID 1560 wrote to memory of 2868 1560 Kgbipf32.exe 39 PID 1560 wrote to memory of 2868 1560 Kgbipf32.exe 39 PID 2868 wrote to memory of 2724 2868 Kfeikcfa.exe 40 PID 2868 wrote to memory of 2724 2868 Kfeikcfa.exe 40 PID 2868 wrote to memory of 2724 2868 Kfeikcfa.exe 40 PID 2868 wrote to memory of 2724 2868 Kfeikcfa.exe 40 PID 2724 wrote to memory of 2624 2724 Konndhmb.exe 41 PID 2724 wrote to memory of 2624 2724 Konndhmb.exe 41 PID 2724 wrote to memory of 2624 2724 Konndhmb.exe 41 PID 2724 wrote to memory of 2624 2724 Konndhmb.exe 41 PID 2624 wrote to memory of 1564 2624 Kgefefnd.exe 42 PID 2624 wrote to memory of 1564 2624 Kgefefnd.exe 42 PID 2624 wrote to memory of 1564 2624 Kgefefnd.exe 42 PID 2624 wrote to memory of 1564 2624 Kgefefnd.exe 42 PID 1564 wrote to memory of 1796 1564 Lmbonmll.exe 43 PID 1564 wrote to memory of 1796 1564 Lmbonmll.exe 43 PID 1564 wrote to memory of 1796 1564 Lmbonmll.exe 43 PID 1564 wrote to memory of 1796 1564 Lmbonmll.exe 43 PID 1796 wrote to memory of 620 1796 Lopkjhko.exe 44 PID 1796 wrote to memory of 620 1796 Lopkjhko.exe 44 PID 1796 wrote to memory of 620 1796 Lopkjhko.exe 44 PID 1796 wrote to memory of 620 1796 Lopkjhko.exe 44 PID 620 wrote to memory of 2432 620 Lbogfcjc.exe 45 PID 620 wrote to memory of 2432 620 Lbogfcjc.exe 45 PID 620 wrote to memory of 2432 620 Lbogfcjc.exe 45 PID 620 wrote to memory of 2432 620 Lbogfcjc.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\78a5ab242c247f0d4835e0a5a8bca2472f21fbe296a2a6e9492dfcc6232769d8.exe"C:\Users\Admin\AppData\Local\Temp\78a5ab242c247f0d4835e0a5a8bca2472f21fbe296a2a6e9492dfcc6232769d8.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2008 -
C:\Windows\SysWOW64\Kncofa32.exeC:\Windows\system32\Kncofa32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1212 -
C:\Windows\SysWOW64\Kfjggo32.exeC:\Windows\system32\Kfjggo32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2720 -
C:\Windows\SysWOW64\Kobkpdfa.exeC:\Windows\system32\Kobkpdfa.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2512 -
C:\Windows\SysWOW64\Kqdhhm32.exeC:\Windows\system32\Kqdhhm32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2848 -
C:\Windows\SysWOW64\Kkileele.exeC:\Windows\system32\Kkileele.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2888 -
C:\Windows\SysWOW64\Kqfdnljm.exeC:\Windows\system32\Kqfdnljm.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1980 -
C:\Windows\SysWOW64\Kceqjhiq.exeC:\Windows\system32\Kceqjhiq.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2668 -
C:\Windows\SysWOW64\Kqiaclhj.exeC:\Windows\system32\Kqiaclhj.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2596 -
C:\Windows\SysWOW64\Kgbipf32.exeC:\Windows\system32\Kgbipf32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1560 -
