Analysis
-
max time kernel
27s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
12-10-2024 05:17
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
5b1a89a121be41d63d1591fd68c7636bf378e02675a9650b31691a4faa2c1c39N.exe
Resource
win7-20241010-en
windows7-x64
10 signatures
120 seconds
Behavioral task
behavioral2
Sample
5b1a89a121be41d63d1591fd68c7636bf378e02675a9650b31691a4faa2c1c39N.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
8 signatures
120 seconds
General
-
Target
5b1a89a121be41d63d1591fd68c7636bf378e02675a9650b31691a4faa2c1c39N.exe
-
Size
55KB
-
MD5
7ab1474ea11a7c098af18fb10b821150
-
SHA1
4c1da830767ebe7f9bec15312408fb9dbcd92a9b
-
SHA256
5b1a89a121be41d63d1591fd68c7636bf378e02675a9650b31691a4faa2c1c39
-
SHA512
58bdb8a7c85704ed60d5c32216e5c263d561245a10c158f47f332930bb009b59fa6c0ea737941ab6557c8eef5d3ded848c4b98d465615eef71aad9aa6b2fd94f
-
SSDEEP
1536:keO9iaR9OA1DBThW5r9+FoNSoNSd0A3shxD6:ke/KBTh29CoNXNW0A8hh
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://tat-neftbank.ru/kkq.php
http://tat-neftbank.ru/wcmd.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hahnac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jlphbbbg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Becpap32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdiogq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnacpffh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkecij32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iamdkfnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jpdnbbah.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahpifj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Clgbno32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jplkmgol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mjpkqonj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Diphbfdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdqlajbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mjcaimgg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dknajh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mimgeigj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nefdpjkl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cedpbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Khabghdl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njbdea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkklhjnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjbeofpp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbjojh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iamdkfnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jfliim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bbjdjjdn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chnbcpmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Comdkipe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oaghki32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlfmbibo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pgpgjepk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhiomn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdghaf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkoicb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ejmhkiig.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Folfoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Khkbbc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pepcelel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjdkjpkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ifffkncm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpjngh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Obhdcanc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hnjbeh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Caidaeak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cnnnnh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehkhaqpk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnhgim32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odchbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ddiibc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hhcmhdke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hhejnc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qngopb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kffldlne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aqjdgmgd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gjojef32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Diphbfdi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekcaonhe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pgbdodnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lgoboc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gjjmijme.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbjeinje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bmlael32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfmhdpnc.exe -
