Analysis
-
max time kernel
26s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
12/10/2024, 02:12
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
bcf63d9e6ad8484f93a836127c0686ed543948edd1cad176a969cf9a9bca1999.exe
Resource
win7-20240729-en
windows7-x64
9 signatures
150 seconds
Behavioral task
behavioral2
Sample
bcf63d9e6ad8484f93a836127c0686ed543948edd1cad176a969cf9a9bca1999.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
8 signatures
150 seconds
General
-
Target
bcf63d9e6ad8484f93a836127c0686ed543948edd1cad176a969cf9a9bca1999.exe
-
Size
80KB
-
MD5
7d9986839ba235638a2ca9d1566129d9
-
SHA1
c4d73f01ed419a941efcbfdf4a9004953f6889d8
-
SHA256
bcf63d9e6ad8484f93a836127c0686ed543948edd1cad176a969cf9a9bca1999
-
SHA512
9ca65a89743e87129d2b11325cf0056eb056ef756f5ffc22fbc66d71a961cff0dded16cba5319153271dffe1bc3b516ec6b16a28fc611424ed0e7e2fbac4dcf3
-
SSDEEP
1536:2TJ/XuDXaqABrCk+kNpJkM2LXaIZTJ+7LhkiB0:8/XuDuBrP+k5kFXaMU7ui
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbcikn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fcaaloed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ipcjje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pldknmhd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fcegdnna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lcnhcdkp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oakaheoa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfdcbmbn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ophanl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oegflcbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Elpldp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hbhmfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ndbjgjqh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecmhqp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bbjoki32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnakjaoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jkfnaa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahmehqna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eolljk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdbgia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mnakjaoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjfkbhae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Icjmpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oegflcbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iimhfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Keodflee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mjofanld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nmpkal32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofjjghik.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmcbbo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Neemgp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qggoeilh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Llgllj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mjmiknng.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnnobl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ggmjkapi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Imqdcjkd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhjghlng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mchadifq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbccklmj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epjbienl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jmejmm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flphccbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gnhkkjbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hqkmahpp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhljpmlm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npfhjifm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fefpfi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppiapp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfngbq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofnppgbh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ihaldgak.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eganqo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gcfgfack.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ieligmho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Infjfblm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njipabhe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Danohi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dibjcg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eplood32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmafmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Apdminod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkddjkej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cneiki32.exe -
