Analysis
-
max time kernel
110s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
23-09-2024 16:08
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
f98841b2fc900fd094b591c125fcaf37552037eafce48318777ba6f0f935aaafN.exe
Resource
win7-20240708-en
windows7-x64
10 signatures
120 seconds
Behavioral task
behavioral2
Sample
f98841b2fc900fd094b591c125fcaf37552037eafce48318777ba6f0f935aaafN.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
8 signatures
120 seconds
General
-
Target
f98841b2fc900fd094b591c125fcaf37552037eafce48318777ba6f0f935aaafN.exe
-
Size
245KB
-
MD5
251f1b0112b99f3d4057326f93362f40
-
SHA1
633686afcfef6673c84d2542e31e93059c500eff
-
SHA256
f98841b2fc900fd094b591c125fcaf37552037eafce48318777ba6f0f935aaaf
-
SHA512
480f39c7556154cc40e2f5c743c0a3a984bd51c9ce4244c6c1a7f7925be2f6555c6fb6cc6c4e124322642e1f48f79e30f026a5c1ef60ddd40e5b429100b69d5d
-
SSDEEP
1536:1ZxE7Pv5N5LT113EkQvDapsrjInErl6U/4cXeXvubKrFEwMEwKhbArEwKhQL4cX4:1Zydz106Uwago+bAr+Qka
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Extracted
Family
gozi
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Majfcb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pcdnpp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghndjd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkoikcaq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipbgci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kgkokjjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Olhmnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pbaebh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aihmhe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebfpglkn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Polbemck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aeommfnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Clnkdc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dlpdifda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ffahgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hakani32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cadfbi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egchocif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eojpqpih.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hemggm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hiichkog.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkpekjie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Knnagehi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qedjib32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhdpjaga.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmahbhei.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clnkdc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Caajmilh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iaknmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Angafl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekjjebed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eqklhh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ffcdlncp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gncblo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icadpd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acnqen32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfjmkn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhiiepcl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjkgampo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmipmlan.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hohhfbkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Macpcccp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bbcjfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdnicemo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbhhlo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdchifik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mggoli32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlmjjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ohdkop32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iccqedfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Omkidb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dcofqphi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmklbk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohdkop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qnjbmh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qcigjolm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djahmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gjomlp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Micnbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Noiiaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bfjmkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cocnanmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djahmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fcqoec32.exe -
