Analysis
-
max time kernel
120s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
27/09/2024, 21:38
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
d4ced21c9e1eedffb08909a4c6c62b762a7fc50721baec6e9300a780039f1d29N.exe
Resource
win7-20240903-en
windows7-x64
9 signatures
120 seconds
Behavioral task
behavioral2
Sample
d4ced21c9e1eedffb08909a4c6c62b762a7fc50721baec6e9300a780039f1d29N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
8 signatures
120 seconds
General
-
Target
d4ced21c9e1eedffb08909a4c6c62b762a7fc50721baec6e9300a780039f1d29N.exe
-
Size
219KB
-
MD5
7a2ce38d15c4a6dbcee13197ec259940
-
SHA1
12920c0073ec55332e8cbe39b2e96fbd62320fb0
-
SHA256
d4ced21c9e1eedffb08909a4c6c62b762a7fc50721baec6e9300a780039f1d29
-
SHA512
ae1ef8c54ea946857985b7f604d44070ef549977239e351f480281b653c1b6afb426a5745230f4904de24c91465060ef2afe04e60b9997ab5e3d6f7e0d62dc53
-
SSDEEP
3072:3YvTywGNKwXvPzwuZkO0aDb/IBPCOQvU6z314EXrjvwSfYrwBt:3YvTnmKyXzDOO0aDD4PCxdXXwSfYrwB
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://tat-neftbank.ru/kkq.php
http://tat-neftbank.ru/wcmd.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hajhpgag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ihcfan32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jndhddaf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggncop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Keekeg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pfaopc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jljgni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lgiobadq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kblhdkgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hgnjlfam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lggbmbfc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Linoeccp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bmldji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nqbdllld.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Feeldk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjpnjheg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Abmkhmfe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kniaap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nacmpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajapoqmf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fclbgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Npdkdjhp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnfipm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhnjdfcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljpqlqmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lppkgi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bimbbhgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qgiplffm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gqkqbe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpfehq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlmjjo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkckblgq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjanfl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbmcjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Akjjifji.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flnpoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nqdaal32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckamihfm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpieli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oigmbagp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eoomai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pelnniga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kldlmqml.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Coehnecn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhjofbdk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gklkdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jlpmndba.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejnqkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gfdhck32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkpcbecl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dekeeonn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kninog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Flphccbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhcoei32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eqklhh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckajqo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dbejjfek.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gecklbih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oihdjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Deljfqmf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhmjha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njpdiifd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmmaoq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmpooiji.exe -
