Analysis
-
max time kernel
121s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
01-11-2024 07:23
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
649d8947ab65b9e030648aa0059b7cdb5829dbe0daeebd62486d91f6a9273dfd.exe
Resource
win7-20241010-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral2
Sample
649d8947ab65b9e030648aa0059b7cdb5829dbe0daeebd62486d91f6a9273dfd.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
12 signatures
150 seconds
General
-
Target
649d8947ab65b9e030648aa0059b7cdb5829dbe0daeebd62486d91f6a9273dfd.exe
-
Size
96KB
-
MD5
54e64e31bd6025a4801047274ccf1e9c
-
SHA1
ac3d173e7bfffd9e4ac212e14b07bd77c237f0a4
-
SHA256
649d8947ab65b9e030648aa0059b7cdb5829dbe0daeebd62486d91f6a9273dfd
-
SHA512
12aaa4ce6b5f7f83747e35c223b2ea9f4913c29cb0291c7bef955e8bd27bb6b07b9b0081dae586d4c7541c6dbbbc371f217ba1a86898dd5b8752c1a6d7e96371
-
SSDEEP
1536:QRQ8G+BP/hlAHzlLf8tTGHeNBK7sDZ12LQ7RZObZUUWaegPYA:QFhlATlj8tTY/OkQClUUWae
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ipdolbbj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpkjgckc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oemhjlha.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikjlmjmp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgpbfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bphmfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lhbjmg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckmbdh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njlopkmg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pifakj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnhhia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lielphqc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jkgbcofn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bocckoom.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhqfie32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckbccnji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gcljdpke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hbepplkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aimkeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ekbhnkhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfpcdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pglacbbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Opmhqc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kiojqfdp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgbfin32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dqmkflcd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olkjaflh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mdhnnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ododdlcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mkiemqdo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcepgh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckkhga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hbqdldhi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mchjjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nokdnail.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Feklja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Odfofhic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bocckoom.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfekkgla.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Joepjokm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glgqlkdl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dndndbnl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djghpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djghpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jkdfmoha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nnjlhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmgekh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oblmom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ccinnd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmecbkgj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngencpel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdapjglj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkpppmko.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhfoleio.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Paekijkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Paekijkb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibeloo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bqilfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jmelfeqn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipdolbbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nahfkigd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkoidcaj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phphgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phphgf32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2080 Pcmoie32.exe 2880 Pdnkanfg.exe 2836 Pmecbkgj.exe 1676 Pkmmigjo.exe 2688 Pjbjjc32.exe 2064 Qanolm32.exe 948 Qijdqp32.exe 2624 Ailqfooi.exe 2940 Almihjlj.exe 2992 Apkbnibq.exe 1756 Aicfgn32.exe 1844 Abkkpd32.exe 2452 Baqhapdj.exe 2076 Binikb32.exe 976 Blobmm32.exe 2516 Bmnofp32.exe 2460 Ceickb32.exe 1288 Capdpcge.exe 2240 Cabaec32.exe 1308 Ckkenikc.exe 236 Ceqjla32.exe 2156 Ckmbdh32.exe 2252 Dnnkec32.exe 1568 Dckcnj32.exe 2128 Ddjphm32.exe 2832 Djghpd32.exe 2456 Dgkiih32.exe 2924 Dcbjni32.exe 2896 Dljngoea.exe 2788 Ekpkhkji.exe 2588 Ekbhnkhf.exe 2660 Edjlgq32.exe 2148 Enenef32.exe 2068 Ecbfmm32.exe 2736 Ffboohnm.exe 368 Fcfohlmg.exe 1972 Fejifdab.exe 2380 Fnbmoi32.exe 1220 Flfnhnfm.exe 1840 Gjbqjiem.exe 1724 Hfnkji32.exe 700 Hahljg32.exe 1656 Holldk32.exe 1872 Hkbmil32.exe 2052 Hhfmbq32.exe 2236 Iaobkf32.exe 1668 Ihijhpdo.exe 2400 Ipdolbbj.exe 1988 Ilkpac32.exe 1396 Iecdji32.exe 3048 Iphhgb32.exe 2764 Ieeqpi32.exe 2888 Ionehnbm.exe 2796 Jfhmehji.exe 1548 Jkdfmoha.exe 1652 Jdmjfe32.exe 2972 Jkgbcofn.exe 1300 Jgnchplb.exe 1968 Jngkdj32.exe 2348 Jhmpbc32.exe 2392 Jjnlikic.exe 2104 Jddqgdii.exe 920 Jnlepioj.exe 1712 Kfgjdlme.exe -
Loads dropped DLL 64 IoCs
pid Process 2580 649d8947ab65b9e030648aa0059b7cdb5829dbe0daeebd62486d91f6a9273dfd.exe 2580 649d8947ab65b9e030648aa0059b7cdb5829dbe0daeebd62486d91f6a9273dfd.exe 2080 Pcmoie32.exe 2080 Pcmoie32.exe 2880 Pdnkanfg.exe 2880 Pdnkanfg.exe 2836 Pmecbkgj.exe 2836 Pmecbkgj.exe 1676 Pkmmigjo.exe 1676 Pkmmigjo.exe 2688 Pjbjjc32.exe 2688 Pjbjjc32.exe 2064 Qanolm32.exe 2064 Qanolm32.exe 948 Qijdqp32.exe 948 Qijdqp32.exe 2624 Ailqfooi.exe 2624 Ailqfooi.exe 2940 Almihjlj.exe 2940 Almihjlj.exe 2992 Apkbnibq.exe 2992 Apkbnibq.exe 1756 Aicfgn32.exe 1756 Aicfgn32.exe 1844 Abkkpd32.exe 1844 Abkkpd32.exe 2452 Baqhapdj.exe 2452 Baqhapdj.exe 2076 Binikb32.exe 2076 Binikb32.exe 976 Blobmm32.exe 976 Blobmm32.exe 2516 Bmnofp32.exe 2516 Bmnofp32.exe 2460 Ceickb32.exe 2460 Ceickb32.exe 1288 Capdpcge.exe 1288 Capdpcge.exe 2240 Cabaec32.exe 2240 Cabaec32.exe 1308 Ckkenikc.exe 1308 Ckkenikc.exe 236 Ceqjla32.exe 236 Ceqjla32.exe 2156 Ckmbdh32.exe 2156 Ckmbdh32.exe 2252 Dnnkec32.exe 2252 Dnnkec32.exe 1568 Dckcnj32.exe 1568 Dckcnj32.exe 2128 Ddjphm32.exe 2128 Ddjphm32.exe 2832 Djghpd32.exe 2832 Djghpd32.exe 2456 Dgkiih32.exe 2456 Dgkiih32.exe 2924 Dcbjni32.exe 2924 Dcbjni32.exe 2896 Dljngoea.exe 2896 Dljngoea.exe 2788 Ekpkhkji.exe 2788 Ekpkhkji.exe 2588 Ekbhnkhf.exe 2588 Ekbhnkhf.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Mmljkb32.dll Emggflfc.exe File created C:\Windows\SysWOW64\Gcaajfbd.dll Ehdnkh32.exe File opened for modification C:\Windows\SysWOW64\Fefpfi32.exe Fpihnbmk.exe File created C:\Windows\SysWOW64\Lnlmmo32.exe Lphlck32.exe File created C:\Windows\SysWOW64\Gnhfacfn.dll Nnfeep32.exe File created C:\Windows\SysWOW64\Kalkjh32.exe Klocba32.exe File opened for modification C:\Windows\SysWOW64\Mkggnp32.exe Maocekoo.exe File created C:\Windows\SysWOW64\Bjqjnn32.dll Oolbcaij.exe File opened for modification C:\Windows\SysWOW64\Ejdaoa32.exe Eoomai32.exe File created C:\Windows\SysWOW64\Hbknmicj.exe Hibidc32.exe File created C:\Windows\SysWOW64\Ijfieo32.dll Kjakhcne.exe File created C:\Windows\SysWOW64\Noepdo32.exe Mdplfflp.exe File created C:\Windows\SysWOW64\Lgocca32.dll Mfhabe32.exe File opened for modification C:\Windows\SysWOW64\Ghnfci32.exe Gofajcog.exe File created C:\Windows\SysWOW64\Khpaidpk.exe Jmkmlk32.exe File opened for modification C:\Windows\SysWOW64\Bleilh32.exe Aidpjm32.exe File created C:\Windows\SysWOW64\Acfoejcg.dll Dpgckm32.exe File created C:\Windows\SysWOW64\Kihcakpa.exe Kppohf32.exe File created C:\Windows\SysWOW64\Pmijgn32.exe Ppejmj32.exe File created C:\Windows\SysWOW64\Gmapcm32.dll Pamlel32.exe File created C:\Windows\SysWOW64\Ododdlcd.exe Oejgbonl.exe File created C:\Windows\SysWOW64\Omjgkjof.exe Ognobcqo.exe File created C:\Windows\SysWOW64\Gaffja32.exe Gepeep32.exe File opened for modification C:\Windows\SysWOW64\Almihjlj.exe Ailqfooi.exe File created C:\Windows\SysWOW64\Libiii32.dll Ejdaoa32.exe File created C:\Windows\SysWOW64\Cienge32.dll Qpocno32.exe File created C:\Windows\SysWOW64\Npppaejj.exe Nejkdm32.exe File opened for modification