Analysis
-
max time kernel
79s -
max time network
18s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
09-10-2024 02:39
Behavioral task
behavioral1
Sample
727bd7726a7e436dc4b5d39841c832f48d6b5110dd86fb4bd4ca4bfa033d28b7N.exe
Resource
win7-20240903-en
windows7-x64
10 signatures
120 seconds
General
-
Target
727bd7726a7e436dc4b5d39841c832f48d6b5110dd86fb4bd4ca4bfa033d28b7N.exe
-
Size
337KB
-
MD5
ea0e26593847ddc92f6e17854eee8e90
-
SHA1
8229582ef86cd15e9214c3cf7280f2be5ca1c1fc
-
SHA256
727bd7726a7e436dc4b5d39841c832f48d6b5110dd86fb4bd4ca4bfa033d28b7
-
SHA512
2ce4f4539bc60ffd38e89df954939f2215c818e051f5b29914354c246838b1b1a6fe49c06d8487843f0ee4b0c84230bc23671f091b4b4fefc4e3a7297cc5f541
-
SSDEEP
3072:7JhC3hzAJwVgYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:1ODV1+fIyG5jZkCwi8r
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Okailkhd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fabppo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ffoihepa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgpklb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omjeba32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhfihd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Opcaiggo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Boainhic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kopldl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbekojlp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljndga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pogaeg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Homfboco.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehlkfn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gghloe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jdhlih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bqambacb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lefikg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Icbkhnan.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cligkdlm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mdcdcmai.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Moloidjl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efifjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Omjeba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Emailhfb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfigdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fillabde.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anhbdpje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Anjojphb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejdaoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jlekja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ecgeba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ghnfci32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apllml32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oncndnlq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oncndnlq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibadnhmb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmnkpc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Piemih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lkhcdhmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dajlhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ifceemdj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmjoaofc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgkeol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fqhclqnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lcppgbjd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dabfjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhodpidl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qfifmghc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hgjieedg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajghgd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cemebcnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cemebcnf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abehcbci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fokofpif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ncjcnfcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aidpjm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glongpao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjbgok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iopeoknn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kimlqfeq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nbdbml32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjanfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fialggcl.exe -
