Analysis
max time kernel: 77s
max time network: 19s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 09/10/2024, 02:59
Behavioral task: behavioral1
Sample: bfe27977e11d5596a241874e71a640e05862bdd22af37e6c3c3ef3317bbb4b57N.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: bfe27977e11d5596a241874e71a640e05862bdd22af37e6c3c3ef3317bbb4b57N.exe
Resource: win10v2004-20241007-en
General
Target: bfe27977e11d5596a241874e71a640e05862bdd22af37e6c3c3ef3317bbb4b57N.exe
Size: 264KB
MD5: 49b25c825e6bd07c97f1744d95c96350
SHA1: 16b22de156a43bed999567befe402c25b6eb90ab
SHA256: bfe27977e11d5596a241874e71a640e05862bdd22af37e6c3c3ef3317bbb4b57
SHA512: 4bb7251be8fa9f551d078bf267161f24f9310dc331cd9f1628082b1633c5c706fe61c3de49cf5a7914d3c501c4632b0be0a2dd04704eb0db5bf35e34958be8aa
SSDEEP: 3072:4soKxcg2LoK24ho1mtye3lFDrFDHZtO8jJkiUi8ChpBhx5Zd424ho1mtye3lFDrO:boCcgsonsFj5tPNki9HZd1sFj5tw
Malware Config
Extracted: berbew
http://tat-neftbank.ru/kkq.php
http://tat-neftbank.ru/wcmd.htm
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Executes dropped EXE (64 IoCs)
Loads dropped DLL (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)
pid: 3276, pid_target: 3164, Process: WerFault.exe, procid_target: 715
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\bfe27977e11d5596a241874e71a640e05862bdd22af37e6c3c3ef3317bbb4b57N.exe, command line "C:\Users\Admin\AppData\Local\Temp\bfe27977e11d5596a241874e71a640e05862bdd22af37e6c3c3ef3317bbb4b57N.exe", PID 396
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Neemgp32.exe, command line C:\Windows\system32\Neemgp32.exe, PID 2092
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Njdbefnf.exe, command line C:\Windows\system32\Njdbefnf.exe, PID 2844
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Oacdmpan.exe, command line C:\Windows\system32\Oacdmpan.exe, PID 2244
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Oiqegb32.exe, command line C:\Windows\system32\Oiqegb32.exe, PID 2976
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Poddphee.exe, command line C:\Windows\system32\Poddphee.exe, PID 2692
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Pddinn32.exe, command line C:\Windows\system32\Pddinn32.exe, PID 2760
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Qgdbpi32.exe, command line C:\Windows\system32\Qgdbpi32.exe, PID 108
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Alfdcp32.exe, command line C:\Windows\system32\Alfdcp32.exe, PID 2364
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Ajlabc32.exe, command line C:\Windows\system32\Ajlabc32.exe, PID 3052
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Afcbgd32.exe, command line C:\Windows\system32\Afcbgd32.exe, PID 2832
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Bdmhcp32.exe, command line C:\Windows\system32\Bdmhcp32.exe, PID 2196
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Bdoeipjh.exe, command line C:\Windows\system32\Bdoeipjh.exe, PID 1028
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Cmocha32.exe, command line C:\Windows\system32\Cmocha32.exe, PID 584
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Cbqekhmp.exe, command line C:\Windows\system32\Cbqekhmp.exe, PID 2480
