Analysis
-
max time kernel
104s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
04-10-2024 23:10
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
6c2e3545752174064a8ede3c3b8dc6db16c7b0ff17c5de48b51f4dc3c84decc5.exe
Resource
win7-20240903-en
windows7-x64
9 signatures
150 seconds
Behavioral task
behavioral2
Sample
6c2e3545752174064a8ede3c3b8dc6db16c7b0ff17c5de48b51f4dc3c84decc5.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
8 signatures
150 seconds
General
-
Target
6c2e3545752174064a8ede3c3b8dc6db16c7b0ff17c5de48b51f4dc3c84decc5.exe
-
Size
96KB
-
MD5
8fdbeb99b8efaa8a9eb2b74368663c2c
-
SHA1
030530bfb2a4d3619b9273eb7ac2ce4e896e766b
-
SHA256
6c2e3545752174064a8ede3c3b8dc6db16c7b0ff17c5de48b51f4dc3c84decc5
-
SHA512
a8a9493b3e468507059bfb0356c7613c9fc3ecbe6078709091b068385fe6bad0fa81790e0c21b6218c7384a84d759e5ffb3d56d183727e86ae0efa4db612d3aa
-
SSDEEP
1536:llPsUFvsttAIbhu6KgvimKyaifcGWE4xVcdZ2JVQBKoC/CKniTCvVAva61hLDnem:lf09l7Uic+4xVqZ2fQkbn1vVAva63Hem
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pgdpgqgg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbmicc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lglnajjb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofjjghik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nodnmb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njpdiifd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oqaliabh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ngcbie32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aediaoae.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oefmid32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibjikk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kekkkm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lhnckp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Andlmnki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nlfmoidh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ogncddpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dflpdb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omeged32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmejmm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llainlje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Opkndldc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Emlhfb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpcjfa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnglekch.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cidklp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mflgkd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cignlf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckgkfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Joenaf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgcpgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hdpqhc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppidbidd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ohgnoeii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lfanep32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijelgemi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iimenapo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jklnggjm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkajgonp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chccfe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfnpek32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlbjcd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oimpppoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lfaocc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gcdmikma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmfpnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gimmpj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oeobfgak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gpfeoqmf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agaifnhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fehmlh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eheblj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gpaikiig.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idagdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jcmjfiab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dphmiokb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcpecdio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nppemgjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjjfbikh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jknlfg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlddbgai.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cejhld32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmkmlk32.exe -