C:\Windows\SysWOW64\Dlbaljhn.exe Dooqceid.exe File opened for modification C:\Windows\SysWOW64\Adeiobgc.exe Acemeo32.exe File created C:\Windows\SysWOW64\Ieeidi32.dll Mahgejhf.exe File opened for modification C:\Windows\SysWOW64\Dqmkflcd.exe Dfhficcn.exe File created C:\Windows\SysWOW64\Idlfno32.dll Gaffja32.exe File created C:\Windows\SysWOW64\Apkbnibq.exe Almihjlj.exe File opened for modification C:\Windows\SysWOW64\Pmiikipg.exe Pglacbbo.exe File created C:\Windows\SysWOW64\Behinlkh.exe Blodefdg.exe File created C:\Windows\SysWOW64\Dlnjjc32.exe Ccceeqfl.exe File created C:\Windows\SysWOW64\Ijjgkmqh.exe Iabcbg32.exe File created C:\Windows\SysWOW64\Pahbckfe.dll Ebhani32.exe File created C:\Windows\SysWOW64\Gpfecckm.dll Qijdqp32.exe File created C:\Windows\SysWOW64\Ngcanq32.exe Nafiej32.exe File created C:\Windows\SysWOW64\Hgmoqm32.dll Hmkiobge.exe File created C:\Windows\SysWOW64\Higjomhj.dll Lpapgnpb.exe File created C:\Windows\SysWOW64\Ighmnbma.dll Nfmahkhh.exe File opened for modification C:\Windows\SysWOW64\Mlhbgc32.exe Macnjk32.exe File opened for modification C:\Windows\SysWOW64\Nqamaeii.exe Nflidmic.exe File created C:\Windows\SysWOW64\Mbomgjkh.dll Bcedbefd.exe File created C:\Windows\SysWOW64\Anekin32.dll Aeahjn32.exe File created C:\Windows\SysWOW64\Gjpldngk.dll Mhfoleio.exe File created C:\Windows\SysWOW64\Bedene32.exe Bphmfo32.exe File opened for modification C:\Windows\SysWOW64\Ficilgai.exe Fondonbc.exe File opened for modification C:\Windows\SysWOW64\Cfmjoe32.exe Cdjabn32.exe File created C:\Windows\SysWOW64\Khhcfo32.dll Fhaibnim.exe File created C:\Windows\SysWOW64\Cnkifmfo.dll Ppegdapd.exe File created C:\Windows\SysWOW64\Immbmp32.dll Gcimop32.exe File created C:\Windows\SysWOW64\Lmolkg32.exe Lcignoki.exe File created C:\Windows\SysWOW64\Oofeeflg.dll Eponmmaj.exe File created C:\Windows\SysWOW64\Cipleo32.exe Cgaoic32.exe File created C:\Windows\SysWOW64\Mhlmhiho.dll Dndndbnl.exe File created C:\Windows\SysWOW64\Lfilnh32.exe Lomglo32.exe File created C:\Windows\SysWOW64\Kibmchmc.dll Pkfiaqgk.exe File created C:\Windows\SysWOW64\Aomolh32.dll Agolpnjl.exe File created C:\Windows\SysWOW64\Jhlgnd32.exe Jocceo32.exe File opened for modification C:\Windows\SysWOW64\Ljjhdm32.exe Lcppgbjd.exe File opened for modification C:\Windows\SysWOW64\Oolbcaij.exe Odfofhic.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3648 2868 WerFault.exe 803 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jeblgodb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fondonbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nccmng32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fqpbpo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odfofhic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lomglo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Behinlkh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnlilb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljjhdm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cooddbfh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elbmkm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjneoeeh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lddoopbi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfdjpo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eeijpdbd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghcbga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmkafhnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjdcdjcm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plbaafak.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hqjfgb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnopmegg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcimop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbmgkp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ealbcngg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkljfj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phklcn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnmdfi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndnplk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Foacmg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jaopcbga.