Executes dropped EXE 64 IoCs
pid Process 2216 Cggcofkf.exe 2632 Clclhmin.exe 2952 Capdpcge.exe 2796 Codeih32.exe 1656 Cgdciiod.exe 2544 Dpmgao32.exe 3036 Dlchfp32.exe 1548 Dncdqcbl.exe 2396 Dlhaaogd.exe 2612 Dbejjfek.exe 3020 Dkmncl32.exe 1160 Ekpkhkji.exe 1128 Ejgeogmn.exe 1668 Egkehllh.exe 2064 Efpbih32.exe 2436 Fgpock32.exe 580 Fcfohlmg.exe 1344 Fichqckn.exe 1736 Fblljhbo.exe 1012 Fbniohpl.exe 1340 Fhkagonc.exe 2444 Feobac32.exe 1448 Gbbbjg32.exe 1612 Glkgcmbg.exe 2032 Gecklbih.exe 2628 Gfdhck32.exe 2680 Gajlac32.exe 1624 Gfgdij32.exe 2652 Gfiaojkq.exe 2940 Heonpf32.exe 2520 Hbboiknb.exe 2868 Hpfoboml.exe 2028 Hlmphp32.exe 2816 Hajhpgag.exe 2924 Hmqieh32.exe 1604 Hginnmml.exe 1312 Ipabfcdm.exe 2844 Iaaoqf32.exe 1532 Iilceh32.exe 1884 Igpdnlgd.exe 752 Iokhcodo.exe 1484 Iloilcci.exe 1732 Jfhmehji.exe 1676 Jclnnmic.exe 1816 Knoaeimg.exe 2276 Kcngcp32.exe 2304 Kmfklepl.exe 2456 Kcpcho32.exe 1556 Kmhhae32.exe 1392 Kpgdnp32.exe 2780 Lgbibb32.exe 2580 Lpiacp32.exe 2504 Liaeleak.exe 2404 Lnnndl32.exe 2576 Lggbmbfc.exe 2568 Lnqkjl32.exe 1952 Lgiobadq.exe 2164 Lpddgd32.exe 2188 Lfnlcnih.exe 968 Lmhdph32.exe 768 Mjlejl32.exe 2488 Mddibb32.exe 1984 Meffjjln.exe 1308 Mbjfcnkg.exe -
Loads dropped DLL 64 IoCs
pid Process 468 d4ced21c9e1eedffb08909a4c6c62b762a7fc50721baec6e9300a780039f1d29N.exe 468 d4ced21c9e1eedffb08909a4c6c62b762a7fc50721baec6e9300a780039f1d29N.exe 2216 Cggcofkf.exe 2216 Cggcofkf.exe 2632 Clclhmin.exe 2632 Clclhmin.exe 2952 Capdpcge.exe 2952 Capdpcge.exe 2796 Codeih32.exe 2796 Codeih32.exe 1656 Cgdciiod.exe 1656 Cgdciiod.exe 2544 Dpmgao32.exe 2544 Dpmgao32.exe 3036 Dlchfp32.exe 3036 Dlchfp32.exe 1548 Dncdqcbl.exe 1548 Dncdqcbl.exe 2396 Dlhaaogd.exe 2396 Dlhaaogd.exe 2612 Dbejjfek.exe 2612 Dbejjfek.exe 3020 Dkmncl32.exe 3020 Dkmncl32.exe 1160 Ekpkhkji.exe 1160 Ekpkhkji.exe 1128 Ejgeogmn.exe 1128 Ejgeogmn.exe 1668 Egkehllh.exe 1668 Egkehllh.exe 2064 Efpbih32.exe 2064 Efpbih32.exe 2436 Fgpock32.exe 2436 Fgpock32.exe 580 Fcfohlmg.exe 580 Fcfohlmg.exe 1344 Fichqckn.exe 1344 Fichqckn.exe 1736 Fblljhbo.exe 1736 Fblljhbo.exe 1012 Fbniohpl.exe 1012 Fbniohpl.exe 1340 Fhkagonc.exe 1340 Fhkagonc.exe 2444 Feobac32.exe 2444 Feobac32.exe 1448 Gbbbjg32.exe 1448 Gbbbjg32.exe 1612 Glkgcmbg.exe 1612 Glkgcmbg.exe 2032 Gecklbih.exe 2032 Gecklbih.exe 2628 Gfdhck32.exe 2628 Gfdhck32.exe 2680 Gajlac32.exe 2680 Gajlac32.exe 1624 Gfgdij32.exe 1624 Gfgdij32.exe 2652 Gfiaojkq.exe 2652 Gfiaojkq.exe 2940 Heonpf32.exe 2940 Heonpf32.exe 2520 Hbboiknb.exe 2520 Hbboiknb.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Fiphhoij.dll Immkiodb.exe File opened for modification C:\Windows\SysWOW64\Afcbgd32.exe Acbieing.exe File opened for modification C:\Windows\SysWOW64\Aoilcc32.exe Amfcfk32.exe File created C:\Windows\SysWOW64\Cblniaii.exe Cpkaai32.exe File created C:\Windows\SysWOW64\Fooleekf.dll Iogbllfc.exe File created C:\Windows\SysWOW64\Ffghlcei.exe Feeldk32.exe File created C:\Windows\SysWOW64\Pldnge32.exe Ppnmbd32.exe File created C:\Windows\SysWOW64\Aeljmq32.exe Abnmae32.exe File created C:\Windows\SysWOW64\Jfpegp32.dll Bbannb32.exe File created C:\Windows\SysWOW64\Gkldbf32.dll Dndndbnl.exe File created C:\Windows\SysWOW64\Ihlpqonl.exe Iboghh32.exe File opened for modification C:\Windows\SysWOW64\Kccian32.exe Kqemeb32.exe File created C:\Windows\SysWOW64\Jegphc32.dll Afbpnlcd.exe File created C:\Windows\SysWOW64\Gklkdn32.exe Gacgli32.exe File created C:\Windows\SysWOW64\Acnqen32.exe Aihmhe32.exe File created C:\Windows\SysWOW64\Haenec32.dll Gfgdij32.exe File created C:\Windows\SysWOW64\Kpgdnp32.exe Kmhhae32.exe File created C:\Windows\SysWOW64\Aadakl32.exe Aemafjeg.exe File created C:\Windows\SysWOW64\Hhnnpolk.exe Hjhaob32.exe File created C:\Windows\SysWOW64\Mgopfi32.dll Dbnpcn32.exe File opened for modification C:\Windows\SysWOW64\Feeldk32.exe Flmglfhk.exe File opened for modification C:\Windows\SysWOW64\Hjoiiffo.exe Hmkiobge.exe File opened for modification C:\Windows\SysWOW64\Odanqb32.exe Okijhmcm.exe File opened for modification C:\Windows\SysWOW64\Iniglajj.exe Ipcjje32.exe File opened for modification C:\Windows\SysWOW64\Kbajci32.exe Kemjieol.exe File