Executes dropped EXE 64 IoCs
pid Process 2952 Kdnlpaln.exe 2908 Kgoebmip.exe 3068 Lmlnjcgg.exe 2920 Lgabgl32.exe 2808 Lkcgapjl.exe 1236 Lbplciof.exe 2648 Lbbiii32.exe 2032 Mnijnjbh.exe 3000 Mganfp32.exe 484 Mmcpjfcj.exe 2368 Nljjqbfp.exe 964 Nlocka32.exe 2004 Noplmlok.exe 472 Odanqb32.exe 2112 Omjbihpn.exe 2064 Panehkaj.exe 1860 Pcmabnhm.exe 2008 Pkmobp32.exe 1688 Pgdpgqgg.exe 2544 Qcmnaaji.exe 2076 Afnfcl32.exe 112 Akmlacdn.exe 1740 Aeepjh32.exe 1496 Aaondi32.exe 2820 Bmhkojab.exe 436 Bfppgohb.exe 2676 Behinlkh.exe 2696 Cpmmkdkn.exe 2700 Celbik32.exe 1932 Cjikaa32.exe 340 Cmjdcm32.exe 968 Chohqebq.exe 2656 Cmlqimph.exe 3040 Dhaefepn.exe 1732 Dpmjjhmi.exe 1096 Dmajdl32.exe 1088 Dkekmp32.exe 2128 Dlfgehqk.exe 2356 Dmecokhm.exe 1328 Dgnhhq32.exe 1504 Dpflqfeo.exe 1044 Eagiho32.exe 2632 Ecgeba32.exe 2252 Ekbjgd32.exe 1288 Edkopifk.exe 1008 Eopcmb32.exe 2556 Edmkei32.exe 2092 Enepnoji.exe 2748 Edohki32.exe 1664 Fnhlcn32.exe 2888 Fjomhonj.exe 2776 Fcgaae32.exe 2868 Fcingdbh.exe 2708 Fhfgokap.exe 1304 Fbnkha32.exe 524 Fmdpejgf.exe 1988 Gfldno32.exe 3008 Gkimff32.exe 2204 Gqfeom32.exe 2380 Gimmpj32.exe 1756 Gjqfmb32.exe 2084 Ggdfff32.exe 1148 Gmaoomld.exe 2408 Gggclfkj.exe -
Loads dropped DLL 64 IoCs
pid Process 1620 6c2e3545752174064a8ede3c3b8dc6db16c7b0ff17c5de48b51f4dc3c84decc5.exe 1620 6c2e3545752174064a8ede3c3b8dc6db16c7b0ff17c5de48b51f4dc3c84decc5.exe 2952 Kdnlpaln.exe 2952 Kdnlpaln.exe 2908 Kgoebmip.exe 2908 Kgoebmip.exe 3068 Lmlnjcgg.exe 3068 Lmlnjcgg.exe 2920 Lgabgl32.exe 2920 Lgabgl32.exe 2808 Lkcgapjl.exe 2808 Lkcgapjl.exe 1236 Lbplciof.exe 1236 Lbplciof.exe 2648 Lbbiii32.exe 2648 Lbbiii32.exe 2032 Mnijnjbh.exe 2032 Mnijnjbh.exe 3000 Mganfp32.exe 3000 Mganfp32.exe 484 Mmcpjfcj.exe 484 Mmcpjfcj.exe 2368 Nljjqbfp.exe 2368 Nljjqbfp.exe 964 Nlocka32.exe 964 Nlocka32.exe 2004 Noplmlok.exe 2004 Noplmlok.exe 472 Odanqb32.exe 472 Odanqb32.exe 2112 Omjbihpn.exe 2112 Omjbihpn.exe 2064 Panehkaj.exe 2064 Panehkaj.exe 1860 Pcmabnhm.exe 1860 Pcmabnhm.exe 2008 Pkmobp32.exe 2008 Pkmobp32.exe 1688 Pgdpgqgg.exe 1688 Pgdpgqgg.exe 2544 Qcmnaaji.exe 2544 Qcmnaaji.exe 2076 Afnfcl32.exe 2076 Afnfcl32.exe 112 Akmlacdn.exe 112 Akmlacdn.exe 2372 Akbelbpi.exe 2372 Akbelbpi.exe 1496 Aaondi32.exe 1496 Aaondi32.exe 2820 Bmhkojab.exe 2820 Bmhkojab.exe 436 Bfppgohb.exe 436 Bfppgohb.exe 2676 Behinlkh.exe 2676 Behinlkh.exe 2696 Cpmmkdkn.exe 2696 Cpmmkdkn.exe 2700 Celbik32.exe 2700 Celbik32.exe 1932 Cjikaa32.exe 1932 Cjikaa32.exe 340 Cmjdcm32.exe 340 Cmjdcm32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Cmbghgdg.exe Cgeopqfp.exe File created C:\Windows\SysWOW64\Oljagk32.dll Jmkmlk32.exe File opened for modification C:\Windows\SysWOW64\Gaahmd32.exe Gflcplhh.exe File opened for modification C:\Windows\SysWOW64\Lfanep32.exe Lmhjlj32.exe File opened for modification C:\Windows\SysWOW64\Ffomjgoj.exe Process not Found File created C:\Windows\SysWOW64\Eagiho32.exe Dpflqfeo.exe File opened for modification C:\Windows\SysWOW64\Ohhcokmp.exe Nbljfdoh.exe File opened for modification C:\Windows\SysWOW64\Ojgokflc.exe Ohhcokmp.exe File created C:\Windows\SysWOW64\Dnlolhoo.exe Dedkbb32.exe File opened for modification C:\Windows\SysWOW64\Fpkdca32.exe Folhio32.exe File opened for modification C:\Windows\SysWOW64\Ikfdmogp.exe Ifikehii.exe File created C:\Windows\SysWOW64\Nqkkea32.dll Qfedhb32.exe File opened for modification C:\Windows\SysWOW64\Egedebgc.exe Enmplm32.exe File opened for modification C:\Windows\SysWOW64\Cipaqqli.exe Bjjdpdga.exe File created C:\Windows\SysWOW64\Akmjae32.dll Ibejfffo.exe File created C:\Windows\SysWOW64\Dgoikhhk.dll Apbblg32.exe File created C:\Windows\SysWOW64\Fccffm32.dll Glmckikf.exe File opened for modification C:\Windows\SysWOW64\Hnllcoed.exe Hkkcbdhc.exe File created C:\Windows\SysWOW64\Iklajp32.exe Ibqmen32.exe File created C:\Windows\SysWOW64\Khmamhek.exe Jodmdboj.exe File created C:\Windows\SysWOW64\Clllno32.dll Ijmdql32.exe File opened for modification C:\Windows\SysWOW64\Odgchjhl.exe Ollncgjq.exe File created C:\Windows\SysWOW64\Dgmfbf32.dll Ahjcqcdm.exe File opened for modification C:\Windows\SysWOW64\Bbkkbpjc.exe Akpfmnmh.exe File opened for modification C:\Windows\SysWOW64\Ojhdmgkl.exe Ooncljom.exe