C:\Windows\SysWOW64\Kfeikcfa.exeC:\Windows\system32\Kfeikcfa.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2868 -
C:\Windows\SysWOW64\Konndhmb.exeC:\Windows\system32\Konndhmb.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2724 -
C:\Windows\SysWOW64\Kgefefnd.exeC:\Windows\system32\Kgefefnd.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2624 -
C:\Windows\SysWOW64\Lmbonmll.exeC:\Windows\system32\Lmbonmll.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1564 -
C:\Windows\SysWOW64\Lopkjhko.exeC:\Windows\system32\Lopkjhko.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1796 -
C:\Windows\SysWOW64\Lbogfcjc.exeC:\Windows\system32\Lbogfcjc.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:620 -
C:\Windows\SysWOW64\Lfjcfb32.exeC:\Windows\system32\Lfjcfb32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2432 -
C:\Windows\SysWOW64\Lobgoh32.exeC:\Windows\system32\Lobgoh32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1084 -
C:\Windows\SysWOW64\Lcncpfaf.exeC:\Windows\system32\Lcncpfaf.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1192 -
C:\Windows\SysWOW64\Lflplbpi.exeC:\Windows\system32\Lflplbpi.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2232 -
C:\Windows\SysWOW64\Leopgo32.exeC:\Windows\system32\Leopgo32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1228 -
C:\Windows\SysWOW64\Lmfhil32.exeC:\Windows\system32\Lmfhil32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1572 -
C:\Windows\SysWOW64\Leammn32.exeC:\Windows\system32\Leammn32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2732 -
C:\Windows\SysWOW64\Liminmmk.exeC:\Windows\system32\Liminmmk.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2416 -
C:\Windows\SysWOW64\Lpgajgeg.exeC:\Windows\system32\Lpgajgeg.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2308 -
C:\Windows\SysWOW64\Lahmbo32.exeC:\Windows\system32\Lahmbo32.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:844 -
C:\Windows\SysWOW64\Lipecm32.exeC:\Windows\system32\Lipecm32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2568 -
C:\Windows\SysWOW64\Ljabkeaf.exeC:\Windows\system32\Ljabkeaf.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1460 -
C:\Windows\SysWOW64\Mcifdj32.exeC:\Windows\system32\Mcifdj32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2128 -
C:\Windows\SysWOW64\Mlpneh32.exeC:\Windows\system32\Mlpneh32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2844 -
C:\Windows\SysWOW64\Mjcoqdoc.exeC:\Windows\system32\Mjcoqdoc.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2492 -
C:\Windows\SysWOW64\Meicnm32.exeC:\Windows\system32\Meicnm32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2664 -
C:\Windows\SysWOW64\Mjekfd32.exeC:\Windows\system32\Mjekfd32.exe33⤵
- Executes dropped EXE
PID:2800 -