Executes dropped EXE 64 IoCs
pid Process 2820 Nmggllha.exe 2784 Ninhamne.exe 2716 Nndgeplo.exe 2612 Odcimipf.exe 3028 Pmcgmkil.exe 3004 Pfnhkq32.exe 2224 Pchbmigj.exe 2084 Pmqffonj.exe 1092 Aljmbknm.exe 2676 Apkbnibq.exe 1824 Bjiljf32.exe 1616 Bpjnmlel.exe 1756 Ccnddg32.exe 2940 Chmibmlo.exe 3052 Dgfpni32.exe 1880 Ddjphm32.exe 1556 Ekpkhkji.exe 2508 Ekfaij32.exe 1244 Fgpock32.exe 964 Fqhclqnc.exe 2256 Ffghjg32.exe 2452 Ffiepg32.exe 2448 Ghmnmo32.exe 2344 Gddobpbe.exe 2396 Gahpkd32.exe 2712 Ghddnnfi.exe 2780 Gpafgp32.exe 2884 Hbekojlp.exe 2592 Hajhpgag.exe 3024 Iopeoknn.exe 1104 Icbkhnan.exe 2976 Idbgbahq.exe 2124 Iokhcodo.exe 572 Iciaim32.exe 2872 Jhhfgcgj.exe 2200 Jbakpi32.exe 484 Jqhdfe32.exe 2136 Kqkalenn.exe 1828 Kmabqf32.exe 3040 Kikokf32.exe 1072 Kimlqfeq.exe 1312 Kbeqjl32.exe 1820 Lefikg32.exe 1364 Ljcbcngi.exe 1052 Lckflc32.exe 1664 Lmckeidj.exe 1648 Lncgollm.exe 1864 Lcppgbjd.exe 2460 Lpgqlc32.exe 2948 Mfqiingf.exe 2792 Mfceom32.exe 2920 Mlpngd32.exe 2700 Mfebdm32.exe 1152 Mpngmb32.exe 1788 Mkggnp32.exe 2372 Memlki32.exe 2776 Nkjdcp32.exe 2268 Ndbile32.exe 1044 Npiiafpa.exe 2952 Oogiha32.exe 2212 Ohbjgg32.exe 780 Pcnhmdli.exe 2500 Pnfipm32.exe 2384 Pccahc32.exe -
Loads dropped DLL 64 IoCs
pid Process 2140 727bd7726a7e436dc4b5d39841c832f48d6b5110dd86fb4bd4ca4bfa033d28b7N.exe 2140 727bd7726a7e436dc4b5d39841c832f48d6b5110dd86fb4bd4ca4bfa033d28b7N.exe 2820 Nmggllha.exe 2820 Nmggllha.exe 2784 Ninhamne.exe 2784 Ninhamne.exe 2716 Nndgeplo.exe 2716 Nndgeplo.exe 2612 Odcimipf.exe 2612 Odcimipf.exe 3028 Pmcgmkil.exe 3028 Pmcgmkil.exe 3004 Pfnhkq32.exe 3004 Pfnhkq32.exe 2224 Pchbmigj.exe 2224 Pchbmigj.exe 2084 Pmqffonj.exe 2084 Pmqffonj.exe 1092 Aljmbknm.exe 1092 Aljmbknm.exe 2676 Apkbnibq.exe 2676 Apkbnibq.exe 1824 Bjiljf32.exe 1824 Bjiljf32.exe 1616 Bpjnmlel.exe 1616 Bpjnmlel.exe 1756 Ccnddg32.exe 1756 Ccnddg32.exe 2940 Chmibmlo.exe 2940 Chmibmlo.exe 3052 Dgfpni32.exe 3052 Dgfpni32.exe 1880 Ddjphm32.exe 1880 Ddjphm32.exe 1556 Ekpkhkji.exe 1556 Ekpkhkji.exe 2508 Ekfaij32.exe 2508 Ekfaij32.exe 1244 Fgpock32.exe 1244 Fgpock32.exe 964 Fqhclqnc.exe 964 Fqhclqnc.exe 2256 Ffghjg32.exe 2256 Ffghjg32.exe 2452 Ffiepg32.exe 2452 Ffiepg32.exe 2448 Ghmnmo32.exe 2448 Ghmnmo32.exe 2344 Gddobpbe.exe 2344 Gddobpbe.exe 2396 Gahpkd32.exe 2396 Gahpkd32.exe 2712 Ghddnnfi.exe 2712 Ghddnnfi.exe 2780 Gpafgp32.exe 2780 Gpafgp32.exe 2884 Hbekojlp.exe 2884 Hbekojlp.exe 2592 Hajhpgag.exe 2592 Hajhpgag.exe 3024 Iopeoknn.exe 3024 Iopeoknn.exe 1104 Icbkhnan.exe 1104 Icbkhnan.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Pmcgmkil.exe Odcimipf.exe File created C:\Windows\SysWOW64\Mfebdm32.exe Mlpngd32.exe File opened for modification C:\Windows\SysWOW64\Cmikpngk.exe Cbcfbege.exe File created C:\Windows\SysWOW64\Papank32.exe Pobeao32.exe File created C:\Windows\SysWOW64\Lcegdl32.dll Dmaoem32.exe File created C:\Windows\SysWOW64\Bfimld32.dll Khglkqfj.exe File created C:\Windows\SysWOW64\Lnemfipf.dll Fldbnb32.exe File created C:\Windows\SysWOW64\Kddpplhi.dll Jpeafo32.exe File created C:\Windows\SysWOW64\Lgddiilp.dll Bmhkojab.exe File opened for modification C:\Windows\SysWOW64\Mnilfc32.exe Lkhcdhmk.exe File opened for modification C:\Windows\SysWOW64\Cjbpoeoj.exe Bdehgnqc.exe File created C:\Windows\SysWOW64\Ebcqicem.exe Dpbgghhl.exe File created C:\Windows\SysWOW64\Bpkqfdmp.exe Bphdpe32.exe File created C:\Windows\SysWOW64\Ollncgjq.exe Oafjfokk.exe File created C:\Windows\SysWOW64\Liopnp32.dll Ndmeecmb.exe File created C:\Windows\SysWOW64\Ijghmd32.exe Iekpdn32.exe File created C:\Windows\SysWOW64\Qomcdf32.exe Pbfcoedi.exe File opened for modification C:\Windows\SysWOW64\Fidkep32.exe Fianpp32.exe File opened for modification C:\Windows\SysWOW64\Jbakpi32.exe Jhhfgcgj.exe File created C:\Windows\SysWOW64\Aemafjeg.exe Qgiplffm.exe File created C:\Windows\SysWOW64\Lcjcogfe.dll Ehlkfn32.exe File created C:\Windows\SysWOW64\Ndmeecmb.exe Nanhihno.exe File opened for modification C:\Windows\SysWOW64\Qoaaqb32.exe Qdhqpe32.exe File created C:\Windows\SysWOW64\Himionmc.exe Hpdefh32.exe File opened for modification C:\Windows\SysWOW64\Dklibf32.exe Ckilmfke.exe File created C:\Windows\SysWOW64\Bbbmhm32.dll Kbeqjl32.exe File created C:\Windows\SysWOW64\Plhfoe32.dll Kgjgepqm.exe File opened for modification C:\Windows\SysWOW64\Bpbokj32.exe