Analysis
-
max time kernel
117s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
07/11/2024, 07:18
Static task
static1
Behavioral task
behavioral1
Sample
c7b0ab36971eb1ab3c555226422bd02bab527a1fc204565f79ed4ce7a0cb2819N.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
c7b0ab36971eb1ab3c555226422bd02bab527a1fc204565f79ed4ce7a0cb2819N.exe
Resource
win10v2004-20241007-en
General
-
Target
c7b0ab36971eb1ab3c555226422bd02bab527a1fc204565f79ed4ce7a0cb2819N.exe
-
Size
224KB
-
MD5
cf76e0942cce39ba153dc08146213250
-
SHA1
2c6a923efc19530e15c1a218674d579756fe422a
-
SHA256
c7b0ab36971eb1ab3c555226422bd02bab527a1fc204565f79ed4ce7a0cb2819
-
SHA512
95628e66f8277905354d4bca618b4042c6ee96c60a5d650856e3ae60a02be914821ab91d9e75442c60da01e0e5d0bcc88e69961a3947363946978a2921421f33
-
SSDEEP
6144:d5k++KzxVv9VRbbWGRdA6sQc/Yp7TVX3J/1awbWGRdA6sQcv:d5kRKzxVv9HbWGRdA6sQhPbWGRdA6sQc
Malware Config
Extracted
berbew
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eogmcjef.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbhcim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfkloq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppfomk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Befmfpbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Injndk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kgnbnpkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nfoghakb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pgfjhcge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dldkmlhl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggicgopd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iefcfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lfoojj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofcqcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cmmagpef.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Injndk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dkqnoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fnflke32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcnbhb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mqbbagjo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Objaha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dddimn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgbeiiqe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifgpnmom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jojkco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nnmlcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbblda32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgoelh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjhcegll.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjofdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lnjcomcf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Offmipej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Abpcooea.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bceibfgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Elipgofb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eeaepd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcqombic.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adifpk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckhdggom.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggkqmoma.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imahkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jmfafgbd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgqkbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ompefj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cegoqlof.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odhhgkib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ccpcckck.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iimfld32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbqmhnbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojmpooah.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfjpdjjo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iliebpfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fqfemqod.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gqdefddb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jialfgcc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qiioon32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qdaglmcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eoepnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eldglp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lklgbadb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdghaf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbhhdnlh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obhdcanc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Amaelomh.