created C:\Windows\SysWOW64\Ehohbg32.dll Gpfeoqmf.exe File created C:\Windows\SysWOW64\Camqpnel.exe Bdipfi32.exe File opened for modification C:\Windows\SysWOW64\Adppdckh.exe Adncoc32.exe File created C:\Windows\SysWOW64\Eigpmjqg.exe Empphi32.exe File created C:\Windows\SysWOW64\Nqdaal32.exe Nqbdllld.exe File opened for modification C:\Windows\SysWOW64\Hebqbl32.exe Hmdohj32.exe File created C:\Windows\SysWOW64\Ihdpml32.dll Gjnigb32.exe File opened for modification C:\Windows\SysWOW64\Iflmlfcn.exe Inqhhc32.exe File opened for modification C:\Windows\SysWOW64\Jdbhcfjd.exe Jjjdjp32.exe File opened for modification C:\Windows\SysWOW64\Imgija32.exe Igjabj32.exe File created C:\Windows\SysWOW64\Bkmegaaf.exe Bdcmjg32.exe File opened for modification C:\Windows\SysWOW64\Genkhidc.exe Gjhfkqdm.exe File created C:\Windows\SysWOW64\Lqnmhm32.dll Kqemeb32.exe File created C:\Windows\SysWOW64\Geolck32.dll Pejcab32.exe File opened for modification C:\Windows\SysWOW64\Kbmahjbk.exe Kffpcilf.exe File created C:\Windows\SysWOW64\Genkhidc.exe Gjhfkqdm.exe File opened for modification C:\Windows\SysWOW64\Efgnfi32.exe Eqjenb32.exe File created C:\Windows\SysWOW64\Bllomg32.exe Bafkookd.exe File created C:\Windows\SysWOW64\Cpijenld.dll Phocfd32.exe File created C:\Windows\SysWOW64\Bmldji32.exe Bjlkhn32.exe File opened for modification C:\Windows\SysWOW64\Cccgni32.exe Cjkcedgp.exe File created C:\Windows\SysWOW64\Jmhkdnfp.exe Jbbgge32.exe File created C:\Windows\SysWOW64\Bpbfom32.dll Jomnpdjb.exe File opened for modification C:\Windows\SysWOW64\Pamlel32.exe Ojfcdo32.exe File created C:\Windows\SysWOW64\Ibadnhmb.exe Ihlpqonl.exe File created C:\Windows\SysWOW64\Hilakcna.dll Emkfmioh.exe File opened for modification C:\Windows\SysWOW64\Glgqlkdl.exe Gbolce32.exe File opened for modification C:\Windows\SysWOW64\Aeofcpjj.exe Aeljmq32.exe File opened for modification C:\Windows\SysWOW64\Efeaqi32.exe Ejnqkh32.exe File created C:\Windows\SysWOW64\Capdpcge.exe Clclhmin.exe File created C:\Windows\SysWOW64\Kcngcp32.exe Knoaeimg.exe File opened for modification C:\Windows\SysWOW64\Jgmlmj32.exe Jndhddaf.exe File created C:\Windows\SysWOW64\Oinbglkm.exe Opennf32.exe File created C:\Windows\SysWOW64\Kbgfmkep.dll Fagcnmie.exe File opened for modification C:\Windows\SysWOW64\Moecghdl.exe Lldkem32.exe File created C:\Windows\SysWOW64\Kepgjk32.dll Mbjfcnkg.exe File created C:\Windows\SysWOW64\Becmcind.dll Fhfgokap.exe File opened for modification C:\Windows\SysWOW64\Ckajqo32.exe Cegbce32.exe File created C:\Windows\SysWOW64\Ngpfbjkg.dll Pbppqf32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 2852 4028 WerFault.exe 932 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmnljc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpfeoqmf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojfcdo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpoofm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpbhmiji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pqlfjfni.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adppdckh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgcpkldh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnkpjd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdjblboj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgclpp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmcpqfba.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohdkop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnoqbi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibejfffo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbpffhnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfookk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbihmcqp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lldkem32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffcdlncp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhfoleio.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qakmghbm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaajfi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Moecghdl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbaomf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jafilj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Giakoc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhkagonc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Naihdb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnlbpman.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdincdcl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opennf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlfdjphd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmknko32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkheal32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iilceh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgdmeh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Peakkj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iopeagip.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efhenccl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blkgdmbp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfghagio.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajapoqmf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcfjhj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bqopmbed.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kffpcilf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nphbhm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Clclhmin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjanfl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkfgnldd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnnbqeib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mikooghn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcccglnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qgiplffm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkcfak32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Beplcfmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipcjje32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nqdaal32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdbfpafn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcakbjpl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcgnphgf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlnjjc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oceaql32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfpebq32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdinjj32.dll" Ajibckpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kblhdkgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdmnphna.dll" Mpgdaqmh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lggbmbfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Klijjnen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibhmmobd.dll" Pfobjdoe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Linoeccp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oggnlj32.dll" Lmfjcajl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hafjcm32.dll" Degobhjg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hiphmf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Njmejaqb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ompgqonl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jjgpjjak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdmphmlf.dll" Nmkklflj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ccjpfmic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibofgebi.dll" Ndaaclac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kkfhglen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iamjghnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fpncbjqj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bnhjae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipfkdi32.dll" Imifpagp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kchfpf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ekpkhkji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knmmkb32.dll" Hhjgll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nbmcjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpnioi32.dll" Igdqmeke.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aghidl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjlnkheo.dll" Iboghh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngnenojn.dll" Bkmegaaf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Llbnpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mddibb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ddbolkac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fejhdhpb.dll" Jndhddaf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Homfboco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Licpki32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mcccglnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nlbgkgcc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kknklg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ncbdjhnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