Analysis
-
max time kernel
39s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
06/10/2024, 09:42
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
004dd8cdff6f3a03d48f4d3c534106ac3a01d419a72a41be4b3f418e62aa873fN.exe
Resource
win7-20240903-en
windows7-x64
9 signatures
120 seconds
Behavioral task
behavioral2
Sample
004dd8cdff6f3a03d48f4d3c534106ac3a01d419a72a41be4b3f418e62aa873fN.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
8 signatures
120 seconds
General
-
Target
004dd8cdff6f3a03d48f4d3c534106ac3a01d419a72a41be4b3f418e62aa873fN.exe
-
Size
435KB
-
MD5
5457e914fdaf1d5f6b2ce1b2681a4e30
-
SHA1
40d1f47483edd4e13361d83783713e2cf3214fc1
-
SHA256
004dd8cdff6f3a03d48f4d3c534106ac3a01d419a72a41be4b3f418e62aa873f
-
SHA512
53feb5602e89715c6498a119fc87431aead272aec2a2fede501d58dbde13845cec27d658013302f022bb6502f16ae4ae39bdd7a5ff3eb3e4abcca042b0d2a1a1
-
SSDEEP
12288:ZMlmp1aH8ObWGRdA6sQhPbWGRdA6sQvjpxN:568OvZbN
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhoikfbb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbglgcbc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgpgae32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfhjfp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckgkfi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gioigf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hhpjfoji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Obfiijia.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qegnii32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eoefea32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmbcmo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bichbckg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfnpek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Adcakdhn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emjnikpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eelinm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fbbfmqdm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ingogcke.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Algida32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpldjajo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dcofqphi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilcfjkgj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgbeqjpd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipedihgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ddmohbln.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmnbjill.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cadfbi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbedmedg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fcckjb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmhcgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhbhecjc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Noalfe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfpflenm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fknido32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Panboflg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Paclje32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbpegdik.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpgaohej.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qbggqfca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gfnpek32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlikkbga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jfijmdbh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofaaghom.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Piipibff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ikfokb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhhdiknb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oenngb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aeofcpjj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cagpldqg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdkheh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ngonpgqg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fblpnepn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icnealbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ahhgkdfo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kefmnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dpnmoe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgfoee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckgkfi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnnbfjmp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gjeckk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Abmkhmfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qjofljho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lpcppgff.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpdhiaoi.exe -