Bnafjo32.exe File created C:\Windows\SysWOW64\Jcfnnang.dll Pniohk32.exe File opened for modification C:\Windows\SysWOW64\Mbgela32.exe Mdcdcmai.exe File created C:\Windows\SysWOW64\Hljokk32.dll Dghjmlnm.exe File created C:\Windows\SysWOW64\Ffghjg32.exe Fqhclqnc.exe File created C:\Windows\SysWOW64\Jaopcbga.exe Jiclnpjg.exe File created C:\Windows\SysWOW64\Ncmioapf.dll Cpidai32.exe File created C:\Windows\SysWOW64\Omjeba32.exe Ohmljj32.exe File created C:\Windows\SysWOW64\Nfqbol32.exe Nlhnfg32.exe File created C:\Windows\SysWOW64\Haekqknh.dll Ngfhbd32.exe File created C:\Windows\SysWOW64\Fhngkm32.exe Ebdoocdk.exe File opened for modification C:\Windows\SysWOW64\Ikbndqnc.exe Ibjikk32.exe File opened for modification C:\Windows\SysWOW64\Jocceo32.exe Jblbpnhk.exe File created C:\Windows\SysWOW64\Pepigm32.dll Lelmei32.exe File created C:\Windows\SysWOW64\Dmmadecm.dll Qolmip32.exe File created C:\Windows\SysWOW64\Pcgkcccn.exe Pibgfjdh.exe File opened for modification C:\Windows\SysWOW64\Caccnllf.exe Cppjadhk.exe File created C:\Windows\SysWOW64\Jbpfpd32.exe Jpajdi32.exe File created C:\Windows\SysWOW64\Mjkmfn32.exe Ldndng32.exe File created C:\Windows\SysWOW64\Iefbpdca.dll Hqemlbqi.exe File opened for modification C:\Windows\SysWOW64\Nkjdcp32.exe Memlki32.exe File created C:\Windows\SysWOW64\Bcoffd32.exe Bcmjpd32.exe File created C:\Windows\SysWOW64\Ndemja32.dll Hpbhphie.exe File created C:\Windows\SysWOW64\Gddobpbe.exe Ghmnmo32.exe File created C:\Windows\SysWOW64\Acmbambf.dll Qfifmghc.exe File created C:\Windows\SysWOW64\Bocfch32.exe Boainhic.exe File created C:\Windows\SysWOW64\Qkeofnfk.exe Qfifmghc.exe File created C:\Windows\SysWOW64\Bjlnaghp.exe Bgkeol32.exe File created C:\Windows\SysWOW64\Joepjokm.exe Jocceo32.exe File created C:\Windows\SysWOW64\Khfnln32.dll Cfknjfbl.exe File created C:\Windows\SysWOW64\Pjligacm.dll Hhhkbqea.exe File created C:\Windows\SysWOW64\Lbnbpcde.dll Jaahgd32.exe File opened for modification C:\Windows\SysWOW64\Bdiaqj32.exe Ahbqliap.exe File created C:\Windows\SysWOW64\Eocmep32.dll Nfmahkhh.exe File opened for modification C:\Windows\SysWOW64\Pniohk32.exe Pdajpf32.exe File created C:\Windows\SysWOW64\Jpajdi32.exe Jdjioh32.exe File created C:\Windows\SysWOW64\Lghgocek.exe Laknfmgd.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 2252 3252 WerFault.exe 659 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anhdmh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkfcqo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijmkkc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkffohon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcmhmp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njgeel32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbeimf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anhbdpje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eiocbd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbdpjgjf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gphmbolk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alkpgh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aeepjh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bcmjpd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gegbpe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lefikg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjneoeeh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdjceb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfdbcing.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pknakhig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alncgn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjbgok32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpajdi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmeohnil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhcehngk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Baakem32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgndnd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffghjg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Koogbk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgpklb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hiphmf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kphbmp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iopeoknn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlekja32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgelahmn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkhcdhmk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olokighn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Legcjjjm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pifakj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egkgad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Clkfjman.