File created C:\Windows\SysWOW64\Fbjeao32.exe Fibqhibd.exe File opened for modification C:\Windows\SysWOW64\Gnphfppi.exe Gdgcnj32.exe File created C:\Windows\SysWOW64\Qmlbaipp.dll Plheil32.exe File created C:\Windows\SysWOW64\Dkookd32.exe Djnbdlla.exe File opened for modification C:\Windows\SysWOW64\Meaiia32.exe Macpcccp.exe File created C:\Windows\SysWOW64\Nblmfl32.dll Kigkmmql.exe File opened for modification C:\Windows\SysWOW64\Jpjpmqjl.exe Process not Found File created C:\Windows\SysWOW64\Hhedee32.dll Bmhkojab.exe File opened for modification C:\Windows\SysWOW64\Ahjcqcdm.exe Abmkhmfe.exe File opened for modification C:\Windows\SysWOW64\Jimodo32.exe Jbbgge32.exe File created C:\Windows\SysWOW64\Aepcmk32.dll Mknaahhn.exe File created C:\Windows\SysWOW64\Cjliihgg.dll Lceond32.exe File opened for modification C:\Windows\SysWOW64\Pahjgb32.exe Pknakhig.exe File created C:\Windows\SysWOW64\Dpbenpqh.exe Dbneekan.exe File created C:\Windows\SysWOW64\Ekmmmb32.dll Gjahfkfg.exe File created C:\Windows\SysWOW64\Jabeia32.dll Mfhcknpf.exe File opened for modification C:\Windows\SysWOW64\Effidg32.exe Eibikc32.exe File opened for modification C:\Windows\SysWOW64\Ceclmc32.exe Bilkhbcl.exe File created C:\Windows\SysWOW64\Dgjdjghf.exe Process not Found File opened for modification C:\Windows\SysWOW64\Jklnggjm.exe Joenaf32.exe File created C:\Windows\SysWOW64\Hngngo32.exe Hbpmbndm.exe File created C:\Windows\SysWOW64\Dbneekan.exe Dmalmdcg.exe File created C:\Windows\SysWOW64\Enliaf32.exe Eddeia32.exe File created C:\Windows\SysWOW64\Fcbjon32.exe Eijffhjd.exe File created C:\Windows\SysWOW64\Bjehlldb.exe Bdkpob32.exe File opened for modification C:\Windows\SysWOW64\Dddodd32.exe Dklkkoqf.exe File opened for modification C:\Windows\SysWOW64\Hfjglppd.exe Hlebog32.exe File created C:\Windows\SysWOW64\Iflkcl32.dll Cdooongp.exe File opened for modification C:\Windows\SysWOW64\Ggfgoo32.exe Fmabaf32.exe File opened for modification C:\Windows\SysWOW64\Nebgoa32.exe Nnhobgag.exe File created C:\Windows\SysWOW64\Cngfqi32.exe Ceoagcld.exe File opened for modification C:\Windows\SysWOW64\Hpehje32.exe Hepdml32.exe File created C:\Windows\SysWOW64\Ekgfbh32.dll Mbfbfe32.exe File created C:\Windows\SysWOW64\Nqbdllld.exe Mfhcknpf.exe File opened for modification C:\Windows\SysWOW64\Bofbih32.exe Bfnnpbnn.exe File created C:\Windows\SysWOW64\Fncddc32.exe Eapcjo32.exe File opened for modification C:\Windows\SysWOW64\Kfccmini.exe Jgnflmia.exe File created C:\Windows\SysWOW64\Jdnkjn32.dll Jimodo32.exe File created C:\Windows\SysWOW64\Klhniing.dll Chkbjc32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 1152 2264 Process not Found 1109 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pildih32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emcqpjhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amjkgbhe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cejhld32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpbenpqh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dddmkkpb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cocnanmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnmcge32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nifjnd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icbldbgi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bofbih32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chickknc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iicoai32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgbdpena.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhiglh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lanmde32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hepdml32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdpmij32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gqfeom32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mginjnnp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljndga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iomhkgkb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmfblk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ainhln32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbbiii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofjjghik.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjefmc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdngpp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nkhkbmco.