fgffck32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kggomknp.dll" Abkqle32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bqngjcje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjonihkc.dll" Cfghagio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gqkqbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngnlaehe.dll" Fkpeojha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iahckl32.dll" Eedijo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acbdcjgi.dll" Gipqpplq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Encchoml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cjkcedgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pmbfoh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kgdijk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pjmjdnop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmlbgc32.dll" Akpkok32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Chmlfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nchiao32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dopdgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdaaokbn.dll" Beplcfmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nldgdpjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfjdgjhi.dll" Pgpjpnhk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eogckqkk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nanlla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Maabcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmdaho32.dll" Agcekn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ohdkop32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 468 wrote to memory of 2216 468 d4ced21c9e1eedffb08909a4c6c62b762a7fc50721baec6e9300a780039f1d29N.exe 30 PID 468 wrote to memory of 2216 468 d4ced21c9e1eedffb08909a4c6c62b762a7fc50721baec6e9300a780039f1d29N.exe 30 PID 468 wrote to memory of 2216 468 d4ced21c9e1eedffb08909a4c6c62b762a7fc50721baec6e9300a780039f1d29N.exe 30 PID 468 wrote to memory of 2216 468 d4ced21c9e1eedffb08909a4c6c62b762a7fc50721baec6e9300a780039f1d29N.exe 30 PID 2216 wrote to memory of 2632 2216 Cggcofkf.exe 31 PID 2216 wrote to memory of 2632 2216 Cggcofkf.exe 31 PID 2216 wrote to memory of 2632 2216 Cggcofkf.exe 31 PID 2216 wrote to memory of 2632 2216 Cggcofkf.exe 31 PID 2632 wrote to memory of 2952 2632 Clclhmin.exe 32 PID 2632 wrote to memory of 2952 2632 Clclhmin.exe 32 PID 2632 wrote to memory of 2952 2632 Clclhmin.exe 32 PID 2632 wrote to memory of 2952 2632 Clclhmin.exe 32 PID 2952 wrote to memory of 2796 2952 Capdpcge.exe 33 PID 2952 wrote to memory of 2796 2952 Capdpcge.exe 33 PID 2952 wrote to memory of 2796 2952 Capdpcge.exe 33 PID 2952 wrote to memory of 2796 2952 Capdpcge.exe 33 PID 2796 wrote to memory of 1656 2796 Codeih32.exe 34 PID 2796 wrote to memory of 1656 2796 Codeih32.exe 34 PID 2796 wrote to memory of 1656 2796 Codeih32.exe 34 PID 2796 wrote to memory of 1656 2796 Codeih32.exe 34 PID 1656 wrote to memory of 2544 1656 Cgdciiod.exe 35 PID 1656 wrote to memory of 2544 1656 Cgdciiod.exe 35 PID 1656 wrote to memory of 2544 1656 Cgdciiod.exe 35 PID 1656 wrote to memory of 2544 1656 Cgdciiod.exe 35 PID 2544 wrote to memory of 3036 2544 Dpmgao32.exe 36 PID 2544 wrote to memory of 3036 2544 Dpmgao32.exe 36 PID 2544 wrote to memory of 3036 2544 Dpmgao32.exe 36 PID 2544 wrote to memory of 3036 2544 Dpmgao32.exe 36 PID 3036 wrote to memory of 1548 3036 Dlchfp32.exe 37 PID 3036 wrote to memory of 1548 3036 Dlchfp32.exe 37 PID 3036 wrote to memory of 1548 3036 Dlchfp32.exe 37 PID 3036 wrote to memory of 1548 3036 Dlchfp32.exe 37 PID 1548 wrote to memory of 2396 1548 Dncdqcbl.exe 38 PID 1548 wrote to memory of 2396 1548 Dncdqcbl.exe 38 PID 1548 wrote to memory of 2396 1548 Dncdqcbl.exe 38 PID 1548 wrote to memory of 2396 1548 Dncdqcbl.exe 38 PID 2396 wrote to memory of 2612 2396 Dlhaaogd.exe 39 PID 2396 wrote to memory of 2612 2396 Dlhaaogd.exe 39 PID 2396 wrote to memory of 2612 2396 Dlhaaogd.exe 39 PID 2396 wrote to memory of 2612 2396 Dlhaaogd.exe 39 PID 2612 wrote to memory of 3020 2612 Dbejjfek.exe 40 PID 2612 wrote to memory of 3020 2612 Dbejjfek.exe 40 PID 2612 wrote to memory of 3020 2612 Dbejjfek.exe 40 PID 2612 wrote to memory of 3020 2612 Dbejjfek.exe 40 PID 3020 wrote to memory of 1160 3020 Dkmncl32.exe 41 PID 3020 wrote to memory of 1160 3020 Dkmncl32.exe 41 PID 3020 wrote to memory of 1160 3020 Dkmncl32.exe 41 PID 3020 wrote to memory of 1160 3020 Dkmncl32.exe 41 PID 1160 wrote to memory of 1128 1160 Ekpkhkji.exe 42 PID 1160 