Executes dropped EXE 64 IoCs
pid Process 2272 Lbfcbdce.exe 2208 Llkgpmck.exe 2940 Lfckhc32.exe 2868 Lhbhdnio.exe 2708 Lkqdajhc.exe 2760 Lkcqfifp.exe 2796 Lbmicc32.exe 2504 Lgiakjld.exe 1256 Lkemli32.exe 2812 Ljjjmeie.exe 1536 Mcbofk32.exe 1752 Mmkcoq32.exe 2800 Mcekkkmc.exe 2852 Mkpppmko.exe 2680 Mbjhlg32.exe 2268 Mnaiah32.exe 572 Mfhabe32.exe 768 Mpqekkob.exe 2684 Mbobgfnf.exe 2364 Nhljpmlm.exe 1996 Nlgfqldf.exe 3064 Njlcah32.exe 376 Nmkpnd32.exe 888 Nhpdkm32.exe 1320 Nfcdfiob.exe 444 Ndgdpn32.exe 2784 Nhbqqlfe.exe 3052 Npneeocq.exe 2888 Nblaajbd.exe 2376 Nmbenc32.exe 1700 Oppbjn32.exe 1796 Ofjjghik.exe 1328 Oemjbe32.exe 1532 Oiifcdhn.exe 2212 Omdbdb32.exe 1872 Olgboogb.exe 1952 Ooeolkff.exe 948 Obakli32.exe 1492 Oepghe32.exe 2092 Ohncdp32.exe 2304 Olioeoeo.exe 2912 Oohlaj32.exe 2404 Oafhmf32.exe 1976 Oimpnc32.exe 1828 Ohppjpkc.exe 1804 Okolfkjg.exe 1396 Oojhfj32.exe 1888 Obfdgiji.exe 1712 Oedqcdim.exe 2440 Ohbmppia.exe 2992 Olnipn32.exe 2652 Oolelj32.exe 2656 Oakaheoa.exe 2532 Oefmid32.exe 2616 Oheieo32.exe 2012 Pkcfak32.exe 2804 Pooaaink.exe 2400 Pmabmf32.exe 2396 Pppnia32.exe 1540 Pdljjplb.exe 580 Pgjfflkf.exe 2960 Pkebgj32.exe 2064 Pihbbgjj.exe 2156 Papkcd32.exe -
Loads dropped DLL 64 IoCs
pid Process 1820 bcf63d9e6ad8484f93a836127c0686ed543948edd1cad176a969cf9a9bca1999.exe 1820 bcf63d9e6ad8484f93a836127c0686ed543948edd1cad176a969cf9a9bca1999.exe 2272 Lbfcbdce.exe 2272 Lbfcbdce.exe 2208 Llkgpmck.exe 2208 Llkgpmck.exe 2940 Lfckhc32.exe 2940 Lfckhc32.exe 2868 Lhbhdnio.exe 2868 Lhbhdnio.exe 2708 Lkqdajhc.exe 2708 Lkqdajhc.exe 2760 Lkcqfifp.exe 2760 Lkcqfifp.exe 2796 Lbmicc32.exe 2796 Lbmicc32.exe 2504 Lgiakjld.exe 2504 Lgiakjld.exe 1256 Lkemli32.exe 1256 Lkemli32.exe 2812 Ljjjmeie.exe 2812 Ljjjmeie.exe 1536 Mcbofk32.exe 1536 Mcbofk32.exe 1752 Mmkcoq32.exe 1752 Mmkcoq32.exe 2800 Mcekkkmc.exe 2800 Mcekkkmc.exe 2852 Mkpppmko.exe 2852 Mkpppmko.exe 2680 Mbjhlg32.exe 2680 Mbjhlg32.exe 2268 Mnaiah32.exe 2268 Mnaiah32.exe 572 Mfhabe32.exe 572 Mfhabe32.exe 768 Mpqekkob.exe 768 Mpqekkob.exe 2684 Mbobgfnf.exe 2684 Mbobgfnf.exe 2364 Nhljpmlm.exe 2364 Nhljpmlm.exe 1996 Nlgfqldf.exe 1996 Nlgfqldf.exe 3064 Njlcah32.exe 3064 Njlcah32.exe 376 Nmkpnd32.exe 376 Nmkpnd32.exe 888 Nhpdkm32.exe 888 Nhpdkm32.exe 1320 Nfcdfiob.exe 1320 Nfcdfiob.exe 444 Ndgdpn32.exe 444 Ndgdpn32.exe 2784 Nhbqqlfe.exe 2784 Nhbqqlfe.exe 3052 Npneeocq.exe 3052 Npneeocq.exe 2888 Nblaajbd.exe 2888 Nblaajbd.exe 2376 Nmbenc32.exe 2376 Nmbenc32.exe 1700 Oppbjn32.exe 1700 Oppbjn32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Lhbhdnio.exe Lfckhc32.exe File created C:\Windows\SysWOW64\Pemjdi32.dll Eleliepj.exe File created C:\Windows\SysWOW64\Jdmfdgbj.exe Jpajdi32.exe File created C:\Windows\SysWOW64\Ncnbqeoe.dll Kcdljghj.exe File created C:\Windows\SysWOW64\Nlklik32.exe Nilpmo32.exe File opened for modification C:\Windows\SysWOW64\Bdmhcp32.exe Bbolge32.exe File created C:\Windows\SysWOW64\Jjbpfopf.dll Olobcm32.exe File created C:\Windows\SysWOW64\Keodflee.exe Kcahjqfa.exe File opened for modification C:\Windows\SysWOW64\Bigohejb.exe Afhbljko.exe File opened for modification C:\Windows\SysWOW64\Cllmdcej.exe Cmimif32.exe File opened for modification C:\Windows\SysWOW64\Fhccoe32.exe Fdggofgn.exe File created C:\Windows\SysWOW64\Ahmehqna.exe Ajjeld32.exe File opened for modification C:\Windows\SysWOW64\Biakbc32.exe Bfcnfh32.exe File opened for modification C:\Windows\SysWOW64\Elgioe32.exe Eiimci32.exe File created C:\Windows\SysWOW64\Fabkfhch.dll Mqjehngm.exe File created C:\Windows\SysWOW64\Ohppjpkc.exe Oimpnc32.exe File created C:\Windows\SysWOW64\Gojkecka.exe Gkoodd32.exe File created C:\Windows\SysWOW64\Paemac32.exe Pmjaadjm.exe File opened for modification C:\Windows\SysWOW64\Koelibnh.exe Klgpmgod.exe File opened for modification C:\Windows\SysWOW64\Nkjeod32.exe Nccmng32.exe File created C:\Windows\SysWOW64\Ccbfdf32.dll Cfkkam32.exe File created C:\Windows\SysWOW64\Joigkgel.dll Dhlapc32.exe File created C:\Windows\SysWOW64\Okakjo32.dll Fdggofgn.exe File opened for modification C:\Windows\SysWOW64\Kdjenkgh.exe Kaliaphd.exe File opened for modification