Executes dropped EXE 64 IoCs
pid Process 1736 Amkbnp32.exe 2248 Akncimmh.exe 2240 Akqpom32.exe 2976 Abkhkgbb.exe 2996 Aidphq32.exe 2028 Abmdafpp.exe 2680 Ajhiei32.exe 2544 Acqnnndl.exe 1296 Akhfoldn.exe 3028 Bepjha32.exe 2844 Bfagpiam.exe 3040 Bagkmb32.exe 1152 Bfccei32.exe 1692 Bplhnoej.exe 1844 Bbjdjjdn.exe 272 Bidlgdlk.exe 908 Bcjqdmla.exe 2964 Bigimdjh.exe 1360 Bpqain32.exe 1044 Bfkifhib.exe 1524 Ciifbchf.exe 564 Clgbno32.exe 1948 Cbajkiof.exe 2092 Cepfgdnj.exe 2268 Chnbcpmn.exe 2148 Cjmopkla.exe 2436 Cafgle32.exe 2192 Cojhejbh.exe 2448 Caidaeak.exe 2948 Cedpbd32.exe 2800 Comdkipe.exe 2076 Cakqgeoi.exe 2664 Danmmd32.exe 2032 Dpqnhadq.exe 784 Dkfbfjdf.exe 1620 Dlgnmb32.exe 3012 Dgmbkk32.exe 2144 Dgoopkgh.exe 2896 Dinklffl.exe 2356 Dcfpel32.exe 484 Diphbfdi.exe 2396 Dkadjn32.exe 1788 Ddiibc32.exe 2056 Ekcaonhe.exe 1856 Eamilh32.exe 1344 Ekfndmfb.exe 872 Endjaief.exe 2416 Eapfagno.exe 1552 Ehjona32.exe 2404 Egmojnlf.exe 2244 Ekhkjm32.exe 2572 Enfgfh32.exe 2808 Eabcggll.exe 2936 Edqocbkp.exe 2840 Eccpoo32.exe 2720 Ejmhkiig.exe 672 Elldgehk.exe 1796 Epgphcqd.exe 3064 Ecfldoph.exe 2952 Efdhpjok.exe 2360 Enkpahon.exe 588 Eolmip32.exe 852 Fchijone.exe 1988 Fffefjmi.exe -
Loads dropped DLL 64 IoCs
pid Process 2500 5b1a89a121be41d63d1591fd68c7636bf378e02675a9650b31691a4faa2c1c39N.exe 2500 5b1a89a121be41d63d1591fd68c7636bf378e02675a9650b31691a4faa2c1c39N.exe 1736 Amkbnp32.exe 1736 Amkbnp32.exe 2248 Akncimmh.exe 2248 Akncimmh.exe 2240 Akqpom32.exe 2240 Akqpom32.exe 2976 Abkhkgbb.exe 2976 Abkhkgbb.exe 2996 Aidphq32.exe 2996 Aidphq32.exe 2028 Abmdafpp.exe 2028 Abmdafpp.exe 2680 Ajhiei32.exe 2680 Ajhiei32.exe 2544 Acqnnndl.exe 2544 Acqnnndl.exe 1296 Akhfoldn.exe 1296 Akhfoldn.exe 3028 Bepjha32.exe 3028 Bepjha32.exe 2844 Bfagpiam.exe 2844 Bfagpiam.exe 3040 Bagkmb32.exe 3040 Bagkmb32.exe 1152 Bfccei32.exe 1152 Bfccei32.exe 1692 Bplhnoej.exe 1692 Bplhnoej.exe 1844 Bbjdjjdn.exe 1844 Bbjdjjdn.exe 272 Bidlgdlk.exe 272 Bidlgdlk.exe 908 Bcjqdmla.exe 908 Bcjqdmla.exe 2964 Bigimdjh.exe 2964 Bigimdjh.exe 1360 Bpqain32.exe 1360 Bpqain32.exe 1044 Bfkifhib.exe 1044 Bfkifhib.exe 1524 Ciifbchf.exe 1524 Ciifbchf.exe 564 Clgbno32.exe 564 Clgbno32.exe 1948 Cbajkiof.exe 1948 Cbajkiof.exe 2092 Cepfgdnj.exe 2092 Cepfgdnj.exe 2268 Chnbcpmn.exe 2268 Chnbcpmn.exe 2148 Cjmopkla.exe 2148 Cjmopkla.exe 2436 Cafgle32.exe 2436 Cafgle32.exe 2192 Cojhejbh.exe 2192 Cojhejbh.exe 2448 Caidaeak.exe 2448 Caidaeak.exe 2948 Cedpbd32.exe 2948 Cedpbd32.exe 2800 Comdkipe.exe 2800 Comdkipe.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Akncimmh.exe Amkbnp32.exe File created C:\Windows\SysWOW64\Kgbioq32.dll Mbcoio32.exe File opened for modification C:\Windows\SysWOW64\Aqbdkk32.exe Abpcooea.exe File created C:\Windows\SysWOW64\Fffefjmi.exe Fchijone.exe File opened for modification C:\Windows\SysWOW64\Ecnoijbd.exe Eobchk32.exe File created C:\Windows\SysWOW64\Dmojkc32.exe Dicnkdnf.exe File created C:\Windows\SysWOW64\Nqcglmgd.dll Eklqcl32.exe File created C:\Windows\SysWOW64\Eddeladm.exe Eeaepd32.exe File created C:\Windows\SysWOW64\Jdnmma32.exe Jpbalb32.exe File created C:\Windows\SysWOW64\Qjdaldla.dll Mbhlek32.exe File created C:\Windows\SysWOW64\Foafdoag.exe Fhgnge32.exe File opened for modification C:\Windows\SysWOW64\Plmpblnb.exe Pgpgjepk.exe File created C:\Windows\SysWOW64\Mhniklfm.dll Kpicle32.exe File opened for modification C:\Windows\SysWOW64\Nbmaon32.exe Njfjnpgp.exe File created C:\Windows\SysWOW64\Hbqmnm32.dll Ecfldoph.exe File opened for modification C:\Windows\SysWOW64\Khcomhbi.exe Kokjdb32.exe File opened for modification C:\Windows\SysWOW64\Hnheohcl.exe Hjlioj32.exe File opened for modification C:\Windows\SysWOW64\Kpdjaecc.exe Knfndjdp.exe File created C:\Windows\SysWOW64\Idgcbbda.dll Bkbaii32.exe File opened for modification C:\Windows\SysWOW64\Ddpobo32.exe Dbncjf32.exe File created C:\Windows\SysWOW64\Npbdcgjh.dll Nhgnaehm.exe File created C:\Windows\SysWOW64\Bgllgedi.exe Aqbdkk32.exe File created C:\Windows\SysWOW64\Eapfagno.exe Endjaief.exe File created C:\Windows\SysWOW64\Njpgpbpf.exe Necogkbo.exe File created C:\Windows\SysWOW64\Oiffkkbk.exe Ofhjopbg.exe File opened for modification C:\Windows\SysWOW64\Ijklknbn.exe Idadnd32.exe File created C:\Windows\SysWOW64\Dcfpel32.exe