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfppfcmj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idagdm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlmjjo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nicfnn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fibqhibd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lceond32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhaefepn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghkbccdn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cekkaanh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mojaceln.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdlppf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jficbn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmdpejgf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpjiik32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdhigo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khmamhek.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajjeld32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfjdfg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbpffhnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlebog32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmabaf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gohnpcmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnfkefad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdjblboj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahmpfc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edokna32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfppgohb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggdfff32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eoalpaaa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khhndi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qjofljho.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bpdgolml.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anbaqfep.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nifjnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kapbmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dgemgm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lmlofhmb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lehfcc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nlkmeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Khfdcgmp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Odanqb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ncpgeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glhkoaij.dll" Bpfhfjgq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ebjfiboe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Najbbepc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldamfd32.dll" Ckhdihlp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iceiibef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hibkkjpb.dll" Cmbiap32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mlcekgbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfabkg32.dll" Momqbm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cipaqqli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fldmcknm.dll" Goodpb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oaeacppk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kmjfae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Noagionb.dll" Ocoobngl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgjllm32.dll" Choejien.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nlmjjo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bpomdmqa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Paihgboc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bmhkojab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qamleagn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Agchdfmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ppbfmdfo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Plkchdiq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dlokegib.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kfnpgg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gaiehjfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igiqqgkc.dll" Lfaocc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iljkofkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maeljf32.dll" Emailhfb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iglkoaad.