C:\Windows\SysWOW64\Mnaggcej.exeC:\Windows\system32\Mnaggcej.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2536 -
C:\Windows\SysWOW64\Mcnpojca.exeC:\Windows\system32\Mcnpojca.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2956 -
C:\Windows\SysWOW64\Mhilph32.exeC:\Windows\system32\Mhilph32.exe36⤵
- Executes dropped EXE
PID:2500 -
C:\Windows\SysWOW64\Mjhhld32.exeC:\Windows\system32\Mjhhld32.exe37⤵
- Executes dropped EXE
PID:2412 -
C:\Windows\SysWOW64\Mpdqdkie.exeC:\Windows\system32\Mpdqdkie.exe38⤵
- Executes dropped EXE
PID:3028 -
C:\Windows\SysWOW64\Mfoiqe32.exeC:\Windows\system32\Mfoiqe32.exe39⤵
- Executes dropped EXE
PID:2032 -
C:\Windows\SysWOW64\Mjjdacik.exeC:\Windows\system32\Mjjdacik.exe40⤵
- Executes dropped EXE
PID:2428 -
C:\Windows\SysWOW64\Mbeiefff.exeC:\Windows\system32\Mbeiefff.exe41⤵
- Executes dropped EXE
PID:748 -
C:\Windows\SysWOW64\Mfaefd32.exeC:\Windows\system32\Mfaefd32.exe42⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:772 -
C:\Windows\SysWOW64\Medeaaej.exeC:\Windows\system32\Medeaaej.exe43⤵
- Executes dropped EXE
PID:1852 -
C:\Windows\SysWOW64\Nlnnnk32.exeC:\Windows\system32\Nlnnnk32.exe44⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2172 -
C:\Windows\SysWOW64\Noljjglk.exeC:\Windows\system32\Noljjglk.exe45⤵
- Executes dropped EXE
PID:1096 -
C:\Windows\SysWOW64\Nfcbldmm.exeC:\Windows\system32\Nfcbldmm.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1248 -
C:\Windows\SysWOW64\Nianhplq.exeC:\Windows\system32\Nianhplq.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1724 -
C:\Windows\SysWOW64\Nhdocl32.exeC:\Windows\system32\Nhdocl32.exe48⤵
- Executes dropped EXE
PID:1704 -
C:\Windows\SysWOW64\Nlpkdkkd.exeC:\Windows\system32\Nlpkdkkd.exe49⤵
- Executes dropped EXE
PID:780 -
C:\Windows\SysWOW64\Noogpfjh.exeC:\Windows\system32\Noogpfjh.exe50⤵
- Executes dropped EXE
PID:2280 -
C:\Windows\SysWOW64\Nbjcqe32.exeC:\Windows\system32\Nbjcqe32.exe51⤵
- Executes dropped EXE
PID:1216 -
C:\Windows\SysWOW64\Namclbil.exeC:\Windows\system32\Namclbil.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2820 -
C:\Windows\SysWOW64\Nehomq32.exeC:\Windows\system32\Nehomq32.exe53⤵
- Executes dropped EXE
PID:2740 -
C:\Windows\SysWOW64\Nhgkil32.exeC:\Windows\system32\Nhgkil32.exe54⤵
- Executes dropped EXE
PID:2792 -
C:\Windows\SysWOW64\Nlbgikia.exeC:\Windows\system32\Nlbgikia.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2808 -
C:\Windows\SysWOW64\Nkegeg32.exeC:\Windows\system32\Nkegeg32.exe56⤵
- Executes dropped EXE
PID:2388 -
C:\Windows\SysWOW64\Nblpfepo.exeC:\Windows\system32\Nblpfepo.exe57⤵
- Executes dropped EXE
PID:2756 -
C:\Windows\SysWOW64\Naopaa32.exeC:\Windows\system32\Naopaa32.exe58⤵
- Executes dropped EXE
PID:2204 -
C:\Windows\SysWOW64\Neklbppb.exeC:\Windows\system32\Neklbppb.exe59⤵