Executes dropped EXE 64 IoCs
pid Process 2156 Conbmfif.exe 2896 Chfffk32.exe 2088 Cdpdpl32.exe 1356 Dmdkkm32.exe 2688 Diklpn32.exe 3044 Elbkbh32.exe 1696 Fmhaep32.exe 1940 Ffeoid32.exe 2980 Fblpnepn.exe 2004 Ghpngkhm.exe 2696 Gcjogidl.exe 2524 Hlijan32.exe 1124 Hhpjfoji.exe 2352 Icnealbb.exe 2168 Iogbllfc.exe 2496 Joohmk32.exe 2540 Jkeialfp.exe 744 Kakdpb32.exe 2276 Kclmbm32.exe 1484 Lljolodf.exe 1360 Lebcdd32.exe 1968 Ldgpea32.exe 2392 Lghigl32.exe 948 Ldljqpli.exe 2092 Mlikkbga.exe 2172 Mhbhecjc.exe 1604 Mefiog32.exe 2768 Ndnbeclb.exe 2876 Nnfgnibb.exe 2680 Nadpdg32.exe 2808 Nqjmec32.exe 2236 Ooaflp32.exe 1896 Ojgkih32.exe 2020 Oindpd32.exe 2372 Obfiijia.exe 2032 Pbienj32.exe 804 Panboflg.exe 2248 Paclje32.exe 108 Pphilb32.exe 2336 Qegnii32.exe 2300 Qpmbgaid.exe 1796 Ahhgkdfo.exe 2512 Abmkhmfe.exe 1244 Adohpe32.exe 2492 Aabhiikm.exe 1532 Afoqbpid.exe 692 Adcakdhn.exe 2084 Aagadh32.exe 1420 Bmnbjill.exe 2508 Biecoj32.exe 1716 Bbmggp32.exe 2744 Bodhlane.exe 2868 Blhifemo.exe 2824 Bhoikfbb.exe 1208 Boiagp32.exe 2188 Chafpfqp.exe 2900 Cplkehnk.exe 432 Cljajh32.exe 2940 Dkookd32.exe 1120 Domgache.exe 2304 Dkdhfdnj.exe 1404 Dhhhphmc.exe 2224 Djiegp32.exe 1052 Emjnikpc.exe -
Loads dropped DLL 64 IoCs
pid Process 2052 004dd8cdff6f3a03d48f4d3c534106ac3a01d419a72a41be4b3f418e62aa873fN.exe 2052 004dd8cdff6f3a03d48f4d3c534106ac3a01d419a72a41be4b3f418e62aa873fN.exe 2156 Conbmfif.exe 2156 Conbmfif.exe 2896 Chfffk32.exe 2896 Chfffk32.exe 2088 Cdpdpl32.exe 2088 Cdpdpl32.exe 1356 Dmdkkm32.exe 1356 Dmdkkm32.exe 2688 Diklpn32.exe 2688 Diklpn32.exe 3044 Elbkbh32.exe 3044 Elbkbh32.exe 1696 Fmhaep32.exe 1696 Fmhaep32.exe 1940 Ffeoid32.exe 1940 Ffeoid32.exe 2980 Fblpnepn.exe 2980 Fblpnepn.exe 2004 Ghpngkhm.exe 2004 Ghpngkhm.exe 2696 Gcjogidl.exe 2696 Gcjogidl.exe 2524 Hlijan32.exe 2524 Hlijan32.exe 1124 Hhpjfoji.exe 1124 Hhpjfoji.exe 2352 Icnealbb.exe 2352 Icnealbb.exe 2168 Iogbllfc.exe 2168 Iogbllfc.exe 2496 Joohmk32.exe 2496 Joohmk32.exe 2540 Jkeialfp.exe 2540 Jkeialfp.exe 744 Kakdpb32.exe 744 Kakdpb32.exe 2276 Kclmbm32.exe 2276 Kclmbm32.exe 1484 Lljolodf.exe 1484 Lljolodf.exe 1360 Lebcdd32.exe 1360 Lebcdd32.exe 1968 Ldgpea32.exe 1968 Ldgpea32.exe 2392 Lghigl32.exe 2392 Lghigl32.exe 948 Ldljqpli.exe 948 Ldljqpli.exe 2092 Mlikkbga.exe 2092 Mlikkbga.exe 2172 Mhbhecjc.exe 2172 Mhbhecjc.exe 1604 Mefiog32.exe 1604 Mefiog32.exe 2768 Ndnbeclb.exe 2768 Ndnbeclb.exe 2876 Nnfgnibb.exe 2876 Nnfgnibb.exe 2680 Nadpdg32.exe 2680 Nadpdg32.exe 2808 Nqjmec32.exe 2808 Nqjmec32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Abmkhmfe.exe Ahhgkdfo.exe File created C:\Windows\SysWOW64\Idojon32.exe Ilcfjkgj.exe File created C:\Windows\SysWOW64\Aomdpj32.exe Qkolil32.exe File created C:\Windows\SysWOW64\Halhkamm.dll Efeaqi32.exe File opened for modification C:\Windows\SysWOW64\Pphilb32.exe Paclje32.exe File created C:\Windows\SysWOW64\Bibkoabk.dll Dkdhfdnj.exe File created C:\Windows\SysWOW64\Obnpifem.dll Igdqmeke.exe File opened for modification C:\Windows\SysWOW64\Jqjdon32.exe Igpcpi32.exe File created C:\Windows\SysWOW64\Idoclg32.dll Piipibff.exe File created C:\Windows\SysWOW64\Glefpd32.exe Fpnekc32.exe File opened for modification C:\Windows\SysWOW64\Lpcppgff.exe Kbppfb32.exe File created C:\Windows\SysWOW64\Manknb32.dll Lmbcmo32.exe File created C:\Windows\SysWOW64\Gljbaeaa.dll Adohpe32.exe File created C:\Windows\SysWOW64\Ghpngkhm.exe Fblpnepn.exe File created C:\Windows\SysWOW64\Fdnpkd32.dll Knqnmeff.exe File opened for modification C:\Windows\SysWOW64\Ofaaghom.exe Ogldfl32.exe File opened for modification C:\Windows\SysWOW64\Mlacdj32.exe Mbiokdam.exe File opened for modification C:\Windows\SysWOW64\Pfpflenm.exe Pqcncnpe.exe File created C:\Windows\SysWOW64\Aeofcpjj.exe Aihenoef.exe File created C:\Windows\SysWOW64\Bclbnhmo.dll Ckbakiee.exe File created C:\Windows\SysWOW64\Chfffk32.exe Conbmfif.exe File opened for modification C:\Windows\SysWOW64\Ldgpea32.exe Lebcdd32.exe File created C:\Windows\SysWOW64\Lkpekajj.dll Ojgkih32.exe File created C:\Windows\SysWOW64\Fbbfmqdm.exe Fbpihafp.exe File created C:\Windows\SysWOW64\Pmfgjl32.dll Kefmnp32.exe File created C:\Windows\SysWOW64\Efhgfh32.dll Hojeka32.exe File opened for modification C:\Windows\SysWOW64\Ffeoid32.exe Fmhaep32.exe File opened for modification C:\Windows\SysWOW64\Egobfdpi.exe Emjnikpc.exe File opened for modification C:\Windows\SysWOW64\Gbpegdik.exe Fdkheh32.exe File opened for modification C:\Windows\SysWOW64\Jakjlpif.exe Jpgaohej.exe File opened for modification C:\Windows\SysWOW64\Pjgiad32.exe Paldmbmq.exe