Analysis
max time kernel
65s
max time network
19s
platform
windows7_x64
resource
win7-20241010-en
resource tags
arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system
submitted
13/10/2024, 05:18
Static task
static1
Behavioral task
behavioral1
Sample
f7649f32c1fc66b223596d6c4cf70e041fa8a3ce2f30970d7be651454248b01a.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
f7649f32c1fc66b223596d6c4cf70e041fa8a3ce2f30970d7be651454248b01a.exe
Resource
win10v2004-20241007-en
General
Target
f7649f32c1fc66b223596d6c4cf70e041fa8a3ce2f30970d7be651454248b01a.exe
Size
64KB
MD5
5af04760d3a37f88c04e358ff443ad9f
SHA1
176179118e276f9964cd257e3d7bd8500f2dc786
SHA256
f7649f32c1fc66b223596d6c4cf70e041fa8a3ce2f30970d7be651454248b01a
SHA512
351209ec0b60e87adcb9326eae2aae357e9c6811e0439f493e649e9ddecb67e29f3026e1cb631b1cd66418199a8c061d81294cae2830b4a5aaa8d2ed3af8f48a
SSDEEP
768:NHM++98xV3h9FxfB9RHXyQdfpRLFM+RWyPk6OZMsuyZlVr/1H54FYnlKA2kms8Yo:LbjNf3FpVPk6OZVzxWylrPFW2iwTbWv
Malware Config
Extracted
berbew
http://tat-neftbank.ru/kkq.php
http://tat-neftbank.ru/wcmd.htm
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cpgglifo.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Imcfjg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nafiej32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ncnlnaim.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pmecbkgj.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dofnnkfg.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Enmqjq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lhoohgdg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cbkgog32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ndoelpid.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bafkookd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fmgcepio.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mjbghkfi.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ohjkcile.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Odcimipf.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bldpiifb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pdkhag32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jcfjhj32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Llcehg32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mcofid32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Celpqbon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mpnngi32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hkbmil32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hipmoc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ddpbfl32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dnhgoa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Enmqjq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jjgonf32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kdlpkb32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Goocenaa.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Alofnj32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Llbnnq32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Edpoeoea.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ifhgcgjq.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Akbelbpi.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nphpng32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ahfgbkpl.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dcpmijqc.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kjhopjqi.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Olgpff32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cpgglifo.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Coldmfkf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mjbghkfi.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gminbfoh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Poacighp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jldbgb32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Oipcnieb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pkifgpeh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Coldmfkf.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hipmoc32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nlapaapg.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Eepmlf32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mpnngi32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pfnhkq32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fmgcepio.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Iboghh32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mmemoe32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Odckfb32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fpkchm32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kqmnadlk.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fnoiocfj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jjneoeeh.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ebockkal.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nickoldp.exe