- Executes dropped EXE
PID:2940 -
C:\Windows\SysWOW64\Nhiholof.exeC:\Windows\system32\Nhiholof.exe60⤵
- Executes dropped EXE
PID:3036 -
C:\Windows\SysWOW64\Nledoj32.exeC:\Windows\system32\Nledoj32.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2456 -
C:\Windows\SysWOW64\Nkhdkgnj.exeC:\Windows\system32\Nkhdkgnj.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:300 -
C:\Windows\SysWOW64\Nmfqgbmm.exeC:\Windows\system32\Nmfqgbmm.exe63⤵
- Executes dropped EXE
PID:2088 -
C:\Windows\SysWOW64\Naalga32.exeC:\Windows\system32\Naalga32.exe64⤵
- Executes dropped EXE
PID:1968 -
C:\Windows\SysWOW64\Ndpicm32.exeC:\Windows\system32\Ndpicm32.exe65⤵
- Executes dropped EXE
PID:1320 -
C:\Windows\SysWOW64\Nhlddkmc.exeC:\Windows\system32\Nhlddkmc.exe66⤵PID:2104
-
C:\Windows\SysWOW64\Ngneph32.exeC:\Windows\system32\Ngneph32.exe67⤵PID:956
-
C:\Windows\SysWOW64\Noemqe32.exeC:\Windows\system32\Noemqe32.exe68⤵
- Drops file in System32 directory
PID:2348 -
C:\Windows\SysWOW64\Nmhmlbkk.exeC:\Windows\system32\Nmhmlbkk.exe69⤵PID:2552
-
C:\Windows\SysWOW64\Nadimacd.exeC:\Windows\system32\Nadimacd.exe70⤵PID:2072
-
C:\Windows\SysWOW64\Npgihn32.exeC:\Windows\system32\Npgihn32.exe71⤵PID:2832
-
C:\Windows\SysWOW64\Ohnaik32.exeC:\Windows\system32\Ohnaik32.exe72⤵PID:2676
-
C:\Windows\SysWOW64\Ogqaehak.exeC:\Windows\system32\Ogqaehak.exe73⤵
- Modifies registry class
PID:2672 -
C:\Windows\SysWOW64\Oklnff32.exeC:\Windows\system32\Oklnff32.exe74⤵
- Drops file in System32 directory
PID:2264 -
C:\Windows\SysWOW64\Omkjbb32.exeC:\Windows\system32\Omkjbb32.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1936 -
C:\Windows\SysWOW64\Oaffbqaa.exeC:\Windows\system32\Oaffbqaa.exe76⤵PID:3004
-
C:\Windows\SysWOW64\Opifnm32.exeC:\Windows\system32\Opifnm32.exe77⤵PID:3032
-
C:\Windows\SysWOW64\Ocgbji32.exeC:\Windows\system32\Ocgbji32.exe78⤵PID:2020
-
C:\Windows\SysWOW64\Ogcnkgoh.exeC:\Windows\system32\Ogcnkgoh.exe79⤵PID:984
-
C:\Windows\SysWOW64\Oiakgcnl.exeC:\Windows\system32\Oiakgcnl.exe80⤵PID:1016
-
C:\Windows\SysWOW64\Ommfga32.exeC:\Windows\system32\Ommfga32.exe81⤵PID:448
-
C:\Windows\SysWOW64\Opkccm32.exeC:\Windows\system32\Opkccm32.exe82⤵PID:980
-
C:\Windows\SysWOW64\Odgodl32.exeC:\Windows\system32\Odgodl32.exe83⤵PID:1476
-
C:\Windows\SysWOW64\Ocjophem.exeC:\Windows\system32\Ocjophem.exe84⤵PID:1376
-
C:\Windows\SysWOW64\Oidglb32.exeC:\Windows\system32\Oidglb32.exe85⤵PID:2504
-
C:\Windows\SysWOW64\Onocmadb.exeC:\Windows\system32\Onocmadb.exe86⤵PID:1680
-
C:\Windows\SysWOW64\Olbchn32.exeC:\Windows\system32\Olbchn32.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1532 -
C:\Windows\SysWOW64\Ooqpdj32.exeC:\Windows\system32\Ooqpdj32.exe88⤵PID:2488
-
C:\Windows\SysWOW64\Ocllehcj.exeC:\Windows\system32\Ocllehcj.exe89⤵PID:2644
-