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dapnfb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flmecm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijbjpg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfcfob32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blklfk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghnfci32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgjieedg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bokcom32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhngkm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfmahkhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omeini32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qckcdj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agilkijf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kadhen32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aodjdede.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdophn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgdkbo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohbjgg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opebpdad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcnilhap.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pllhib32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Domffn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djkodg32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agdfjc32.dll" Aggkdlod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkjpacdo.dll" Jbpfpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gifhkpgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iiobcq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dkeahf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nbdbml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Njjfli32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qhdfdb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Obgmjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Khfcgbge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mampci32.dll" Fidkep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jaamhjgm.dll" Kmabqf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qoaaqb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hgjieedg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnekggoo.dll" Migdig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnolpa32.dll" Agchdfmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jjimpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Milaecdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odmbgbpa.dll" Qefihg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aocgll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hiphmf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Njgeel32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dklibf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifdhgj32.dll" Ekpkhkji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gfmmanif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcphpcno.dll" Jepoao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldcnnnje.dll" Fhfihd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bleilh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kmbclj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eoajgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eemjqoee.dll" Fgeabi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fafeln32.dll" Ophoecoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gckgkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejegcc32.dll" Opebpdad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dkekmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icblchdc.dll" Fjajno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kogffida.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ccaipaho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mjeholco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ajdego32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cbcfbege.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgddiilp.dll" Bmhkojab.