wrote to memory of 1128 1160 Ekpkhkji.exe 42 PID 1160 wrote to memory of 1128 1160 Ekpkhkji.exe 42 PID 1160 wrote to memory of 1128 1160 Ekpkhkji.exe 42 PID 1128 wrote to memory of 1668 1128 Ejgeogmn.exe 43 PID 1128 wrote to memory of 1668 1128 Ejgeogmn.exe 43 PID 1128 wrote to memory of 1668 1128 Ejgeogmn.exe 43 PID 1128 wrote to memory of 1668 1128 Ejgeogmn.exe 43 PID 1668 wrote to memory of 2064 1668 Egkehllh.exe 44 PID 1668 wrote to memory of 2064 1668 Egkehllh.exe 44 PID 1668 wrote to memory of 2064 1668 Egkehllh.exe 44 PID 1668 wrote to memory of 2064 1668 Egkehllh.exe 44 PID 2064 wrote to memory of 2436 2064 Efpbih32.exe 45 PID 2064 wrote to memory of 2436 2064 Efpbih32.exe 45 PID 2064 wrote to memory of 2436 2064 Efpbih32.exe 45 PID 2064 wrote to memory of 2436 2064 Efpbih32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\d4ced21c9e1eedffb08909a4c6c62b762a7fc50721baec6e9300a780039f1d29N.exe"C:\Users\Admin\AppData\Local\Temp\d4ced21c9e1eedffb08909a4c6c62b762a7fc50721baec6e9300a780039f1d29N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:468 -
C:\Windows\SysWOW64\Cggcofkf.exeC:\Windows\system32\Cggcofkf.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2216 -
C:\Windows\SysWOW64\Clclhmin.exeC:\Windows\system32\Clclhmin.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2632 -
C:\Windows\SysWOW64\Capdpcge.exeC:\Windows\system32\Capdpcge.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2952 -
C:\Windows\SysWOW64\Codeih32.exeC:\Windows\system32\Codeih32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2796 -
C:\Windows\SysWOW64\Cgdciiod.exeC:\Windows\system32\Cgdciiod.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1656 -
C:\Windows\SysWOW64\Dpmgao32.exeC:\Windows\system32\Dpmgao32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2544 -
C:\Windows\SysWOW64\Dlchfp32.exeC:\Windows\system32\Dlchfp32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3036 -
C:\Windows\SysWOW64\Dncdqcbl.exeC:\Windows\system32\Dncdqcbl.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1548 -
C:\Windows\SysWOW64\Dlhaaogd.exeC:\Windows\system32\Dlhaaogd.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2396 -
C:\Windows\SysWOW64\Dbejjfek.exeC:\Windows\system32\Dbejjfek.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2612 -
C:\Windows\SysWOW64\Dkmncl32.exeC:\Windows\system32\Dkmncl32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3020 -
C:\Windows\SysWOW64\Ekpkhkji.exeC:\Windows\system32\Ekpkhkji.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1160 -
C:\Windows\SysWOW64\Ejgeogmn.exeC:\Windows\system32\Ejgeogmn.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1128 -
C:\Windows\SysWOW64\Egkehllh.exeC:\Windows\system32\Egkehllh.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1668 -
C:\Windows\SysWOW64\Efpbih32.exeC:\Windows\system32\Efpbih32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2064 -
C:\Windows\SysWOW64\Fgpock32.exeC:\Windows\system32\Fgpock32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2436 -
C:\Windows\SysWOW64\Fcfohlmg.exeC:\Windows\system32\Fcfohlmg.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:580 -
C:\Windows\SysWOW64\Fichqckn.exeC:\Windows\system32\Fichqckn.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1344 -
C:\Windows\SysWOW64\Fblljhbo.exeC:\Windows\system32\Fblljhbo.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1736 -
C:\Windows\SysWOW64\Fbniohpl.exeC:\Windows\system32\Fbniohpl.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1012 -
C:\Windows\SysWOW64\Fhkagonc.exeC:\Windows\system32\Fhkagonc.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1340 -
C:\Windows\SysWOW64\Feobac32.exeC:\Windows\system32\Feobac32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2444 -
C:\Windows\SysWOW64\Gbbbjg32.exeC:\Windows\system32\Gbbbjg32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1448 -
C:\Windows\SysWOW64\Glkgcmbg.exeC:\Windows\system32\Glkgcmbg.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1612 -
C:\Windows\SysWOW64\Gecklbih.exeC:\Windows\system32\Gecklbih.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2032 -
C:\Windows\SysWOW64\Gfdhck32.exeC:\Windows\system32\Gfdhck32.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2628 -
C:\Windows\SysWOW64\Gajlac32.exeC:\Windows\system32\Gajlac32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2680 -
C:\Windows\SysWOW64\Gfgdij32.exeC:\Windows\system32\Gfgdij32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1624 -