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2324 Obdojcef.exe 2556 Oagoep32.exe 2248 Odhhgkib.exe 2888 Oonldcih.exe 2860 Omqlpp32.exe 2620 Opaebkmc.exe 2608 Odmabj32.exe 1556 Pmgbao32.exe 692 Ppfomk32.exe 2040 Pcghof32.exe 2012 Peedka32.exe 2960 Pkdihhag.exe 2972 Pdmnam32.exe 2344 Qododfek.exe 2784 Qdaglmcb.exe 1536 Ajqljc32.exe 2272 Agdmdg32.exe 1684 Amaelomh.exe 1468 Ackmih32.exe 324 Aqonbm32.exe 1828 Acnjnh32.exe 1940 Bfncpcoc.exe 592 Bmhkmm32.exe 1632 Bkklhjnk.exe 1912 Becpap32.exe 2884 Bbgqjdce.exe 2716 Befmfpbi.exe 2600 Behilopf.exe 2636 Bckjhl32.exe 2900 Bnqned32.exe 2168 Baojapfj.exe 768 Bcmfmlen.exe 1968 Bflbigdb.exe 1896 Cjgoje32.exe 2916 Cmfkfa32.exe 2788 Ccpcckck.exe 2988 Cgkocj32.exe 2928 Cfnoogbo.exe 796 Cillkbac.exe 2316 Cpfdhl32.exe 1120 Ccbphk32.exe 1688 Cjlheehe.exe 960 Cmjdaqgi.exe 2092 Clmdmm32.exe 1812 Ccdmnj32.exe 2516 Ciaefa32.exe 2292 Cmmagpef.exe 1624 Cnnnnh32.exe 2892 Cbiiog32.exe 3016 Cfeepelg.exe 2840 Cicalakk.exe 2604 Cpmjhk32.exe 2624 Copjdhib.exe 2388 Dejbqb32.exe 1740 Dhiomn32.exe 872 Dldkmlhl.exe 1944 Dbncjf32.exe 1144 Demofaol.exe 1716 Ddpobo32.exe 1884 Dkigoimd.exe 2432 Dmhdkdlg.exe 1256 Deollamj.exe 2044 Dhmhhmlm.exe 2000 Dfphcj32.exe -
Loads dropped DLL 64 IoCs
pid Process 2520 c7b0ab36971eb1ab3c555226422bd02bab527a1fc204565f79ed4ce7a0cb2819N.exe 2520 c7b0ab36971eb1ab3c555226422bd02bab527a1fc204565f79ed4ce7a0cb2819N.exe 2324 Obdojcef.exe 2324 Obdojcef.exe 2556 Oagoep32.exe 2556 Oagoep32.exe 2248 Odhhgkib.exe 2248 Odhhgkib.exe 2888 Oonldcih.exe 2888 Oonldcih.exe 2860 Omqlpp32.exe 2860 Omqlpp32.exe 2620 Opaebkmc.exe 2620 Opaebkmc.exe 2608 Odmabj32.exe 2608 Odmabj32.exe 1556 Pmgbao32.exe 1556 Pmgbao32.exe 692 Ppfomk32.exe 692 Ppfomk32.exe 2040 Pcghof32.exe 2040 Pcghof32.exe 2012 Peedka32.exe 2012 Peedka32.exe 2960 Pkdihhag.exe 2960 Pkdihhag.exe 2972 Pdmnam32.exe 2972 Pdmnam32.exe 2344 Qododfek.exe 2344 Qododfek.exe 2784 Qdaglmcb.exe 2784 Qdaglmcb.exe 1536 Ajqljc32.exe 1536 Ajqljc32.exe 2272 Agdmdg32.exe 2272 Agdmdg32.exe 1684 Amaelomh.exe 1684 Amaelomh.exe 1468 Ackmih32.exe 1468 Ackmih32.exe 324 Aqonbm32.exe 324 Aqonbm32.exe 1828 Acnjnh32.exe 1828 Acnjnh32.exe 1940 Bfncpcoc.exe 1940 Bfncpcoc.exe 592 Bmhkmm32.exe 592 Bmhkmm32.exe 1632 Bkklhjnk.exe 1632 Bkklhjnk.exe 1912 Becpap32.exe 1912 Becpap32.exe 2884 Bbgqjdce.exe 2884 Bbgqjdce.exe 2716 Befmfpbi.exe 2716 Befmfpbi.exe 2600 Behilopf.exe 2600 Behilopf.exe 2636 Bckjhl32.exe 2636 Bckjhl32.exe 2900 Bnqned32.exe 2900 Bnqned32.exe 2168 Baojapfj.exe 2168 Baojapfj.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Pkdihhag.exe Peedka32.exe File created C:\Windows\SysWOW64\Nqcglmgd.dll Elipgofb.exe File created C:\Windows\SysWOW64\Hjcppidk.exe Hcigco32.exe File created C:\Windows\SysWOW64\Locjhqpa.exe Lhiakf32.exe File created C:\Windows\SysWOW64\Oiffkkbk.exe Obmnna32.exe File created C:\Windows\SysWOW64\Pidfdofi.exe Pgfjhcge.exe File opened for modification C:\Windows\SysWOW64\Bffbdadk.exe Bchfhfeh.exe File opened for modification C:\Windows\SysWOW64\Pkdihhag.exe Peedka32.exe File created C:\Windows\SysWOW64\Liihgqil.dll Gbhbdi32.exe File opened for modification C:\Windows\SysWOW64\Ldbofgme.exe Lfoojj32.exe File created C:\Windows\SysWOW64\Kagflkia.dll Nbhhdnlh.exe File created C:\Windows\SysWOW64\Ameaio32.dll Paknelgk.exe File created C:\Windows\SysWOW64\Famope32.exe Fkbgckgd.exe File created C:\Windows\SysWOW64\Ijehdl32.exe Ifjlcmmj.exe File created C:\Windows\SysWOW64\Jhbold32.exe Jioopgef.exe File opened for modification C:\Windows\SysWOW64\Eogmcjef.exe Elipgofb.exe File opened for modification C:\Windows\SysWOW64\Fcbecl32.exe Fogibnha.exe File created C:\Windows\SysWOW64\Fffjig32.dll Kekiphge.exe File created C:\Windows\SysWOW64\Lgehno32.exe Lcjlnpmo.exe File opened for modification C:\Windows\SysWOW64\Mmicfh32.exe Mimgeigj.exe File opened for modification C:\Windows\SysWOW64\Baojapfj.exe Bnqned32.exe File opened for modification C:\Windows\SysWOW64\Hemqpf32.exe Hfjpdjjo.exe File opened for modification C:\Windows\SysWOW64\Nplimbka.exe Nibqqh32.exe File opened for modification C:\Windows\SysWOW64\Ceebklai.exe Caifjn32.exe File created C:\Windows\SysWOW64\Ppfomk32.exe Pmgbao32.exe File created C:\Windows\SysWOW64\Dfphcj32.exe Dhmhhmlm.exe