C:\Windows\SysWOW64\Echoepmo.exe Epjbienl.exe File opened for modification C:\Windows\SysWOW64\Lodoefed.exe Llfcik32.exe File created C:\Windows\SysWOW64\Kpnnbm32.dll Pdamhocm.exe File created C:\Windows\SysWOW64\Khmebeij.dll Gdfmccfm.exe File opened for modification C:\Windows\SysWOW64\Ljjjmeie.exe Lkemli32.exe File created C:\Windows\SysWOW64\Oefmid32.exe Oakaheoa.exe File created C:\Windows\SysWOW64\Akihojfo.dll Dendcg32.exe File opened for modification C:\Windows\SysWOW64\Jkdalb32.exe Jfiekc32.exe File created C:\Windows\SysWOW64\Lckbkfbb.exe Lpmeojbo.exe File created C:\Windows\SysWOW64\Pdgnnfme.dll Plfhdlfb.exe File opened for modification C:\Windows\SysWOW64\Dijjgegh.exe Dflnkjhe.exe File created C:\Windows\SysWOW64\Falakjag.exe Fondonbc.exe File created C:\Windows\SysWOW64\Bebkdqbc.dll Ikbndqnc.exe File created C:\Windows\SysWOW64\Pajicf32.dll Mjofanld.exe File created C:\Windows\SysWOW64\Mkpppmko.exe Mcekkkmc.exe File opened for modification C:\Windows\SysWOW64\Bnmjgkpo.exe Bkonkpqk.exe File created C:\Windows\SysWOW64\Hjcajn32.exe Hgeenb32.exe File opened for modification C:\Windows\SysWOW64\Mfdjpo32.exe Mcendc32.exe File created C:\Windows\SysWOW64\Oppbjn32.exe Nmbenc32.exe File opened for modification C:\Windows\SysWOW64\Jkfnaa32.exe Jfkbqcam.exe File created C:\Windows\SysWOW64\Oefcdgnb.dll Njmejaqb.exe File created C:\Windows\SysWOW64\Hdfjnimm.dll Obamebfc.exe File created C:\Windows\SysWOW64\Obfdgiji.exe Oojhfj32.exe File created C:\Windows\SysWOW64\Magfkkpi.dll Oojhfj32.exe File created C:\Windows\SysWOW64\Kjfdgc32.dll Ehonebqq.exe File created C:\Windows\SysWOW64\Mkkpjg32.exe Mgodjico.exe File created C:\Windows\SysWOW64\Banndk32.dll Boifinfg.exe File created C:\Windows\SysWOW64\Flphccbp.exe Fialggcl.exe File created C:\Windows\SysWOW64\Jaecfp32.dll Pdljjplb.exe File opened for modification C:\Windows\SysWOW64\Fcoaebjc.exe Fdlqjf32.exe File opened for modification C:\Windows\SysWOW64\Nbljfdoh.exe Nnpofe32.exe File created C:\Windows\SysWOW64\Mkqbhf32.exe Mlnbmikh.exe File opened for modification C:\Windows\SysWOW64\Opqdcgib.exe Olehbh32.exe File opened for modification C:\Windows\SysWOW64\Ofjjghik.exe Oppbjn32.exe File opened for modification C:\Windows\SysWOW64\Bnqcaffa.exe Akbgdkgm.exe File created C:\Windows\SysWOW64\Mdjfie32.dll Llgllj32.exe File opened for modification C:\Windows\SysWOW64\Mdkcgk32.exe Mfhcknpf.exe File opened for modification C:\Windows\SysWOW64\Ngcbie32.exe Nplkhh32.exe File opened for modification C:\Windows\SysWOW64\Lkcqfifp.exe Lkqdajhc.exe File opened for modification C:\Windows\SysWOW64\Imcaijia.exe Ieligmho.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 8252 8228 WerFault.exe 847 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kciifc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phoeomjc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edmnnakm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnfeep32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfckhc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Biikne32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hqbnnj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfflfp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibpjaagi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgbgon32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ficilgai.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jehbfjia.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhbqqlfe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afffgjma.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jaoblk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpnobi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbepplkh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnfhfmhc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdakoj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npdkdjhp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlcceboa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ecmhqp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdekigip.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnikmnho.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obijpgcf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Biakbc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmkpnd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cedbmi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpiihgoh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fialggcl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkeedo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmbnhm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plfhdlfb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pknakhig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qdkpomkb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmopge32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lamkllea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oojhfj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpgieb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdahnmck.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cihqbb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Keodflee.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbkolmia.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iljkofkg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lddagi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icjmpd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkdalb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbgela32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncpgeh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ododdlcd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afcbgd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcimop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbjbibli.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbmlal32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Goodpb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oiglfm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhegcg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Faikbkhj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Falakjag.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eigpmjqg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kikpgk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language bcf63d9e6ad8484f93a836127c0686ed543948edd1cad176a969cf9a9bca1999.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbjhlg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Haejcj32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkneka32.dll" Gdgcnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdpmbmao.dll" Nmeohnil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pknakhig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocmfdj32.dll" Jbooen32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oemjbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bnmjgkpo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dbmlal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oiniaboi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Plaoim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ahdkhp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ceoagcld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfahiebp.dll" Ekeiel32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lednal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmdiik32.dll" Mbjhlg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bnmjgkpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eidchjbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enkfnp32.dll" Iecohl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dfjaej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mjmiknng.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dendcg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ecodfogg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iaegbmlq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Biakbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Joepjokm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pkcfak32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Boeppomj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffmicb32.dll" Lodoefed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ohmljj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Copljmpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lcqdidim.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Andkbien.