Dinklffl.exe File created C:\Windows\SysWOW64\Nmoadk32.dll Fheabelm.exe File opened for modification C:\Windows\SysWOW64\Fhgnge32.exe Fjdnlhco.exe File created C:\Windows\SysWOW64\Bdfiaojk.dll Gpabcbdb.exe File created C:\Windows\SysWOW64\Hinqgg32.exe Gbdhjm32.exe File created C:\Windows\SysWOW64\Lbnooiab.dll Hnheohcl.exe File created C:\Windows\SysWOW64\Kjleflod.exe Kcamjb32.exe File created C:\Windows\SysWOW64\Fjfikeqd.dll Fdmhbplb.exe File created C:\Windows\SysWOW64\Pdlmgo32.dll Mmgfqh32.exe File opened for modification C:\Windows\SysWOW64\Gmmfaa32.exe Gjojef32.exe File created C:\Windows\SysWOW64\Hfmddp32.exe Hhjcic32.exe File created C:\Windows\SysWOW64\Mqpflg32.exe Mnaiol32.exe File opened for modification C:\Windows\SysWOW64\Bplhnoej.exe Bfccei32.exe File opened for modification C:\Windows\SysWOW64\Hbiaemkk.exe Hpjeialg.exe File opened for modification C:\Windows\SysWOW64\Odjdmjgo.exe Omqlpp32.exe File created C:\Windows\SysWOW64\Bckjhl32.exe Bbjmpcab.exe File opened for modification C:\Windows\SysWOW64\Dfphcj32.exe Ddblgn32.exe File created C:\Windows\SysWOW64\Obhipb32.dll Gbjojh32.exe File created C:\Windows\SysWOW64\Pofkha32.exe Plgolf32.exe File opened for modification C:\Windows\SysWOW64\Eccpoo32.exe Edqocbkp.exe File opened for modification C:\Windows\SysWOW64\Mmogmjmn.exe Mjpkqonj.exe File opened for modification C:\Windows\SysWOW64\Bbbgod32.exe Akiobk32.exe File created C:\Windows\SysWOW64\Golnjpio.dll Bofgii32.exe File created C:\Windows\SysWOW64\Jedcpi32.exe Jgabdlfb.exe File created C:\Windows\SysWOW64\Kgloog32.dll Cbffoabe.exe File opened for modification C:\Windows\SysWOW64\Ekcaonhe.exe Ddiibc32.exe File created C:\Windows\SysWOW64\Cnkjnb32.exe Cgaaah32.exe File opened for modification C:\Windows\SysWOW64\Abkhkgbb.exe Akqpom32.exe File created C:\Windows\SysWOW64\Lhblch32.dll Fhikme32.exe File created C:\Windows\SysWOW64\Heealhla.exe Hbfepmmn.exe File created C:\Windows\SysWOW64\Gemncekq.dll Khoebi32.exe File created C:\Windows\SysWOW64\Ccdmnj32.exe Cpiqmlfm.exe File opened for modification C:\Windows\SysWOW64\Ijclol32.exe Iefcfe32.exe File created C:\Windows\SysWOW64\Bnknoogp.exe Bjpaop32.exe File opened for modification C:\Windows\SysWOW64\Fgadda32.exe Findhdcb.exe File created C:\Windows\SysWOW64\Hkibpkho.dll Poklngnf.exe File opened for modification C:\Windows\SysWOW64\Kcecbq32.exe Kpgffe32.exe File opened for modification C:\Windows\SysWOW64\Mggabaea.exe Mclebc32.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\system32†Dhhhbg32.¿xe Dpapaj32.exe File opened for modification C:\Windows\system32†Dhhhbg32.¿xe Dpapaj32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 6560 6520 WerFault.exe 664 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fffefjmi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mccbmh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndkhngdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anneqafn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjhjdm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggfnopfg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnacpffh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iefcfe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amkbnp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Clgbno32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qfljkp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ceeieced.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjmeiq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjpaop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oibmpl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Achjibcl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cakqgeoi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmegncpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnflke32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Goiehm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbcoio32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajeeeblb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnnaoe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edibhmml.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfjpdjjo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmkplgnq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pghfnc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aoojnc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnbojmmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpqnhadq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edqocbkp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipokcdjn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edfbaabj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lldmleam.