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Dahobdpe.exe, command line C:\Windows\system32\Dahobdpe.exe, PID 2476
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Dpphipbk.exe, command line C:\Windows\system32\Dpphipbk.exe, PID 2188
- Executes dropped EXE
- Loads dropped DLL
18. C:\Windows\SysWOW64\Dmcibdad.exe, command line C:\Windows\system32\Dmcibdad.exe, PID 1696
- Executes dropped EXE
- Loads dropped DLL
19. C:\Windows\SysWOW64\Eiocbd32.exe, command line C:\Windows\system32\Eiocbd32.exe, PID 2440
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
20. C:\Windows\SysWOW64\Feccqime.exe, command line C:\Windows\system32\Feccqime.exe, PID 1488
- Executes dropped EXE
- Loads dropped DLL
21. C:\Windows\SysWOW64\Falakjag.exe, command line C:\Windows\system32\Falakjag.exe, PID 1408
- Executes dropped EXE
- Loads dropped DLL
22. C:\Windows\SysWOW64\Fkeedo32.exe, command line C:\Windows\system32\Fkeedo32.exe, PID 1448
- Executes dropped EXE
- Loads dropped DLL
23. C:\Windows\SysWOW64\Gkgbioee.exe, command line C:\Windows\system32\Gkgbioee.exe, PID 1460
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
24. C:\Windows\SysWOW64\Gdpfbd32.exe, command line C:\Windows\system32\Gdpfbd32.exe, PID 2336
- Executes dropped EXE
- Loads dropped DLL
25. C:\Windows\SysWOW64\Ghmohcbl.exe, command line C:\Windows\system32\Ghmohcbl.exe, PID 1956
- Executes dropped EXE
- Loads dropped DLL
26. C:\Windows\SysWOW64\Gknhjn32.exe, command line C:\Windows\system32\Gknhjn32.exe, PID 2120
- Executes dropped EXE
- Loads dropped DLL
27. C:\Windows\SysWOW64\Gdfmccfm.exe, command line C:\Windows\system32\Gdfmccfm.exe, PID 2968
- Executes dropped EXE
- Loads dropped DLL
28. C:\Windows\SysWOW64\Hggeeo32.exe, command line C:\Windows\system32\Hggeeo32.exe, PID 2780
- Executes dropped EXE
- Loads dropped DLL
29. C:\Windows\SysWOW64\Hkiknb32.exe, command line C:\Windows\system32\Hkiknb32.exe, PID 2876
- Executes dropped EXE
- Loads dropped DLL
30. C:\Windows\SysWOW64\Himkgf32.exe, command line C:\Windows\system32\Himkgf32.exe, PID 2412
- Executes dropped EXE
- Loads dropped DLL
31. C:\Windows\SysWOW64\Hiphmf32.exe, command line C:\Windows\system32\Hiphmf32.exe, PID 2060
- Executes dropped EXE
- Loads dropped DLL
32. C:\Windows\SysWOW64\Hqkmahpp.exe, command line C:\Windows\system32\Hqkmahpp.exe, PID 2752
- Executes dropped EXE
- Loads dropped DLL
33. C:\Windows\SysWOW64\Iamjghnm.exe, command line C:\Windows\system32\Iamjghnm.exe, PID 1648
- Executes dropped EXE
- System Location Discovery: System Language Discovery
34. C:\Windows\SysWOW64\Iapfmg32.exe, command line C:\Windows\system32\Iapfmg32.exe, PID 1660
- Executes dropped EXE
35. C:\Windows\SysWOW64\Incgfl32.exe, command line C:\Windows\system32\Incgfl32.exe, PID 2400
- Executes dropped EXE
36. C:\Windows\SysWOW64\Imidgh32.exe, command line C:\Windows\system32\Imidgh32.exe, PID 3012
- Executes dropped EXE
37. C:\Windows\SysWOW64\Ipimic32.exe, command line C:\Windows\system32\Ipimic32.exe, PID 2980
- Executes dropped EXE
38. C:\Windows\SysWOW64\Jplinckj.exe, command line C:\Windows\system32\Jplinckj.exe, PID 2740
- Executes dropped EXE
39. C:\Windows\SysWOW64\Jjhgdqef.exe, command line C:\Windows\system32\Jjhgdqef.exe, PID 1260