Executes dropped EXE 64 IoCs
pid | Process
2904 | Ebockkal.exe
2780 | Emdhhdqb.exe
2688 | Eepmlf32.exe
2676 | Egpena32.exe
2500 | Fhbbcail.exe
1928 | Flqkjo32.exe
1980 | Famcbf32.exe
2112 | Fmddgg32.exe
2980 | Ffmipmjn.exe
1900 | Gminbfoh.exe
2448 | Gedbfimc.exe
768 | Goocenaa.exe
2404 | Ghidcceo.exe
1812 | Hocmpm32.exe
2508 | Hdpehd32.exe
112 | Hlpchfdi.exe
692 | Ilemce32.exe
800 | Iadbqlmh.exe
1632 | Iklfia32.exe
1720 | Idekbgji.exe
2016 | Jqnhmgmk.exe
1748 | Jjijkmbi.exe
884 | Jinfli32.exe
2808 | Jegdgj32.exe
1600 | Kbkdpnil.exe
2824 | Kpoejbhe.exe
2944 | Kkefoc32.exe
2800 | Klhbdclg.exe
1688 | Kjmoeo32.exe
2196 | Llcehg32.exe
1672 | Ldjmidcj.exe
1988 | Lbmnea32.exe
2372 | Liibgkoo.exe
2924 | Lhoohgdg.exe
2444 | Mpnngi32.exe
2304 | Mcofid32.exe
520 | Miiofn32.exe
2408 | Nepokogo.exe
2504 | Nljhhi32.exe
1292 | Ncdpdcfh.exe
1348 | Ninhamne.exe
652 | Nphpng32.exe
1552 | Nhcebj32.exe
860 | Nkaane32.exe
1204 | Ndjfgkha.exe
2128 | Nkdndeon.exe
1456 | Neibanod.exe
2160 | Noagjc32.exe
2496 | Ohjkcile.exe
2820 | Odcimipf.exe
2716 | Omnmal32.exe
1788 | Oqlfhjch.exe
784 | Pigklmqc.exe
3000 | Poacighp.exe
2984 | Pmecbkgj.exe
2176 | Pfnhkq32.exe
3036 | Pofldf32.exe
588 | Pgaahh32.exe
2512 | Pajeanhf.exe
1804 | Pjbjjc32.exe
948 | Qcjoci32.exe
1484 | Qpaohjkk.exe
1076 | Qaqlbmbn.exe
1540 | Ailqfooi.exe
Loads dropped DLL 64 IoCs
pid | Process
2772 | f7649f32c1fc66b223596d6c4cf70e041fa8a3ce2f30970d7be651454248b01a.exe
2772 | f7649f32c1fc66b223596d6c4cf70e041fa8a3ce2f30970d7be651454248b01a.exe
2904 | Ebockkal.exe
2904 | Ebockkal.exe
2780 | Emdhhdqb.exe
2780 | Emdhhdqb.exe
2688 | Eepmlf32.exe
2688 | Eepmlf32.exe
2676 | Egpena32.exe
2676 | Egpena32.exe
2500 | Fhbbcail.exe
2500 | Fhbbcail.exe
1928 | Flqkjo32.exe
1928 | Flqkjo32.exe
1980 | Famcbf32.exe
1980 | Famcbf32.exe
2112 | Fmddgg32.exe
2112 | Fmddgg32.exe
2980 | Ffmipmjn.exe
2980 | Ffmipmjn.exe
1900 | Gminbfoh.exe
1900 | Gminbfoh.exe
2448 | Gedbfimc.exe
2448 | Gedbfimc.exe
768 | Goocenaa.exe
768 | Goocenaa.exe
2404 | Ghidcceo.exe
2404 | Ghidcceo.exe
1812 | Hocmpm32.exe
1812 | Hocmpm32.exe
2508 | Hdpehd32.exe
2508 | Hdpehd32.exe
112 | Hlpchfdi.exe
112 | Hlpchfdi.exe
692 | Ilemce32.exe
692 | Ilemce32.exe
800 | Iadbqlmh.exe
800 | Iadbqlmh.exe
1632 | Iklfia32.exe
1632 | Iklfia32.exe
1720 | Idekbgji.exe
1720 | Idekbgji.exe
2016 | Jqnhmgmk.exe
2016 | Jqnhmgmk.exe
1748 | Jjijkmbi.exe
1748 | Jjijkmbi.exe
884 | Jinfli32.exe
884 | Jinfli32.exe
2808 | Jegdgj32.exe
2808 | Jegdgj32.exe
1600 | Kbkdpnil.exe
1600 | Kbkdpnil.exe
2824 | Kpoejbhe.exe
2824 | Kpoejbhe.exe
2944 | Kkefoc32.exe
2944 | Kkefoc32.exe
2800 | Klhbdclg.exe
2800 | Klhbdclg.exe
1688 | Kjmoeo32.exe
1688 | Kjmoeo32.exe
2196 | Llcehg32.exe
2196 | Llcehg32.exe
1672 | Ldjmidcj.exe
1672 | Ldjmidcj.exe
Drops file in System32 directory 64 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\Opnphfdp.dll | Egpena32.exe
File created | C:\Windows\SysWOW64\Iokhcodo.exe | Ilkpac32.exe
File created | C:\Windows\SysWOW64\Jlaeab32.exe | Iloilcci.exe
File created | C:\Windows\SysWOW64\Gngfjicn.exe | Fijnabef.exe
File created | C:\Windows\SysWOW64\Gfdaid32.exe | Gpjilj32.exe
File created | C:\Windows\SysWOW64\Ikicmc32.dll | Pofldf32.exe
File opened for modification | C:\Windows\SysWOW64\Kmfklepl.exe | Kjhopjqi.exe
File created | C:\Windows\SysWOW64\Acejlfhl.exe | Ajmfca32.exe
File created | C:\Windows\SysWOW64\Lkkckf32.dll | Nphpng32.exe
File created | C:\Windows\SysWOW64\Apfici32.exe | Ailqfooi.exe
File opened for modification | C:\Windows\SysWOW64\Pipjpj32.exe | Pfando32.exe
File created | C:\Windows\SysWOW64\Kninog32.exe | Kccian32.exe
File created | C:\Windows\SysWOW64\Ahpfkg32.dll | Kccian32.exe
File created | C:\Windows\SysWOW64\Pbhoip32.exe | Pipjpj32.exe
File created | C:\Windows\SysWOW64\Jqnocncd.dll | Kkefoc32.exe
File created | C:\Windows\SysWOW64\Qjpnmmqd.dll | Heakefnf.exe
File opened for modification | C:\Windows\SysWOW64\Kpoejbhe.exe | Kbkdpnil.exe
File created | C:\Windows\SysWOW64\Mqobfajn.dll | Enpdjfgj.exe
File created | C:\Windows\SysWOW64\Bgbjkg32.dll | Mehbpjjk.exe
File created | C:\Windows\SysWOW64\Oaeghhnb.dll | Edpoeoea.exe
File created | C:\Windows\SysWOW64\Ieppjclf.exe | Ihlpqonl.exe
File opened for modification | C:\Windows\SysWOW64\Omgfdhbq.exe | Odoakckp.exe