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgedmb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdbdqh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bigimdjh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mngjeamd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcdnhoac.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcheib32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khoebi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khabghdl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aqjdgmgd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dicnkdnf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbjeinje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boogmgkl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eabcggll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Foojop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmogmjmn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgdnnl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibcnojnp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cileqlmg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjmopkla.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efdhpjok.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnipkkdl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jckgicnp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eeaepd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fggkcl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofcqcp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Heealhla.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Daofpchf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmojkc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkjdndjo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bigkel32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mgedmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fkjdopeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejecol32.dll" Hhjcic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apldjp32.dll" Gblkoham.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hnheohcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Majdmi32.dll" Jlnklcej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Meccmfen.dll" Comdkipe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkfgkgmk.dll" Pljcllqe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fdmhbplb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkppcjdc.dll" Ibhndp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Phqmgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bchfhfeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Niebgj32.dll" Clojhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Khcomhbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jbhcim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eoepingi.dll" Khielcfh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjdjea32.dll" Nplimbka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oomgdcce.dll" Oadkej32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kcdjoaee.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ecnoijbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gncldi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jkbojpna.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kllnhg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eelkeeah.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Phcilf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbmiil32.dll" Khabghdl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Necogkbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilnmeelc.dll" Afjjed32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijppackl.dll" Ciohqa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cddoqj32.dll" Mimgeigj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leblqb32.dll" Pdjjag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofaejacl.dll" Cnmfdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aopahjll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Amcbankf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpbbmeon.dll" Kjokokha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elpodcba.dll" Dkadjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjhapjlg.dll" Endjaief.