Executes dropped EXE 64 IoCs
pid Process 780 Kkpekjie.exe 276 Knnagehi.exe 2752 Kbljmd32.exe 2196 Kejfio32.exe 2896 Kaagnp32.exe 1136 Kgkokjjd.exe 2732 Laccdp32.exe 792 Lfpllg32.exe 2408 Liohhbno.exe 1260 Lcdmekne.exe 1684 Llpajmkq.exe 2652 Lfeegfkf.exe 3044 Llbnpm32.exe 2792 Lejbhbpn.exe 2156 Lldkem32.exe 2400 Mihkoa32.exe 568 Mlfgkleh.exe 1456 Moecghdl.exe 988 Macpcccp.exe 1560 Mkldli32.exe 1852 Mojmbg32.exe 912 Mahinb32.exe 1452 Micnbe32.exe 2480 Majfcb32.exe 856 Mggoli32.exe 1204 Mmaghc32.exe 1384 Nelkme32.exe 2260 Nglhghgj.exe 2572 Nhmdoq32.exe 2680 Npdlpnnj.exe 1708 Nlkmeo32.exe 2560 Noiiaj32.exe 3020 Necandjo.exe 2816 Nlmjjo32.exe 2188 Najbbepc.exe 1804 Ohdkop32.exe 2252 Onacgf32.exe 1948 Opoocb32.exe 2740 Oncpmf32.exe 1244 Oqaliabh.exe 1240 Ocphembl.exe 1984 Ojjqbg32.exe 2244 Olhmnb32.exe 1300 Ognakk32.exe 1528 Omkidb32.exe 1892 Ogpnakfp.exe 744 Ohajic32.exe 2240 Polbemck.exe 2976 Pkbcjn32.exe 2068 Pcikllja.exe 1580 Pfhghgie.exe 552 Pifcdbhi.exe 2708 Pkeppngm.exe 2600 Poplqm32.exe 2576 Pbohmh32.exe 2580 Pgkqeo32.exe 2088 Pobhfl32.exe 1280 Pbaebh32.exe 2860 Peoanckj.exe 2952 Pgnmjokn.exe 2808 Pnhegi32.exe 2044 Pbcahgjd.exe 1972 Peandcih.exe 1028 Pcdnpp32.exe -
Loads dropped DLL 64 IoCs
pid Process 2840 f98841b2fc900fd094b591c125fcaf37552037eafce48318777ba6f0f935aaafN.exe 2840 f98841b2fc900fd094b591c125fcaf37552037eafce48318777ba6f0f935aaafN.exe 780 Kkpekjie.exe 780 Kkpekjie.exe 276 Knnagehi.exe 276 Knnagehi.exe 2752 Kbljmd32.exe 2752 Kbljmd32.exe 2196 Kejfio32.exe 2196 Kejfio32.exe 2896 Kaagnp32.exe 2896 Kaagnp32.exe 1136 Kgkokjjd.exe 1136 Kgkokjjd.exe 2732 Laccdp32.exe 2732 Laccdp32.exe 792 Lfpllg32.exe 792 Lfpllg32.exe 2408 Liohhbno.exe 2408 Liohhbno.exe 1260 Lcdmekne.exe 1260 Lcdmekne.exe 1684 Llpajmkq.exe 1684 Llpajmkq.exe 2652 Lfeegfkf.exe 2652 Lfeegfkf.exe 3044 Llbnpm32.exe 3044 Llbnpm32.exe 2792 Lejbhbpn.exe 2792 Lejbhbpn.exe 2156 Lldkem32.exe 2156 Lldkem32.exe 2400 Mihkoa32.exe 2400 Mihkoa32.exe 568 Mlfgkleh.exe 568 Mlfgkleh.exe 1456 Moecghdl.exe 1456 Moecghdl.exe 988 Macpcccp.exe 988 Macpcccp.exe 1560 Mkldli32.exe 1560 Mkldli32.exe 1852 Mojmbg32.exe 1852 Mojmbg32.exe 912 Mahinb32.exe 912 Mahinb32.exe 1452 Micnbe32.exe 1452 Micnbe32.exe 2480 Majfcb32.exe 2480 Majfcb32.exe 856 Mggoli32.exe 856 Mggoli32.exe 1604 Ngikaijm.exe 1604 Ngikaijm.exe 1384 Nelkme32.exe 1384 Nelkme32.exe 2260 Nglhghgj.exe 2260 Nglhghgj.exe 2572 Nhmdoq32.exe 2572 Nhmdoq32.exe 2680 Npdlpnnj.exe 2680 Npdlpnnj.exe 1708 Nlkmeo32.exe 1708 Nlkmeo32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Dklkkoqf.exe Dhnoocab.exe File created C:\Windows\SysWOW64\Fbhhlo32.exe Flnpoe32.exe File created C:\Windows\SysWOW64\Bemnhgen.dll f98841b2fc900fd094b591c125fcaf37552037eafce48318777ba6f0f935aaafN.exe File created C:\Windows\SysWOW64\Hcedjdom.dll Gmklbk32.exe File created C:\Windows\SysWOW64\Hemggm32.exe Hfjglppd.exe File created C:\Windows\SysWOW64\Joagkd32.exe Jlckoh32.exe File created C:\Windows\SysWOW64\Qjacai32.exe Qcgkeonp.exe File created C:\Windows\SysWOW64\Bhiiepcl.exe Bdnmda32.exe File opened for modification C:\Windows\SysWOW64\Gncblo32.exe Glefpd32.exe File opened for modification C:\Windows\SysWOW64\Iccqedfa.exe Idqpjg32.exe File opened for modification C:\Windows\SysWOW64\Joagkd32.exe Jlckoh32.exe File created C:\Windows\SysWOW64\Adbbfabn.dll Jkcoee32.exe File opened for modification C:\Windows\SysWOW64\Laccdp32.exe Kgkokjjd.exe File opened for modification C:\Windows\SysWOW64\Nelkme32.exe Ngikaijm.exe File created C:\Windows\SysWOW64\Hmjoiblj.dll Oqaliabh.exe File created C:\Windows\SysWOW64\Peandcih.exe Pbcahgjd.exe File created C:\Windows\SysWOW64\Cidhcg32.exe Ccjpfmic.exe File created C:\Windows\SysWOW64\Qeaeeg32.dll Igjckcbo.exe File opened for modification C:\Windows\SysWOW64\Micnbe32.exe Mahinb32.exe File opened for modification C:\Windows\SysWOW64\Mggoli32.exe Majfcb32.exe File created C:\Windows\SysWOW64\Knaocm32.dll Nhmdoq32.exe File created C:\Windows\SysWOW64\Edjdel32.dll Nlkmeo32.exe File created C:\Windows\SysWOW64\Mcldnd32.dll Fmnmih32.exe File created C:\Windows\SysWOW64\Kgkokjjd.exe Kaagnp32.exe File created C:\Windows\SysWOW64\Liohhbno.exe Lfpllg32.exe File opened for modification C:\Windows\SysWOW64\Pbcahgjd.exe Pnhegi32.exe File opened for modification C:\Windows\SysWOW64\Aihmhe32.exe Afjplj32.exe File created C:\Windows\SysWOW64\Npdlpnnj.exe Nhmdoq32.exe File created C:\Windows\SysWOW64\Edieng32.exe