File created | C:\Windows\SysWOW64\Mhkhgd32.exe | Moccnoni.exe
File opened for modification | C:\Windows\SysWOW64\Biiiempl.exe | Bfjmia32.exe
File created | C:\Windows\SysWOW64\Ioienjgm.dll | Fnoiocfj.exe
File created | C:\Windows\SysWOW64\Gnhapl32.dll | Nlapaapg.exe
File created | C:\Windows\SysWOW64\Pmfmej32.exe | Pgjdmc32.exe
File created | C:\Windows\SysWOW64\Jomadboo.dll | Ceacoqfi.exe
File created | C:\Windows\SysWOW64\Qlckjo32.dll | Nhcgkbja.exe
File created | C:\Windows\SysWOW64\Qcjoci32.exe | Pjbjjc32.exe
File created | C:\Windows\SysWOW64\Bldpiifb.exe | Ahfgbkpl.exe
File opened for modification | C:\Windows\SysWOW64\Hdeall32.exe | Hipmoc32.exe
File opened for modification | C:\Windows\SysWOW64\Llcehg32.exe | Kjmoeo32.exe
File created | C:\Windows\SysWOW64\Andhah32.dll | Nljhhi32.exe
File created | C:\Windows\SysWOW64\Jgkphj32.exe | Jjgonf32.exe
File created | C:\Windows\SysWOW64\Jcfjhj32.exe | Jjneoeeh.exe
File opened for modification | C:\Windows\SysWOW64\Dcpmijqc.exe | Dncdqcbl.exe
File created | C:\Windows\SysWOW64\Hpeplh32.dll | Iloilcci.exe
File created | C:\Windows\SysWOW64\Naflocji.dll | Mlpngd32.exe
File created | C:\Windows\SysWOW64\Foibjlda.dll | Mlmjgnaa.exe
File created | C:\Windows\SysWOW64\Cebedebg.dll | Gpeoakhc.exe
File created | C:\Windows\SysWOW64\Nphpng32.exe | Ninhamne.exe
File opened for modification | C:\Windows\SysWOW64\Idmnga32.exe | Imcfjg32.exe
File opened for modification | C:\Windows\SysWOW64\Moqgiopk.exe | Mehbpjjk.exe
File opened for modification | C:\Windows\SysWOW64\Hidfjckg.exe | Hplbamdf.exe
File created | C:\Windows\SysWOW64\Abiqcm32.exe | Aeepjh32.exe
File opened for modification | C:\Windows\SysWOW64\Bejiehfi.exe | Akbelbpi.exe
File opened for modification | C:\Windows\SysWOW64\Eepmlf32.exe | Emdhhdqb.exe
File created | C:\Windows\SysWOW64\Pigklmqc.exe | Oqlfhjch.exe
File opened for modification | C:\Windows\SysWOW64\Dcmpcjcf.exe | Dnqhkcdo.exe
File created | C:\Windows\SysWOW64\Mcpkkhei.dll | Pjjmonac.exe
File opened for modification | C:\Windows\SysWOW64\Anfeop32.exe | Qqbeel32.exe
File created | C:\Windows\SysWOW64\Gpeoakhc.exe | Fmgcepio.exe
File created | C:\Windows\SysWOW64\Lgfamj32.dll | Oobiclmh.exe
File opened for modification | C:\Windows\SysWOW64\Bmjekahk.exe | Bpfebmia.exe
File opened for modification | C:\Windows\SysWOW64\Gngfjicn.exe | Fijnabef.exe
File opened for modification | C:\Windows\SysWOW64\Ilkpac32.exe | Icbkhnan.exe
File created | C:\Windows\SysWOW64\Odoakckp.exe | Oobiclmh.exe
File created | C:\Windows\SysWOW64\Qgfmlp32.exe | Pgdpgqgg.exe
File created | C:\Windows\SysWOW64\Pnifdmnc.dll | Nhcebj32.exe
File opened for modification | C:\Windows\SysWOW64\Gpeoakhc.exe | Fmgcepio.exe
File opened for modification | C:\Windows\SysWOW64\Bknfeege.exe | Bmjekahk.exe
File created | C:\Windows\SysWOW64\Eajcmh32.dll | Cdnjaibm.exe
File created | C:\Windows\SysWOW64\Jkfapl32.dll | Dajgfboj.exe
Program crash 1 IoCs
pid | pid_target | Process | procid_target
4132 | 4108 | WerFault.exe | 340
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cedpdpdf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lomglo32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nljjqbfp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bmenijcd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Enpdjfgj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Llbnnq32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pbjkop32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qidckjae.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ldjmidcj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kihbfg32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pbhoip32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Abiqcm32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hhopgkin.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cabaec32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ckmbdh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fpkchm32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ffpkob32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pofldf32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pajeanhf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kqmnadlk.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qbmhdp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jldbgb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Moccnoni.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Klhbdclg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Neibanod.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qcjoci32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Blaobmkq.