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jdjioh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fcjqpm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ncjcnfcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kqkalenn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nejbpm32.dll" Agakog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Apllml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbqjclca.dll" Fqkbkicd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kphpdhdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abmgojdb.dll" Ehiiop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aijolhib.dll" Abehcbci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pkmobp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hpdefh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ijghmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlgind32.dll" Gdpikmci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkhjhk32.dll" Dhlapc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fqnhcgma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpggcbki.dll" Egimdmmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glhbolin.dll" Jgpklb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lkhcdhmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppehbh32.dll" Dmffhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inofameg.dll" Hjnaehgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nogbpf32.dll" Ibbioilj.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2140 wrote to memory of 2820 2140 727bd7726a7e436dc4b5d39841c832f48d6b5110dd86fb4bd4ca4bfa033d28b7N.exe 30 PID 2140 wrote to memory of 2820 2140 727bd7726a7e436dc4b5d39841c832f48d6b5110dd86fb4bd4ca4bfa033d28b7N.exe 30 PID 2140 wrote to memory of 2820 2140 727bd7726a7e436dc4b5d39841c832f48d6b5110dd86fb4bd4ca4bfa033d28b7N.exe 30 PID 2140 wrote to memory of 2820 2140 727bd7726a7e436dc4b5d39841c832f48d6b5110dd86fb4bd4ca4bfa033d28b7N.exe 30 PID 2820 wrote to memory of 2784 2820 Nmggllha.exe 31 PID 2820 wrote to memory of 2784 2820 Nmggllha.exe 31 PID 2820 wrote to memory of 2784 2820 Nmggllha.exe 31 PID 2820 wrote to memory of 2784 2820 Nmggllha.exe 31 PID 2784 wrote to memory of 2716 2784 Ninhamne.exe 32 PID 2784 wrote to memory of 2716 2784 Ninhamne.exe 32 PID 2784 wrote to memory of 2716 2784 Ninhamne.exe 32 PID 2784 wrote to memory of 2716 2784 Ninhamne.exe 32 PID 2716 wrote to memory of 2612 2716 Nndgeplo.exe 33 PID 2716 wrote to memory of 2612 2716 Nndgeplo.exe 33 PID 2716 wrote to memory of 2612 2716 Nndgeplo.exe 33 PID 2716 wrote to memory of 2612 2716 Nndgeplo.exe 33 PID 2612 wrote to memory of 3028 2612 Odcimipf.exe 34 PID 2612 wrote to memory of 3028 2612 Odcimipf.exe 34 PID 2612 wrote to memory of 3028 2612 Odcimipf.exe 34 PID 2612 wrote to memory of 3028 2612 Odcimipf.exe 34 PID 3028 wrote to memory of 3004 3028 Pmcgmkil.exe 35 PID 3028 wrote to memory of 3004 3028 Pmcgmkil.exe 35 PID 3028 wrote to memory of 3004 3028 Pmcgmkil.exe 35 PID 3028 wrote to memory of 3004 3028 Pmcgmkil.exe 35 PID 3004 wrote to memory of 2224 3004 Pfnhkq32.exe 36 PID 3004 wrote to memory of 2224 3004 Pfnhkq32.exe 36 PID 3004 wrote to memory of 2224 3004 Pfnhkq32.exe 36 PID 3004 wrote to memory of 2224 3004 Pfnhkq32.exe 36 PID 2224 wrote to memory of 2084 2224 Pchbmigj.exe 37 PID 2224 wrote to memory of 2084 2224 Pchbmigj.exe 37 PID 2224 wrote to memory of 2084 2224 Pchbmigj.exe 37 PID 2224 wrote to memory of 2084 2224 Pchbmigj.exe 37 PID 2084 wrote to memory of 1092 2084 Pmqffonj.exe 38 PID 2084 wrote to memory of 1092 2084 Pmqffonj.exe 38 PID 2084 wrote to memory of 1092 2084 Pmqffonj.exe 38 PID 2084 wrote to memory of 1092 2084 Pmqffonj.exe 38 PID 1092 wrote to memory of 2676 1092 Aljmbknm.exe 39 PID 1092 wrote to memory of 2676 1092 Aljmbknm.exe 39 PID 1092 wrote to memory of 2676 1092 Aljmbknm.exe 39 PID 1092 wrote to memory of 2676 1092 Aljmbknm.exe 39 PID 2676 wrote to memory of 1824 2676 Apkbnibq.exe 40 PID 2676 wrote to memory of 1824 2676 Apkbnibq.exe 40 PID 2676 wrote to memory of 1824 2676 Apkbnibq.exe 40 PID 2676 wrote to memory of 1824 2676 Apkbnibq.exe 40 PID 1824 wrote to memory of 1616 1824 Bjiljf32.exe 41 PID 1824 wrote to memory of 1616 1824 Bjiljf32.exe 41 PID 1824 wrote to memory of 1616 1824 Bjiljf32.exe 41 PID 1824 wrote to memory of 1616 1824 Bjiljf32.exe 41 PID 1616 wrote to memory of 1756 1616 Bpjnmlel.exe 42 PID 1616 wrote to memory of 1756 1616 Bpjnmlel.exe 42 PID 1616 wrote to memory of 1756 1616 