Ebkibk32.exe File created C:\Windows\SysWOW64\Fjmdgmnl.exe Ffahgn32.exe File created C:\Windows\SysWOW64\Kililk32.dll Pifcdbhi.exe File created C:\Windows\SysWOW64\Egchocif.exe Eddlcgjb.exe File created C:\Windows\SysWOW64\Egglnnil.dll Gncblo32.exe File created C:\Windows\SysWOW64\Jehmda32.dll Iebmaoed.exe File created C:\Windows\SysWOW64\Kjdnqckh.dll Jfdigocb.exe File opened for modification C:\Windows\SysWOW64\Jficbn32.exe Jbmgapgc.exe File created C:\Windows\SysWOW64\Foaekdkd.dll Ghndjd32.exe File created C:\Windows\SysWOW64\Hfmcapna.exe Hoflpbmo.exe File created C:\Windows\SysWOW64\Pbaebh32.exe Pobhfl32.exe File created C:\Windows\SysWOW64\Goepdd32.dll Pbcahgjd.exe File opened for modification C:\Windows\SysWOW64\Bhdpjaga.exe Bakgmgpe.exe File created C:\Windows\SysWOW64\Pfhchf32.dll Bikemiik.exe File created C:\Windows\SysWOW64\Dldndf32.exe Djfagjai.exe File opened for modification C:\Windows\SysWOW64\Docjpa32.exe Dldndf32.exe File created C:\Windows\SysWOW64\Jbmgapgc.exe Jookedhp.exe File opened for modification C:\Windows\SysWOW64\Hhnpih32.exe Hikpnkme.exe File opened for modification C:\Windows\SysWOW64\Qedjib32.exe Qnjbmh32.exe File created C:\Windows\SysWOW64\Ifbalb32.dll Qmoone32.exe File created C:\Windows\SysWOW64\Knjfogkd.dll Eddlcgjb.exe File created C:\Windows\SysWOW64\Fcqoec32.exe Fmffhi32.exe File created C:\Windows\SysWOW64\Doelpf32.dll Genkhidc.exe File opened for modification C:\Windows\SysWOW64\Gibmglep.exe Gjomlp32.exe File created C:\Windows\SysWOW64\Ekcmkamj.exe Eclejclg.exe File opened for modification C:\Windows\SysWOW64\Fjkgampo.exe Fglkeaqk.exe File created C:\Windows\SysWOW64\Chkgnh32.dll Necandjo.exe File created C:\Windows\SysWOW64\Opoocb32.exe Onacgf32.exe File created C:\Windows\SysWOW64\Pcikllja.exe Pkbcjn32.exe File created C:\Windows\SysWOW64\Ceidfi32.dll Pgnmjokn.exe File created C:\Windows\SysWOW64\Bmfamg32.exe Bikemiik.exe File created C:\Windows\SysWOW64\Djahmk32.exe Djahmk32.exe File created C:\Windows\SysWOW64\Hbfalpab.exe Hkoikcaq.exe File created C:\Windows\SysWOW64\Finqaibj.dll Hkoikcaq.exe File opened for modification C:\Windows\SysWOW64\Ihgcof32.exe Ippkni32.exe File opened for modification C:\Windows\SysWOW64\Ghndjd32.exe Gdchifik.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3452 4056 WerFault.exe 302 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hinlck32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlkmeo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkbcjn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afojgiei.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bimbbhgh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpldjajo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdchifik.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Feiamj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghlgdecf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cleaebna.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmkpchmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbhhlo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghjjoeei.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhnpih32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbaebh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aihmhe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkjbgk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hohhfbkl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iegjnkod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oqaliabh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apbeeppo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfmbmkgm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eqpfchka.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fqdong32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iedmhlqf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eclejclg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghndjd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfdigocb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ognakk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dghekobe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlckoh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iccqedfa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojjqbg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amalcd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djahmk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffmnloih.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnoiqpqk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glefpd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Macpcccp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgehfodh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eklgjbca.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpliec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjdfgojp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipbgci32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekcmkamj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhebij32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fibqhibd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Genkhidc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knnagehi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Peoanckj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Coqaknog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cocnanmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhnoocab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffahgn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iaknmm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikcbfb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ippkni32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhmdoq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npdlpnnj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikfokb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgkokjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfhghgie.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dddodd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcckjb32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpgabh32.dll" Ohdkop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajojpafh.dll" Qjofljho.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Docjpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gjjcqpbj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Amalcd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcldnd32.dll" Fmnmih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ghjjoeei.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hfjglppd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hoflpbmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mlfgkleh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppopgcbc.dll" Bhdpjaga.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cleaebna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klhniing.dll" Cgnbepjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmaphoqe.dll" Gdedoegh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jchjqc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bdnmda32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dpggnfap.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dlpdifda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mahinb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ogpnakfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bikemiik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbcibnmm.dll" Hemggm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jficbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mmaghc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nelkme32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Npdlpnnj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ojjqbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Anlkakqa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifbalb32.dll" Qmoone32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jqjddlfd.dll" Bbcjfn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bimbbhgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbmdcf32.dll" Blkoocfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddnjaegb.dll" Ebfpglkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjpgin32.dll" Iedmhlqf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fmnmih32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lfpllg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Moecghdl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdbdfeg.dll" Cocnanmd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dklkkoqf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmkdanef.dll" Dlgjie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fcckjb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdjgbloo.dll" Ffahgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gbmbgngb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Genkhidc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ipbgci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jlckoh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lcdmekne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ahpfoa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eojpqpih.