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mckmpf32.dll" Ifiilp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lllpclnk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mkmmpg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aglhph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aoijjjcl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cacegd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbdfdi32.dll" Ppegdapd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ppiapp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iecohl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Necqbp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Plfhdlfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cfghagio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oikgjlgb.dll" Dbcnpk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gfhikl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idcfam32.dll" Ahioobed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gcfgfack.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qkpnph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bnhjae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hjfbaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iceiibef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Holjmiol.dll" Lhegcg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nhpdkm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oelnfp32.dll" Gfmmanif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flingf32.dll" Lobbpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Afcbgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibmldh32.dll" Djcpqidc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gknhjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahjldnpp.dll" Jffakm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhnibd32.dll" Ipcjje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Moedaakj.dll" Mcmkoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bdklnq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bgihjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lhbjmg32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1820 wrote to memory of 2272 1820 bcf63d9e6ad8484f93a836127c0686ed543948edd1cad176a969cf9a9bca1999.exe 28 PID 1820 wrote to memory of 2272 1820 bcf63d9e6ad8484f93a836127c0686ed543948edd1cad176a969cf9a9bca1999.exe 28 PID 1820 wrote to memory of 2272 1820 bcf63d9e6ad8484f93a836127c0686ed543948edd1cad176a969cf9a9bca1999.exe 28 PID 1820 wrote to memory of 2272 1820 bcf63d9e6ad8484f93a836127c0686ed543948edd1cad176a969cf9a9bca1999.exe 28 PID 2272 wrote to memory of 2208 2272 Lbfcbdce.exe 29 PID 2272 wrote to memory of 2208 2272 Lbfcbdce.exe 29 PID 2272 wrote to memory of 2208 2272 Lbfcbdce.exe 29 PID 2272 wrote to memory of 2208 2272 Lbfcbdce.exe 29 PID 2208 wrote to memory of 2940 2208 Llkgpmck.exe 30 PID 2208 wrote to memory of 2940 2208 Llkgpmck.exe 30 PID 2208 wrote to memory of 2940 2208 Llkgpmck.exe 30 PID 2208 wrote to memory of 2940 2208 Llkgpmck.exe 30 PID 2940 wrote to memory of 2868 2940 Lfckhc32.exe 31 PID 2940 wrote to memory of 2868 2940 Lfckhc32.exe 31 PID 2940 wrote to memory of 2868 2940 Lfckhc32.exe 31 PID 2940 wrote to memory of 2868 2940 Lfckhc32.exe 31 PID 2868 wrote to memory of 2708 2868 Lhbhdnio.exe 32 PID 2868 wrote to memory of 2708 2868 Lhbhdnio.exe 32 PID 2868 wrote to memory of 2708 2868 Lhbhdnio.exe 32 PID 2868 wrote to memory of 2708 2868 Lhbhdnio.exe 32 PID 2708 wrote to memory of 2760 2708 Lkqdajhc.exe 33 PID 2708 wrote to memory of 2760 2708 Lkqdajhc.exe 33 PID 2708 wrote to memory of 2760 2708 Lkqdajhc.exe 33 PID 2708 wrote to memory of 2760 2708 Lkqdajhc.exe 33 PID 2760 wrote to memory of 2796 2760 Lkcqfifp.exe 34 PID 2760 wrote to memory of 2796 2760 Lkcqfifp.exe 34 PID 2760 wrote to memory of 2796 2760 Lkcqfifp.exe 34 PID 2760 wrote to memory of 2796 2760 Lkcqfifp.exe 34 PID 2796 wrote to memory of 2504 2796 Lbmicc32.exe 35 PID 2796 wrote to memory of 2504 2796 Lbmicc32.exe 35 PID 2796 wrote to memory of 2504 2796 Lbmicc32.exe 35 PID 2796 wrote to memory of 2504 2796 Lbmicc32.exe 35 PID 2504 wrote to memory of 1256 2504 Lgiakjld.exe 36 PID 2504 wrote to memory of 1256 2504 Lgiakjld.exe 36 PID 2504 wrote to memory of 1256 2504 Lgiakjld.exe 36 PID 2504 wrote to memory of 1256 2504 Lgiakjld.exe 36 PID 1256 wrote to memory of 2812 1256 Lkemli32.exe 37 PID 1256 wrote to memory of 2812 1256 Lkemli32.exe 37 PID 1256 wrote to memory of 2812 1256 Lkemli32.exe 37 PID 1256 wrote to memory of 2812 1256 Lkemli32.exe 37 PID 2812 wrote to memory of 1536 2812 Ljjjmeie.exe 38 PID 2812 wrote to memory of 1536 2812 Ljjjmeie.exe 38 PID 2812 wrote to memory of 1536 2812 Ljjjmeie.exe 38 PID 2812 wrote to memory of 1536 2812 Ljjjmeie.exe 38 PID 1536 wrote to