Bpjnmlel.exe 42 PID 1616 wrote to memory of 1756 1616 Bpjnmlel.exe 42 PID 1756 wrote to memory of 2940 1756 Ccnddg32.exe 43 PID 1756 wrote to memory of 2940 1756 Ccnddg32.exe 43 PID 1756 wrote to memory of 2940 1756 Ccnddg32.exe 43 PID 1756 wrote to memory of 2940 1756 Ccnddg32.exe 43 PID 2940 wrote to memory of 3052 2940 Chmibmlo.exe 44 PID 2940 wrote to memory of 3052 2940 Chmibmlo.exe 44 PID 2940 wrote to memory of 3052 2940 Chmibmlo.exe 44 PID 2940 wrote to memory of 3052 2940 Chmibmlo.exe 44 PID 3052 wrote to memory of 1880 3052 Dgfpni32.exe 45 PID 3052 wrote to memory of 1880 3052 Dgfpni32.exe 45 PID 3052 wrote to memory of 1880 3052 Dgfpni32.exe 45 PID 3052 wrote to memory of 1880 3052 Dgfpni32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\727bd7726a7e436dc4b5d39841c832f48d6b5110dd86fb4bd4ca4bfa033d28b7N.exe"C:\Users\Admin\AppData\Local\Temp\727bd7726a7e436dc4b5d39841c832f48d6b5110dd86fb4bd4ca4bfa033d28b7N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2140 -
C:\Windows\SysWOW64\Nmggllha.exeC:\Windows\system32\Nmggllha.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2820 -
C:\Windows\SysWOW64\Ninhamne.exeC:\Windows\system32\Ninhamne.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2784 -
C:\Windows\SysWOW64\Nndgeplo.exeC:\Windows\system32\Nndgeplo.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2716 -
C:\Windows\SysWOW64\Odcimipf.exeC:\Windows\system32\Odcimipf.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2612 -
C:\Windows\SysWOW64\Pmcgmkil.exeC:\Windows\system32\Pmcgmkil.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3028 -
C:\Windows\SysWOW64\Pfnhkq32.exeC:\Windows\system32\Pfnhkq32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3004 -
C:\Windows\SysWOW64\Pchbmigj.exeC:\Windows\system32\Pchbmigj.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2224 -
C:\Windows\SysWOW64\Pmqffonj.exeC:\Windows\system32\Pmqffonj.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2084 -
C:\Windows\SysWOW64\Aljmbknm.exeC:\Windows\system32\Aljmbknm.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1092 -
C:\Windows\SysWOW64\Apkbnibq.exeC:\Windows\system32\Apkbnibq.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2676 -
C:\Windows\SysWOW64\Bjiljf32.exeC:\Windows\system32\Bjiljf32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1824 -
C:\Windows\SysWOW64\Bpjnmlel.exeC:\Windows\system32\Bpjnmlel.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1616 -
C:\Windows\SysWOW64\Ccnddg32.exeC:\Windows\system32\Ccnddg32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1756 -
C:\Windows\SysWOW64\Chmibmlo.exeC:\Windows\system32\Chmibmlo.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2940 -
C:\Windows\SysWOW64\Dgfpni32.exeC:\Windows\system32\Dgfpni32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3052 -
C:\Windows\SysWOW64\Ddjphm32.exeC:\Windows\system32\Ddjphm32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1880 -
C:\Windows\SysWOW64\Ekpkhkji.exeC:\Windows\system32\Ekpkhkji.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1556 -
C:\Windows\SysWOW64\Ekfaij32.exeC:\Windows\system32\Ekfaij32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2508 -
C:\Windows\SysWOW64\Fgpock32.exeC:\Windows\system32\Fgpock32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1244 -
C:\Windows\SysWOW64\Fqhclqnc.exeC:\Windows\system32\Fqhclqnc.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:964 -
C:\Windows\SysWOW64\Ffghjg32.exeC:\Windows\system32\Ffghjg32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2256 -
C:\Windows\SysWOW64\Ffiepg32.exeC:\Windows\system32\Ffiepg32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2452 -
C:\Windows\SysWOW64\Ghmnmo32.exeC:\Windows\system32\Ghmnmo32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2448 -
C:\Windows\SysWOW64\Gddobpbe.exeC:\Windows\system32\Gddobpbe.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2344 -
C:\Windows\SysWOW64\Gahpkd32.exeC:\Windows\system32\Gahpkd32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2396 -
C:\Windows\SysWOW64\Ghddnnfi.exeC:\Windows\system32\Ghddnnfi.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2712 -
C:\Windows\SysWOW64\Gpafgp32.exeC:\Windows\system32\Gpafgp32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2780 -
C:\Windows\SysWOW64\Hbekojlp.exeC:\Windows\system32\Hbekojlp.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2884 -
C:\Windows\SysWOW64\Hajhpgag.exeC:\Windows\system32\Hajhpgag.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2592 -