File created C:\Windows\SysWOW64\Aoagccfn.exe Agjobffl.exe File created C:\Windows\SysWOW64\Eoepingi.dll Kdnild32.exe File created C:\Windows\SysWOW64\Kainfp32.dll Acnjnh32.exe File created C:\Windows\SysWOW64\Ddfebnoo.exe Dahifbpk.exe File created C:\Windows\SysWOW64\Ekdehk32.dll Fhdjgoha.exe File created C:\Windows\SysWOW64\Gqahqd32.exe Gncldi32.exe File created C:\Windows\SysWOW64\Ikidod32.dll Hnheohcl.exe File opened for modification C:\Windows\SysWOW64\Jolghndm.exe Jhbold32.exe File opened for modification C:\Windows\SysWOW64\Jhdlad32.exe Jialfgcc.exe File created C:\Windows\SysWOW64\Dimkiekk.dll Llbqfe32.exe File opened for modification C:\Windows\SysWOW64\Offmipej.exe Objaha32.exe File created C:\Windows\SysWOW64\Mhhigm32.dll Befmfpbi.exe File created C:\Windows\SysWOW64\Diaaeepi.exe Dgbeiiqe.exe File created C:\Windows\SysWOW64\Hgccgk32.dll Hpnkbpdd.exe File created C:\Windows\SysWOW64\Clojhf32.exe Ceebklai.exe File created C:\Windows\SysWOW64\Ddonghfa.dll Fogibnha.exe File created C:\Windows\SysWOW64\Hjofdi32.exe Hgpjhn32.exe File created C:\Windows\SysWOW64\Phbeeddm.dll Hlgimqhf.exe File opened for modification C:\Windows\SysWOW64\Mmbmeifk.exe Mjcaimgg.exe File created C:\Windows\SysWOW64\Pleofj32.exe Pnbojmmp.exe File created C:\Windows\SysWOW64\Cbblda32.exe Cocphf32.exe File opened for modification C:\Windows\SysWOW64\Cebeem32.exe Cbdiia32.exe File created C:\Windows\SysWOW64\Gbjojh32.exe Golbnm32.exe File created C:\Windows\SysWOW64\Hcijqc32.dll Ggicgopd.exe File created C:\Windows\SysWOW64\Gcmbji32.dll Hjacjifm.exe File created C:\Windows\SysWOW64\Inhanl32.exe Iliebpfc.exe File created C:\Windows\SysWOW64\Gjcgnola.dll Jbefcm32.exe File opened for modification C:\Windows\SysWOW64\Bceibfgj.exe Bdcifi32.exe File created C:\Windows\SysWOW64\Dgdfdnfj.dll Gqahqd32.exe File created C:\Windows\SysWOW64\Nefdpjkl.exe Nbhhdnlh.exe File created C:\Windows\SysWOW64\Adpqglen.dll Ajpepm32.exe File opened for modification C:\Windows\SysWOW64\Cfkloq32.exe Ccmpce32.exe File created C:\Windows\SysWOW64\Bfncpcoc.exe Acnjnh32.exe File created C:\Windows\SysWOW64\Qaemhl32.dll Hkiicmdh.exe File created C:\Windows\SysWOW64\Jmiacp32.dll Mmbmeifk.exe File opened for modification C:\Windows\SysWOW64\Bcjcme32.exe Bmpkqklh.exe File created C:\Windows\SysWOW64\Idkhmgco.dll Ppfomk32.exe File created C:\Windows\SysWOW64\Nmlfpfpl.dll Aebmjo32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4728 4648 WerFault.exe 416 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qododfek.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dejbqb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Diaaeepi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjacjifm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iimfld32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbhcim32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbhlek32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjlheehe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eijdkcgn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gblkoham.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdkgkcpq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcjlnpmo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhgnaehm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aoagccfn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjlmpfhg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Injndk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jolghndm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcnbhb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbhbdi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mclebc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omqlpp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emagacdm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opnbbe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdqlajbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcgphp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnqned32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccpcckck.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Demofaol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eeaepd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fajbke32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdhkfd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijehdl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjmeiq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpkompgg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhdlad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bffbdadk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odmabj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkbgckgd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bqijljfd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bcjcme32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfkloq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Caifjn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ooabmbbe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obdojcef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfncpcoc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bflbigdb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjhcegll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmpcgace.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iedfqeka.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlnpgd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pghfnc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmhnkfpa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmmagpef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkecij32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gceailog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbjojh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgbfnngi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcldhnkk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inlkik32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbefcm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nibqqh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnbojmmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qgjccb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdcifi32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aglfmjon.dll" Abpcooea.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dmbcen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kleajenp.dll" Inlkik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gncakm32.dll" Phcilf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kadfkhkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oiffkkbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiapeffl.dll" Opglafab.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hifpke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kdnild32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oagoep32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dddimn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mngnjmjh.dll" Eogmcjef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eeaepd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nnmlcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Obmnna32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Agjobffl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ccmpce32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Peedka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Copjdhib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgddfe32.dll" Lnhgim32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mbcoio32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dahifbpk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fjhcegll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ehpalp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oplelf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ddpobo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clgqde32.dll" Dmhdkdlg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chdndgcj.dll" Lcofio32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bmpkqklh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idgcbbda.dll" Bckjhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhfcho32.dll" Cfeepelg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbnnnbbh.dll" Oaghki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bffbdadk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cjlheehe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgcchb32.dll" Nmfbpk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojefmknj.dll" Pbagipfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Incleo32.dll" Acfmcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aficjnpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Obdojcef.