memory of 1752 1536 Mcbofk32.exe 39 PID 1536 wrote to memory of 1752 1536 Mcbofk32.exe 39 PID 1536 wrote to memory of 1752 1536 Mcbofk32.exe 39 PID 1536 wrote to memory of 1752 1536 Mcbofk32.exe 39 PID 1752 wrote to memory of 2800 1752 Mmkcoq32.exe 40 PID 1752 wrote to memory of 2800 1752 Mmkcoq32.exe 40 PID 1752 wrote to memory of 2800 1752 Mmkcoq32.exe 40 PID 1752 wrote to memory of 2800 1752 Mmkcoq32.exe 40 PID 2800 wrote to memory of 2852 2800 Mcekkkmc.exe 41 PID 2800 wrote to memory of 2852 2800 Mcekkkmc.exe 41 PID 2800 wrote to memory of 2852 2800 Mcekkkmc.exe 41 PID 2800 wrote to memory of 2852 2800 Mcekkkmc.exe 41 PID 2852 wrote to memory of 2680 2852 Mkpppmko.exe 42 PID 2852 wrote to memory of 2680 2852 Mkpppmko.exe 42 PID 2852 wrote to memory of 2680 2852 Mkpppmko.exe 42 PID 2852 wrote to memory of 2680 2852 Mkpppmko.exe 42 PID 2680 wrote to memory of 2268 2680 Mbjhlg32.exe 43 PID 2680 wrote to memory of 2268 2680 Mbjhlg32.exe 43 PID 2680 wrote to memory of 2268 2680 Mbjhlg32.exe 43 PID 2680 wrote to memory of 2268 2680 Mbjhlg32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\bcf63d9e6ad8484f93a836127c0686ed543948edd1cad176a969cf9a9bca1999.exe"C:\Users\Admin\AppData\Local\Temp\bcf63d9e6ad8484f93a836127c0686ed543948edd1cad176a969cf9a9bca1999.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1820 -
C:\Windows\SysWOW64\Lbfcbdce.exeC:\Windows\system32\Lbfcbdce.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2272 -
C:\Windows\SysWOW64\Llkgpmck.exeC:\Windows\system32\Llkgpmck.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2208 -
C:\Windows\SysWOW64\Lfckhc32.exeC:\Windows\system32\Lfckhc32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2940 -
C:\Windows\SysWOW64\Lhbhdnio.exeC:\Windows\system32\Lhbhdnio.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2868 -
C:\Windows\SysWOW64\Lkqdajhc.exeC:\Windows\system32\Lkqdajhc.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2708 -
C:\Windows\SysWOW64\Lkcqfifp.exeC:\Windows\system32\Lkcqfifp.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Windows\SysWOW64\Lbmicc32.exeC:\Windows\system32\Lbmicc32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2796 -
C:\Windows\SysWOW64\Lgiakjld.exeC:\Windows\system32\Lgiakjld.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2504 -
C:\Windows\SysWOW64\Lkemli32.exeC:\Windows\system32\Lkemli32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1256 -
C:\Windows\SysWOW64\Ljjjmeie.exeC:\Windows\system32\Ljjjmeie.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2812 -
C:\Windows\SysWOW64\Mcbofk32.exeC:\Windows\system32\Mcbofk32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1536 -
C:\Windows\SysWOW64\Mmkcoq32.exeC:\Windows\system32\Mmkcoq32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1752 -
C:\Windows\SysWOW64\Mcekkkmc.exeC:\Windows\system32\Mcekkkmc.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2800 -
C:\Windows\SysWOW64\Mkpppmko.exeC:\Windows\system32\Mkpppmko.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2852 -
C:\Windows\SysWOW64\Mbjhlg32.exeC:\Windows\system32\Mbjhlg32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2680 -
C:\Windows\SysWOW64\Mnaiah32.exeC:\Windows\system32\Mnaiah32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2268 -
C:\Windows\SysWOW64\Mfhabe32.exeC:\Windows\system32\Mfhabe32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:572 -
C:\Windows\SysWOW64\Mpqekkob.exeC:\Windows\system32\Mpqekkob.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:768 -
C:\Windows\SysWOW64\Mbobgfnf.exeC:\Windows\system32\Mbobgfnf.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2684 -
C:\Windows\SysWOW64\Nhljpmlm.exeC:\Windows\system32\Nhljpmlm.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2364 -
C:\Windows\SysWOW64\Nlgfqldf.exeC:\Windows\system32\Nlgfqldf.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1996 -
C:\Windows\SysWOW64\Njlcah32.exeC:\Windows\system32\Njlcah32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3064 -
C:\Windows\SysWOW64\Nmkpnd32.exeC:\Windows\system32\Nmkpnd32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:376 -
C:\Windows\SysWOW64\Nhpdkm32.exeC:\Windows\system32\Nhpdkm32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:888 -
C:\Windows\SysWOW64\Nfcdfiob.exeC:\Windows\system32\Nfcdfiob.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1320 -
C:\Windows\SysWOW64\Ndgdpn32.exeC:\Windows\system32\Ndgdpn32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:444 -