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enmqjq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blodefdg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Heamno32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfhabe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipameehe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iaipmm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iadphghe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljcbcngi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fokaoh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpmhgc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alicahno.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eelfedpa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldihjo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iflhjh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bonenbgj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eoomai32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmgmbj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bcbedm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gokmnlcf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Noepdo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpapgnpb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmeiei32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkiemqdo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpejfjha.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dooqceid.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohjmlaci.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ciebdj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Encchoml.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjjnnbfj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpnbcfkc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhbjmg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ieeqpi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qggoeilh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epdncb32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node 649d8947ab65b9e030648aa0059b7cdb5829dbe0daeebd62486d91f6a9273dfd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bmhkojab.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fiopah32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Njlopkmg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Plbaafak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eefjaj32.dll" Bleilh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdbljhig.dll" Oppbjn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oejgbonl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnkfoiql.dll" Phklcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngalll32.dll" Jbgbjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nokdnail.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pifakj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ecnpgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" 649d8947ab65b9e030648aa0059b7cdb5829dbe0daeebd62486d91f6a9273dfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knngob32.dll" Ipcjje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkblpcle.dll" Bcdbjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inofameg.dll" Hqhiab32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kommediq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pmijgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bbdoec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljkaejba.dll" Binikb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Noepdo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jcaqmkpn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Njcibgcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnaacb32.dll" Pmijgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iljccajl.dll" Bbdoec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gkgdbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qanolm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kfgjdlme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ollcee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nadoiccn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kmfklepl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jojnglco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dlifcqfl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ollncgjq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dkkmln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cjcfjoil.