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gpledf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gpledf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hkoikcaq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Laccdp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Apbeeppo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gjomlp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npphimpc.dll" Ghcmedmo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Micnbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cleaebna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbejabln.dll" Flnpoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obbdgajq.dll" Gjmpfp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gdedoegh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hikpnkme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Emdjbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lefhfe32.dll" Ngikaijm.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2840 wrote to memory of 780 2840 f98841b2fc900fd094b591c125fcaf37552037eafce48318777ba6f0f935aaafN.exe 29 PID 2840 wrote to memory of 780 2840 f98841b2fc900fd094b591c125fcaf37552037eafce48318777ba6f0f935aaafN.exe 29 PID 2840 wrote to memory of 780 2840 f98841b2fc900fd094b591c125fcaf37552037eafce48318777ba6f0f935aaafN.exe 29 PID 2840 wrote to memory of 780 2840 f98841b2fc900fd094b591c125fcaf37552037eafce48318777ba6f0f935aaafN.exe 29 PID 780 wrote to memory of 276 780 Kkpekjie.exe 30 PID 780 wrote to memory of 276 780 Kkpekjie.exe 30 PID 780 wrote to memory of 276 780 Kkpekjie.exe 30 PID 780 wrote to memory of 276 780 Kkpekjie.exe 30 PID 276 wrote to memory of 2752 276 Knnagehi.exe 31 PID 276 wrote to memory of 2752 276 Knnagehi.exe 31 PID 276 wrote to memory of 2752 276 Knnagehi.exe 31 PID 276 wrote to memory of 2752 276 Knnagehi.exe 31 PID 2752 wrote to memory of 2196 2752 Kbljmd32.exe 32 PID 2752 wrote to memory of 2196 2752 Kbljmd32.exe 32 PID 2752 wrote to memory of 2196 2752 Kbljmd32.exe 32 PID 2752 wrote to memory of 2196 2752 Kbljmd32.exe 32 PID 2196 wrote to memory of 2896 2196 Kejfio32.exe 33 PID 2196 wrote to memory of 2896 2196 Kejfio32.exe 33 PID 2196 wrote to memory of 2896 2196 Kejfio32.exe 33 PID 2196 wrote to memory of 2896 2196 Kejfio32.exe 33 PID 2896 wrote to memory of 1136 2896 Kaagnp32.exe 34 PID 2896 wrote to memory of 1136 2896 Kaagnp32.exe 34 PID 2896 wrote to memory of 1136 2896 Kaagnp32.exe 34 PID 2896 wrote to memory of 1136 2896 Kaagnp32.exe 34 PID 1136 wrote to memory of 2732 1136 Kgkokjjd.exe 35 PID 1136 wrote to memory of 2732 1136 Kgkokjjd.exe 35 PID 1136 wrote to memory of 2732 1136 Kgkokjjd.exe 35 PID 1136 wrote to memory of 2732 1136 Kgkokjjd.exe 35 PID 2732 wrote to memory of 792 2732 Laccdp32.exe 36 PID 2732 wrote to memory of 792 2732 Laccdp32.exe 36 PID 2732 wrote to memory of 792 2732 Laccdp32.exe 36 PID 2732 wrote to memory of 792 2732 Laccdp32.exe 36 PID 792 wrote to memory of 2408 792 Lfpllg32.exe 37 PID 792 wrote to memory of 2408 792 Lfpllg32.exe 37 PID 792 wrote to memory of 2408 792 Lfpllg32.exe 37 PID 792 wrote to memory of 2408 792 Lfpllg32.exe 37 PID 2408 wrote to memory of 1260 2408 Liohhbno.exe 38 PID 2408 wrote to memory of 1260 2408 Liohhbno.exe 38 PID 2408 wrote to memory of 1260 2408 Liohhbno.exe 38 PID 2408 wrote to memory of 1260 2408 Liohhbno.exe 38 PID 1260 wrote to memory of 1684 1260 Lcdmekne.exe 39 PID 1260 wrote to memory of 1684 1260 Lcdmekne.exe 39 PID 1260 wrote to memory of 1684 1260 Lcdmekne.exe 39 PID 1260 wrote to memory of 1684 1260 Lcdmekne.exe 39 PID 1684 wrote to memory of 2652 1684 Llpajmkq.exe 40 PID 1684 wrote to memory of 2652 1684 Llpajmkq.exe 40 PID 1684 wrote to memory of 2652 1684 Llpajmkq.exe 40 PID 1684 wrote to memory of 2652 1684 Llpajmkq.exe 40 PID 2652 wrote to memory of 3044 2652 Lfeegfkf.exe 41 PID 2652 wrote to memory of 3044 2652 Lfeegfkf.exe 41 PID 2652 wrote to memory of 3044 2652 Lfeegfkf.exe 41 PID 2652 wrote to memory of 3044 2652 Lfeegfkf.exe 41 PID 3044 wrote to memory of 2792 3044 Llbnpm32.exe 42 PID 3044 wrote to memory of 2792 3044 Llbnpm32.exe 42 PID 3044 wrote to memory of 2792 3044 Llbnpm32.exe 42 PID 3044 wrote to memory of 2792 3044 Llbnpm32.exe 42 PID 2792 wrote to memory of 2156 2792 Lejbhbpn.exe 43 PID 2792 wrote to memory of 2156 2792 Lejbhbpn.exe 43 PID 2792 wrote to memory of 2156 2792 Lejbhbpn.exe 43 PID 2792 wrote to memory of 2156 2792 Lejbhbpn.exe 43 PID 2156 wrote to memory of 2400 2156 Lldkem32.exe 44 PID 2156 wrote to memory of 2400 2156 Lldkem32.exe 44 PID 2156 wrote to memory of 2400 2156 Lldkem32.exe 44 PID 2156 wrote to memory of 2400 2156 Lldkem32.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\f98841b2fc900fd094b591c125fcaf37552037eafce48318777ba6f0f935aaafN.exe"C:\Users\Admin\AppData\Local\Temp\f98841b2fc900fd094b591c125fcaf37552037eafce48318777ba6f0f935aaafN.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2840 -