C:\Windows\SysWOW64\Nhbqqlfe.exeC:\Windows\system32\Nhbqqlfe.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2784 -
C:\Windows\SysWOW64\Npneeocq.exeC:\Windows\system32\Npneeocq.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3052 -
C:\Windows\SysWOW64\Nblaajbd.exeC:\Windows\system32\Nblaajbd.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2888 -
C:\Windows\SysWOW64\Nmbenc32.exeC:\Windows\system32\Nmbenc32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2376 -
C:\Windows\SysWOW64\Oppbjn32.exeC:\Windows\system32\Oppbjn32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1700 -
C:\Windows\SysWOW64\Ofjjghik.exeC:\Windows\system32\Ofjjghik.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1796 -
C:\Windows\SysWOW64\Oemjbe32.exeC:\Windows\system32\Oemjbe32.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:1328 -
C:\Windows\SysWOW64\Oiifcdhn.exeC:\Windows\system32\Oiifcdhn.exe35⤵
- Executes dropped EXE
PID:1532 -
C:\Windows\SysWOW64\Omdbdb32.exeC:\Windows\system32\Omdbdb32.exe36⤵
- Executes dropped EXE
PID:2212 -
C:\Windows\SysWOW64\Olgboogb.exeC:\Windows\system32\Olgboogb.exe37⤵
- Executes dropped EXE
PID:1872 -
C:\Windows\SysWOW64\Ooeolkff.exeC:\Windows\system32\Ooeolkff.exe38⤵
- Executes dropped EXE
PID:1952 -
C:\Windows\SysWOW64\Obakli32.exeC:\Windows\system32\Obakli32.exe39⤵
- Executes dropped EXE
PID:948 -
C:\Windows\SysWOW64\Oepghe32.exeC:\Windows\system32\Oepghe32.exe40⤵
- Executes dropped EXE
PID:1492 -
C:\Windows\SysWOW64\Ohncdp32.exeC:\Windows\system32\Ohncdp32.exe41⤵
- Executes dropped EXE
PID:2092 -
C:\Windows\SysWOW64\Olioeoeo.exeC:\Windows\system32\Olioeoeo.exe42⤵
- Executes dropped EXE
PID:2304 -
C:\Windows\SysWOW64\Oohlaj32.exeC:\Windows\system32\Oohlaj32.exe43⤵
- Executes dropped EXE
PID:2912 -
C:\Windows\SysWOW64\Oafhmf32.exeC:\Windows\system32\Oafhmf32.exe44⤵
- Executes dropped EXE
PID:2404 -
C:\Windows\SysWOW64\Oimpnc32.exeC:\Windows\system32\Oimpnc32.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1976 -
C:\Windows\SysWOW64\Ohppjpkc.exeC:\Windows\system32\Ohppjpkc.exe46⤵
- Executes dropped EXE
PID:1828 -
C:\Windows\SysWOW64\Okolfkjg.exeC:\Windows\system32\Okolfkjg.exe47⤵
- Executes dropped EXE
PID:1804 -
C:\Windows\SysWOW64\Oojhfj32.exeC:\Windows\system32\Oojhfj32.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1396 -
C:\Windows\SysWOW64\Obfdgiji.exeC:\Windows\system32\Obfdgiji.exe49⤵
- Executes dropped EXE
PID:1888 -
C:\Windows\SysWOW64\Oedqcdim.exeC:\Windows\system32\Oedqcdim.exe50⤵
- Executes dropped EXE
PID:1712 -
C:\Windows\SysWOW64\Ohbmppia.exeC:\Windows\system32\Ohbmppia.exe51⤵
- Executes dropped EXE
PID:2440 -
C:\Windows\SysWOW64\Olnipn32.exeC:\Windows\system32\Olnipn32.exe52⤵
- Executes dropped EXE
PID:2992 -
C:\Windows\SysWOW64\Oolelj32.exeC:\Windows\system32\Oolelj32.exe53⤵
- Executes dropped EXE
PID:2652 -
C:\Windows\SysWOW64\Oakaheoa.exeC:\Windows\system32\Oakaheoa.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2656 -
C:\Windows\SysWOW64\Oefmid32.exeC:\Windows\system32\Oefmid32.exe55⤵
- Executes dropped EXE
PID:2532 -
C:\Windows\SysWOW64\Oheieo32.exeC:\Windows\system32\Oheieo32.exe56⤵
- Executes dropped EXE
PID:2616 -
C:\Windows\SysWOW64\Pkcfak32.exeC:\Windows\system32\Pkcfak32.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:2012 -
C:\Windows\SysWOW64\Pooaaink.exeC:\Windows\system32\Pooaaink.exe58⤵
- Executes dropped EXE
PID:2804 -
C:\Windows\SysWOW64\Pmabmf32.exeC:\Windows\system32\Pmabmf32.exe59⤵
- Executes dropped EXE
PID:2400 -
C:\Windows\SysWOW64\Pppnia32.exeC:\Windows\system32\Pppnia32.exe60⤵
- Executes dropped EXE
PID:2396 -
C:\Windows\SysWOW64\Pdljjplb.exeC:\Windows\system32\Pdljjplb.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1540 -
C:\Windows\SysWOW64\Pgjfflkf.exeC:\Windows\system32\Pgjfflkf.exe62⤵
- Executes dropped EXE
PID:580 -
C:\Windows\SysWOW64\Pkebgj32.exeC:\Windows\system32\Pkebgj32.exe63⤵
- Executes dropped EXE
PID:2960 -
C:\Windows\SysWOW64\Pihbbgjj.exeC:\Windows\system32\Pihbbgjj.exe64⤵
- Executes dropped EXE
PID:2064 -
C:\Windows\SysWOW64\Papkcd32.exeC:\Windows\system32\Papkcd32.exe65⤵
- Executes dropped EXE
PID:2156 -
C:\Windows\SysWOW64\Pdngpp32.exeC:\Windows\system32\Pdngpp32.exe66⤵PID:2160
-
C:\Windows\SysWOW64\Pcagkmaj.exeC:\Windows\system32\Pcagkmaj.exe67⤵PID:1512
-
C:\Windows\SysWOW64\Pkholjam.exeC:\Windows\system32\Pkholjam.exe68⤵PID:1008
-
C:\Windows\SysWOW64\Pnfkheap.exeC:\Windows\system32\Pnfkheap.exe69⤵PID:1988
-