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ngencpel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hhlcal32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mcfbfaao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmfgkqba.dll" Pimlmf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmocck32.dll" Mogene32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hqjfgb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jpnkep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kejpdk32.dll" Kjchmclb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mqdbjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cffdnama.dll" Dkkmln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Egkgad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kkljfj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ekgfkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmbilgok.dll" Bdpnlo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pjbjjc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ljcbcngi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Efmoib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fkoqmhii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nidhfgpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdldjnpc.dll" Ljfckodo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kmgekh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Abpohb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mampci32.dll" Ffeoid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jahonm32.dll" Afnfcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlaoip32.dll" Njlcah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Obcgaill.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Immbmp32.dll" Gcimop32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2580 wrote to memory of 2080 2580 649d8947ab65b9e030648aa0059b7cdb5829dbe0daeebd62486d91f6a9273dfd.exe 30 PID 2580 wrote to memory of 2080 2580 649d8947ab65b9e030648aa0059b7cdb5829dbe0daeebd62486d91f6a9273dfd.exe 30 PID 2580 wrote to memory of 2080 2580 649d8947ab65b9e030648aa0059b7cdb5829dbe0daeebd62486d91f6a9273dfd.exe 30 PID 2580 wrote to memory of 2080 2580 649d8947ab65b9e030648aa0059b7cdb5829dbe0daeebd62486d91f6a9273dfd.exe 30 PID 2080 wrote to memory of 2880 2080 Pcmoie32.exe 31 PID 2080 wrote to memory of 2880 2080 Pcmoie32.exe 31 PID 2080 wrote to memory of 2880 2080 Pcmoie32.exe 31 PID 2080 wrote to memory of 2880 2080 Pcmoie32.exe 31 PID 2880 wrote to memory of 2836 2880 Pdnkanfg.exe 32 PID 2880 wrote to memory of 2836 2880 Pdnkanfg.exe 32 PID 2880 wrote to memory of 2836 2880 Pdnkanfg.exe 32 PID 2880 wrote to memory of 2836 2880 Pdnkanfg.exe 32 PID 2836 wrote to memory of 1676 2836 Pmecbkgj.exe 33 PID 2836 wrote to memory of 1676 2836 Pmecbkgj.exe 33 PID 2836 wrote to memory of 1676 2836 Pmecbkgj.exe 33 PID 2836 wrote to memory of 1676 2836 Pmecbkgj.exe 33 PID 1676 wrote to memory of 2688 1676 Pkmmigjo.exe 34 PID 1676 wrote to memory of 2688 1676 Pkmmigjo.exe 34 PID 1676 wrote to memory of 2688 1676 Pkmmigjo.exe 34 PID 1676 wrote to memory of 2688 1676 Pkmmigjo.exe 34 PID 2688 wrote to memory of 2064 2688 Pjbjjc32.exe 35 PID 2688 wrote to memory of 2064 2688 Pjbjjc32.exe 35 PID 2688 wrote to memory of 2064 2688 Pjbjjc32.exe 35 PID 2688 wrote to memory of 2064 2688 Pjbjjc32.exe 35 PID 2064 wrote to memory of 948 2064 Qanolm32.exe 36 PID 2064 wrote to memory of 948 2064 Qanolm32.exe 36 PID 2064 wrote to memory of 948 2064 Qanolm32.exe 36 PID 2064 wrote to memory of 948 2064 Qanolm32.exe 36 PID 948 wrote to memory of 2624 948 Qijdqp32.exe 37 PID 948 wrote to memory of 2624 948 Qijdqp32.exe 37 PID 948 wrote to memory of 2624 948 Qijdqp32.exe 37 PID 948 wrote to memory of 2624 948 Qijdqp32.exe 37 PID 2624 wrote to memory of 2940 2624 Ailqfooi.exe 38 PID 2624 wrote to memory of 2940 2624 Ailqfooi.exe 38 PID 2624 wrote to memory of 2940 2624 Ailqfooi.exe 38 PID 2624 wrote to memory of 2940 2624 Ailqfooi.exe 38 PID 2940 wrote to memory of 2992 2940 Almihjlj.exe 39 PID 2940 wrote to memory of 2992 2940 Almihjlj.exe 39 PID 2940 wrote to memory of 2992 2940 Almihjlj.exe 39 PID 2940 wrote to memory of 2992 2940 Almihjlj.exe 39 PID 2992 wrote to memory of 1756 2992 Apkbnibq.exe 40 PID 2992 wrote to memory of 1756 2992 Apkbnibq.exe 40 PID 2992 wrote to memory of 1756 2992 Apkbnibq.exe 40 PID 2992 wrote to memory of 1756 2992 Apkbnibq.exe 40 PID 1756 wrote to memory of 1844 1756 Aicfgn32.exe 41 PID 1756 wrote to memory of 1844 1756 Aicfgn32.exe 41 PID 1756 wrote to memory of 1844 1756 Aicfgn32.exe 41 PID 1756 wrote to memory of 1844 1756 Aicfgn32.exe 41 PID 1844 wrote to memory of 2452 1844 Abkkpd32.exe 42 PID 1844 wrote to memory of 2452 1844 Abkkpd32.exe 42 PID 1844 wrote to memory of 2452 1844 Abkkpd32.exe 42 PID 1844 wrote to memory of 2452 1844 