File created C:\Windows\SysWOW64\Boggkicf.exe Bndjei32.exe File created C:\Windows\SysWOW64\Ckbakiee.exe Clmdjmpm.exe File created C:\Windows\SysWOW64\Gcjogidl.exe Ghpngkhm.exe File opened for modification C:\Windows\SysWOW64\Ejpkho32.exe Egobfdpi.exe File created C:\Windows\SysWOW64\Gdhimfaj.dll Oaolne32.exe File created C:\Windows\SysWOW64\Ahiimj32.dll Abejlj32.exe File created C:\Windows\SysWOW64\Ofdqmm32.dll Hikpnkme.exe File created C:\Windows\SysWOW64\Jgllof32.exe Jndgfqlh.exe File opened for modification C:\Windows\SysWOW64\Kgfoee32.exe Knmjmodm.exe File created C:\Windows\SysWOW64\Ldljqpli.exe Lghigl32.exe File opened for modification C:\Windows\SysWOW64\Ndnbeclb.exe Mefiog32.exe File created C:\Windows\SysWOW64\Emadjj32.exe Eqjceidf.exe File opened for modification C:\Windows\SysWOW64\Fibqhibd.exe Fcckjb32.exe File created C:\Windows\SysWOW64\Meecojqp.dll Fcckjb32.exe File created C:\Windows\SysWOW64\Ijpjlh32.dll Hmpemkkf.exe File created C:\Windows\SysWOW64\Lpjpgo32.dll Pqcncnpe.exe File opened for modification C:\Windows\SysWOW64\Elbkbh32.exe Diklpn32.exe File opened for modification C:\Windows\SysWOW64\Dcgppana.exe Dklkkoqf.exe File created C:\Windows\SysWOW64\Ebhlmlhl.exe Efakhk32.exe File created C:\Windows\SysWOW64\Fcddlail.dll Ipbgci32.exe File created C:\Windows\SysWOW64\Ghdmjc32.dll Kgfoee32.exe File created C:\Windows\SysWOW64\Nodikecl.exe Noalfe32.exe File created C:\Windows\SysWOW64\Paihgboc.exe Phacnm32.exe File created C:\Windows\SysWOW64\Fkfcdpfg.exe Ebnokjpf.exe File opened for modification C:\Windows\SysWOW64\Kcpcjl32.exe Kgibeklf.exe File created C:\Windows\SysWOW64\Bkeooo32.dll Jqjdon32.exe File created C:\Windows\SysWOW64\Jdhmel32.exe Jkpilg32.exe File created C:\Windows\SysWOW64\Poplqm32.exe Pmpcoabe.exe File created C:\Windows\SysWOW64\Djahmk32.exe Dcgppana.exe File created C:\Windows\SysWOW64\Jookedhp.exe Jakjlpif.exe File created C:\Windows\SysWOW64\Dfmcdb32.dll Akdedkfl.exe File opened for modification C:\Windows\SysWOW64\Bndjei32.exe Bigbmb32.exe File opened for modification C:\Windows\SysWOW64\Hhfqejoh.exe Gloppi32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3400 628 WerFault.exe 303 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nodikecl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldgpea32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkookd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdhlphff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmejdm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bpgjob32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nglhghgj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Behpcefk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpfmefdc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nadpdg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljlhme32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkiikm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fknido32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qegnii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgiffg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbedmedg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Najbbepc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbeeliin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Paldmbmq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmdkkm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Joohmk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkeialfp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oaolne32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgllof32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Panboflg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Domgache.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ingogcke.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mggoli32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbchfi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llojpghe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onplmp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abmkhmfe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahpfoa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmkkhfmn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fibqhibd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpcppgff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfnpek32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ooaflp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejpkho32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eelinm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bichbckg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejcjfgbk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndnbeclb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnnpma32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbiokdam.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Milagp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dokmel32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flkjffkm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdkheh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hopibdfd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Angafl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbcdfq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhhmki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpdhiaoi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aagadh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebhlmlhl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hojeka32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikcbfb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adohpe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdpkdf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Noalfe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhcanahm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kclmbm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbmggp32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfcfdk32.dll" Gfadeaho.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bndjei32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Adohpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onpjbm32.dll" Bbmggp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Boiagp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gfpkbbmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ogldfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmdlpebe.dll" Fnoiqpqk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dobcekld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lghigl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcfjia32.dll" Obfiijia.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Igdqmeke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aikine32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phgcib32.dll" Jookedhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpjpgo32.dll" Pqcncnpe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hhfqejoh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ipbgci32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jgllof32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mbiokdam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aihenoef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pbienj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eepjboco.dll" Hhhmki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qpgfhg32.dll" Oggkklnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ipbgci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aafhafjm.dll" Lphjkfbq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Akdedkfl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node 004dd8cdff6f3a03d48f4d3c534106ac3a01d419a72a41be4b3f418e62aa873fN.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jeapek32.dll" Aagadh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dkookd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hikpnkme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iikfmama.dll" Ebhlmlhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmkjkp32.dll" Ngonpgqg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hhpjfoji.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pphilb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jkpilg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nahemf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohefjnqk.dll" Ahpfoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cmkkhfmn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Igpcpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apcngn32.dll" Dghekobe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Enomam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aomdpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dohbgg32.dll" Mhjdpgic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mbdepe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fblpnepn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fdhlphff.