C:\Windows\SysWOW64\Gfiaojkq.exeC:\Windows\system32\Gfiaojkq.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2652 -
C:\Windows\SysWOW64\Heonpf32.exeC:\Windows\system32\Heonpf32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2940 -
C:\Windows\SysWOW64\Hbboiknb.exeC:\Windows\system32\Hbboiknb.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2520 -
C:\Windows\SysWOW64\Hpfoboml.exeC:\Windows\system32\Hpfoboml.exe33⤵
- Executes dropped EXE
PID:2868 -
C:\Windows\SysWOW64\Hlmphp32.exeC:\Windows\system32\Hlmphp32.exe34⤵
- Executes dropped EXE
PID:2028 -
C:\Windows\SysWOW64\Hajhpgag.exeC:\Windows\system32\Hajhpgag.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2816 -
C:\Windows\SysWOW64\Hmqieh32.exeC:\Windows\system32\Hmqieh32.exe36⤵
- Executes dropped EXE
PID:2924 -
C:\Windows\SysWOW64\Hginnmml.exeC:\Windows\system32\Hginnmml.exe37⤵
- Executes dropped EXE
PID:1604 -
C:\Windows\SysWOW64\Ipabfcdm.exeC:\Windows\system32\Ipabfcdm.exe38⤵
- Executes dropped EXE
PID:1312 -
C:\Windows\SysWOW64\Iaaoqf32.exeC:\Windows\system32\Iaaoqf32.exe39⤵
- Executes dropped EXE
PID:2844 -
C:\Windows\SysWOW64\Iilceh32.exeC:\Windows\system32\Iilceh32.exe40⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1532 -
C:\Windows\SysWOW64\Igpdnlgd.exeC:\Windows\system32\Igpdnlgd.exe41⤵
- Executes dropped EXE
PID:1884 -
C:\Windows\SysWOW64\Iokhcodo.exeC:\Windows\system32\Iokhcodo.exe42⤵
- Executes dropped EXE
PID:752 -
C:\Windows\SysWOW64\Iloilcci.exeC:\Windows\system32\Iloilcci.exe43⤵
- Executes dropped EXE
PID:1484 -
C:\Windows\SysWOW64\Jfhmehji.exeC:\Windows\system32\Jfhmehji.exe44⤵
- Executes dropped EXE
PID:1732 -
C:\Windows\SysWOW64\Jclnnmic.exeC:\Windows\system32\Jclnnmic.exe45⤵
- Executes dropped EXE
PID:1676 -
C:\Windows\SysWOW64\Knoaeimg.exeC:\Windows\system32\Knoaeimg.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1816 -
C:\Windows\SysWOW64\Kcngcp32.exeC:\Windows\system32\Kcngcp32.exe47⤵
- Executes dropped EXE
PID:2276 -
C:\Windows\SysWOW64\Kmfklepl.exeC:\Windows\system32\Kmfklepl.exe48⤵
- Executes dropped EXE
PID:2304 -
C:\Windows\SysWOW64\Kcpcho32.exeC:\Windows\system32\Kcpcho32.exe49⤵
- Executes dropped EXE
PID:2456 -
C:\Windows\SysWOW64\Kmhhae32.exeC:\Windows\system32\Kmhhae32.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1556 -
C:\Windows\SysWOW64\Kpgdnp32.exeC:\Windows\system32\Kpgdnp32.exe51⤵
- Executes dropped EXE
PID:1392 -
C:\Windows\SysWOW64\Lgbibb32.exeC:\Windows\system32\Lgbibb32.exe52⤵
- Executes dropped EXE
PID:2780 -
C:\Windows\SysWOW64\Lpiacp32.exeC:\Windows\system32\Lpiacp32.exe53⤵
- Executes dropped EXE
PID:2580 -
C:\Windows\SysWOW64\Liaeleak.exeC:\Windows\system32\Liaeleak.exe54⤵
- Executes dropped EXE
PID:2504 -
C:\Windows\SysWOW64\Lnnndl32.exeC:\Windows\system32\Lnnndl32.exe55⤵
- Executes dropped EXE
PID:2404 -
C:\Windows\SysWOW64\Lggbmbfc.exeC:\Windows\system32\Lggbmbfc.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2576 -
C:\Windows\SysWOW64\Lnqkjl32.exeC:\Windows\system32\Lnqkjl32.exe57⤵
- Executes dropped EXE
PID:2568 -
C:\Windows\SysWOW64\Lgiobadq.exeC:\Windows\system32\Lgiobadq.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1952 -
C:\Windows\SysWOW64\Lpddgd32.exeC:\Windows\system32\Lpddgd32.exe59⤵
- Executes dropped EXE
PID:2164 -
C:\Windows\SysWOW64\Lfnlcnih.exeC:\Windows\system32\Lfnlcnih.exe60⤵
- Executes dropped EXE
PID:2188 -
C:\Windows\SysWOW64\Lmhdph32.exeC:\Windows\system32\Lmhdph32.exe61⤵
- Executes dropped EXE
PID:968 -
C:\Windows\SysWOW64\Mjlejl32.exeC:\Windows\system32\Mjlejl32.exe62⤵
- Executes dropped EXE
PID:768 -
C:\Windows\SysWOW64\Mddibb32.exeC:\Windows\system32\Mddibb32.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:2488 -
C:\Windows\SysWOW64\Meffjjln.exeC:\Windows\system32\Meffjjln.exe64⤵
- Executes dropped EXE
PID:1984 -
C:\Windows\SysWOW64\Mbjfcnkg.exeC:\Windows\system32\Mbjfcnkg.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1308 -
C:\Windows\SysWOW64\Mhfoleio.exeC:\Windows\system32\Mhfoleio.exe66⤵
- System Location Discovery: System Language Discovery
PID:2408 -
C:\Windows\SysWOW64\Mhikae32.exeC:\Windows\system32\Mhikae32.exe67⤵PID:2284
-
C:\Windows\SysWOW64\Mhkhgd32.exeC:\Windows\system32\Mhkhgd32.exe68⤵PID:3064
-
C:\Windows\SysWOW64\Nacmpj32.exeC:\Windows\system32\Nacmpj32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2296 -
C:\Windows\SysWOW64\Ngcanq32.exeC:\Windows\system32\Ngcanq32.exe70⤵PID:2732
-
C:\Windows\SysWOW64\Ndgbgefh.exeC:\Windows\system32\Ndgbgefh.exe71⤵PID:2712
-
C:\Windows\SysWOW64\Nlbgkgcc.exeC:\Windows\system32\Nlbgkgcc.exe72⤵
- Modifies registry class
PID:2792 -