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jfhqiegh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jennjblp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hkifld32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lhhhjhkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ajnlqgfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ainhln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkjnkl32.dll" Lbmicc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lilehl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Amjkgbhe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifehecg.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iomhkgkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cblmfa32.dll" Kgoebmip.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hbpmbndm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mchjjc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Almmlg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oeiakl32.dll" Bhiglh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dddmkkpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njqlopmg.dll" Ccamabgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mnefpq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iaoddodf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Joenaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ledcahkp.dll" Ljndga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gcfioj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Idagdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lagknhgp.dll" Bdiciboh.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1620 wrote to memory of 2952 1620 6c2e3545752174064a8ede3c3b8dc6db16c7b0ff17c5de48b51f4dc3c84decc5.exe 30 PID 1620 wrote to memory of 2952 1620 6c2e3545752174064a8ede3c3b8dc6db16c7b0ff17c5de48b51f4dc3c84decc5.exe 30 PID 1620 wrote to memory of 2952 1620 6c2e3545752174064a8ede3c3b8dc6db16c7b0ff17c5de48b51f4dc3c84decc5.exe 30 PID 1620 wrote to memory of 2952 1620 6c2e3545752174064a8ede3c3b8dc6db16c7b0ff17c5de48b51f4dc3c84decc5.exe 30 PID 2952 wrote to memory of 2908 2952 Kdnlpaln.exe 31 PID 2952 wrote to memory of 2908 2952 Kdnlpaln.exe 31 PID 2952 wrote to memory of 2908 2952 Kdnlpaln.exe 31 PID 2952 wrote to memory of 2908 2952 Kdnlpaln.exe 31 PID 2908 wrote to memory of 3068 2908 Kgoebmip.exe 32 PID 2908 wrote to memory of 3068 2908 Kgoebmip.exe 32 PID 2908 wrote to memory of 3068 2908 Kgoebmip.exe 32 PID 2908 wrote to memory of 3068 2908 Kgoebmip.exe 32 PID 3068 wrote to memory of 2920 3068 Lmlnjcgg.exe 33 PID 3068 wrote to memory of 2920 3068 Lmlnjcgg.exe 33 PID 3068 wrote to memory of 2920 3068 Lmlnjcgg.exe 33 PID 3068 wrote to memory of 2920 3068 Lmlnjcgg.exe 33 PID 2920 wrote to memory of 2808 2920 Lgabgl32.exe 34 PID 2920 wrote to memory of 2808 2920 Lgabgl32.exe 34 PID 2920 wrote to memory of 2808 2920 Lgabgl32.exe 34 PID 2920 wrote to memory of 2808 2920 Lgabgl32.exe 34 PID 2808 wrote to memory of 1236 2808 Lkcgapjl.exe 35 PID 2808 wrote to memory of 1236 2808 Lkcgapjl.exe 35 PID 2808 wrote to memory of 1236 2808 Lkcgapjl.exe 35 PID 2808 wrote to memory of 1236 2808 Lkcgapjl.exe 35 PID 1236 wrote to memory of 2648 1236 Lbplciof.exe 36 PID 1236 wrote to memory of 2648 1236 Lbplciof.exe 36 PID 1236 wrote to memory of 2648 1236 Lbplciof.exe 36 PID 1236 wrote to memory of 2648 1236 Lbplciof.exe 36 PID 2648 wrote to memory of 2032 2648 Lbbiii32.exe 37 PID 2648 wrote to memory of 2032 2648 Lbbiii32.exe 37 PID 2648 wrote to memory of 2032 2648 Lbbiii32.exe 37 PID 2648 wrote to memory of 2032 2648 Lbbiii32.exe 37 PID 2032 wrote to memory of 3000 2032 Mnijnjbh.exe 38 PID 2032 wrote to memory of 3000 2032 Mnijnjbh.exe 38 PID 2032 wrote to memory of 3000 2032 Mnijnjbh.exe 38 PID 2032 wrote to memory of 3000 2032 Mnijnjbh.exe 38 PID 3000 wrote to memory of 484 3000 Mganfp32.exe 39 PID 3000 wrote to memory of 484 3000 Mganfp32.exe 39 PID 3000 wrote to memory of 484 3000 Mganfp32.exe 39 PID 3000 wrote to memory of 484 3000 Mganfp32.exe 39 PID 484 wrote to memory of 2368 484 Mmcpjfcj.exe 40 PID 484 wrote to memory of 2368 484 Mmcpjfcj.exe 40 PID 484 wrote to memory of 2368 484 Mmcpjfcj.exe 40 PID 484 wrote to memory of 2368 484 Mmcpjfcj.exe 40 PID 2368 wrote to memory of 964 2368 Nljjqbfp.exe 41 PID 2368 wrote to memory of 964 2368 Nljjqbfp.exe 41 PID 2368 wrote to memory of 964 2368 Nljjqbfp.exe 41 PID 2368 wrote to memory of 964 2368 Nljjqbfp.exe 41 PID 964 wrote to memory of 2004 964 Nlocka32.exe 42 PID 964 wrote to memory of 2004 964 