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f7649f32c1fc66b223596d6c4cf70e041fa8a3ce2f30970d7be651454248b01a.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nkaane32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Poacighp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Enmqjq32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lffohikd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Aoihaa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hdpehd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qaqlbmbn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jjkiie32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jjneoeeh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nphbfplf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jqnhmgmk.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nljhhi32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dhobgp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kfopdk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Eepmlf32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fohphgce.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Iagaod32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kfgcieii.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kdfmlc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bomhnb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hfdmhh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Flqkjo32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bmjekahk.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fnoiocfj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ebockkal.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Odcimipf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lpgqlc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pjjmonac.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ekddck32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Afecna32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hidfjckg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ieppjclf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ebofcd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Panehkaj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fmddgg32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Goocenaa.exe
Modifies registry class 64 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cedpdpdf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Qbmhdp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijilkf32.dll" | Ckhbnb32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Fnoiocfj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjbcik32.dll" | Kkfhglen.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oepcmgbf.dll" | Goocenaa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ninhamne.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dajgfboj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abjhjbbl.dll" | Hbghdj32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Oobiclmh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Neibanod.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pmecbkgj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kacclb32.dll" | Bdfjnkne.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jdjgfomh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Lbjjekhl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dnhgoa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ecjibgdh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjehbgng.dll" | Pgdpgqgg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pqjhjf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dfbbpd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Anfeop32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Afecna32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Milaecdp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Fqilppic.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kjkehhjf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mbpibm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnhapl32.dll" | Nlapaapg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqcfncko.dll" | Idekbgji.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Aijfihip.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bfjmia32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dammoahg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Einkkn32.dll" | Pkifgpeh.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} | f7649f32c1fc66b223596d6c4cf70e041fa8a3ce2f30970d7be651454248b01a.