- Executes dropped EXE
40. C:\Windows\SysWOW64\Jhlgnd32.exe, command line C:\Windows\system32\Jhlgnd32.exe, PID 2184
- Executes dropped EXE
- Modifies registry class
41. C:\Windows\SysWOW64\Jhndcd32.exe, command line C:\Windows\system32\Jhndcd32.exe, PID 2300
- Executes dropped EXE
42. C:\Windows\SysWOW64\Khpaidpk.exe, command line C:\Windows\system32\Khpaidpk.exe, PID 1480
- Executes dropped EXE
43. C:\Windows\SysWOW64\Kplfmfmf.exe, command line C:\Windows\system32\Kplfmfmf.exe, PID 2156
- Executes dropped EXE
44. C:\Windows\SysWOW64\Kkajkoml.exe, command line C:\Windows\system32\Kkajkoml.exe, PID 1636
- Executes dropped EXE
45. C:\Windows\SysWOW64\Kdincdcl.exe, command line C:\Windows\system32\Kdincdcl.exe, PID 2544
- Executes dropped EXE
46. C:\Windows\SysWOW64\Kldchgag.exe, command line C:\Windows\system32\Kldchgag.exe, PID 2020
- Executes dropped EXE
47. C:\Windows\SysWOW64\Kihcakpa.exe, command line C:\Windows\system32\Kihcakpa.exe, PID 1944
- Executes dropped EXE
48. C:\Windows\SysWOW64\Koelibnh.exe, command line C:\Windows\system32\Koelibnh.exe, PID 2600
- Executes dropped EXE
49. C:\Windows\SysWOW64\Klimcf32.exe, command line C:\Windows\system32\Klimcf32.exe, PID 368
- Executes dropped EXE
50. C:\Windows\SysWOW64\Lddagi32.exe, command line C:\Windows\system32\Lddagi32.exe, PID 2100
- Executes dropped EXE
51. C:\Windows\SysWOW64\Ldgnmhhj.exe, command line C:\Windows\system32\Ldgnmhhj.exe, PID 2296
52. C:\Windows\SysWOW64\Lnobfn32.exe, command line C:\Windows\system32\Lnobfn32.exe, PID 2288
- Executes dropped EXE
53. C:\Windows\SysWOW64\Lnaokn32.exe, command line C:\Windows\system32\Lnaokn32.exe, PID 2936
- Executes dropped EXE
- Modifies registry class
54. C:\Windows\SysWOW64\Lkepdbkb.exe, command line C:\Windows\system32\Lkepdbkb.exe, PID 2672
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
55. C:\Windows\SysWOW64\Mjkmfn32.exe, command line C:\Windows\system32\Mjkmfn32.exe, PID 2660
- Executes dropped EXE
56. C:\Windows\SysWOW64\Mgomoboc.exe, command line C:\Windows\system32\Mgomoboc.exe, PID 2680
- Executes dropped EXE
57. C:\Windows\SysWOW64\Mlkegimk.exe, command line C:\Windows\system32\Mlkegimk.exe, PID 892
- Executes dropped EXE
58. C:\Windows\SysWOW64\Mlnbmikh.exe, command line C:\Windows\system32\Mlnbmikh.exe, PID 2896
- Executes dropped EXE
59. C:\Windows\SysWOW64\Mchjjc32.exe, command line C:\Windows\system32\Mchjjc32.exe, PID 2172
- Executes dropped EXE
- Modifies registry class
60. C:\Windows\SysWOW64\Mhdcbjal.exe, command line C:\Windows\system32\Mhdcbjal.exe, PID 1052
- Executes dropped EXE
61. C:\Windows\SysWOW64\Mookod32.exe, command line C:\Windows\system32\Mookod32.exe, PID 1708
- Executes dropped EXE
62. C:\Windows\SysWOW64\Mfhcknpf.exe, command line C:\Windows\system32\Mfhcknpf.exe, PID 2508
- Executes dropped EXE
- System Location Discovery: System Language Discovery
63. C:\Windows\SysWOW64\Mgjpcf32.exe, command line C:\Windows\system32\Mgjpcf32.exe, PID 1148
- Executes dropped EXE
64. C:\Windows\SysWOW64\Nqbdllld.exe, command line C:\Windows\system32\Nqbdllld.exe, PID 2208
- Executes dropped EXE
65. C:\Windows\SysWOW64\Njjieace.exe, command line C:\Windows\system32\Njjieace.exe, PID 2496