Nlocka32.exe 42 PID 964 wrote to memory of 2004 964 Nlocka32.exe 42 PID 964 wrote to memory of 2004 964 Nlocka32.exe 42 PID 2004 wrote to memory of 472 2004 Noplmlok.exe 43 PID 2004 wrote to memory of 472 2004 Noplmlok.exe 43 PID 2004 wrote to memory of 472 2004 Noplmlok.exe 43 PID 2004 wrote to memory of 472 2004 Noplmlok.exe 43 PID 472 wrote to memory of 2112 472 Odanqb32.exe 44 PID 472 wrote to memory of 2112 472 Odanqb32.exe 44 PID 472 wrote to memory of 2112 472 Odanqb32.exe 44 PID 472 wrote to memory of 2112 472 Odanqb32.exe 44 PID 2112 wrote to memory of 2064 2112 Omjbihpn.exe 45 PID 2112 wrote to memory of 2064 2112 Omjbihpn.exe 45 PID 2112 wrote to memory of 2064 2112 Omjbihpn.exe 45 PID 2112 wrote to memory of 2064 2112 Omjbihpn.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\6c2e3545752174064a8ede3c3b8dc6db16c7b0ff17c5de48b51f4dc3c84decc5.exe"C:\Users\Admin\AppData\Local\Temp\6c2e3545752174064a8ede3c3b8dc6db16c7b0ff17c5de48b51f4dc3c84decc5.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1620 -
C:\Windows\SysWOW64\Kdnlpaln.exeC:\Windows\system32\Kdnlpaln.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2952 -
C:\Windows\SysWOW64\Kgoebmip.exeC:\Windows\system32\Kgoebmip.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2908 -
C:\Windows\SysWOW64\Lmlnjcgg.exeC:\Windows\system32\Lmlnjcgg.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3068 -
C:\Windows\SysWOW64\Lgabgl32.exeC:\Windows\system32\Lgabgl32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2920 -
C:\Windows\SysWOW64\Lkcgapjl.exeC:\Windows\system32\Lkcgapjl.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2808 -
C:\Windows\SysWOW64\Lbplciof.exeC:\Windows\system32\Lbplciof.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1236 -
C:\Windows\SysWOW64\Lbbiii32.exeC:\Windows\system32\Lbbiii32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2648 -
C:\Windows\SysWOW64\Mnijnjbh.exeC:\Windows\system32\Mnijnjbh.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2032 -
C:\Windows\SysWOW64\Mganfp32.exeC:\Windows\system32\Mganfp32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3000 -
C:\Windows\SysWOW64\Mmcpjfcj.exeC:\Windows\system32\Mmcpjfcj.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:484 -
C:\Windows\SysWOW64\Nljjqbfp.exeC:\Windows\system32\Nljjqbfp.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2368 -
C:\Windows\SysWOW64\Nlocka32.exeC:\Windows\system32\Nlocka32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:964 -
C:\Windows\SysWOW64\Noplmlok.exeC:\Windows\system32\Noplmlok.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2004 -
C:\Windows\SysWOW64\Odanqb32.exeC:\Windows\system32\Odanqb32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:472 -
C:\Windows\SysWOW64\Omjbihpn.exeC:\Windows\system32\Omjbihpn.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2112 -
C:\Windows\SysWOW64\Panehkaj.exeC:\Windows\system32\Panehkaj.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2064 -
C:\Windows\SysWOW64\Pcmabnhm.exeC:\Windows\system32\Pcmabnhm.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1860 -
C:\Windows\SysWOW64\Pkmobp32.exeC:\Windows\system32\Pkmobp32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2008 -
C:\Windows\SysWOW64\Pgdpgqgg.exeC:\Windows\system32\Pgdpgqgg.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1688 -
C:\Windows\SysWOW64\Qcmnaaji.exeC:\Windows\system32\Qcmnaaji.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2544 -
C:\Windows\SysWOW64\Afnfcl32.exeC:\Windows\system32\Afnfcl32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2076 -
C:\Windows\SysWOW64\Akmlacdn.exeC:\Windows\system32\Akmlacdn.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:112 -
C:\Windows\SysWOW64\Aeepjh32.exeC:\Windows\system32\Aeepjh32.exe24⤵
- Executes dropped EXE
PID:1740 -
C:\Windows\SysWOW64\Akbelbpi.exeC:\Windows\system32\Akbelbpi.exe25⤵
- Loads dropped DLL
PID:2372 -
C:\Windows\SysWOW64\Aaondi32.exeC:\Windows\system32\Aaondi32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1496 -
C:\Windows\SysWOW64\Bmhkojab.exeC:\Windows\system32\Bmhkojab.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2820 -
C:\Windows\SysWOW64\Bfppgohb.exeC:\Windows\system32\Bfppgohb.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:436 -
C:\Windows\SysWOW64\Behinlkh.exeC:\Windows\system32\Behinlkh.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2676 -
C:\Windows\SysWOW64\Cpmmkdkn.exeC:\Windows\system32\Cpmmkdkn.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2696 -