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jqnhmgmk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idcnlffk.dll" | Bmjekahk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpefbfgo.dll" | Ekpkhkji.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jldbgb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afakja32.dll" | Qkelme32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dammoahg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mmemoe32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Gminbfoh.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Gedbfimc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ailqfooi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obfohq32.dll" | Iokhcodo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Andhah32.dll" | Nljhhi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fagimi32.dll" | Fijnabef.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gigpekfk.dll" | Kdnlpaln.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmncgk32.dll" | Gminbfoh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kppppfck.dll" | Llbnnq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Qkelme32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bomhnb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkdegmha.dll" | Ejohdbok.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njfiqneo.dll" | Hplbamdf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Neibanod.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Fqffgapf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mhkhgd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cdnjaibm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Blaobmkq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Lpgqlc32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Fqkieogp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqghocek.dll" | Kfgcieii.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aonjnmnj.dll" | Kdlpkb32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Eepmlf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dggekf32.dll" | Abgaeddg.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
[depth 1] C:\Users\Admin\AppData\Local\Temp\f7649f32c1fc66b223596d6c4cf70e041fa8a3ce2f30970d7be651454248b01a.exe (cmdline: "C:\Users\Admin\AppData\Local\Temp\f7649f32c1fc66b223596d6c4cf70e041fa8a3ce2f30970d7be651454248b01a.exe")
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2772 -
[depth 2] C:\Windows\SysWOW64\Ebockkal.exe (cmdline: C:\Windows\system32\Ebockkal.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2904 -
[depth 3] C:\Windows\SysWOW64\Emdhhdqb.exe (cmdline: C:\Windows\system32\Emdhhdqb.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2780 -
[depth 4] C:\Windows\SysWOW64\Eepmlf32.exe (cmdline: C:\Windows\system32\Eepmlf32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2688 -
[depth 5] C:\Windows\SysWOW64\Egpena32.exe (cmdline: C:\Windows\system32\Egpena32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2676 -
[depth 6] C:\Windows\SysWOW64\Fhbbcail.exe (cmdline: C:\Windows\system32\Fhbbcail.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2500 -
[depth 7] C:\Windows\SysWOW64\Flqkjo32.exe (cmdline: C:\Windows\system32\Flqkjo32.exe)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1928 -
[depth 8] C:\Windows\SysWOW64\Famcbf32.exe (cmdline: C:\Windows\system32\Famcbf32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1980 -
[depth 9] C:\Windows\SysWOW64\Fmddgg32.exe (cmdline: C:\Windows\system32\Fmddgg32.exe)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2112 -
[depth 10] C:\Windows\SysWOW64\Ffmipmjn.exe (cmdline: C:\Windows\system32\Ffmipmjn.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2980 -
[depth 11] C:\Windows\SysWOW64\Gminbfoh.exe (cmdline: C:\Windows\system32\Gminbfoh.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1900 -
[depth 12] C:\Windows\SysWOW64\Gedbfimc.exe (cmdline: C:\Windows\system32\Gedbfimc.exe)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2448 -
[depth 13] C:\Windows\SysWOW64\Goocenaa.exe (cmdline: C:\Windows\system32\Goocenaa.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:768 -
[depth 14] C:\Windows\SysWOW64\Ghidcceo.exe (cmdline: C:\Windows\system32\Ghidcceo.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2404 -
[depth 15] C:\Windows\SysWOW64\Hocmpm32.exe (cmdline: C:\Windows\system32\Hocmpm32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1812 -
[depth 16] C:\Windows\SysWOW64\Hdpehd32.exe (cmdline: C:\Windows\system32\Hdpehd32.exe)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2508 -