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
66. C:\Windows\SysWOW64\Nccmng32.exe, command line C:\Windows\system32\Nccmng32.exe, PID 2488
- Executes dropped EXE
67. C:\Windows\SysWOW64\Njmejaqb.exe, command line C:\Windows\system32\Njmejaqb.exe, PID 1140
68. C:\Windows\SysWOW64\Ndbjgjqh.exe, command line C:\Windows\system32\Ndbjgjqh.exe, PID 1744
- Adds autorun key to be loaded by Explorer.exe on startup
69. C:\Windows\SysWOW64\Nqijmkfm.exe, command line C:\Windows\system32\Nqijmkfm.exe, PID 1136
- Modifies registry class
70. C:\Windows\SysWOW64\Nidoamch.exe, command line C:\Windows\system32\Nidoamch.exe, PID 1168
71. C:\Windows\SysWOW64\Ppqqbjkm.exe, command line C:\Windows\system32\Ppqqbjkm.exe, PID 1704
- Modifies registry class
72. C:\Windows\SysWOW64\Ppgfciee.exe, command line C:\Windows\system32\Ppgfciee.exe, PID 2332
73. C:\Windows\SysWOW64\Ahlnmjkf.exe, command line C:\Windows\system32\Ahlnmjkf.exe, PID 2932
- Drops file in System32 directory
74. C:\Windows\SysWOW64\Aadbfp32.exe, command line C:\Windows\system32\Aadbfp32.exe, PID 2668
75. C:\Windows\SysWOW64\Akmgoehg.exe, command line C:\Windows\system32\Akmgoehg.exe, PID 2284
- Adds autorun key to be loaded by Explorer.exe on startup
76. C:\Windows\SysWOW64\Achlch32.exe, command line C:\Windows\system32\Achlch32.exe, PID 2392
- Modifies registry class
77. C:\Windows\SysWOW64\Apllml32.exe, command line C:\Windows\system32\Apllml32.exe, PID 3032
- Drops file in System32 directory
- Modifies registry class
78. C:\Windows\SysWOW64\Bjdqfajl.exe, command line C:\Windows\system32\Bjdqfajl.exe, PID 2460
79. C:\Windows\SysWOW64\Bcmeogam.exe, command line C:\Windows\system32\Bcmeogam.exe, PID 1532
80. C:\Windows\SysWOW64\Blejgm32.exe, command line C:\Windows\system32\Blejgm32.exe, PID 2452
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
81. C:\Windows\SysWOW64\Bdpnlo32.exe, command line C:\Windows\system32\Bdpnlo32.exe, PID 560
82. C:\Windows\SysWOW64\Bbdoec32.exe, command line C:\Windows\system32\Bbdoec32.exe, PID 1056
- System Location Discovery: System Language Discovery
83. C:\Windows\SysWOW64\Bgagnjbi.exe, command line C:\Windows\system32\Bgagnjbi.exe, PID 1524
84. C:\Windows\SysWOW64\Bbflkcao.exe, command line C:\Windows\system32\Bbflkcao.exe, PID 2268
85. C:\Windows\SysWOW64\Cbihpbpl.exe, command line C:\Windows\system32\Cbihpbpl.exe, PID 2044
- System Location Discovery: System Language Discovery
86. C:\Windows\SysWOW64\Cqneaodd.exe, command line C:\Windows\system32\Cqneaodd.exe, PID 2608
- Modifies registry class
87. C:\Windows\SysWOW64\Cocbbk32.exe, command line C:\Windows\system32\Cocbbk32.exe, PID 1984
88. C:\Windows\SysWOW64\Cilfka32.exe, command line C:\Windows\system32\Cilfka32.exe, PID 2824
- System Location Discovery: System Language Discovery
89. C:\Windows\SysWOW64\Ccakij32.exe, command line C:\Windows\system32\Ccakij32.exe, PID 2744
- System Location Discovery: System Language Discovery
90. C:\Windows\SysWOW64\Cohlnkeg.exe, command line C:\Windows\system32\Cohlnkeg.exe, PID 2456
91. C:\Windows\SysWOW64\Dippfplg.exe, command line C:\Windows\system32\Dippfplg.exe, PID 3004