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ffmkfifa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fimmkm32.dll" Mnifja32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Popeif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hhhgcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pldebkhj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ioohokoo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kjokokha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knnpkl32.dll" Ihbcmaje.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kekiphge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kcgphp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blibjh32.dll" Bpqain32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hinqgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eddeladm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fhomkcoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obhipb32.dll" Gbjojh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lldmleam.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mqpflg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ngealejo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mclebc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nplimbka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oibmpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pnbojmmp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cepfgdnj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mbkpeake.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qgmfchei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qffhlolm.dll" Eknmhk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jpbalb32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2500 wrote to memory of 1736 2500 5b1a89a121be41d63d1591fd68c7636bf378e02675a9650b31691a4faa2c1c39N.exe 30 PID 2500 wrote to memory of 1736 2500 5b1a89a121be41d63d1591fd68c7636bf378e02675a9650b31691a4faa2c1c39N.exe 30 PID 2500 wrote to memory of 1736 2500 5b1a89a121be41d63d1591fd68c7636bf378e02675a9650b31691a4faa2c1c39N.exe 30 PID 2500 wrote to memory of 1736 2500 5b1a89a121be41d63d1591fd68c7636bf378e02675a9650b31691a4faa2c1c39N.exe 30 PID 1736 wrote to memory of 2248 1736 Amkbnp32.exe 31 PID 1736 wrote to memory of 2248 1736 Amkbnp32.exe 31 PID 1736 wrote to memory of 2248 1736 Amkbnp32.exe 31 PID 1736 wrote to memory of 2248 1736 Amkbnp32.exe 31 PID 2248 wrote to memory of 2240 2248 Akncimmh.exe 32 PID 2248 wrote to memory of 2240 2248 Akncimmh.exe 32 PID 2248 wrote to memory of 2240 2248 Akncimmh.exe 32 PID 2248 wrote to memory of 2240 2248 Akncimmh.exe 32 PID 2240 wrote to memory of 2976 2240 Akqpom32.exe 33 PID 2240 wrote to memory of 2976 2240 Akqpom32.exe 33 PID 2240 wrote to memory of 2976 2240 Akqpom32.exe 33 PID 2240 wrote to memory of 2976 2240 Akqpom32.exe 33 PID 2976 wrote to memory of 2996 2976 Abkhkgbb.exe 34 PID 2976 wrote to memory of 2996 2976 Abkhkgbb.exe 34 PID 2976 wrote to memory of 2996 2976 Abkhkgbb.exe 34 PID 2976 wrote to memory of 2996 2976 Abkhkgbb.exe 34 PID 2996 wrote to memory of 2028 2996 Aidphq32.exe 35 PID 2996 wrote to memory of 2028 2996 Aidphq32.exe 35 PID 2996 wrote to memory of 2028 2996 Aidphq32.exe 35 PID 2996 wrote to memory of 2028 2996 Aidphq32.exe 35 PID 2028 wrote to memory of 2680 2028 Abmdafpp.exe 36 PID 2028 wrote to memory of 2680 2028 Abmdafpp.exe 36 PID 2028 wrote to memory of 2680 2028 Abmdafpp.exe 36 PID 2028 wrote to memory of 2680 2028 Abmdafpp.exe 36 PID 2680 wrote to memory of 2544 2680 Ajhiei32.exe 37 PID 2680 wrote to memory of 2544 2680 Ajhiei32.exe 37 PID 2680 wrote to memory of 2544 2680 Ajhiei32.exe 37 PID 2680 wrote to memory of 2544 2680 Ajhiei32.exe 37 PID 2544 wrote to memory of 1296 2544 Acqnnndl.exe 38 PID 2544 wrote to memory of 1296 2544 Acqnnndl.exe 38 PID 2544 wrote to memory of 1296 2544 Acqnnndl.exe 38 PID 2544 wrote to memory of 1296 2544 Acqnnndl.exe 38 PID 1296 wrote to memory of 3028 1296 Akhfoldn.exe 39 PID 1296 wrote to memory of 3028 1296 Akhfoldn.exe 39 PID 1296 wrote to memory of 3028 1296 Akhfoldn.exe 39 PID 1296 wrote to memory of 3028 1296 Akhfoldn.exe 39 PID 3028 wrote to memory of 2844 3028 Bepjha32.exe 40 PID 3028 wrote to memory of 2844 3028 Bepjha32.exe 40 PID 3028 wrote to memory of 2844 3028 Bepjha32.exe 40 PID 3028 wrote to memory of 2844 3028 Bepjha32.exe 40 PID 2844 wrote to memory of 3040 2844 Bfagpiam.exe 41 PID 2844 wrote to memory of 3040 2844 Bfagpiam.exe 41 PID 2844 wrote to memory of 3040 2844 Bfagpiam.exe 41 PID 2844 wrote to memory of 3040 2844 Bfagpiam.exe 41 PID 3040 wrote to memory of 1152 3040 Bagkmb32.exe 42 PID 3040 wrote to memory of 1152 3040 Bagkmb32.exe 42 PID 3040 