[depth 17] C:\Windows\SysWOW64\Hlpchfdi.exe (cmdline: C:\Windows\system32\Hlpchfdi.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:112 -
[depth 18] C:\Windows\SysWOW64\Ilemce32.exe (cmdline: C:\Windows\system32\Ilemce32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:692 -
[depth 19] C:\Windows\SysWOW64\Iadbqlmh.exe (cmdline: C:\Windows\system32\Iadbqlmh.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:800 -
[depth 20] C:\Windows\SysWOW64\Iklfia32.exe (cmdline: C:\Windows\system32\Iklfia32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:1632 -
[depth 21] C:\Windows\SysWOW64\Idekbgji.exe (cmdline: C:\Windows\system32\Idekbgji.exe)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1720 -
[depth 22] C:\Windows\SysWOW64\Jqnhmgmk.exe (cmdline: C:\Windows\system32\Jqnhmgmk.exe)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2016 -
[depth 23] C:\Windows\SysWOW64\Jjijkmbi.exe (cmdline: C:\Windows\system32\Jjijkmbi.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:1748 -
[depth 24] C:\Windows\SysWOW64\Jinfli32.exe (cmdline: C:\Windows\system32\Jinfli32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:884 -
[depth 25] C:\Windows\SysWOW64\Jegdgj32.exe (cmdline: C:\Windows\system32\Jegdgj32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:2808 -
[depth 26] C:\Windows\SysWOW64\Kbkdpnil.exe (cmdline: C:\Windows\system32\Kbkdpnil.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1600 -
[depth 27] C:\Windows\SysWOW64\Kpoejbhe.exe (cmdline: C:\Windows\system32\Kpoejbhe.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:2824 -
[depth 28] C:\Windows\SysWOW64\Kkefoc32.exe (cmdline: C:\Windows\system32\Kkefoc32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2944 -
[depth 29] C:\Windows\SysWOW64\Klhbdclg.exe (cmdline: C:\Windows\system32\Klhbdclg.exe)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2800 -
[depth 30] C:\Windows\SysWOW64\Kjmoeo32.exe (cmdline: C:\Windows\system32\Kjmoeo32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1688 -
[depth 31] C:\Windows\SysWOW64\Llcehg32.exe (cmdline: C:\Windows\system32\Llcehg32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2196 -
[depth 32] C:\Windows\SysWOW64\Ldjmidcj.exe (cmdline: C:\Windows\system32\Ldjmidcj.exe)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1672 -
[depth 33] C:\Windows\SysWOW64\Lbmnea32.exe (cmdline: C:\Windows\system32\Lbmnea32.exe)
- Executes dropped EXE
PID:1988 -
[depth 34] C:\Windows\SysWOW64\Liibgkoo.exe (cmdline: C:\Windows\system32\Liibgkoo.exe)
- Executes dropped EXE
PID:2372 -
[depth 35] C:\Windows\SysWOW64\Lhoohgdg.exe (cmdline: C:\Windows\system32\Lhoohgdg.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2924 -
[depth 36] C:\Windows\SysWOW64\Mpnngi32.exe (cmdline: C:\Windows\system32\Mpnngi32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2444 -
[depth 37] C:\Windows\SysWOW64\Mcofid32.exe (cmdline: C:\Windows\system32\Mcofid32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2304 -
[depth 38] C:\Windows\SysWOW64\Miiofn32.exe (cmdline: C:\Windows\system32\Miiofn32.exe)
- Executes dropped EXE
PID:520 -
[depth 39] C:\Windows\SysWOW64\Nepokogo.exe (cmdline: C:\Windows\system32\Nepokogo.exe)
- Executes dropped EXE
PID:2408 -
[depth 40] C:\Windows\SysWOW64\Nljhhi32.exe (cmdline: C:\Windows\system32\Nljhhi32.exe)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2504 -
[depth 41] C:\Windows\SysWOW64\Ncdpdcfh.exe (cmdline: C:\Windows\system32\Ncdpdcfh.exe)
- Executes dropped EXE
PID:1292 -
[depth 42] C:\Windows\SysWOW64\Ninhamne.exe (cmdline: C:\Windows\system32\Ninhamne.exe)
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1348 -
[depth 43] C:\Windows\SysWOW64\Nphpng32.exe (cmdline: C:\Windows\system32\Nphpng32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:652 -
[depth 44] C:\Windows\SysWOW64\Nhcebj32.exe (cmdline: C:\Windows\system32\Nhcebj32.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID:1552 -
[depth 45] C:\Windows\SysWOW64\Nkaane32.exe (cmdline: C:\Windows\system32\Nkaane32.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:860 -
[depth 46] C:\Windows\SysWOW64\Ndjfgkha.exe (cmdline: C:\Windows\system32\Ndjfgkha.exe)
- Executes dropped EXE
PID:1204 -
[depth 47] C:\Windows\SysWOW64\Nkdndeon.exe (cmdline: C:\Windows\system32\Nkdndeon.exe)
- Executes dropped EXE
PID:2128 -
[depth 48] C:\Windows\SysWOW64\Neibanod.exe (cmdline: C:\Windows\system32\Neibanod.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1456 -
[depth 49] C:\Windows\SysWOW64\Noagjc32.exe (cmdline: C:\Windows\system32\Noagjc32.exe)
- Executes dropped EXE
PID:2160 -