92. C:\Windows\SysWOW64\Dfdqpdja.exe, command line C:\Windows\system32\Dfdqpdja.exe, PID 2220
93. C:\Windows\SysWOW64\Dicmlpje.exe, command line C:\Windows\system32\Dicmlpje.exe, PID 1580
94. C:\Windows\SysWOW64\Dbkaee32.exe, command line C:\Windows\system32\Dbkaee32.exe, PID 2560
- Drops file in System32 directory
95. C:\Windows\SysWOW64\Dnbbjf32.exe, command line C:\Windows\system32\Dnbbjf32.exe, PID 2148
96. C:\Windows\SysWOW64\Dapnfb32.exe, command line C:\Windows\system32\Dapnfb32.exe, PID 624
- Modifies registry class
97. C:\Windows\SysWOW64\Dndoof32.exe, command line C:\Windows\system32\Dndoof32.exe, PID 1528
98. C:\Windows\SysWOW64\Dcaghm32.exe, command line C:\Windows\system32\Dcaghm32.exe, PID 524
99. C:\Windows\SysWOW64\Djkodg32.exe, command line C:\Windows\system32\Djkodg32.exe, PID 2068
100. C:\Windows\SysWOW64\Ejmljg32.exe, command line C:\Windows\system32\Ejmljg32.exe, PID 872
101. C:\Windows\SysWOW64\Emlhfb32.exe, command line C:\Windows\system32\Emlhfb32.exe, PID 2856
102. C:\Windows\SysWOW64\Efdmohmm.exe, command line C:\Windows\system32\Efdmohmm.exe, PID 2868
103. C:\Windows\SysWOW64\Edhmhl32.exe, command line C:\Windows\system32\Edhmhl32.exe, PID 2956
104. C:\Windows\SysWOW64\Eiefqc32.exe, command line C:\Windows\system32\Eiefqc32.exe, PID 1776
105. C:\Windows\SysWOW64\Eelfedpa.exe, command line C:\Windows\system32\Eelfedpa.exe, PID 2992
106. C:\Windows\SysWOW64\Epakcm32.exe, command line C:\Windows\system32\Epakcm32.exe, PID 2836
107. C:\Windows\SysWOW64\Fhlogo32.exe, command line C:\Windows\system32\Fhlogo32.exe, PID 820
108. C:\Windows\SysWOW64\Fillabde.exe, command line C:\Windows\system32\Fillabde.exe, PID 1896
109. C:\Windows\SysWOW64\Fbdpjgjf.exe, command line C:\Windows\system32\Fbdpjgjf.exe, PID 2144
110. C:\Windows\SysWOW64\Fmnakege.exe, command line C:\Windows\system32\Fmnakege.exe, PID 2464
111. C:\Windows\SysWOW64\Fomndhng.exe, command line C:\Windows\system32\Fomndhng.exe, PID 928
112. C:\Windows\SysWOW64\Fdjfmolo.exe, command line C:\Windows\system32\Fdjfmolo.exe, PID 2072
113. C:\Windows\SysWOW64\Fkdoii32.exe, command line C:\Windows\system32\Fkdoii32.exe, PID 1164
- Drops file in System32 directory
114. C:\Windows\SysWOW64\Fangfcki.exe, command line C:\Windows\system32\Fangfcki.exe, PID 2408
- Drops file in System32 directory
115. C:\Windows\SysWOW64\Giikkehc.exe, command line C:\Windows\system32\Giikkehc.exe, PID 2304
116. C:\Windows\SysWOW64\Gngdadoj.exe, command line C:\Windows\system32\Gngdadoj.exe, PID 2260
117. C:\Windows\SysWOW64\Ggphji32.exe, command line C:\Windows\system32\Ggphji32.exe, PID 2352
118. C:\Windows\SysWOW64\Gcfioj32.exe, command line C:\Windows\system32\Gcfioj32.exe, PID 2888
119. C:\Windows\SysWOW64\Gjpakdbl.exe, command line C:\Windows\system32\Gjpakdbl.exe, PID 2340
- System Location Discovery: System Language Discovery
120. C:\Windows\SysWOW64\Gkancm32.exe, command line C:\Windows\system32\Gkancm32.exe, PID 2076
- System Location Discovery: System Language Discovery
121. C:\Windows\SysWOW64\Galfpgpg.exe, command line C:\Windows\system32\Galfpgpg.exe, PID 2216
- Modifies registry class
122. C:\Windows\SysWOW64\Hdloab32.exe, command line C:\Windows\system32\Hdloab32.exe, PID 1156