wrote to memory of 1152 3040 Bagkmb32.exe 42 PID 3040 wrote to memory of 1152 3040 Bagkmb32.exe 42 PID 1152 wrote to memory of 1692 1152 Bfccei32.exe 43 PID 1152 wrote to memory of 1692 1152 Bfccei32.exe 43 PID 1152 wrote to memory of 1692 1152 Bfccei32.exe 43 PID 1152 wrote to memory of 1692 1152 Bfccei32.exe 43 PID 1692 wrote to memory of 1844 1692 Bplhnoej.exe 44 PID 1692 wrote to memory of 1844 1692 Bplhnoej.exe 44 PID 1692 wrote to memory of 1844 1692 Bplhnoej.exe 44 PID 1692 wrote to memory of 1844 1692 Bplhnoej.exe 44 PID 1844 wrote to memory of 272 1844 Bbjdjjdn.exe 45 PID 1844 wrote to memory of 272 1844 Bbjdjjdn.exe 45 PID 1844 wrote to memory of 272 1844 Bbjdjjdn.exe 45 PID 1844 wrote to memory of 272 1844 Bbjdjjdn.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\5b1a89a121be41d63d1591fd68c7636bf378e02675a9650b31691a4faa2c1c39N.exe"C:\Users\Admin\AppData\Local\Temp\5b1a89a121be41d63d1591fd68c7636bf378e02675a9650b31691a4faa2c1c39N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2500 -
C:\Windows\SysWOW64\Amkbnp32.exeC:\Windows\system32\Amkbnp32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1736 -
C:\Windows\SysWOW64\Akncimmh.exeC:\Windows\system32\Akncimmh.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2248 -
C:\Windows\SysWOW64\Akqpom32.exeC:\Windows\system32\Akqpom32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2240 -
C:\Windows\SysWOW64\Abkhkgbb.exeC:\Windows\system32\Abkhkgbb.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2976 -
C:\Windows\SysWOW64\Aidphq32.exeC:\Windows\system32\Aidphq32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2996 -
C:\Windows\SysWOW64\Abmdafpp.exeC:\Windows\system32\Abmdafpp.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2028 -
C:\Windows\SysWOW64\Ajhiei32.exeC:\Windows\system32\Ajhiei32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2680 -
C:\Windows\SysWOW64\Acqnnndl.exeC:\Windows\system32\Acqnnndl.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2544 -
C:\Windows\SysWOW64\Akhfoldn.exeC:\Windows\system32\Akhfoldn.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1296 -
C:\Windows\SysWOW64\Bepjha32.exeC:\Windows\system32\Bepjha32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3028 -
C:\Windows\SysWOW64\Bfagpiam.exeC:\Windows\system32\Bfagpiam.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2844 -
C:\Windows\SysWOW64\Bagkmb32.exeC:\Windows\system32\Bagkmb32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3040 -
C:\Windows\SysWOW64\Bfccei32.exeC:\Windows\system32\Bfccei32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1152 -
C:\Windows\SysWOW64\Bplhnoej.exeC:\Windows\system32\Bplhnoej.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1692 -
C:\Windows\SysWOW64\Bbjdjjdn.exeC:\Windows\system32\Bbjdjjdn.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1844 -
C:\Windows\SysWOW64\Bidlgdlk.exeC:\Windows\system32\Bidlgdlk.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:272 -
C:\Windows\SysWOW64\Bcjqdmla.exeC:\Windows\system32\Bcjqdmla.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:908 -
C:\Windows\SysWOW64\Bigimdjh.exeC:\Windows\system32\Bigimdjh.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2964 -
C:\Windows\SysWOW64\Bpqain32.exeC:\Windows\system32\Bpqain32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1360 -
C:\Windows\SysWOW64\Bfkifhib.exeC:\Windows\system32\Bfkifhib.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1044 -
C:\Windows\SysWOW64\Ciifbchf.exeC:\Windows\system32\Ciifbchf.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1524 -
C:\Windows\SysWOW64\Clgbno32.exeC:\Windows\system32\Clgbno32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:564 -
C:\Windows\SysWOW64\Cbajkiof.exeC:\Windows\system32\Cbajkiof.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1948 -
C:\Windows\SysWOW64\Cepfgdnj.exeC:\Windows\system32\Cepfgdnj.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2092 -
C:\Windows\SysWOW64\Chnbcpmn.exeC:\Windows\system32\Chnbcpmn.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2268 -
C:\Windows\SysWOW64\Cjmopkla.exeC:\Windows\system32\Cjmopkla.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2148 -
C:\Windows\SysWOW64\Cafgle32.exeC:\Windows\system32\Cafgle32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2436 -
C:\Windows\SysWOW64\Cojhejbh.exeC:\Windows\system32\Cojhejbh.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2192 -
C:\Windows\SysWOW64\Caidaeak.exeC:\Windows\system32\Caidaeak.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2448 -