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gbglgcbc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egooijaa.dll" Kicednho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfhfld32.dll" Kcpcjl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eoefea32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Egpdom32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fibqhibd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ikfokb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mieimpkc.dll" Nadpdg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ahhgkdfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cadincif.dll" Bhoikfbb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gbpegdik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hhfqejoh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlmjcemh.dll" Nppceo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fbchfi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ejcjfgbk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Chfffk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cdpdpl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ojojmfed.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2052 wrote to memory of 2156 2052 004dd8cdff6f3a03d48f4d3c534106ac3a01d419a72a41be4b3f418e62aa873fN.exe 29 PID 2052 wrote to memory of 2156 2052 004dd8cdff6f3a03d48f4d3c534106ac3a01d419a72a41be4b3f418e62aa873fN.exe 29 PID 2052 wrote to memory of 2156 2052 004dd8cdff6f3a03d48f4d3c534106ac3a01d419a72a41be4b3f418e62aa873fN.exe 29 PID 2052 wrote to memory of 2156 2052 004dd8cdff6f3a03d48f4d3c534106ac3a01d419a72a41be4b3f418e62aa873fN.exe 29 PID 2156 wrote to memory of 2896 2156 Conbmfif.exe 30 PID 2156 wrote to memory of 2896 2156 Conbmfif.exe 30 PID 2156 wrote to memory of 2896 2156 Conbmfif.exe 30 PID 2156 wrote to memory of 2896 2156 Conbmfif.exe 30 PID 2896 wrote to memory of 2088 2896 Chfffk32.exe 31 PID 2896 wrote to memory of 2088 2896 Chfffk32.exe 31 PID 2896 wrote to memory of 2088 2896 Chfffk32.exe 31 PID 2896 wrote to memory of 2088 2896 Chfffk32.exe 31 PID 2088 wrote to memory of 1356 2088 Cdpdpl32.exe 32 PID 2088 wrote to memory of 1356 2088 Cdpdpl32.exe 32 PID 2088 wrote to memory of 1356 2088 Cdpdpl32.exe 32 PID 2088 wrote to memory of 1356 2088 Cdpdpl32.exe 32 PID 1356 wrote to memory of 2688 1356 Dmdkkm32.exe 33 PID 1356 wrote to memory of 2688 1356 Dmdkkm32.exe 33 PID 1356 wrote to memory of 2688 1356 Dmdkkm32.exe 33 PID 1356 wrote to memory of 2688 1356 Dmdkkm32.exe 33 PID 2688 wrote to memory of 3044 2688 Diklpn32.exe 34 PID 2688 wrote to memory of 3044 2688 Diklpn32.exe 34 PID 2688 wrote to memory of 3044 2688 Diklpn32.exe 34 PID 2688 wrote to memory of 3044 2688 Diklpn32.exe 34 PID 3044 wrote to memory of 1696 3044 Elbkbh32.exe 35 PID 3044 wrote to memory of 1696 3044 Elbkbh32.exe 35 PID 3044 wrote to memory of 1696 3044 Elbkbh32.exe 35 PID 3044 wrote to memory of 1696 3044 Elbkbh32.exe 35 PID 1696 wrote to memory of 1940 1696 Fmhaep32.exe 36 PID 1696 wrote to memory of 1940 1696 Fmhaep32.exe 36 PID 1696 wrote to memory of 1940 1696 Fmhaep32.exe 36 PID 1696 wrote to memory of 1940 1696 Fmhaep32.exe 36 PID 1940 wrote to memory of 2980 1940 Ffeoid32.exe 37 PID 1940 wrote to memory of 2980 1940 Ffeoid32.exe 37 PID 1940 wrote to memory of 2980 1940 Ffeoid32.exe 37 PID 1940 wrote to memory of 2980 1940 Ffeoid32.exe 37 PID 2980 wrote to memory of 2004 2980 Fblpnepn.exe 38 PID 2980 wrote to memory of 2004 2980 Fblpnepn.exe 38 PID 2980 wrote to memory of 2004 2980 Fblpnepn.exe 38 PID 2980 wrote to memory of 2004 2980 Fblpnepn.exe 38 PID 2004 wrote to memory of 2696 2004 Ghpngkhm.exe 39 PID 2004 wrote to memory of 2696 2004 Ghpngkhm.exe 39 PID 2004 wrote to memory of 2696 2004 Ghpngkhm.exe 39 PID 2004 wrote to memory of 2696 2004 Ghpngkhm.exe 39 PID 2696 wrote to memory of 2524 2696 Gcjogidl.exe 40 PID 2696 wrote to memory of 2524 2696 Gcjogidl.exe 40 PID 2696 wrote to memory of 2524 2696 Gcjogidl.exe 40 PID 2696 wrote to memory of 2524 2696 Gcjogidl.exe 40 PID 2524 wrote to memory of 1124 2524 Hlijan32.exe 41 PID 2524 wrote to memory of 1124 2524 Hlijan32.exe 41 PID 2524 wrote to memory of 1124 2524 Hlijan32.exe 41 PID 2524 wrote to memory of 1124 2524 Hlijan32.exe 41 PID 1124 wrote to memory of 2352 1124 Hhpjfoji.exe 42 PID 1124 wrote to memory of 2352 1124 Hhpjfoji.exe 42 PID 1124 wrote to memory of 2352 1124 Hhpjfoji.exe 42 PID 1124 wrote to memory of 2352 1124 Hhpjfoji.exe 42 PID 2352 wrote to memory of 2168 2352 Icnealbb.exe 43 PID 2352 wrote to memory of 2168 2352 Icnealbb.exe 43 PID 2352 wrote to memory of 2168 2352 Icnealbb.exe 43 PID 2352 wrote to memory of 2168 2352 Icnealbb.exe 43 PID 2168 wrote to memory of 2496 2168 Iogbllfc.exe 44 PID 2168 wrote to memory of 2496 2168 Iogbllfc.exe 44 PID 2168 wrote to memory of 2496 2168 Iogbllfc.exe 44 PID 2168 wrote to memory of 2496 2168 Iogbllfc.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\004dd8cdff6f3a03d48f4d3c534106ac3a01d419a72a41be4b3f418e62aa873fN.exe"C:\Users\Admin\AppData\Local\Temp\004dd8cdff6f3a03d48f4d3c534106ac3a01d419a72a41be4b3f418e62aa873fN.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2052 -