[depth 50] C:\Windows\SysWOW64\Ohjkcile.exe (cmdline: C:\Windows\system32\Ohjkcile.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2496 -
[depth 51] C:\Windows\SysWOW64\Odcimipf.exe (cmdline: C:\Windows\system32\Odcimipf.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2820 -
[depth 52] C:\Windows\SysWOW64\Omnmal32.exe (cmdline: C:\Windows\system32\Omnmal32.exe)
- Executes dropped EXE
PID:2716 -
[depth 53] C:\Windows\SysWOW64\Oqlfhjch.exe (cmdline: C:\Windows\system32\Oqlfhjch.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID:1788 -
[depth 54] C:\Windows\SysWOW64\Pigklmqc.exe (cmdline: C:\Windows\system32\Pigklmqc.exe)
- Executes dropped EXE
PID:784 -
[depth 55] C:\Windows\SysWOW64\Poacighp.exe (cmdline: C:\Windows\system32\Poacighp.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3000 -
[depth 56] C:\Windows\SysWOW64\Pmecbkgj.exe (cmdline: C:\Windows\system32\Pmecbkgj.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2984 -
[depth 57] C:\Windows\SysWOW64\Pfnhkq32.exe (cmdline: C:\Windows\system32\Pfnhkq32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2176 -
[depth 58] C:\Windows\SysWOW64\Pofldf32.exe (cmdline: C:\Windows\system32\Pofldf32.exe)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3036 -
[depth 59] C:\Windows\SysWOW64\Pgaahh32.exe (cmdline: C:\Windows\system32\Pgaahh32.exe)
- Executes dropped EXE
PID:588 -
[depth 60] C:\Windows\SysWOW64\Pajeanhf.exe (cmdline: C:\Windows\system32\Pajeanhf.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2512 -
[depth 61] C:\Windows\SysWOW64\Pjbjjc32.exe (cmdline: C:\Windows\system32\Pjbjjc32.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID:1804 -
[depth 62] C:\Windows\SysWOW64\Qcjoci32.exe (cmdline: C:\Windows\system32\Qcjoci32.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:948 -
[depth 63] C:\Windows\SysWOW64\Qpaohjkk.exe (cmdline: C:\Windows\system32\Qpaohjkk.exe)
- Executes dropped EXE
PID:1484 -
[depth 64] C:\Windows\SysWOW64\Qaqlbmbn.exe (cmdline: C:\Windows\system32\Qaqlbmbn.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1076 -
[depth 65] C:\Windows\SysWOW64\Ailqfooi.exe (cmdline: C:\Windows\system32\Ailqfooi.exe)
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1540 -
[depth 66] C:\Windows\SysWOW64\Apfici32.exe (cmdline: C:\Windows\system32\Apfici32.exe)
PID:952 -
[depth 67] C:\Windows\SysWOW64\Abgaeddg.exe (cmdline: C:\Windows\system32\Abgaeddg.exe)
- Modifies registry class
PID:2576 -
[depth 68] C:\Windows\SysWOW64\Alofnj32.exe (cmdline: C:\Windows\system32\Alofnj32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2260 -
[depth 69] C:\Windows\SysWOW64\Ahfgbkpl.exe (cmdline: C:\Windows\system32\Ahfgbkpl.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:752 -
[depth 70] C:\Windows\SysWOW64\Bldpiifb.exe (cmdline: C:\Windows\system32\Bldpiifb.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3064 -
[depth 71] C:\Windows\SysWOW64\Bjiljf32.exe (cmdline: C:\Windows\system32\Bjiljf32.exe)
PID:2252 -
[depth 72] C:\Windows\SysWOW64\Bpfebmia.exe (cmdline: C:\Windows\system32\Bpfebmia.exe)
- Drops file in System32 directory
PID:2724 -
[depth 73] C:\Windows\SysWOW64\Bmjekahk.exe (cmdline: C:\Windows\system32\Bmjekahk.exe)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2836 -
[depth 74] C:\Windows\SysWOW64\Bknfeege.exe (cmdline: C:\Windows\system32\Bknfeege.exe)
PID:1056 -
[depth 75] C:\Windows\SysWOW64\Bdfjnkne.exe (cmdline: C:\Windows\system32\Bdfjnkne.exe)
- Modifies registry class
PID:1932 -
[depth 76] C:\Windows\SysWOW64\Blaobmkq.exe (cmdline: C:\Windows\system32\Blaobmkq.exe)
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2064 -
[depth 77] C:\Windows\SysWOW64\Cbkgog32.exe (cmdline: C:\Windows\system32\Cbkgog32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2452 -
[depth 78] C:\Windows\SysWOW64\Cpohhk32.exe (cmdline: C:\Windows\system32\Cpohhk32.exe)
PID:236 -
[depth 79] C:\Windows\SysWOW64\Celpqbon.exe (cmdline: C:\Windows\system32\Celpqbon.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2284 -
[depth 80] C:\Windows\SysWOW64\Cabaec32.exe (cmdline: C:\Windows\system32\Cabaec32.exe)
- System Location Discovery: System Language Discovery
PID:2388 -
[depth 81] C:\Windows\SysWOW64\Ckkenikc.exe (cmdline: C:\Windows\system32\Ckkenikc.exe)
PID:1392 -
[depth 82] C:\Windows\SysWOW64\Ckmbdh32.exe (cmdline: C:\Windows\system32\Ckmbdh32.exe)
- System Location Discovery: System Language Discovery
PID:2552 -
[depth 83] C:\Windows\SysWOW64\Cgdciiod.exe (cmdline: C:\Windows\system32\Cgdciiod.exe)
PID:936 -
[depth 84] C:\Windows\SysWOW64\Dajgfboj.exe (cmdline: C:\Windows\system32\Dajgfboj.exe)
- Drops file in System32 directory
- Modifies registry class