C:\Windows\SysWOW64\Iopeoknn.exeC:\Windows\system32\Iopeoknn.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3024 -
C:\Windows\SysWOW64\Icbkhnan.exeC:\Windows\system32\Icbkhnan.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1104 -
C:\Windows\SysWOW64\Idbgbahq.exeC:\Windows\system32\Idbgbahq.exe33⤵
- Executes dropped EXE
PID:2976 -
C:\Windows\SysWOW64\Iokhcodo.exeC:\Windows\system32\Iokhcodo.exe34⤵
- Executes dropped EXE
PID:2124 -
C:\Windows\SysWOW64\Iciaim32.exeC:\Windows\system32\Iciaim32.exe35⤵
- Executes dropped EXE
PID:572 -
C:\Windows\SysWOW64\Jhhfgcgj.exeC:\Windows\system32\Jhhfgcgj.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2872 -
C:\Windows\SysWOW64\Jbakpi32.exeC:\Windows\system32\Jbakpi32.exe37⤵
- Executes dropped EXE
PID:2200 -
C:\Windows\SysWOW64\Jqhdfe32.exeC:\Windows\system32\Jqhdfe32.exe38⤵
- Executes dropped EXE
PID:484 -
C:\Windows\SysWOW64\Kqkalenn.exeC:\Windows\system32\Kqkalenn.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:2136 -
C:\Windows\SysWOW64\Kmabqf32.exeC:\Windows\system32\Kmabqf32.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:1828 -
C:\Windows\SysWOW64\Kikokf32.exeC:\Windows\system32\Kikokf32.exe41⤵
- Executes dropped EXE
PID:3040 -
C:\Windows\SysWOW64\Kimlqfeq.exeC:\Windows\system32\Kimlqfeq.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1072 -
C:\Windows\SysWOW64\Kbeqjl32.exeC:\Windows\system32\Kbeqjl32.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1312 -
C:\Windows\SysWOW64\Lefikg32.exeC:\Windows\system32\Lefikg32.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1820 -
C:\Windows\SysWOW64\Ljcbcngi.exeC:\Windows\system32\Ljcbcngi.exe45⤵
- Executes dropped EXE
PID:1364 -
C:\Windows\SysWOW64\Lckflc32.exeC:\Windows\system32\Lckflc32.exe46⤵
- Executes dropped EXE
PID:1052 -
C:\Windows\SysWOW64\Lmckeidj.exeC:\Windows\system32\Lmckeidj.exe47⤵
- Executes dropped EXE
PID:1664 -
C:\Windows\SysWOW64\Lncgollm.exeC:\Windows\system32\Lncgollm.exe48⤵
- Executes dropped EXE
PID:1648 -
C:\Windows\SysWOW64\Lcppgbjd.exeC:\Windows\system32\Lcppgbjd.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1864 -
C:\Windows\SysWOW64\Lpgqlc32.exeC:\Windows\system32\Lpgqlc32.exe50⤵
- Executes dropped EXE
PID:2460 -
C:\Windows\SysWOW64\Mfqiingf.exeC:\Windows\system32\Mfqiingf.exe51⤵
- Executes dropped EXE
PID:2948 -
C:\Windows\SysWOW64\Mfceom32.exeC:\Windows\system32\Mfceom32.exe52⤵
- Executes dropped EXE
PID:2792 -
C:\Windows\SysWOW64\Mlpngd32.exeC:\Windows\system32\Mlpngd32.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2920 -
C:\Windows\SysWOW64\Mfebdm32.exeC:\Windows\system32\Mfebdm32.exe54⤵
- Executes dropped EXE
PID:2700 -
C:\Windows\SysWOW64\Mpngmb32.exeC:\Windows\system32\Mpngmb32.exe55⤵
- Executes dropped EXE
PID:1152 -
C:\Windows\SysWOW64\Mkggnp32.exeC:\Windows\system32\Mkggnp32.exe56⤵
- Executes dropped EXE
PID:1788 -
C:\Windows\SysWOW64\Memlki32.exeC:\Windows\system32\Memlki32.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2372 -
C:\Windows\SysWOW64\Nkjdcp32.exeC:\Windows\system32\Nkjdcp32.exe58⤵
- Executes dropped EXE
PID:2776 -
C:\Windows\SysWOW64\Ndbile32.exeC:\Windows\system32\Ndbile32.exe59⤵
- Executes dropped EXE
PID:2268 -
C:\Windows\SysWOW64\Npiiafpa.exeC:\Windows\system32\Npiiafpa.exe60⤵
- Executes dropped EXE
PID:1044 -
C:\Windows\SysWOW64\Oogiha32.exeC:\Windows\system32\Oogiha32.exe61⤵
- Executes dropped EXE
PID:2952 -
C:\Windows\SysWOW64\Ohbjgg32.exeC:\Windows\system32\Ohbjgg32.exe62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2212 -
C:\Windows\SysWOW64\Pcnhmdli.exeC:\Windows\system32\Pcnhmdli.exe63⤵
- Executes dropped EXE
PID:780 -
C:\Windows\SysWOW64\Pnfipm32.exeC:\Windows\system32\Pnfipm32.exe64⤵
- Executes dropped EXE
PID:2500 -
C:\Windows\SysWOW64\Pccahc32.exeC:\Windows\system32\Pccahc32.exe65⤵
- Executes dropped EXE
PID:2384 -
C:\Windows\SysWOW64\Pqgbah32.exeC:\Windows\system32\Pqgbah32.exe66⤵PID:1332
-
C:\Windows\SysWOW64\Pibgfjdh.exeC:\Windows\system32\Pibgfjdh.exe67⤵
- Drops file in System32 directory
PID:584 -
C:\Windows\SysWOW64\Pcgkcccn.exeC:\Windows\system32\Pcgkcccn.exe68⤵PID:2416
-
C:\Windows\SysWOW64\Qnalcqpm.exeC:\Windows\system32\Qnalcqpm.exe69⤵PID:2664
-
C:\Windows\SysWOW64\Qgiplffm.exeC:\Windows\system32\Qgiplffm.exe70⤵
- Drops file in System32 directory
PID:2832 -
C:\Windows\SysWOW64\Aemafjeg.exeC:\Windows\system32\Aemafjeg.exe71⤵PID:1676
-
C:\Windows\SysWOW64\Aepnkjcd.exeC:\Windows\system32\Aepnkjcd.exe72⤵PID:1872