C:\Windows\SysWOW64\Conbmfif.exeC:\Windows\system32\Conbmfif.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2156 -
C:\Windows\SysWOW64\Chfffk32.exeC:\Windows\system32\Chfffk32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2896 -
C:\Windows\SysWOW64\Cdpdpl32.exeC:\Windows\system32\Cdpdpl32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2088 -
C:\Windows\SysWOW64\Dmdkkm32.exeC:\Windows\system32\Dmdkkm32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1356 -
C:\Windows\SysWOW64\Diklpn32.exeC:\Windows\system32\Diklpn32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2688 -
C:\Windows\SysWOW64\Elbkbh32.exeC:\Windows\system32\Elbkbh32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3044 -
C:\Windows\SysWOW64\Fmhaep32.exeC:\Windows\system32\Fmhaep32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1696 -
C:\Windows\SysWOW64\Ffeoid32.exeC:\Windows\system32\Ffeoid32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1940 -
C:\Windows\SysWOW64\Fblpnepn.exeC:\Windows\system32\Fblpnepn.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2980 -
C:\Windows\SysWOW64\Ghpngkhm.exeC:\Windows\system32\Ghpngkhm.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2004 -
C:\Windows\SysWOW64\Gcjogidl.exeC:\Windows\system32\Gcjogidl.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2696 -
C:\Windows\SysWOW64\Hlijan32.exeC:\Windows\system32\Hlijan32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2524 -
C:\Windows\SysWOW64\Hhpjfoji.exeC:\Windows\system32\Hhpjfoji.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1124 -
C:\Windows\SysWOW64\Icnealbb.exeC:\Windows\system32\Icnealbb.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2352 -
C:\Windows\SysWOW64\Iogbllfc.exeC:\Windows\system32\Iogbllfc.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2168 -
C:\Windows\SysWOW64\Joohmk32.exeC:\Windows\system32\Joohmk32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2496 -
C:\Windows\SysWOW64\Jkeialfp.exeC:\Windows\system32\Jkeialfp.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2540 -
C:\Windows\SysWOW64\Kakdpb32.exeC:\Windows\system32\Kakdpb32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:744 -
C:\Windows\SysWOW64\Kclmbm32.exeC:\Windows\system32\Kclmbm32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2276 -
C:\Windows\SysWOW64\Lljolodf.exeC:\Windows\system32\Lljolodf.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1484 -
C:\Windows\SysWOW64\Lebcdd32.exeC:\Windows\system32\Lebcdd32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1360 -
C:\Windows\SysWOW64\Ldgpea32.exeC:\Windows\system32\Ldgpea32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1968 -
C:\Windows\SysWOW64\Lghigl32.exeC:\Windows\system32\Lghigl32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2392 -
C:\Windows\SysWOW64\Ldljqpli.exeC:\Windows\system32\Ldljqpli.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:948 -
C:\Windows\SysWOW64\Mlikkbga.exeC:\Windows\system32\Mlikkbga.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2092 -
C:\Windows\SysWOW64\Mhbhecjc.exeC:\Windows\system32\Mhbhecjc.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2172 -
C:\Windows\SysWOW64\Mefiog32.exeC:\Windows\system32\Mefiog32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1604 -
C:\Windows\SysWOW64\Ndnbeclb.exeC:\Windows\system32\Ndnbeclb.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2768 -
C:\Windows\SysWOW64\Nnfgnibb.exeC:\Windows\system32\Nnfgnibb.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2876 -
C:\Windows\SysWOW64\Nadpdg32.exeC:\Windows\system32\Nadpdg32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2680 -
C:\Windows\SysWOW64\Nqjmec32.exeC:\Windows\system32\Nqjmec32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2808 -
C:\Windows\SysWOW64\Ooaflp32.exeC:\Windows\system32\Ooaflp32.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2236 -
C:\Windows\SysWOW64\Ojgkih32.exeC:\Windows\system32\Ojgkih32.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1896 -
C:\Windows\SysWOW64\Oindpd32.exeC:\Windows\system32\Oindpd32.exe35⤵
- Executes dropped EXE
PID:2020 -
C:\Windows\SysWOW64\Obfiijia.exeC:\Windows\system32\Obfiijia.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2372 -
C:\Windows\SysWOW64\Pbienj32.exeC:\Windows\system32\Pbienj32.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:2032 -
C:\Windows\SysWOW64\Panboflg.exeC:\Windows\system32\Panboflg.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:804 -