C:\Windows\SysWOW64\Kkpekjie.exeC:\Windows\system32\Kkpekjie.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:780 -
C:\Windows\SysWOW64\Knnagehi.exeC:\Windows\system32\Knnagehi.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:276 -
C:\Windows\SysWOW64\Kbljmd32.exeC:\Windows\system32\Kbljmd32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2752 -
C:\Windows\SysWOW64\Kejfio32.exeC:\Windows\system32\Kejfio32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2196 -
C:\Windows\SysWOW64\Kaagnp32.exeC:\Windows\system32\Kaagnp32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2896 -
C:\Windows\SysWOW64\Kgkokjjd.exeC:\Windows\system32\Kgkokjjd.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1136 -
C:\Windows\SysWOW64\Laccdp32.exeC:\Windows\system32\Laccdp32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\SysWOW64\Lfpllg32.exeC:\Windows\system32\Lfpllg32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:792 -
C:\Windows\SysWOW64\Liohhbno.exeC:\Windows\system32\Liohhbno.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2408 -
C:\Windows\SysWOW64\Lcdmekne.exeC:\Windows\system32\Lcdmekne.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1260 -
C:\Windows\SysWOW64\Llpajmkq.exeC:\Windows\system32\Llpajmkq.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1684 -
C:\Windows\SysWOW64\Lfeegfkf.exeC:\Windows\system32\Lfeegfkf.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2652 -
C:\Windows\SysWOW64\Llbnpm32.exeC:\Windows\system32\Llbnpm32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3044 -
C:\Windows\SysWOW64\Lejbhbpn.exeC:\Windows\system32\Lejbhbpn.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2792 -
C:\Windows\SysWOW64\Lldkem32.exeC:\Windows\system32\Lldkem32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2156 -
C:\Windows\SysWOW64\Mihkoa32.exeC:\Windows\system32\Mihkoa32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2400 -
C:\Windows\SysWOW64\Mlfgkleh.exeC:\Windows\system32\Mlfgkleh.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:568 -
C:\Windows\SysWOW64\Moecghdl.exeC:\Windows\system32\Moecghdl.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1456 -
C:\Windows\SysWOW64\Macpcccp.exeC:\Windows\system32\Macpcccp.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:988 -
C:\Windows\SysWOW64\Mkldli32.exeC:\Windows\system32\Mkldli32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1560 -
C:\Windows\SysWOW64\Mojmbg32.exeC:\Windows\system32\Mojmbg32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1852 -
C:\Windows\SysWOW64\Mahinb32.exeC:\Windows\system32\Mahinb32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:912 -
C:\Windows\SysWOW64\Micnbe32.exeC:\Windows\system32\Micnbe32.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1452 -
C:\Windows\SysWOW64\Majfcb32.exeC:\Windows\system32\Majfcb32.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2480 -
C:\Windows\SysWOW64\Mggoli32.exeC:\Windows\system32\Mggoli32.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:856 -
C:\Windows\SysWOW64\Mmaghc32.exeC:\Windows\system32\Mmaghc32.exe27⤵
- Executes dropped EXE
- Modifies registry class
PID:1204 -
C:\Windows\SysWOW64\Ngikaijm.exeC:\Windows\system32\Ngikaijm.exe28⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1604 -
C:\Windows\SysWOW64\Nelkme32.exeC:\Windows\system32\Nelkme32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1384 -
C:\Windows\SysWOW64\Nglhghgj.exeC:\Windows\system32\Nglhghgj.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2260 -
C:\Windows\SysWOW64\Nhmdoq32.exeC:\Windows\system32\Nhmdoq32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2572 -
C:\Windows\SysWOW64\Npdlpnnj.exeC:\Windows\system32\Npdlpnnj.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2680 -
C:\Windows\SysWOW64\Nlkmeo32.exeC:\Windows\system32\Nlkmeo32.exe33⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1708 -
C:\Windows\SysWOW64\Noiiaj32.exeC:\Windows\system32\Noiiaj32.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2560 -
C:\Windows\SysWOW64\Necandjo.exeC:\Windows\system32\Necandjo.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3020 -
C:\Windows\SysWOW64\Nlmjjo32.exeC:\Windows\system32\Nlmjjo32.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2816 -
C:\Windows\SysWOW64\Najbbepc.exeC:\Windows\system32\Najbbepc.exe37⤵