C:\Windows\SysWOW64\Nggkipci.exeC:\Windows\system32\Nggkipci.exe73⤵PID:2312
-
C:\Windows\SysWOW64\Npppaejj.exeC:\Windows\system32\Npppaejj.exe74⤵PID:2588
-
C:\Windows\SysWOW64\Oihdjk32.exeC:\Windows\system32\Oihdjk32.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1628 -
C:\Windows\SysWOW64\Ooemcb32.exeC:\Windows\system32\Ooemcb32.exe76⤵PID:2636
-
C:\Windows\SysWOW64\Oklmhcdf.exeC:\Windows\system32\Oklmhcdf.exe77⤵PID:2592
-
C:\Windows\SysWOW64\Oojfnakl.exeC:\Windows\system32\Oojfnakl.exe78⤵PID:2156
-
C:\Windows\SysWOW64\Ohbjgg32.exeC:\Windows\system32\Ohbjgg32.exe79⤵PID:608
-
C:\Windows\SysWOW64\Oajopl32.exeC:\Windows\system32\Oajopl32.exe80⤵PID:1236
-
C:\Windows\SysWOW64\Ojfcdo32.exeC:\Windows\system32\Ojfcdo32.exe81⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2132 -
C:\Windows\SysWOW64\Pamlel32.exeC:\Windows\system32\Pamlel32.exe82⤵PID:1672
-
C:\Windows\SysWOW64\Pkepnalk.exeC:\Windows\system32\Pkepnalk.exe83⤵PID:748
-
C:\Windows\SysWOW64\Pcqebd32.exeC:\Windows\system32\Pcqebd32.exe84⤵PID:2608
-
C:\Windows\SysWOW64\Pnfipm32.exeC:\Windows\system32\Pnfipm32.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3004 -
C:\Windows\SysWOW64\Pjmjdnop.exeC:\Windows\system32\Pjmjdnop.exe86⤵
- Modifies registry class
PID:1108 -
C:\Windows\SysWOW64\Pfcjiodd.exeC:\Windows\system32\Pfcjiodd.exe87⤵PID:2828
-
C:\Windows\SysWOW64\Pkpcbecl.exeC:\Windows\system32\Pkpcbecl.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2728 -
C:\Windows\SysWOW64\Qkbpgeai.exeC:\Windows\system32\Qkbpgeai.exe89⤵PID:2584
-
C:\Windows\SysWOW64\Qbmhdp32.exeC:\Windows\system32\Qbmhdp32.exe90⤵PID:2344
-
C:\Windows\SysWOW64\Qgiplffm.exeC:\Windows\system32\Qgiplffm.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2916 -
C:\Windows\SysWOW64\Aemafjeg.exeC:\Windows\system32\Aemafjeg.exe92⤵
- Drops file in System32 directory
PID:1148 -
C:\Windows\SysWOW64\Aadakl32.exeC:\Windows\system32\Aadakl32.exe93⤵PID:2960
-
C:\Windows\SysWOW64\Ajmfca32.exeC:\Windows\system32\Ajmfca32.exe94⤵PID:1472
-
C:\Windows\SysWOW64\Aebjaj32.exeC:\Windows\system32\Aebjaj32.exe95⤵PID:1972
-
C:\Windows\SysWOW64\Ajapoqmf.exeC:\Windows\system32\Ajapoqmf.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:828 -
C:\Windows\SysWOW64\Acjdgf32.exeC:\Windows\system32\Acjdgf32.exe97⤵PID:892
-
C:\Windows\SysWOW64\Ambhpljg.exeC:\Windows\system32\Ambhpljg.exe98⤵PID:2204
-
C:\Windows\SysWOW64\Biiiempl.exeC:\Windows\system32\Biiiempl.exe99⤵PID:2716
-
C:\Windows\SysWOW64\Bbannb32.exeC:\Windows\system32\Bbannb32.exe100⤵
- Drops file in System32 directory
PID:2640 -
C:\Windows\SysWOW64\Blibghmm.exeC:\Windows\system32\Blibghmm.exe101⤵PID:1648
-
C:\Windows\SysWOW64\Bafkookd.exeC:\Windows\system32\Bafkookd.exe102⤵
- Drops file in System32 directory
PID:264 -
C:\Windows\SysWOW64\Bllomg32.exeC:\Windows\system32\Bllomg32.exe103⤵PID:2992
-
C:\Windows\SysWOW64\Bdgcaj32.exeC:\Windows\system32\Bdgcaj32.exe104⤵PID:1880
-
C:\Windows\SysWOW64\Bmohjooe.exeC:\Windows\system32\Bmohjooe.exe105⤵PID:2840
-
C:\Windows\SysWOW64\Bdipfi32.exeC:\Windows\system32\Bdipfi32.exe106⤵
- Drops file in System32 directory
PID:2136 -
C:\Windows\SysWOW64\Camqpnel.exeC:\Windows\system32\Camqpnel.exe107⤵PID:1616
-
C:\Windows\SysWOW64\Cmdaeo32.exeC:\Windows\system32\Cmdaeo32.exe108⤵PID:1576
-
C:\Windows\SysWOW64\Cllkkk32.exeC:\Windows\system32\Cllkkk32.exe109⤵PID:2256
-
C:\Windows\SysWOW64\Clnhajlc.exeC:\Windows\system32\Clnhajlc.exe110⤵PID:1740
-
C:\Windows\SysWOW64\Dndndbnl.exeC:\Windows\system32\Dndndbnl.exe111⤵
- Drops file in System32 directory
PID:1592 -
C:\Windows\SysWOW64\Dekeeonn.exeC:\Windows\system32\Dekeeonn.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2552 -
C:\Windows\SysWOW64\Dabfjp32.exeC:\Windows\system32\Dabfjp32.exe113⤵PID:1856
-
C:\Windows\SysWOW64\Dgoobg32.exeC:\Windows\system32\Dgoobg32.exe114⤵PID:928
-
C:\Windows\SysWOW64\Ddbolkac.exeC:\Windows\system32\Ddbolkac.exe115⤵
- Modifies registry class
PID:1932 -
C:\Windows\SysWOW64\Elndpnnn.exeC:\Windows\system32\Elndpnnn.exe116⤵PID:2464
-
C:\Windows\SysWOW64\Enmqjq32.exeC:\Windows\system32\Enmqjq32.exe117⤵PID:1192
-
C:\Windows\SysWOW64\Eoomai32.exeC:\Windows\system32\Eoomai32.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1632 -
C:\Windows\SysWOW64\Efhenccl.exeC:\Windows\system32\Efhenccl.exe119⤵
- System Location Discovery: System Language Discovery
PID:2100 -
C:\Windows\SysWOW64\Elbmkm32.exeC:\Windows\system32\Elbmkm32.exe120⤵PID:3052
-
C:\Windows\SysWOW64\Ebofcd32.exeC:\Windows\system32\Ebofcd32.exe121⤵PID:2764
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-