C:\Windows\SysWOW64\Oghhfg32.exeC:\Windows\system32\Oghhfg32.exe90⤵
- Drops file in System32 directory
PID:2200 -
C:\Windows\SysWOW64\Oekhacbn.exeC:\Windows\system32\Oekhacbn.exe91⤵PID:1404
-
C:\Windows\SysWOW64\Ohidmoaa.exeC:\Windows\system32\Ohidmoaa.exe92⤵PID:3012
-
C:\Windows\SysWOW64\Oldpnn32.exeC:\Windows\system32\Oldpnn32.exe93⤵PID:1368
-
C:\Windows\SysWOW64\Opplolac.exeC:\Windows\system32\Opplolac.exe94⤵PID:468
-
C:\Windows\SysWOW64\Ocohkh32.exeC:\Windows\system32\Ocohkh32.exe95⤵
- System Location Discovery: System Language Discovery
PID:884 -
C:\Windows\SysWOW64\Oaaifdhb.exeC:\Windows\system32\Oaaifdhb.exe96⤵PID:908
-
C:\Windows\SysWOW64\Oihqgbhd.exeC:\Windows\system32\Oihqgbhd.exe97⤵PID:2212
-
C:\Windows\SysWOW64\Ohkaco32.exeC:\Windows\system32\Ohkaco32.exe98⤵PID:3064
-
C:\Windows\SysWOW64\Pkjmoj32.exeC:\Windows\system32\Pkjmoj32.exe99⤵PID:1648
-
C:\Windows\SysWOW64\Pcaepg32.exeC:\Windows\system32\Pcaepg32.exe100⤵PID:2788
-
C:\Windows\SysWOW64\Peoalc32.exeC:\Windows\system32\Peoalc32.exe101⤵
- System Location Discovery: System Language Discovery
PID:2656 -
C:\Windows\SysWOW64\Pdbahpec.exeC:\Windows\system32\Pdbahpec.exe102⤵PID:2700
-
C:\Windows\SysWOW64\Plijimee.exeC:\Windows\system32\Plijimee.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1408 -
C:\Windows\SysWOW64\Pnjfae32.exeC:\Windows\system32\Pnjfae32.exe104⤵PID:2936
-
C:\Windows\SysWOW64\Peanbblf.exeC:\Windows\system32\Peanbblf.exe105⤵PID:2112
-
C:\Windows\SysWOW64\Phpjnnki.exeC:\Windows\system32\Phpjnnki.exe106⤵PID:2024
-
C:\Windows\SysWOW64\Pkofjijm.exeC:\Windows\system32\Pkofjijm.exe107⤵PID:2880
-
C:\Windows\SysWOW64\Pnmcfeia.exeC:\Windows\system32\Pnmcfeia.exe108⤵PID:1904
-
C:\Windows\SysWOW64\Pqkobqhd.exeC:\Windows\system32\Pqkobqhd.exe109⤵PID:2376
-
C:\Windows\SysWOW64\Pdgkco32.exeC:\Windows\system32\Pdgkco32.exe110⤵PID:2400
-
C:\Windows\SysWOW64\Pgegok32.exeC:\Windows\system32\Pgegok32.exe111⤵
- Drops file in System32 directory
PID:896 -
C:\Windows\SysWOW64\Pjcckf32.exeC:\Windows\system32\Pjcckf32.exe112⤵PID:1624
-
C:\Windows\SysWOW64\Pqnlhpfb.exeC:\Windows\system32\Pqnlhpfb.exe113⤵PID:2784
-
C:\Windows\SysWOW64\Pdihiook.exeC:\Windows\system32\Pdihiook.exe114⤵PID:2960
-
C:\Windows\SysWOW64\Pggdejno.exeC:\Windows\system32\Pggdejno.exe115⤵PID:1932
-
C:\Windows\SysWOW64\Pjfpafmb.exeC:\Windows\system32\Pjfpafmb.exe116⤵PID:1444
-
C:\Windows\SysWOW64\Pnalad32.exeC:\Windows\system32\Pnalad32.exe117⤵PID:1712
-
C:\Windows\SysWOW64\Pnalad32.exeC:\Windows\system32\Pnalad32.exe118⤵PID:2284
-
C:\Windows\SysWOW64\Pmdmmalf.exeC:\Windows\system32\Pmdmmalf.exe119⤵PID:1860
-
C:\Windows\SysWOW64\Pdldnomh.exeC:\Windows\system32\Pdldnomh.exe120⤵PID:600
-
C:\Windows\SysWOW64\Pcnejk32.exeC:\Windows\system32\Pcnejk32.exe121⤵PID:548
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-