- Executes dropped EXE
PID:2188 -
C:\Windows\SysWOW64\Ohdkop32.exeC:\Windows\system32\Ohdkop32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1804 -
C:\Windows\SysWOW64\Onacgf32.exeC:\Windows\system32\Onacgf32.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2252 -
C:\Windows\SysWOW64\Opoocb32.exeC:\Windows\system32\Opoocb32.exe40⤵
- Executes dropped EXE
PID:1948 -
C:\Windows\SysWOW64\Oncpmf32.exeC:\Windows\system32\Oncpmf32.exe41⤵
- Executes dropped EXE
PID:2740 -
C:\Windows\SysWOW64\Oqaliabh.exeC:\Windows\system32\Oqaliabh.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1244 -
C:\Windows\SysWOW64\Ocphembl.exeC:\Windows\system32\Ocphembl.exe43⤵
- Executes dropped EXE
PID:1240 -
C:\Windows\SysWOW64\Ojjqbg32.exeC:\Windows\system32\Ojjqbg32.exe44⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1984 -
C:\Windows\SysWOW64\Olhmnb32.exeC:\Windows\system32\Olhmnb32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2244 -
C:\Windows\SysWOW64\Ognakk32.exeC:\Windows\system32\Ognakk32.exe46⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1300 -
C:\Windows\SysWOW64\Omkidb32.exeC:\Windows\system32\Omkidb32.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1528 -
C:\Windows\SysWOW64\Ogpnakfp.exeC:\Windows\system32\Ogpnakfp.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:1892 -
C:\Windows\SysWOW64\Ohajic32.exeC:\Windows\system32\Ohajic32.exe49⤵
- Executes dropped EXE
PID:744 -
C:\Windows\SysWOW64\Polbemck.exeC:\Windows\system32\Polbemck.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2240 -
C:\Windows\SysWOW64\Pkbcjn32.exeC:\Windows\system32\Pkbcjn32.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2976 -
C:\Windows\SysWOW64\Pcikllja.exeC:\Windows\system32\Pcikllja.exe52⤵
- Executes dropped EXE
PID:2068 -
C:\Windows\SysWOW64\Pfhghgie.exeC:\Windows\system32\Pfhghgie.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1580 -
C:\Windows\SysWOW64\Pifcdbhi.exeC:\Windows\system32\Pifcdbhi.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:552 -
C:\Windows\SysWOW64\Pkeppngm.exeC:\Windows\system32\Pkeppngm.exe55⤵
- Executes dropped EXE
PID:2708 -
C:\Windows\SysWOW64\Poplqm32.exeC:\Windows\system32\Poplqm32.exe56⤵
- Executes dropped EXE
PID:2600 -
C:\Windows\SysWOW64\Pbohmh32.exeC:\Windows\system32\Pbohmh32.exe57⤵
- Executes dropped EXE
PID:2576 -
C:\Windows\SysWOW64\Pgkqeo32.exeC:\Windows\system32\Pgkqeo32.exe58⤵
- Executes dropped EXE
PID:2580 -
C:\Windows\SysWOW64\Pobhfl32.exeC:\Windows\system32\Pobhfl32.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2088 -
C:\Windows\SysWOW64\Pbaebh32.exeC:\Windows\system32\Pbaebh32.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1280 -
C:\Windows\SysWOW64\Peoanckj.exeC:\Windows\system32\Peoanckj.exe61⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2860 -
C:\Windows\SysWOW64\Pgnmjokn.exeC:\Windows\system32\Pgnmjokn.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2952 -
C:\Windows\SysWOW64\Pnhegi32.exeC:\Windows\system32\Pnhegi32.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2808 -
C:\Windows\SysWOW64\Pbcahgjd.exeC:\Windows\system32\Pbcahgjd.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2044 -
C:\Windows\SysWOW64\Peandcih.exeC:\Windows\system32\Peandcih.exe65⤵
- Executes dropped EXE
PID:1972 -
C:\Windows\SysWOW64\Pcdnpp32.exeC:\Windows\system32\Pcdnpp32.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1028 -
C:\Windows\SysWOW64\Qjofljho.exeC:\Windows\system32\Qjofljho.exe67⤵
- Modifies registry class
PID:1712 -
C:\Windows\SysWOW64\Qnjbmh32.exeC:\Windows\system32\Qnjbmh32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1652 -
C:\Windows\SysWOW64\Qedjib32.exeC:\Windows\system32\Qedjib32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2540 -
C:\Windows\SysWOW64\Qcgkeonp.exeC:\Windows\system32\Qcgkeonp.exe70⤵
- Drops file in System32 directory
PID:2272 -
C:\Windows\SysWOW64\Qjacai32.exeC:\Windows\system32\Qjacai32.exe71⤵PID:2512
-
C:\Windows\SysWOW64\Qmoone32.exeC:\Windows\system32\Qmoone32.exe72⤵
- Drops file in System32 directory
- Modifies registry class
PID:1696 -
C:\Windows\SysWOW64\Qcigjolm.exeC:\Windows\system32\Qcigjolm.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1936 -
C:\Windows\SysWOW64\Ajcpgi32.exeC:\Windows\system32\Ajcpgi32.exe74⤵PID:2692
-
C:\Windows\SysWOW64\Amalcd32.exeC:\Windows\system32\Amalcd32.exe75⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2724 -
C:\Windows\SysWOW64\Apphpp32.exeC:\Windows\system32\Apphpp32.exe76⤵PID:2568
-
C:\Windows\SysWOW64\Afjplj32.exeC:\Windows\system32\Afjplj32.exe77⤵
- Drops file in System32 directory
PID:3028 -