C:\Windows\SysWOW64\Celbik32.exeC:\Windows\system32\Celbik32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2700 -
C:\Windows\SysWOW64\Cjikaa32.exeC:\Windows\system32\Cjikaa32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1932 -
C:\Windows\SysWOW64\Cmjdcm32.exeC:\Windows\system32\Cmjdcm32.exe33⤵
- Executes dropped EXE
- Loads dropped DLL
PID:340 -
C:\Windows\SysWOW64\Chohqebq.exeC:\Windows\system32\Chohqebq.exe34⤵
- Executes dropped EXE
PID:968 -
C:\Windows\SysWOW64\Cmlqimph.exeC:\Windows\system32\Cmlqimph.exe35⤵
- Executes dropped EXE
PID:2656 -
C:\Windows\SysWOW64\Dhaefepn.exeC:\Windows\system32\Dhaefepn.exe36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3040 -
C:\Windows\SysWOW64\Dpmjjhmi.exeC:\Windows\system32\Dpmjjhmi.exe37⤵
- Executes dropped EXE
PID:1732 -
C:\Windows\SysWOW64\Dmajdl32.exeC:\Windows\system32\Dmajdl32.exe38⤵
- Executes dropped EXE
PID:1096 -
C:\Windows\SysWOW64\Dkekmp32.exeC:\Windows\system32\Dkekmp32.exe39⤵
- Executes dropped EXE
PID:1088 -
C:\Windows\SysWOW64\Dlfgehqk.exeC:\Windows\system32\Dlfgehqk.exe40⤵
- Executes dropped EXE
PID:2128 -
C:\Windows\SysWOW64\Dmecokhm.exeC:\Windows\system32\Dmecokhm.exe41⤵
- Executes dropped EXE
PID:2356 -
C:\Windows\SysWOW64\Dgnhhq32.exeC:\Windows\system32\Dgnhhq32.exe42⤵
- Executes dropped EXE
PID:1328 -
C:\Windows\SysWOW64\Dpflqfeo.exeC:\Windows\system32\Dpflqfeo.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1504 -
C:\Windows\SysWOW64\Eagiho32.exeC:\Windows\system32\Eagiho32.exe44⤵
- Executes dropped EXE
PID:1044 -
C:\Windows\SysWOW64\Ecgeba32.exeC:\Windows\system32\Ecgeba32.exe45⤵
- Executes dropped EXE
PID:2632 -
C:\Windows\SysWOW64\Ekbjgd32.exeC:\Windows\system32\Ekbjgd32.exe46⤵
- Executes dropped EXE
PID:2252 -
C:\Windows\SysWOW64\Edkopifk.exeC:\Windows\system32\Edkopifk.exe47⤵
- Executes dropped EXE
PID:1288 -
C:\Windows\SysWOW64\Eopcmb32.exeC:\Windows\system32\Eopcmb32.exe48⤵
- Executes dropped EXE
PID:1008 -
C:\Windows\SysWOW64\Edmkei32.exeC:\Windows\system32\Edmkei32.exe49⤵
- Executes dropped EXE
PID:2556 -
C:\Windows\SysWOW64\Enepnoji.exeC:\Windows\system32\Enepnoji.exe50⤵
- Executes dropped EXE
PID:2092 -
C:\Windows\SysWOW64\Edohki32.exeC:\Windows\system32\Edohki32.exe51⤵
- Executes dropped EXE
PID:2748 -
C:\Windows\SysWOW64\Fnhlcn32.exeC:\Windows\system32\Fnhlcn32.exe52⤵
- Executes dropped EXE
PID:1664 -
C:\Windows\SysWOW64\Fjomhonj.exeC:\Windows\system32\Fjomhonj.exe53⤵
- Executes dropped EXE
PID:2888 -
C:\Windows\SysWOW64\Fcgaae32.exeC:\Windows\system32\Fcgaae32.exe54⤵
- Executes dropped EXE
PID:2776 -
C:\Windows\SysWOW64\Fcingdbh.exeC:\Windows\system32\Fcingdbh.exe55⤵
- Executes dropped EXE
PID:2868 -
C:\Windows\SysWOW64\Fhfgokap.exeC:\Windows\system32\Fhfgokap.exe56⤵
- Executes dropped EXE
PID:2708 -
C:\Windows\SysWOW64\Fbnkha32.exeC:\Windows\system32\Fbnkha32.exe57⤵
- Executes dropped EXE
PID:1304 -
C:\Windows\SysWOW64\Fmdpejgf.exeC:\Windows\system32\Fmdpejgf.exe58⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:524 -
C:\Windows\SysWOW64\Gfldno32.exeC:\Windows\system32\Gfldno32.exe59⤵
- Executes dropped EXE
PID:1988 -
C:\Windows\SysWOW64\Gkimff32.exeC:\Windows\system32\Gkimff32.exe60⤵
- Executes dropped EXE
PID:3008 -
C:\Windows\SysWOW64\Gqfeom32.exeC:\Windows\system32\Gqfeom32.exe61⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2204 -
C:\Windows\SysWOW64\Gimmpj32.exeC:\Windows\system32\Gimmpj32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2380 -
C:\Windows\SysWOW64\Gjqfmb32.exeC:\Windows\system32\Gjqfmb32.exe63⤵
- Executes dropped EXE
PID:1756 -
C:\Windows\SysWOW64\Ggdfff32.exeC:\Windows\system32\Ggdfff32.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2084 -
C:\Windows\SysWOW64\Gmaoomld.exeC:\Windows\system32\Gmaoomld.exe65⤵
- Executes dropped EXE
PID:1148 -
C:\Windows\SysWOW64\Gggclfkj.exeC:\Windows\system32\Gggclfkj.exe66⤵
- Executes dropped EXE
PID:2408 -
C:\Windows\SysWOW64\Hpbhphie.exeC:\Windows\system32\Hpbhphie.exe67⤵PID:752
-
C:\Windows\SysWOW64\Hecjco32.exeC:\Windows\system32\Hecjco32.exe68⤵PID:2208
-
C:\Windows\SysWOW64\Hnlnmd32.exeC:\Windows\system32\Hnlnmd32.exe69⤵PID:2012
-
C:\Windows\SysWOW64\Hnnkbd32.exeC:\Windows\system32\Hnnkbd32.exe70⤵PID:1300
-
C:\Windows\SysWOW64\Ijelgemi.exeC:\Windows\system32\Ijelgemi.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3060 -
C:\Windows\SysWOW64\Iaoddodf.exeC:\Windows\system32\Iaoddodf.exe72⤵
- Modifies registry class