C:\Windows\SysWOW64\Cedpbd32.exeC:\Windows\system32\Cedpbd32.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2948 -
C:\Windows\SysWOW64\Comdkipe.exeC:\Windows\system32\Comdkipe.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2800 -
C:\Windows\SysWOW64\Cakqgeoi.exeC:\Windows\system32\Cakqgeoi.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2076 -
C:\Windows\SysWOW64\Danmmd32.exeC:\Windows\system32\Danmmd32.exe34⤵
- Executes dropped EXE
PID:2664 -
C:\Windows\SysWOW64\Dpqnhadq.exeC:\Windows\system32\Dpqnhadq.exe35⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2032 -
C:\Windows\SysWOW64\Dkfbfjdf.exeC:\Windows\system32\Dkfbfjdf.exe36⤵
- Executes dropped EXE
PID:784 -
C:\Windows\SysWOW64\Dlgnmb32.exeC:\Windows\system32\Dlgnmb32.exe37⤵
- Executes dropped EXE
PID:1620 -
C:\Windows\SysWOW64\Dgmbkk32.exeC:\Windows\system32\Dgmbkk32.exe38⤵
- Executes dropped EXE
PID:3012 -
C:\Windows\SysWOW64\Dgoopkgh.exeC:\Windows\system32\Dgoopkgh.exe39⤵
- Executes dropped EXE
PID:2144 -
C:\Windows\SysWOW64\Dinklffl.exeC:\Windows\system32\Dinklffl.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2896 -
C:\Windows\SysWOW64\Dcfpel32.exeC:\Windows\system32\Dcfpel32.exe41⤵
- Executes dropped EXE
PID:2356 -
C:\Windows\SysWOW64\Diphbfdi.exeC:\Windows\system32\Diphbfdi.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:484 -
C:\Windows\SysWOW64\Dkadjn32.exeC:\Windows\system32\Dkadjn32.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:2396 -
C:\Windows\SysWOW64\Ddiibc32.exeC:\Windows\system32\Ddiibc32.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1788 -
C:\Windows\SysWOW64\Ekcaonhe.exeC:\Windows\system32\Ekcaonhe.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2056 -
C:\Windows\SysWOW64\Eamilh32.exeC:\Windows\system32\Eamilh32.exe46⤵
- Executes dropped EXE
PID:1856 -
C:\Windows\SysWOW64\Ekfndmfb.exeC:\Windows\system32\Ekfndmfb.exe47⤵
- Executes dropped EXE
PID:1344 -
C:\Windows\SysWOW64\Endjaief.exeC:\Windows\system32\Endjaief.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:872 -
C:\Windows\SysWOW64\Eapfagno.exeC:\Windows\system32\Eapfagno.exe49⤵
- Executes dropped EXE
PID:2416 -
C:\Windows\SysWOW64\Ehjona32.exeC:\Windows\system32\Ehjona32.exe50⤵
- Executes dropped EXE
PID:1552 -
C:\Windows\SysWOW64\Egmojnlf.exeC:\Windows\system32\Egmojnlf.exe51⤵
- Executes dropped EXE
PID:2404 -
C:\Windows\SysWOW64\Ekhkjm32.exeC:\Windows\system32\Ekhkjm32.exe52⤵
- Executes dropped EXE
PID:2244 -
C:\Windows\SysWOW64\Enfgfh32.exeC:\Windows\system32\Enfgfh32.exe53⤵
- Executes dropped EXE
PID:2572 -
C:\Windows\SysWOW64\Eabcggll.exeC:\Windows\system32\Eabcggll.exe54⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2808 -
C:\Windows\SysWOW64\Edqocbkp.exeC:\Windows\system32\Edqocbkp.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2936 -
C:\Windows\SysWOW64\Eccpoo32.exeC:\Windows\system32\Eccpoo32.exe56⤵
- Executes dropped EXE
PID:2840 -
C:\Windows\SysWOW64\Ejmhkiig.exeC:\Windows\system32\Ejmhkiig.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2720 -
C:\Windows\SysWOW64\Elldgehk.exeC:\Windows\system32\Elldgehk.exe58⤵
- Executes dropped EXE
PID:672 -
C:\Windows\SysWOW64\Epgphcqd.exeC:\Windows\system32\Epgphcqd.exe59⤵
- Executes dropped EXE
PID:1796 -
C:\Windows\SysWOW64\Ecfldoph.exeC:\Windows\system32\Ecfldoph.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3064 -
C:\Windows\SysWOW64\Efdhpjok.exeC:\Windows\system32\Efdhpjok.exe61⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2952 -
C:\Windows\SysWOW64\Enkpahon.exeC:\Windows\system32\Enkpahon.exe62⤵
- Executes dropped EXE
PID:2360 -
C:\Windows\SysWOW64\Eolmip32.exeC:\Windows\system32\Eolmip32.exe63⤵
- Executes dropped EXE
PID:588 -
C:\Windows\SysWOW64\Fchijone.exeC:\Windows\system32\Fchijone.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:852 -
C:\Windows\SysWOW64\Fffefjmi.exeC:\Windows\system32\Fffefjmi.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1988 -
C:\Windows\SysWOW64\Fheabelm.exeC:\Windows\system32\Fheabelm.exe66⤵
- Drops file in System32 directory
PID:1712 -
C:\Windows\SysWOW64\Flqmbd32.exeC:\Windows\system32\Flqmbd32.exe67⤵PID:1048
-
C:\Windows\SysWOW64\Foojop32.exeC:\Windows\system32\Foojop32.exe68⤵
- System Location Discovery: System Language Discovery
PID:280 -
C:\Windows\SysWOW64\Fbmfkkbm.exeC:\Windows\system32\Fbmfkkbm.exe69⤵PID:2012
-
C:\Windows\SysWOW64\Fjdnlhco.exeC:\Windows\system32\Fjdnlhco.exe70⤵
- Drops file in System32 directory
PID:1936 -
C:\Windows\SysWOW64\Fhgnge32.exeC:\Windows\system32\Fhgnge32.exe71⤵
- Drops file in System32 directory
PID:2232 -
C:\Windows\SysWOW64\Foafdoag.exeC:\Windows\system32\Foafdoag.exe72⤵PID:2068