C:\Windows\SysWOW64\Plildb32.exeC:\Windows\system32\Plildb32.exe70⤵PID:1972
-
C:\Windows\SysWOW64\Ppegdapd.exeC:\Windows\system32\Ppegdapd.exe71⤵
- Modifies registry class
PID:3028 -
C:\Windows\SysWOW64\Pccdqloh.exeC:\Windows\system32\Pccdqloh.exe72⤵PID:3044
-
C:\Windows\SysWOW64\Pgopak32.exeC:\Windows\system32\Pgopak32.exe73⤵PID:2928
-
C:\Windows\SysWOW64\Pimlmf32.exeC:\Windows\system32\Pimlmf32.exe74⤵PID:1156
-
C:\Windows\SysWOW64\Pllhib32.exeC:\Windows\system32\Pllhib32.exe75⤵PID:2512
-
C:\Windows\SysWOW64\Ppgdjqna.exeC:\Windows\system32\Ppgdjqna.exe76⤵PID:2676
-
C:\Windows\SysWOW64\Pceqfl32.exeC:\Windows\system32\Pceqfl32.exe77⤵PID:2516
-
C:\Windows\SysWOW64\Pgamgken.exeC:\Windows\system32\Pgamgken.exe78⤵PID:2500
-
C:\Windows\SysWOW64\Phbinc32.exeC:\Windows\system32\Phbinc32.exe79⤵PID:1876
-
C:\Windows\SysWOW64\Plneoace.exeC:\Windows\system32\Plneoace.exe80⤵PID:2036
-
C:\Windows\SysWOW64\Ppiapp32.exeC:\Windows\system32\Ppiapp32.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2564 -
C:\Windows\SysWOW64\Qchmll32.exeC:\Windows\system32\Qchmll32.exe82⤵PID:1784
-
C:\Windows\SysWOW64\Qefihg32.exeC:\Windows\system32\Qefihg32.exe83⤵PID:1148
-
C:\Windows\SysWOW64\Qhdfdb32.exeC:\Windows\system32\Qhdfdb32.exe84⤵PID:2276
-
C:\Windows\SysWOW64\Qlpadaac.exeC:\Windows\system32\Qlpadaac.exe85⤵PID:1092
-
C:\Windows\SysWOW64\Qoonqmqf.exeC:\Windows\system32\Qoonqmqf.exe86⤵PID:844
-
C:\Windows\SysWOW64\Qamjmh32.exeC:\Windows\system32\Qamjmh32.exe87⤵PID:924
-
C:\Windows\SysWOW64\Qfifmghc.exeC:\Windows\system32\Qfifmghc.exe88⤵PID:1864
-
C:\Windows\SysWOW64\Qdkfic32.exeC:\Windows\system32\Qdkfic32.exe89⤵PID:1164
-
C:\Windows\SysWOW64\Qhgbibgg.exeC:\Windows\system32\Qhgbibgg.exe90⤵PID:1160
-
C:\Windows\SysWOW64\Qlbnja32.exeC:\Windows\system32\Qlbnja32.exe91⤵PID:2788
-
C:\Windows\SysWOW64\Aoakfl32.exeC:\Windows\system32\Aoakfl32.exe92⤵PID:2636
-
C:\Windows\SysWOW64\Andkbien.exeC:\Windows\system32\Andkbien.exe93⤵
- Modifies registry class
PID:2856 -
C:\Windows\SysWOW64\Afkccffq.exeC:\Windows\system32\Afkccffq.exe94⤵PID:2968
-
C:\Windows\SysWOW64\Ahioobed.exeC:\Windows\system32\Ahioobed.exe95⤵
- Modifies registry class
PID:2824 -
C:\Windows\SysWOW64\Agloko32.exeC:\Windows\system32\Agloko32.exe96⤵PID:396
-
C:\Windows\SysWOW64\Anfggicl.exeC:\Windows\system32\Anfggicl.exe97⤵PID:2572
-
C:\Windows\SysWOW64\Aqddcdbo.exeC:\Windows\system32\Aqddcdbo.exe98⤵PID:2224
-
C:\Windows\SysWOW64\Ahllda32.exeC:\Windows\system32\Ahllda32.exe99⤵PID:2472
-
C:\Windows\SysWOW64\Agolpnjl.exeC:\Windows\system32\Agolpnjl.exe100⤵PID:2144
-
C:\Windows\SysWOW64\Ajmhljip.exeC:\Windows\system32\Ajmhljip.exe101⤵PID:2032
-
C:\Windows\SysWOW64\Anhdmh32.exeC:\Windows\system32\Anhdmh32.exe102⤵PID:1640
-
C:\Windows\SysWOW64\Aqgqid32.exeC:\Windows\system32\Aqgqid32.exe103⤵PID:2916
-
C:\Windows\SysWOW64\Adbmjbif.exeC:\Windows\system32\Adbmjbif.exe104⤵PID:1296
-
C:\Windows\SysWOW64\Aklefm32.exeC:\Windows\system32\Aklefm32.exe105⤵PID:2056
-
C:\Windows\SysWOW64\Ankabh32.exeC:\Windows\system32\Ankabh32.exe106⤵PID:2744
-
C:\Windows\SysWOW64\Amnanefa.exeC:\Windows\system32\Amnanefa.exe107⤵PID:2536
-
C:\Windows\SysWOW64\Adeiobgc.exeC:\Windows\system32\Adeiobgc.exe108⤵PID:2976
-
C:\Windows\SysWOW64\Achikonn.exeC:\Windows\system32\Achikonn.exe109⤵PID:2580
-
C:\Windows\SysWOW64\Afffgjma.exeC:\Windows\system32\Afffgjma.exe110⤵
- System Location Discovery: System Language Discovery
PID:1644 -
C:\Windows\SysWOW64\Ajaagi32.exeC:\Windows\system32\Ajaagi32.exe111⤵PID:1500
-
C:\Windows\SysWOW64\Ampncd32.exeC:\Windows\system32\Ampncd32.exe112⤵PID:2180
-
C:\Windows\SysWOW64\Aonjpp32.exeC:\Windows\system32\Aonjpp32.exe113⤵PID:1980
-
C:\Windows\SysWOW64\Agebam32.exeC:\Windows\system32\Agebam32.exe114⤵PID:1696
-
C:\Windows\SysWOW64\Afhbljko.exeC:\Windows\system32\Afhbljko.exe115⤵
- Drops file in System32 directory
PID:1616 -
C:\Windows\SysWOW64\Bigohejb.exeC:\Windows\system32\Bigohejb.exe116⤵PID:1928
-
C:\Windows\SysWOW64\Bqngjcje.exeC:\Windows\system32\Bqngjcje.exe117⤵PID:720
-
C:\Windows\SysWOW64\Bclcfnih.exeC:\Windows\system32\Bclcfnih.exe118⤵PID:2620
-
C:\Windows\SysWOW64\Bbocak32.exeC:\Windows\system32\Bbocak32.exe119⤵PID:3008
-
C:\Windows\SysWOW64\Bjfkbhae.exeC:\Windows\system32\Bjfkbhae.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1188 -
C:\Windows\SysWOW64\Biikne32.exeC:\Windows\system32\Biikne32.exe121⤵
- System Location Discovery: System Language Discovery
PID:1324
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-