Abkkpd32.exe 42 PID 2452 wrote to memory of 2076 2452 Baqhapdj.exe 43 PID 2452 wrote to memory of 2076 2452 Baqhapdj.exe 43 PID 2452 wrote to memory of 2076 2452 Baqhapdj.exe 43 PID 2452 wrote to memory of 2076 2452 Baqhapdj.exe 43 PID 2076 wrote to memory of 976 2076 Binikb32.exe 44 PID 2076 wrote to memory of 976 2076 Binikb32.exe 44 PID 2076 wrote to memory of 976 2076 Binikb32.exe 44 PID 2076 wrote to memory of 976 2076 Binikb32.exe 44 PID 976 wrote to memory of 2516 976 Blobmm32.exe 45 PID 976 wrote to memory of 2516 976 Blobmm32.exe 45 PID 976 wrote to memory of 2516 976 Blobmm32.exe 45 PID 976 wrote to memory of 2516 976 Blobmm32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\649d8947ab65b9e030648aa0059b7cdb5829dbe0daeebd62486d91f6a9273dfd.exe"C:\Users\Admin\AppData\Local\Temp\649d8947ab65b9e030648aa0059b7cdb5829dbe0daeebd62486d91f6a9273dfd.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2580 -
C:\Windows\SysWOW64\Pcmoie32.exeC:\Windows\system32\Pcmoie32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2080 -
C:\Windows\SysWOW64\Pdnkanfg.exeC:\Windows\system32\Pdnkanfg.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2880 -
C:\Windows\SysWOW64\Pmecbkgj.exeC:\Windows\system32\Pmecbkgj.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2836 -
C:\Windows\SysWOW64\Pkmmigjo.exeC:\Windows\system32\Pkmmigjo.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1676 -
C:\Windows\SysWOW64\Pjbjjc32.exeC:\Windows\system32\Pjbjjc32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2688 -
C:\Windows\SysWOW64\Qanolm32.exeC:\Windows\system32\Qanolm32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2064 -
C:\Windows\SysWOW64\Qijdqp32.exeC:\Windows\system32\Qijdqp32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:948 -
C:\Windows\SysWOW64\Ailqfooi.exeC:\Windows\system32\Ailqfooi.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2624 -
C:\Windows\SysWOW64\Almihjlj.exeC:\Windows\system32\Almihjlj.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2940 -
C:\Windows\SysWOW64\Apkbnibq.exeC:\Windows\system32\Apkbnibq.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2992 -
C:\Windows\SysWOW64\Aicfgn32.exeC:\Windows\system32\Aicfgn32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1756 -
C:\Windows\SysWOW64\Abkkpd32.exeC:\Windows\system32\Abkkpd32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1844 -
C:\Windows\SysWOW64\Baqhapdj.exeC:\Windows\system32\Baqhapdj.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2452 -
C:\Windows\SysWOW64\Binikb32.exeC:\Windows\system32\Binikb32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2076 -
C:\Windows\SysWOW64\Blobmm32.exeC:\Windows\system32\Blobmm32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:976 -
C:\Windows\SysWOW64\Bmnofp32.exeC:\Windows\system32\Bmnofp32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2516 -
C:\Windows\SysWOW64\Ceickb32.exeC:\Windows\system32\Ceickb32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2460 -
C:\Windows\SysWOW64\Capdpcge.exeC:\Windows\system32\Capdpcge.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1288 -
C:\Windows\SysWOW64\Cabaec32.exeC:\Windows\system32\Cabaec32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2240 -
C:\Windows\SysWOW64\Ckkenikc.exeC:\Windows\system32\Ckkenikc.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1308 -
C:\Windows\SysWOW64\Ceqjla32.exeC:\Windows\system32\Ceqjla32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:236 -
C:\Windows\SysWOW64\Ckmbdh32.exeC:\Windows\system32\Ckmbdh32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2156 -
C:\Windows\SysWOW64\Dnnkec32.exeC:\Windows\system32\Dnnkec32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2252 -
C:\Windows\SysWOW64\Dckcnj32.exeC:\Windows\system32\Dckcnj32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1568 -
C:\Windows\SysWOW64\Ddjphm32.exeC:\Windows\system32\Ddjphm32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2128 -
C:\Windows\SysWOW64\Djghpd32.exeC:\Windows\system32\Djghpd32.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2832 -
C:\Windows\SysWOW64\Dgkiih32.exeC:\Windows\system32\Dgkiih32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2456 -
C:\Windows\SysWOW64\Dcbjni32.exeC:\Windows\system32\Dcbjni32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2924 -
C:\Windows\SysWOW64\Dljngoea.exeC:\Windows\system32\Dljngoea.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2896 -
C:\Windows\SysWOW64\Ekpkhkji.exeC:\Windows\system32\Ekpkhkji.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2788 -