C:\Windows\SysWOW64\Paclje32.exeC:\Windows\system32\Paclje32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2248 -
C:\Windows\SysWOW64\Pphilb32.exeC:\Windows\system32\Pphilb32.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:108 -
C:\Windows\SysWOW64\Qegnii32.exeC:\Windows\system32\Qegnii32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2336 -
C:\Windows\SysWOW64\Qpmbgaid.exeC:\Windows\system32\Qpmbgaid.exe42⤵
- Executes dropped EXE
PID:2300 -
C:\Windows\SysWOW64\Ahhgkdfo.exeC:\Windows\system32\Ahhgkdfo.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1796 -
C:\Windows\SysWOW64\Abmkhmfe.exeC:\Windows\system32\Abmkhmfe.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2512 -
C:\Windows\SysWOW64\Adohpe32.exeC:\Windows\system32\Adohpe32.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1244 -
C:\Windows\SysWOW64\Aabhiikm.exeC:\Windows\system32\Aabhiikm.exe46⤵
- Executes dropped EXE
PID:2492 -
C:\Windows\SysWOW64\Afoqbpid.exeC:\Windows\system32\Afoqbpid.exe47⤵
- Executes dropped EXE
PID:1532 -
C:\Windows\SysWOW64\Adcakdhn.exeC:\Windows\system32\Adcakdhn.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:692 -
C:\Windows\SysWOW64\Aagadh32.exeC:\Windows\system32\Aagadh32.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2084 -
C:\Windows\SysWOW64\Bmnbjill.exeC:\Windows\system32\Bmnbjill.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1420 -
C:\Windows\SysWOW64\Biecoj32.exeC:\Windows\system32\Biecoj32.exe51⤵
- Executes dropped EXE
PID:2508 -
C:\Windows\SysWOW64\Bbmggp32.exeC:\Windows\system32\Bbmggp32.exe52⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1716 -
C:\Windows\SysWOW64\Bodhlane.exeC:\Windows\system32\Bodhlane.exe53⤵
- Executes dropped EXE
PID:2744 -
C:\Windows\SysWOW64\Blhifemo.exeC:\Windows\system32\Blhifemo.exe54⤵
- Executes dropped EXE
PID:2868 -
C:\Windows\SysWOW64\Bhoikfbb.exeC:\Windows\system32\Bhoikfbb.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2824 -
C:\Windows\SysWOW64\Boiagp32.exeC:\Windows\system32\Boiagp32.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:1208 -
C:\Windows\SysWOW64\Chafpfqp.exeC:\Windows\system32\Chafpfqp.exe57⤵
- Executes dropped EXE
PID:2188 -
C:\Windows\SysWOW64\Cplkehnk.exeC:\Windows\system32\Cplkehnk.exe58⤵
- Executes dropped EXE
PID:2900 -
C:\Windows\SysWOW64\Cljajh32.exeC:\Windows\system32\Cljajh32.exe59⤵
- Executes dropped EXE
PID:432 -
C:\Windows\SysWOW64\Dkookd32.exeC:\Windows\system32\Dkookd32.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2940 -
C:\Windows\SysWOW64\Domgache.exeC:\Windows\system32\Domgache.exe61⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1120 -
C:\Windows\SysWOW64\Dkdhfdnj.exeC:\Windows\system32\Dkdhfdnj.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2304 -
C:\Windows\SysWOW64\Dhhhphmc.exeC:\Windows\system32\Dhhhphmc.exe63⤵
- Executes dropped EXE
PID:1404 -
C:\Windows\SysWOW64\Djiegp32.exeC:\Windows\system32\Djiegp32.exe64⤵
- Executes dropped EXE
PID:2224 -
C:\Windows\SysWOW64\Emjnikpc.exeC:\Windows\system32\Emjnikpc.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1052 -
C:\Windows\SysWOW64\Egobfdpi.exeC:\Windows\system32\Egobfdpi.exe66⤵
- Drops file in System32 directory
PID:1936 -
C:\Windows\SysWOW64\Ejpkho32.exeC:\Windows\system32\Ejpkho32.exe67⤵
- System Location Discovery: System Language Discovery
PID:1672 -
C:\Windows\SysWOW64\Eqjceidf.exeC:\Windows\system32\Eqjceidf.exe68⤵
- Drops file in System32 directory
PID:1964 -
C:\Windows\SysWOW64\Emadjj32.exeC:\Windows\system32\Emadjj32.exe69⤵PID:2132
-
C:\Windows\SysWOW64\Eelinm32.exeC:\Windows\system32\Eelinm32.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1184 -
C:\Windows\SysWOW64\Fbpihafp.exeC:\Windows\system32\Fbpihafp.exe71⤵
- Drops file in System32 directory
PID:1576 -
C:\Windows\SysWOW64\Fbbfmqdm.exeC:\Windows\system32\Fbbfmqdm.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2796 -
C:\Windows\SysWOW64\Flkjffkm.exeC:\Windows\system32\Flkjffkm.exe73⤵
- System Location Discovery: System Language Discovery
PID:2656 -
C:\Windows\SysWOW64\Fhakkg32.exeC:\Windows\system32\Fhakkg32.exe74⤵PID:3024
-
C:\Windows\SysWOW64\Fdhlphff.exeC:\Windows\system32\Fdhlphff.exe75⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2704 -
C:\Windows\SysWOW64\Fnnpma32.exeC:\Windows\system32\Fnnpma32.exe76⤵
- System Location Discovery: System Language Discovery
PID:2616 -
C:\Windows\SysWOW64\Fdkheh32.exeC:\Windows\system32\Fdkheh32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1744 -
C:\Windows\SysWOW64\Gbpegdik.exeC:\Windows\system32\Gbpegdik.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1728 -
C:\Windows\SysWOW64\Gmejdm32.exeC:\Windows\system32\Gmejdm32.exe79⤵