-
C:\Windows\SysWOW64\Anhbdpje.exeC:\Windows\system32\Anhbdpje.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2636 -
C:\Windows\SysWOW64\Acejlfhl.exeC:\Windows\system32\Acejlfhl.exe74⤵PID:1536
-
C:\Windows\SysWOW64\Anjojphb.exeC:\Windows\system32\Anjojphb.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2036 -
C:\Windows\SysWOW64\Aidpjm32.exeC:\Windows\system32\Aidpjm32.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2312 -
C:\Windows\SysWOW64\Acjdgf32.exeC:\Windows\system32\Acjdgf32.exe77⤵PID:2328
-
C:\Windows\SysWOW64\Bleilh32.exeC:\Windows\system32\Bleilh32.exe78⤵
- Modifies registry class
PID:2304 -
C:\Windows\SysWOW64\Bemmenhb.exeC:\Windows\system32\Bemmenhb.exe79⤵PID:1316
-
C:\Windows\SysWOW64\Bbannb32.exeC:\Windows\system32\Bbannb32.exe80⤵PID:2128
-
C:\Windows\SysWOW64\Bhnffi32.exeC:\Windows\system32\Bhnffi32.exe81⤵PID:3064
-
C:\Windows\SysWOW64\Bnhncclq.exeC:\Windows\system32\Bnhncclq.exe82⤵PID:848
-
C:\Windows\SysWOW64\Bjoohdbd.exeC:\Windows\system32\Bjoohdbd.exe83⤵PID:876
-
C:\Windows\SysWOW64\Bedcembk.exeC:\Windows\system32\Bedcembk.exe84⤵PID:2484
-
C:\Windows\SysWOW64\Befpkmph.exeC:\Windows\system32\Befpkmph.exe85⤵PID:1668
-
C:\Windows\SysWOW64\Cppakj32.exeC:\Windows\system32\Cppakj32.exe86⤵PID:2856
-
C:\Windows\SysWOW64\Cmdaeo32.exeC:\Windows\system32\Cmdaeo32.exe87⤵PID:2668
-
C:\Windows\SysWOW64\Cbajme32.exeC:\Windows\system32\Cbajme32.exe88⤵PID:2772
-
C:\Windows\SysWOW64\Cbcfbege.exeC:\Windows\system32\Cbcfbege.exe89⤵
- Drops file in System32 directory
- Modifies registry class
PID:2564 -
C:\Windows\SysWOW64\Cmikpngk.exeC:\Windows\system32\Cmikpngk.exe90⤵PID:2240
-
C:\Windows\SysWOW64\Cpidai32.exeC:\Windows\system32\Cpidai32.exe91⤵
- Drops file in System32 directory
PID:2648 -
C:\Windows\SysWOW64\Dibhjokm.exeC:\Windows\system32\Dibhjokm.exe92⤵PID:2620
-
C:\Windows\SysWOW64\Dcjmcd32.exeC:\Windows\system32\Dcjmcd32.exe93⤵PID:2916
-
C:\Windows\SysWOW64\Dkeahf32.exeC:\Windows\system32\Dkeahf32.exe94⤵
- Modifies registry class
PID:1768 -
C:\Windows\SysWOW64\Ddnfql32.exeC:\Windows\system32\Ddnfql32.exe95⤵PID:2440
-
C:\Windows\SysWOW64\Dabfjp32.exeC:\Windows\system32\Dabfjp32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1368 -
C:\Windows\SysWOW64\Dadcppbp.exeC:\Windows\system32\Dadcppbp.exe97⤵PID:904
-
C:\Windows\SysWOW64\Dkmghe32.exeC:\Windows\system32\Dkmghe32.exe98⤵PID:3012
-
C:\Windows\SysWOW64\Ejadibmh.exeC:\Windows\system32\Ejadibmh.exe99⤵PID:912
-
C:\Windows\SysWOW64\Ejdaoa32.exeC:\Windows\system32\Ejdaoa32.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2296 -
C:\Windows\SysWOW64\Eoajgh32.exeC:\Windows\system32\Eoajgh32.exe101⤵
- Modifies registry class
PID:2688 -
C:\Windows\SysWOW64\Ejfnda32.exeC:\Windows\system32\Ejfnda32.exe102⤵PID:1992
-
C:\Windows\SysWOW64\Ekhjlioa.exeC:\Windows\system32\Ekhjlioa.exe103⤵PID:2788
-
C:\Windows\SysWOW64\Ehlkfn32.exeC:\Windows\system32\Ehlkfn32.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2928 -
C:\Windows\SysWOW64\Ebdoocdk.exeC:\Windows\system32\Ebdoocdk.exe105⤵
- Drops file in System32 directory
PID:2180 -
C:\Windows\SysWOW64\Fhngkm32.exeC:\Windows\system32\Fhngkm32.exe106⤵
- System Location Discovery: System Language Discovery
PID:2088 -
C:\Windows\SysWOW64\Fipdqmje.exeC:\Windows\system32\Fipdqmje.exe107⤵PID:432
-
C:\Windows\SysWOW64\Fnmmidhm.exeC:\Windows\system32\Fnmmidhm.exe108⤵PID:264
-
C:\Windows\SysWOW64\Fgeabi32.exeC:\Windows\system32\Fgeabi32.exe109⤵
- Modifies registry class
PID:2152 -
C:\Windows\SysWOW64\Fqnfkoen.exeC:\Windows\system32\Fqnfkoen.exe110⤵PID:1252
-
C:\Windows\SysWOW64\Fclbgj32.exeC:\Windows\system32\Fclbgj32.exe111⤵PID:2164
-
C:\Windows\SysWOW64\Fmdfppkb.exeC:\Windows\system32\Fmdfppkb.exe112⤵PID:612
-
C:\Windows\SysWOW64\Fcoolj32.exeC:\Windows\system32\Fcoolj32.exe113⤵PID:2404
-
C:\Windows\SysWOW64\Gjkcod32.exeC:\Windows\system32\Gjkcod32.exe114⤵PID:2808
-
C:\Windows\SysWOW64\Gphlgk32.exeC:\Windows\system32\Gphlgk32.exe115⤵PID:1980
-
C:\Windows\SysWOW64\Gfadcemm.exeC:\Windows\system32\Gfadcemm.exe116⤵PID:916
-
C:\Windows\SysWOW64\Gfdaid32.exeC:\Windows\system32\Gfdaid32.exe117⤵PID:1720
-
C:\Windows\SysWOW64\Gjffbhnj.exeC:\Windows\system32\Gjffbhnj.exe118⤵PID:2320
-
C:\Windows\SysWOW64\Hjhchg32.exeC:\Windows\system32\Hjhchg32.exe119⤵PID:2988
-
C:\Windows\SysWOW64\Ibmkbh32.exeC:\Windows\system32\Ibmkbh32.exe120⤵PID:1352
-
C:\Windows\SysWOW64\Iiipeb32.exeC:\Windows\system32\Iiipeb32.exe121⤵PID:2300
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-