PID:2188 -
[depth 85] C:\Windows\SysWOW64\Dnqhkcdo.exe (cmdline: C:\Windows\system32\Dnqhkcdo.exe)
- Drops file in System32 directory
PID:568 -
[depth 86] C:\Windows\SysWOW64\Dcmpcjcf.exe (cmdline: C:\Windows\system32\Dcmpcjcf.exe)
PID:1664 -
[depth 87] C:\Windows\SysWOW64\Dncdqcbl.exe (cmdline: C:\Windows\system32\Dncdqcbl.exe)
- Drops file in System32 directory
PID:2156 -
[depth 88] C:\Windows\SysWOW64\Dcpmijqc.exe (cmdline: C:\Windows\system32\Dcpmijqc.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2892 -
[depth 89] C:\Windows\SysWOW64\Dofnnkfg.exe (cmdline: C:\Windows\system32\Dofnnkfg.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2684 -
[depth 90] C:\Windows\SysWOW64\Dhobgp32.exe (cmdline: C:\Windows\system32\Dhobgp32.exe)
- System Location Discovery: System Language Discovery
PID:2108 -
[depth 91] C:\Windows\SysWOW64\Dfbbpd32.exe (cmdline: C:\Windows\system32\Dfbbpd32.exe)
- Modifies registry class
PID:1116 -
[depth 92] C:\Windows\SysWOW64\Ekpkhkji.exe (cmdline: C:\Windows\system32\Ekpkhkji.exe)
- Modifies registry class
PID:2524 -
[depth 93] C:\Windows\SysWOW64\Ehclbpic.exe (cmdline: C:\Windows\system32\Ehclbpic.exe)
PID:1176 -
[depth 94] C:\Windows\SysWOW64\Enpdjfgj.exe (cmdline: C:\Windows\system32\Enpdjfgj.exe)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:700 -
[depth 95] C:\Windows\SysWOW64\Ekddck32.exe (cmdline: C:\Windows\system32\Ekddck32.exe)
- System Location Discovery: System Language Discovery
PID:2380 -
[depth 96] C:\Windows\SysWOW64\Fqffgapf.exe (cmdline: C:\Windows\system32\Fqffgapf.exe)
- Modifies registry class
PID:2540 -
[depth 97] C:\Windows\SysWOW64\Fpkchm32.exe (cmdline: C:\Windows\system32\Fpkchm32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2244 -
[depth 98] C:\Windows\SysWOW64\Fpmpnmck.exe (cmdline: C:\Windows\system32\Fpmpnmck.exe)
PID:1520 -
[depth 99] C:\Windows\SysWOW64\Fijnabef.exe (cmdline: C:\Windows\system32\Fijnabef.exe)
- Drops file in System32 directory
- Modifies registry class
PID:836 -
[depth 100] C:\Windows\SysWOW64\Gngfjicn.exe (cmdline: C:\Windows\system32\Gngfjicn.exe)
PID:1436 -
[depth 101] C:\Windows\SysWOW64\Gahpkd32.exe (cmdline: C:\Windows\system32\Gahpkd32.exe)
PID:2320 -
[depth 102] C:\Windows\SysWOW64\Gmoppefc.exe (cmdline: C:\Windows\system32\Gmoppefc.exe)
PID:848 -
[depth 103] C:\Windows\SysWOW64\Ghddnnfi.exe (cmdline: C:\Windows\system32\Ghddnnfi.exe)
PID:3032 -
[depth 104] C:\Windows\SysWOW64\Gamifcmi.exe (cmdline: C:\Windows\system32\Gamifcmi.exe)
PID:2712 -
[depth 105] C:\Windows\SysWOW64\Gjemoi32.exe (cmdline: C:\Windows\system32\Gjemoi32.exe)
PID:2640 -
[depth 106] C:\Windows\SysWOW64\Gdmbhnjj.exe (cmdline: C:\Windows\system32\Gdmbhnjj.exe)
PID:2276 -
[depth 107] C:\Windows\SysWOW64\Hlhfmqge.exe (cmdline: C:\Windows\system32\Hlhfmqge.exe)
PID:2804 -
[depth 108] C:\Windows\SysWOW64\Heakefnf.exe (cmdline: C:\Windows\system32\Heakefnf.exe)
- Drops file in System32 directory
PID:1388 -
[depth 109] C:\Windows\SysWOW64\Hbekojlp.exe (cmdline: C:\Windows\system32\Hbekojlp.exe)
PID:2928 -
[depth 110] C:\Windows\SysWOW64\Hhadgakg.exe (cmdline: C:\Windows\system32\Hhadgakg.exe)
PID:2488 -
[depth 111] C:\Windows\SysWOW64\Hbghdj32.exe (cmdline: C:\Windows\system32\Hbghdj32.exe)
- Modifies registry class
PID:628 -
[depth 112] C:\Windows\SysWOW64\Hkbmil32.exe (cmdline: C:\Windows\system32\Hkbmil32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1464 -
[depth 113] C:\Windows\SysWOW64\Hdkaabnh.exe (cmdline: C:\Windows\system32\Hdkaabnh.exe)
PID:2416 -
[depth 114] C:\Windows\SysWOW64\Imcfjg32.exe (cmdline: C:\Windows\system32\Imcfjg32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2220 -
[depth 115] C:\Windows\SysWOW64\Idmnga32.exe (cmdline: C:\Windows\system32\Idmnga32.exe)
PID:2796 -
[depth 116] C:\Windows\SysWOW64\Inebpgbf.exe (cmdline: C:\Windows\system32\Inebpgbf.exe)
PID:2104 -
[depth 117] C:\Windows\SysWOW64\Icbkhnan.exe (cmdline: C:\Windows\system32\Icbkhnan.exe)
- Drops file in System32 directory
PID:1416 -
[depth 118] C:\Windows\SysWOW64\Ilkpac32.exe (cmdline: C:\Windows\system32\Ilkpac32.exe)
- Drops file in System32 directory
PID:664 -
[depth 119] C:\Windows\SysWOW64\Iokhcodo.exe (cmdline: C:\Windows\system32\Iokhcodo.exe)
- Modifies registry class
PID:2748 -
[depth 120] C:\Windows\SysWOW64\Iloilcci.exe (cmdline: C:\Windows\system32\Iloilcci.exe)
- Drops file in System32 directory
PID:1992 -
[depth 121] C:\Windows\SysWOW64\Jlaeab32.exe (cmdline: C:\Windows\system32\Jlaeab32.exe)
PID:264 -
[depth 122] C:\Windows\SysWOW64\Jldbgb32.exe (cmdline: C:\Windows\system32\Jldbgb32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2088