- System Location Discovery: System Language Discovery
PID:364 -
C:\Windows\SysWOW64\Giljinne.exeC:\Windows\system32\Giljinne.exe80⤵PID:1704
-
C:\Windows\SysWOW64\Gfpkbbmo.exeC:\Windows\system32\Gfpkbbmo.exe81⤵
- Modifies registry class
PID:2320 -
C:\Windows\SysWOW64\Gbglgcbc.exeC:\Windows\system32\Gbglgcbc.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1560 -
C:\Windows\SysWOW64\Gloppi32.exeC:\Windows\system32\Gloppi32.exe83⤵
- Drops file in System32 directory
PID:784 -
C:\Windows\SysWOW64\Hhfqejoh.exeC:\Windows\system32\Hhfqejoh.exe84⤵
- Modifies registry class
PID:1468 -
C:\Windows\SysWOW64\Hopibdfd.exeC:\Windows\system32\Hopibdfd.exe85⤵
- System Location Discovery: System Language Discovery
PID:3052 -
C:\Windows\SysWOW64\Hhhmki32.exeC:\Windows\system32\Hhhmki32.exe86⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2080 -
C:\Windows\SysWOW64\Hhkjpi32.exeC:\Windows\system32\Hhkjpi32.exe87⤵PID:2860
-
C:\Windows\SysWOW64\Hilghaqq.exeC:\Windows\system32\Hilghaqq.exe88⤵PID:2792
-
C:\Windows\SysWOW64\Hgpgae32.exeC:\Windows\system32\Hgpgae32.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2892 -
C:\Windows\SysWOW64\Hphljkfk.exeC:\Windows\system32\Hphljkfk.exe90⤵PID:884
-
C:\Windows\SysWOW64\Igdqmeke.exeC:\Windows\system32\Igdqmeke.exe91⤵
- Drops file in System32 directory
- Modifies registry class
PID:2272 -
C:\Windows\SysWOW64\Ipmeej32.exeC:\Windows\system32\Ipmeej32.exe92⤵PID:1960
-
C:\Windows\SysWOW64\Ilcfjkgj.exeC:\Windows\system32\Ilcfjkgj.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1292 -
C:\Windows\SysWOW64\Idojon32.exeC:\Windows\system32\Idojon32.exe94⤵PID:2964
-
C:\Windows\SysWOW64\Ingogcke.exeC:\Windows\system32\Ingogcke.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2136 -
C:\Windows\SysWOW64\Igpcpi32.exeC:\Windows\system32\Igpcpi32.exe96⤵
- Drops file in System32 directory
- Modifies registry class
PID:1660 -
C:\Windows\SysWOW64\Jqjdon32.exeC:\Windows\system32\Jqjdon32.exe97⤵
- Drops file in System32 directory
PID:2720 -
C:\Windows\SysWOW64\Jkpilg32.exeC:\Windows\system32\Jkpilg32.exe98⤵
- Drops file in System32 directory
- Modifies registry class
PID:1724 -
C:\Windows\SysWOW64\Jdhmel32.exeC:\Windows\system32\Jdhmel32.exe99⤵PID:924
-
C:\Windows\SysWOW64\Jfijmdbh.exeC:\Windows\system32\Jfijmdbh.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2344 -
C:\Windows\SysWOW64\Jgiffg32.exeC:\Windows\system32\Jgiffg32.exe101⤵
- System Location Discovery: System Language Discovery
PID:2976 -
C:\Windows\SysWOW64\Jodkkj32.exeC:\Windows\system32\Jodkkj32.exe102⤵PID:2160
-
C:\Windows\SysWOW64\Jkklpk32.exeC:\Windows\system32\Jkklpk32.exe103⤵PID:2128
-
C:\Windows\SysWOW64\Kbedmedg.exeC:\Windows\system32\Kbedmedg.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2752 -
C:\Windows\SysWOW64\Kmjhjndm.exeC:\Windows\system32\Kmjhjndm.exe105⤵PID:2040
-
C:\Windows\SysWOW64\Kefmnp32.exeC:\Windows\system32\Kefmnp32.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1472 -
C:\Windows\SysWOW64\Kicednho.exeC:\Windows\system32\Kicednho.exe107⤵
- Modifies registry class
PID:2568 -
C:\Windows\SysWOW64\Knqnmeff.exeC:\Windows\system32\Knqnmeff.exe108⤵
- Drops file in System32 directory
PID:932 -
C:\Windows\SysWOW64\Kgibeklf.exeC:\Windows\system32\Kgibeklf.exe109⤵
- Drops file in System32 directory
PID:1456 -
C:\Windows\SysWOW64\Kcpcjl32.exeC:\Windows\system32\Kcpcjl32.exe110⤵
- Modifies registry class
PID:976 -
C:\Windows\SysWOW64\Ljlhme32.exeC:\Windows\system32\Ljlhme32.exe111⤵
- System Location Discovery: System Language Discovery
PID:2908 -
C:\Windows\SysWOW64\Lpiqel32.exeC:\Windows\system32\Lpiqel32.exe112⤵PID:1540
-
C:\Windows\SysWOW64\Mgbeqjpd.exeC:\Windows\system32\Mgbeqjpd.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:652 -
C:\Windows\SysWOW64\Mdfejn32.exeC:\Windows\system32\Mdfejn32.exe114⤵PID:1096
-
C:\Windows\SysWOW64\Mggoli32.exeC:\Windows\system32\Mggoli32.exe115⤵
- System Location Discovery: System Language Discovery
PID:2956 -
C:\Windows\SysWOW64\Nppceo32.exeC:\Windows\system32\Nppceo32.exe116⤵
- Modifies registry class
PID:2632 -
C:\Windows\SysWOW64\Npbpjn32.exeC:\Windows\system32\Npbpjn32.exe117⤵PID:2120
-
C:\Windows\SysWOW64\Nglhghgj.exeC:\Windows\system32\Nglhghgj.exe118⤵
- System Location Discovery: System Language Discovery
PID:2552 -
C:\Windows\SysWOW64\Nimaic32.exeC:\Windows\system32\Nimaic32.exe119⤵PID:2820
-
C:\Windows\SysWOW64\Nahemf32.exeC:\Windows\system32\Nahemf32.exe120⤵
- Modifies registry class
PID:2960 -
C:\Windows\SysWOW64\Najbbepc.exeC:\Windows\system32\Najbbepc.exe121⤵
- System Location Discovery: System Language Discovery
PID:2948
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-