C:\Windows\SysWOW64\Ekbhnkhf.exeC:\Windows\system32\Ekbhnkhf.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2588 -
C:\Windows\SysWOW64\Edjlgq32.exeC:\Windows\system32\Edjlgq32.exe33⤵
- Executes dropped EXE
PID:2660 -
C:\Windows\SysWOW64\Enenef32.exeC:\Windows\system32\Enenef32.exe34⤵
- Executes dropped EXE
PID:2148 -
C:\Windows\SysWOW64\Ecbfmm32.exeC:\Windows\system32\Ecbfmm32.exe35⤵
- Executes dropped EXE
PID:2068 -
C:\Windows\SysWOW64\Ffboohnm.exeC:\Windows\system32\Ffboohnm.exe36⤵
- Executes dropped EXE
PID:2736 -
C:\Windows\SysWOW64\Fcfohlmg.exeC:\Windows\system32\Fcfohlmg.exe37⤵
- Executes dropped EXE
PID:368 -
C:\Windows\SysWOW64\Fejifdab.exeC:\Windows\system32\Fejifdab.exe38⤵
- Executes dropped EXE
PID:1972 -
C:\Windows\SysWOW64\Fnbmoi32.exeC:\Windows\system32\Fnbmoi32.exe39⤵
- Executes dropped EXE
PID:2380 -
C:\Windows\SysWOW64\Flfnhnfm.exeC:\Windows\system32\Flfnhnfm.exe40⤵
- Executes dropped EXE
PID:1220 -
C:\Windows\SysWOW64\Gjbqjiem.exeC:\Windows\system32\Gjbqjiem.exe41⤵
- Executes dropped EXE
PID:1840 -
C:\Windows\SysWOW64\Hfnkji32.exeC:\Windows\system32\Hfnkji32.exe42⤵
- Executes dropped EXE
PID:1724 -
C:\Windows\SysWOW64\Hahljg32.exeC:\Windows\system32\Hahljg32.exe43⤵
- Executes dropped EXE
PID:700 -
C:\Windows\SysWOW64\Holldk32.exeC:\Windows\system32\Holldk32.exe44⤵
- Executes dropped EXE
PID:1656 -
C:\Windows\SysWOW64\Hkbmil32.exeC:\Windows\system32\Hkbmil32.exe45⤵
- Executes dropped EXE
PID:1872 -
C:\Windows\SysWOW64\Hhfmbq32.exeC:\Windows\system32\Hhfmbq32.exe46⤵
- Executes dropped EXE
PID:2052 -
C:\Windows\SysWOW64\Iaobkf32.exeC:\Windows\system32\Iaobkf32.exe47⤵
- Executes dropped EXE
PID:2236 -
C:\Windows\SysWOW64\Ihijhpdo.exeC:\Windows\system32\Ihijhpdo.exe48⤵
- Executes dropped EXE
PID:1668 -
C:\Windows\SysWOW64\Ipdolbbj.exeC:\Windows\system32\Ipdolbbj.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2400 -
C:\Windows\SysWOW64\Ilkpac32.exeC:\Windows\system32\Ilkpac32.exe50⤵
- Executes dropped EXE
PID:1988 -
C:\Windows\SysWOW64\Iecdji32.exeC:\Windows\system32\Iecdji32.exe51⤵
- Executes dropped EXE
PID:1396 -
C:\Windows\SysWOW64\Iphhgb32.exeC:\Windows\system32\Iphhgb32.exe52⤵
- Executes dropped EXE
PID:3048 -
C:\Windows\SysWOW64\Ieeqpi32.exeC:\Windows\system32\Ieeqpi32.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2764 -
C:\Windows\SysWOW64\Ionehnbm.exeC:\Windows\system32\Ionehnbm.exe54⤵
- Executes dropped EXE
PID:2888 -
C:\Windows\SysWOW64\Jfhmehji.exeC:\Windows\system32\Jfhmehji.exe55⤵
- Executes dropped EXE
PID:2796 -
C:\Windows\SysWOW64\Jkdfmoha.exeC:\Windows\system32\Jkdfmoha.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1548 -
C:\Windows\SysWOW64\Jdmjfe32.exeC:\Windows\system32\Jdmjfe32.exe57⤵
- Executes dropped EXE
PID:1652 -
C:\Windows\SysWOW64\Jkgbcofn.exeC:\Windows\system32\Jkgbcofn.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2972 -
C:\Windows\SysWOW64\Jgnchplb.exeC:\Windows\system32\Jgnchplb.exe59⤵
- Executes dropped EXE
PID:1300 -
C:\Windows\SysWOW64\Jngkdj32.exeC:\Windows\system32\Jngkdj32.exe60⤵
- Executes dropped EXE
PID:1968 -
C:\Windows\SysWOW64\Jhmpbc32.exeC:\Windows\system32\Jhmpbc32.exe61⤵
- Executes dropped EXE
PID:2348 -
C:\Windows\SysWOW64\Jjnlikic.exeC:\Windows\system32\Jjnlikic.exe62⤵
- Executes dropped EXE
PID:2392 -
C:\Windows\SysWOW64\Jddqgdii.exeC:\Windows\system32\Jddqgdii.exe63⤵
- Executes dropped EXE
PID:2104 -
C:\Windows\SysWOW64\Jnlepioj.exeC:\Windows\system32\Jnlepioj.exe64⤵
- Executes dropped EXE
PID:920 -
C:\Windows\SysWOW64\Kfgjdlme.exeC:\Windows\system32\Kfgjdlme.exe65⤵
- Executes dropped EXE
- Modifies registry class
PID:1712 -
C:\Windows\SysWOW64\Kqmnadlk.exeC:\Windows\system32\Kqmnadlk.exe66⤵PID:2092
-
C:\Windows\SysWOW64\Kjebjjck.exeC:\Windows\system32\Kjebjjck.exe67⤵PID:1340
-
C:\Windows\SysWOW64\Kcngcp32.exeC:\Windows\system32\Kcngcp32.exe68⤵PID:2468
-
C:\Windows\SysWOW64\Kmfklepl.exeC:\Windows\system32\Kmfklepl.exe69⤵
- Modifies registry class
PID:2556 -
C:\Windows\SysWOW64\Kcpcho32.exeC:\Windows\system32\Kcpcho32.exe70⤵PID:2352
-
C:\Windows\SysWOW64\Kkkhmadd.exeC:\Windows\system32\Kkkhmadd.exe71⤵PID:2828
-
C:\Windows\SysWOW64\Kfaljjdj.exeC:\Windows\system32\Kfaljjdj.exe72⤵PID:3052
-
C:\Windows\SysWOW64\Lknebaba.exeC:\Windows\system32\Lknebaba.exe73⤵PID:2680
-
C:\Windows\SysWOW64\Lajmkhai.exeC:\Windows\system32\Lajmkhai.exe74⤵PID:2424
-
C:\Windows\SysWOW64\Lgdfgbhf.exeC:\Windows\system32\Lgdfgbhf.exe75⤵PID:2204
-
C:\Windows\SysWOW64\Ljcbcngi.exeC:\Windows\system32\Ljcbcngi.exe76⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2188 -