PID:2572 -
C:\Windows\SysWOW64\Ipdaek32.exeC:\Windows\system32\Ipdaek32.exe73⤵PID:1480
-
C:\Windows\SysWOW64\Iimenapo.exeC:\Windows\system32\Iimenapo.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1660 -
C:\Windows\SysWOW64\Ibejfffo.exeC:\Windows\system32\Ibejfffo.exe75⤵
- Drops file in System32 directory
PID:2788 -
C:\Windows\SysWOW64\Iddfqi32.exeC:\Windows\system32\Iddfqi32.exe76⤵PID:3020
-
C:\Windows\SysWOW64\Ilpkel32.exeC:\Windows\system32\Ilpkel32.exe77⤵PID:3004
-
C:\Windows\SysWOW64\Jgeobdkc.exeC:\Windows\system32\Jgeobdkc.exe78⤵PID:2652
-
C:\Windows\SysWOW64\Jaopcbga.exeC:\Windows\system32\Jaopcbga.exe79⤵PID:1576
-
C:\Windows\SysWOW64\Jkgelh32.exeC:\Windows\system32\Jkgelh32.exe80⤵PID:2864
-
C:\Windows\SysWOW64\Joenaf32.exeC:\Windows\system32\Joenaf32.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1356 -
C:\Windows\SysWOW64\Jklnggjm.exeC:\Windows\system32\Jklnggjm.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:556 -
C:\Windows\SysWOW64\Jpigonhd.exeC:\Windows\system32\Jpigonhd.exe83⤵PID:2168
-
C:\Windows\SysWOW64\Knmghb32.exeC:\Windows\system32\Knmghb32.exe84⤵PID:1816
-
C:\Windows\SysWOW64\Kcipqi32.exeC:\Windows\system32\Kcipqi32.exe85⤵PID:1864
-
C:\Windows\SysWOW64\Kobmkj32.exeC:\Windows\system32\Kobmkj32.exe86⤵PID:2060
-
C:\Windows\SysWOW64\Kbcfme32.exeC:\Windows\system32\Kbcfme32.exe87⤵PID:824
-
C:\Windows\SysWOW64\Klijjnen.exeC:\Windows\system32\Klijjnen.exe88⤵PID:2152
-
C:\Windows\SysWOW64\Lfaocc32.exeC:\Windows\system32\Lfaocc32.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2640 -
C:\Windows\SysWOW64\Lnmcge32.exeC:\Windows\system32\Lnmcge32.exe90⤵
- System Location Discovery: System Language Discovery
PID:2228 -
C:\Windows\SysWOW64\Lnopmegg.exeC:\Windows\system32\Lnopmegg.exe91⤵PID:1452
-
C:\Windows\SysWOW64\Lhddjngm.exeC:\Windows\system32\Lhddjngm.exe92⤵PID:2940
-
C:\Windows\SysWOW64\Lbmicc32.exeC:\Windows\system32\Lbmicc32.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3012 -
C:\Windows\SysWOW64\Lkemli32.exeC:\Windows\system32\Lkemli32.exe94⤵PID:2880
-
C:\Windows\SysWOW64\Lqbfdp32.exeC:\Windows\system32\Lqbfdp32.exe95⤵PID:1324
-
C:\Windows\SysWOW64\Lglnajjb.exeC:\Windows\system32\Lglnajjb.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1348 -
C:\Windows\SysWOW64\Mmifiahi.exeC:\Windows\system32\Mmifiahi.exe97⤵PID:2028
-
C:\Windows\SysWOW64\Mgnkfjho.exeC:\Windows\system32\Mgnkfjho.exe98⤵PID:332
-
C:\Windows\SysWOW64\Mqfooonp.exeC:\Windows\system32\Mqfooonp.exe99⤵PID:2180
-
C:\Windows\SysWOW64\Mjodhe32.exeC:\Windows\system32\Mjodhe32.exe100⤵PID:2200
-
C:\Windows\SysWOW64\Mcghajkq.exeC:\Windows\system32\Mcghajkq.exe101⤵PID:2500
-
C:\Windows\SysWOW64\Mlbmem32.exeC:\Windows\system32\Mlbmem32.exe102⤵PID:2136
-
C:\Windows\SysWOW64\Mbmebgpi.exeC:\Windows\system32\Mbmebgpi.exe103⤵PID:1340
-
C:\Windows\SysWOW64\Mginjnnp.exeC:\Windows\system32\Mginjnnp.exe104⤵
- System Location Discovery: System Language Discovery
PID:1716 -
C:\Windows\SysWOW64\Maabcc32.exeC:\Windows\system32\Maabcc32.exe105⤵PID:924
-
C:\Windows\SysWOW64\Nhljpmlm.exeC:\Windows\system32\Nhljpmlm.exe106⤵PID:2584
-
C:\Windows\SysWOW64\Nnfbmgcj.exeC:\Windows\system32\Nnfbmgcj.exe107⤵PID:2944
-
C:\Windows\SysWOW64\Nhngem32.exeC:\Windows\system32\Nhngem32.exe108⤵PID:2188
-
C:\Windows\SysWOW64\Nnhobgag.exeC:\Windows\system32\Nnhobgag.exe109⤵
- Drops file in System32 directory
PID:2680 -
C:\Windows\SysWOW64\Nebgoa32.exeC:\Windows\system32\Nebgoa32.exe110⤵PID:2672
-
C:\Windows\SysWOW64\Nfcdfiob.exeC:\Windows\system32\Nfcdfiob.exe111⤵PID:1436
-
C:\Windows\SysWOW64\Ndgdpn32.exeC:\Windows\system32\Ndgdpn32.exe112⤵PID:1728
-
C:\Windows\SysWOW64\Njammhei.exeC:\Windows\system32\Njammhei.exe113⤵PID:2044
-
C:\Windows\SysWOW64\Ndiaem32.exeC:\Windows\system32\Ndiaem32.exe114⤵PID:2396
-
C:\Windows\SysWOW64\Nifjnd32.exeC:\Windows\system32\Nifjnd32.exe115⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1628 -
C:\Windows\SysWOW64\Oppbjn32.exeC:\Windows\system32\Oppbjn32.exe116⤵PID:1368
-
C:\Windows\SysWOW64\Ofjjghik.exeC:\Windows\system32\Ofjjghik.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1828 -
C:\Windows\SysWOW64\Oiifcdhn.exeC:\Windows\system32\Oiifcdhn.exe118⤵PID:1544
-
C:\Windows\SysWOW64\Obakli32.exeC:\Windows\system32\Obakli32.exe119⤵PID:1520
-
C:\Windows\SysWOW64\Ohncdp32.exeC:\Windows\system32\Ohncdp32.exe120⤵PID:3052
-
C:\Windows\SysWOW64\Oohlaj32.exeC:\Windows\system32\Oohlaj32.exe121⤵PID:1644
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-