C:\Windows\SysWOW64\Aihmhe32.exeC:\Windows\system32\Aihmhe32.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:284 -
C:\Windows\SysWOW64\Apbeeppo.exeC:\Windows\system32\Apbeeppo.exe79⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2424 -
C:\Windows\SysWOW64\Acnqen32.exeC:\Windows\system32\Acnqen32.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1836 -
C:\Windows\SysWOW64\Aeommfnf.exeC:\Windows\system32\Aeommfnf.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1532 -
C:\Windows\SysWOW64\Aliejq32.exeC:\Windows\system32\Aliejq32.exe82⤵PID:2448
-
C:\Windows\SysWOW64\Angafl32.exeC:\Windows\system32\Angafl32.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2168 -
C:\Windows\SysWOW64\Afojgiei.exeC:\Windows\system32\Afojgiei.exe84⤵
- System Location Discovery: System Language Discovery
PID:1780 -
C:\Windows\SysWOW64\Ahpfoa32.exeC:\Windows\system32\Ahpfoa32.exe85⤵
- Modifies registry class
PID:1916 -
C:\Windows\SysWOW64\Anjnllbd.exeC:\Windows\system32\Anjnllbd.exe86⤵PID:2508
-
C:\Windows\SysWOW64\Abejlj32.exeC:\Windows\system32\Abejlj32.exe87⤵PID:2344
-
C:\Windows\SysWOW64\Ahbcda32.exeC:\Windows\system32\Ahbcda32.exe88⤵PID:1900
-
C:\Windows\SysWOW64\Anlkakqa.exeC:\Windows\system32\Anlkakqa.exe89⤵
- Modifies registry class
PID:468 -
C:\Windows\SysWOW64\Bakgmgpe.exeC:\Windows\system32\Bakgmgpe.exe90⤵
- Drops file in System32 directory
PID:1968 -
C:\Windows\SysWOW64\Bhdpjaga.exeC:\Windows\system32\Bhdpjaga.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2848 -
C:\Windows\SysWOW64\Bjclfmfe.exeC:\Windows\system32\Bjclfmfe.exe92⤵PID:2784
-
C:\Windows\SysWOW64\Bmahbhei.exeC:\Windows\system32\Bmahbhei.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2844 -
C:\Windows\SysWOW64\Bdkpob32.exeC:\Windows\system32\Bdkpob32.exe94⤵PID:2608
-
C:\Windows\SysWOW64\Bfjmkn32.exeC:\Windows\system32\Bfjmkn32.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2640 -
C:\Windows\SysWOW64\Boadlk32.exeC:\Windows\system32\Boadlk32.exe96⤵PID:1660
-
C:\Windows\SysWOW64\Bmdehgcf.exeC:\Windows\system32\Bmdehgcf.exe97⤵PID:952
-
C:\Windows\SysWOW64\Bdnmda32.exeC:\Windows\system32\Bdnmda32.exe98⤵
- Drops file in System32 directory
- Modifies registry class
PID:2000 -
C:\Windows\SysWOW64\Bhiiepcl.exeC:\Windows\system32\Bhiiepcl.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2632 -
C:\Windows\SysWOW64\Bikemiik.exeC:\Windows\system32\Bikemiik.exe100⤵
- Drops file in System32 directory
- Modifies registry class
PID:1536 -
C:\Windows\SysWOW64\Bmfamg32.exeC:\Windows\system32\Bmfamg32.exe101⤵PID:2948
-
C:\Windows\SysWOW64\Bpdnjb32.exeC:\Windows\system32\Bpdnjb32.exe102⤵PID:376
-
C:\Windows\SysWOW64\Bbcjfn32.exeC:\Windows\system32\Bbcjfn32.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2892 -
C:\Windows\SysWOW64\Bkjbgk32.exeC:\Windows\system32\Bkjbgk32.exe104⤵
- System Location Discovery: System Language Discovery
PID:1640 -
C:\Windows\SysWOW64\Bimbbhgh.exeC:\Windows\system32\Bimbbhgh.exe105⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2192 -
C:\Windows\SysWOW64\Blkoocfl.exeC:\Windows\system32\Blkoocfl.exe106⤵
- Modifies registry class
PID:2280 -
C:\Windows\SysWOW64\Bbegkn32.exeC:\Windows\system32\Bbegkn32.exe107⤵PID:1328
-
C:\Windows\SysWOW64\Cmkkhfmn.exeC:\Windows\system32\Cmkkhfmn.exe108⤵PID:1032
-
C:\Windows\SysWOW64\Clnkdc32.exeC:\Windows\system32\Clnkdc32.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1944 -
C:\Windows\SysWOW64\Cbhcankf.exeC:\Windows\system32\Cbhcankf.exe110⤵PID:2216
-
C:\Windows\SysWOW64\Cgcoal32.exeC:\Windows\system32\Cgcoal32.exe111⤵PID:2704
-
C:\Windows\SysWOW64\Cpldjajo.exeC:\Windows\system32\Cpldjajo.exe112⤵
- System Location Discovery: System Language Discovery
PID:2688 -
C:\Windows\SysWOW64\Ccjpfmic.exeC:\Windows\system32\Ccjpfmic.exe113⤵
- Drops file in System32 directory
PID:2172 -
C:\Windows\SysWOW64\Cidhcg32.exeC:\Windows\system32\Cidhcg32.exe114⤵PID:2552
-
C:\Windows\SysWOW64\Clbdobpc.exeC:\Windows\system32\Clbdobpc.exe115⤵PID:2396
-
C:\Windows\SysWOW64\Coqaknog.exeC:\Windows\system32\Coqaknog.exe116⤵
- System Location Discovery: System Language Discovery
PID:1448 -
C:\Windows\SysWOW64\Cclmlm32.exeC:\Windows\system32\Cclmlm32.exe117⤵PID:996
-
C:\Windows\SysWOW64\Cekihh32.exeC:\Windows\system32\Cekihh32.exe118⤵PID:2348
-
C:\Windows\SysWOW64\Cdnicemo.exeC:\Windows\system32\Cdnicemo.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2404 -
C:\Windows\SysWOW64\Cleaebna.exeC:\Windows\system32\Cleaebna.exe120⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1464 -
C:\Windows\SysWOW64\Cocnanmd.exeC:\Windows\system32\Cocnanmd.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2292
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-