C:\Windows\SysWOW64\Lggbmbfc.exeC:\Windows\system32\Lggbmbfc.exe77⤵PID:3000
-
C:\Windows\SysWOW64\Lmckeidj.exeC:\Windows\system32\Lmckeidj.exe78⤵PID:3060
-
C:\Windows\SysWOW64\Lgiobadq.exeC:\Windows\system32\Lgiobadq.exe79⤵PID:2320
-
C:\Windows\SysWOW64\Ljgkom32.exeC:\Windows\system32\Ljgkom32.exe80⤵PID:2464
-
C:\Windows\SysWOW64\Lcppgbjd.exeC:\Windows\system32\Lcppgbjd.exe81⤵
- Drops file in System32 directory
PID:2220 -
C:\Windows\SysWOW64\Ljjhdm32.exeC:\Windows\system32\Ljjhdm32.exe82⤵
- System Location Discovery: System Language Discovery
PID:2520 -
C:\Windows\SysWOW64\Mcbmmbhb.exeC:\Windows\system32\Mcbmmbhb.exe83⤵PID:960
-
C:\Windows\SysWOW64\Mmkafhnb.exeC:\Windows\system32\Mmkafhnb.exe84⤵
- System Location Discovery: System Language Discovery
PID:2564 -
C:\Windows\SysWOW64\Mfceom32.exeC:\Windows\system32\Mfceom32.exe85⤵PID:2284
-
C:\Windows\SysWOW64\Mpkjgckc.exeC:\Windows\system32\Mpkjgckc.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3056 -
C:\Windows\SysWOW64\Mhfoleio.exeC:\Windows\system32\Mhfoleio.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1508 -
C:\Windows\SysWOW64\Maocekoo.exeC:\Windows\system32\Maocekoo.exe88⤵
- Drops file in System32 directory
PID:2816 -
C:\Windows\SysWOW64\Mkggnp32.exeC:\Windows\system32\Mkggnp32.exe89⤵PID:2428
-
C:\Windows\SysWOW64\Mbopon32.exeC:\Windows\system32\Mbopon32.exe90⤵PID:3012
-
C:\Windows\SysWOW64\Mdplfflp.exeC:\Windows\system32\Mdplfflp.exe91⤵
- Drops file in System32 directory
PID:1884 -
C:\Windows\SysWOW64\Noepdo32.exeC:\Windows\system32\Noepdo32.exe92⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:632 -
C:\Windows\SysWOW64\Ngqeha32.exeC:\Windows\system32\Ngqeha32.exe93⤵PID:1680
-
C:\Windows\SysWOW64\Nafiej32.exeC:\Windows\system32\Nafiej32.exe94⤵
- Drops file in System32 directory
PID:2512 -
C:\Windows\SysWOW64\Ngcanq32.exeC:\Windows\system32\Ngcanq32.exe95⤵PID:1800
-
C:\Windows\SysWOW64\Nahfkigd.exeC:\Windows\system32\Nahfkigd.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:584 -
C:\Windows\SysWOW64\Ngencpel.exeC:\Windows\system32\Ngencpel.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1880 -
C:\Windows\SysWOW64\Nlbgkgcc.exeC:\Windows\system32\Nlbgkgcc.exe98⤵PID:2280
-
C:\Windows\SysWOW64\Nejkdm32.exeC:\Windows\system32\Nejkdm32.exe99⤵
- Drops file in System32 directory
PID:896 -
C:\Windows\SysWOW64\Npppaejj.exeC:\Windows\system32\Npppaejj.exe100⤵PID:2712
-
C:\Windows\SysWOW64\Oemhjlha.exeC:\Windows\system32\Oemhjlha.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2800 -
C:\Windows\SysWOW64\Ooemcb32.exeC:\Windows\system32\Ooemcb32.exe102⤵PID:1016
-
C:\Windows\SysWOW64\Ohmalgeb.exeC:\Windows\system32\Ohmalgeb.exe103⤵PID:1128
-
C:\Windows\SysWOW64\Oafedmlb.exeC:\Windows\system32\Oafedmlb.exe104⤵PID:2620
-
C:\Windows\SysWOW64\Olkjaflh.exeC:\Windows\system32\Olkjaflh.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2356 -
C:\Windows\SysWOW64\Odfofhic.exeC:\Windows\system32\Odfofhic.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2948 -
C:\Windows\SysWOW64\Oolbcaij.exeC:\Windows\system32\Oolbcaij.exe107⤵
- Drops file in System32 directory
PID:2276 -
C:\Windows\SysWOW64\Oggghc32.exeC:\Windows\system32\Oggghc32.exe108⤵PID:2184
-
C:\Windows\SysWOW64\Pamlel32.exeC:\Windows\system32\Pamlel32.exe109⤵
- Drops file in System32 directory
PID:1432 -
C:\Windows\SysWOW64\Pcnhmdli.exeC:\Windows\system32\Pcnhmdli.exe110⤵PID:1736
-
C:\Windows\SysWOW64\Pjhpin32.exeC:\Windows\system32\Pjhpin32.exe111⤵PID:1648
-
C:\Windows\SysWOW64\Pglacbbo.exeC:\Windows\system32\Pglacbbo.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1776 -
C:\Windows\SysWOW64\Pmiikipg.exeC:\Windows\system32\Pmiikipg.exe113⤵PID:2780
-
C:\Windows\SysWOW64\Anjojphb.exeC:\Windows\system32\Anjojphb.exe114⤵PID:2676
-
C:\Windows\SysWOW64\Aidpjm32.exeC:\Windows\system32\Aidpjm32.exe115⤵
- Drops file in System32 directory
PID:2132 -
C:\Windows\SysWOW64\Bleilh32.exeC:\Windows\system32\Bleilh32.exe116⤵
- Modifies registry class
PID:2388 -
C:\Windows\SysWOW64\Bjalndpb.exeC:\Windows\system32\Bjalndpb.exe117⤵PID:2404
-
C:\Windows\SysWOW64\Bdipfi32.exeC:\Windows\system32\Bdipfi32.exe118⤵PID:1040
-
C:\Windows\SysWOW64\Cooddbfh.exeC:\Windows\system32\Cooddbfh.exe119⤵
- System Location Discovery: System Language Discovery
PID:1292 -
C:\Windows\SysWOW64\Chgimh32.exeC:\Windows\system32\Chgimh32.exe120⤵PID:540
-
C:\Windows\SysWOW64\Cpbnaj32.exeC:\Windows\system32\Cpbnaj32.exe121⤵PID:1532
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-