-
C:\Windows\SysWOW64\Fbpbpkpj.exeC:\Windows\system32\Fbpbpkpj.exe73⤵PID:2792
-
C:\Windows\SysWOW64\Fhikme32.exeC:\Windows\system32\Fhikme32.exe74⤵
- Drops file in System32 directory
PID:2712 -
C:\Windows\SysWOW64\Fmegncpp.exeC:\Windows\system32\Fmegncpp.exe75⤵
- System Location Discovery: System Language Discovery
PID:2552 -
C:\Windows\SysWOW64\Foccjood.exeC:\Windows\system32\Foccjood.exe76⤵PID:2580
-
C:\Windows\SysWOW64\Fnfcel32.exeC:\Windows\system32\Fnfcel32.exe77⤵PID:3056
-
C:\Windows\SysWOW64\Ffmkfifa.exeC:\Windows\system32\Ffmkfifa.exe78⤵
- Modifies registry class
PID:3024 -
C:\Windows\SysWOW64\Fdpkbf32.exeC:\Windows\system32\Fdpkbf32.exe79⤵PID:2080
-
C:\Windows\SysWOW64\Filgbdfd.exeC:\Windows\system32\Filgbdfd.exe80⤵PID:296
-
C:\Windows\SysWOW64\Fkjdopeh.exeC:\Windows\system32\Fkjdopeh.exe81⤵
- Modifies registry class
PID:468 -
C:\Windows\SysWOW64\Fnipkkdl.exeC:\Windows\system32\Fnipkkdl.exe82⤵
- System Location Discovery: System Language Discovery
PID:1132 -
C:\Windows\SysWOW64\Fqglggcp.exeC:\Windows\system32\Fqglggcp.exe83⤵PID:2352
-
C:\Windows\SysWOW64\Findhdcb.exeC:\Windows\system32\Findhdcb.exe84⤵
- Drops file in System32 directory
PID:976 -
C:\Windows\SysWOW64\Fgadda32.exeC:\Windows\system32\Fgadda32.exe85⤵PID:836
-
C:\Windows\SysWOW64\Gjpqpl32.exeC:\Windows\system32\Gjpqpl32.exe86⤵PID:2284
-
C:\Windows\SysWOW64\Gbfiaj32.exeC:\Windows\system32\Gbfiaj32.exe87⤵PID:2328
-
C:\Windows\SysWOW64\Gqiimfam.exeC:\Windows\system32\Gqiimfam.exe88⤵PID:2992
-
C:\Windows\SysWOW64\Gcheib32.exeC:\Windows\system32\Gcheib32.exe89⤵
- System Location Discovery: System Language Discovery
PID:2784 -
C:\Windows\SysWOW64\Ggcaiqhj.exeC:\Windows\system32\Ggcaiqhj.exe90⤵PID:2200
-
C:\Windows\SysWOW64\Gkomjo32.exeC:\Windows\system32\Gkomjo32.exe91⤵PID:1652
-
C:\Windows\SysWOW64\Gmpjagfa.exeC:\Windows\system32\Gmpjagfa.exe92⤵PID:3008
-
C:\Windows\SysWOW64\Gqlebf32.exeC:\Windows\system32\Gqlebf32.exe93⤵PID:3068
-
C:\Windows\SysWOW64\Ggfnopfg.exeC:\Windows\system32\Ggfnopfg.exe94⤵
- System Location Discovery: System Language Discovery
PID:1616 -
C:\Windows\SysWOW64\Gfhnjm32.exeC:\Windows\system32\Gfhnjm32.exe95⤵PID:1508
-
C:\Windows\SysWOW64\Gnpflj32.exeC:\Windows\system32\Gnpflj32.exe96⤵PID:2648
-
C:\Windows\SysWOW64\Gmbfggdo.exeC:\Windows\system32\Gmbfggdo.exe97⤵PID:1340
-
C:\Windows\SysWOW64\Gpabcbdb.exeC:\Windows\system32\Gpabcbdb.exe98⤵
- Drops file in System32 directory
PID:2564 -
C:\Windows\SysWOW64\Gghkdp32.exeC:\Windows\system32\Gghkdp32.exe99⤵PID:1976
-
C:\Windows\SysWOW64\Gjfgqk32.exeC:\Windows\system32\Gjfgqk32.exe100⤵PID:396
-
C:\Windows\SysWOW64\Gpcoib32.exeC:\Windows\system32\Gpcoib32.exe101⤵PID:2264
-
C:\Windows\SysWOW64\Gcokiaji.exeC:\Windows\system32\Gcokiaji.exe102⤵PID:2772
-
C:\Windows\SysWOW64\Gbaken32.exeC:\Windows\system32\Gbaken32.exe103⤵PID:2132
-
C:\Windows\SysWOW64\Gpelnb32.exeC:\Windows\system32\Gpelnb32.exe104⤵PID:2780
-
C:\Windows\SysWOW64\Gbdhjm32.exeC:\Windows\system32\Gbdhjm32.exe105⤵
- Drops file in System32 directory
PID:1996 -
C:\Windows\SysWOW64\Hinqgg32.exeC:\Windows\system32\Hinqgg32.exe106⤵
- Modifies registry class
PID:2204 -
C:\Windows\SysWOW64\Hllmcc32.exeC:\Windows\system32\Hllmcc32.exe107⤵PID:3000
-
C:\Windows\SysWOW64\Hnkion32.exeC:\Windows\system32\Hnkion32.exe108⤵PID:320
-
C:\Windows\SysWOW64\Hbfepmmn.exeC:\Windows\system32\Hbfepmmn.exe109⤵
- Drops file in System32 directory
PID:776 -
C:\Windows\SysWOW64\Heealhla.exeC:\Windows\system32\Heealhla.exe110⤵
- System Location Discovery: System Language Discovery
PID:2412 -
C:\Windows\SysWOW64\Hhcmhdke.exeC:\Windows\system32\Hhcmhdke.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:640 -
C:\Windows\SysWOW64\Hloiib32.exeC:\Windows\system32\Hloiib32.exe112⤵PID:2624
-
C:\Windows\SysWOW64\Hpjeialg.exeC:\Windows\system32\Hpjeialg.exe113⤵
- Drops file in System32 directory
PID:884 -
C:\Windows\SysWOW64\Hbiaemkk.exeC:\Windows\system32\Hbiaemkk.exe114⤵PID:2760
-
C:\Windows\SysWOW64\Hegnahjo.exeC:\Windows\system32\Hegnahjo.exe115⤵PID:2120
-
C:\Windows\SysWOW64\Hhejnc32.exeC:\Windows\system32\Hhejnc32.exe116⤵PID:2668
-
C:\Windows\SysWOW64\Hhejnc32.exeC:\Windows\system32\Hhejnc32.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2332 -
C:\Windows\SysWOW64\Hjdfjo32.exeC:\Windows\system32\Hjdfjo32.exe118⤵PID:1468
-
C:\Windows\SysWOW64\Hnpbjnpo.exeC:\Windows\system32\Hnpbjnpo.exe119⤵PID:2196
-
C:\Windows\SysWOW64\Hbknkl32.exeC:\Windows\system32\Hbknkl32.exe120⤵PID:536
-
C:\Windows\SysWOW64\Heikgh32.exeC:\Windows\system32\Heikgh32.exe121⤵PID:1096
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-