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lgqkbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jialfgcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qjdaldla.dll" Mbhlek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iakgefqe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jmdepg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fkecij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqcifjof.dll" Paiaplin.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cgfkmgnj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 c7b0ab36971eb1ab3c555226422bd02bab527a1fc204565f79ed4ce7a0cb2819N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pkdihhag.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ljfapjbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcijqc32.dll" Ggicgopd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jbjpom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aacinhhc.dll" Apgagg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgnenf32.dll" Bnknoogp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cfkloq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cocphf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kgnbnpkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlbjim32.dll" Pnbojmmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jbqmhnbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpqmndme.dll" Qnghel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pkdihhag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dhmhhmlm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdlca32.dll" Objaha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bngpjpqe.dll" Bjmeiq32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2520 wrote to memory of 2324 2520 c7b0ab36971eb1ab3c555226422bd02bab527a1fc204565f79ed4ce7a0cb2819N.exe 30 PID 2520 wrote to memory of 2324 2520 c7b0ab36971eb1ab3c555226422bd02bab527a1fc204565f79ed4ce7a0cb2819N.exe 30 PID 2520 wrote to memory of 2324 2520 c7b0ab36971eb1ab3c555226422bd02bab527a1fc204565f79ed4ce7a0cb2819N.exe 30 PID 2520 wrote to memory of 2324 2520 c7b0ab36971eb1ab3c555226422bd02bab527a1fc204565f79ed4ce7a0cb2819N.exe 30 PID 2324 wrote to memory of 2556 2324 Obdojcef.exe 31 PID 2324 wrote to memory of 2556 2324 Obdojcef.exe 31 PID 2324 wrote to memory of 2556 2324 Obdojcef.exe 31 PID 2324 wrote to memory of 2556 2324 Obdojcef.exe 31 PID 2556 wrote to memory of 2248 2556 Oagoep32.exe 32 PID 2556 wrote to memory of 2248 2556 Oagoep32.exe 32 PID 2556 wrote to memory of 2248 2556 Oagoep32.exe 32 PID 2556 wrote to memory of 2248 2556 Oagoep32.exe 32 PID 2248 wrote to memory of 2888 2248 Odhhgkib.exe 33 PID 2248 wrote to memory of 2888 2248 Odhhgkib.exe 33 PID 2248 wrote to memory of 2888 2248 Odhhgkib.exe 33 PID 2248 wrote to memory of 2888 2248 Odhhgkib.exe 33 PID 2888 wrote to memory of 2860 2888 Oonldcih.exe 34 PID 2888 wrote to memory of 2860 2888 Oonldcih.exe 34 PID 2888 wrote to memory of 2860 2888 Oonldcih.exe 34 PID 2888 wrote to memory of 2860 2888 Oonldcih.exe 34 PID 2860 wrote to memory of 2620 2860 Omqlpp32.exe 35 PID 2860 wrote to memory of 2620 2860 Omqlpp32.exe 35 PID 2860 wrote to memory of 2620 2860 Omqlpp32.exe 35 PID 2860 wrote to memory of 2620 2860 Omqlpp32.exe 35 PID 2620 wrote to memory of 2608 2620 Opaebkmc.exe 36 PID 2620 wrote to memory of 2608 2620 Opaebkmc.exe 36 PID 2620 wrote to memory of 2608 2620 Opaebkmc.exe 36 PID 2620 wrote to memory of 2608 2620 Opaebkmc.exe 36 PID 2608 wrote to memory of 1556 2608 Odmabj32.exe 37 PID 2608 wrote to memory of 1556 2608 Odmabj32.exe 37 PID 2608 wrote to memory of 1556 2608 Odmabj32.exe 37 PID 2608 wrote to memory of 1556 2608 Odmabj32.exe 37 PID 1556 wrote to memory of 692 1556 Pmgbao32.exe 38 PID 1556 wrote to memory of 692 1556 Pmgbao32.exe 38 PID 1556 wrote to memory of 692 1556 Pmgbao32.exe 38 PID 1556 wrote to memory of 692 1556 Pmgbao32.exe 38 PID 692 wrote to memory of 2040 692 Ppfomk32.exe 39 PID 692 wrote to memory of 2040 692 Ppfomk32.exe 39 PID 692 wrote to memory of 2040 692 Ppfomk32.exe 39 PID 692 wrote to memory of 2040 692 Ppfomk32.exe 39 PID 2040 wrote to memory of 2012 2040 Pcghof32.exe 40 PID 2040 wrote to memory of 2012 2040 Pcghof32.exe 40 PID 2040 wrote to memory of 2012 2040 Pcghof32.exe 40 PID 2040 wrote to memory of 2012 2040 Pcghof32.exe 40 PID 2012 wrote to memory of 2960 2012 Peedka32.exe 41 PID 2012 wrote to memory of 2960 2012 Peedka32.exe 41 PID 2012 wrote to memory of 2960 2012 Peedka32.exe 41 PID 2012 wrote to memory of 2960 2012 Peedka32.exe 41 PID 2960 wrote to memory of 2972 2960 Pkdihhag.exe 42 PID 2960 wrote to memory of 2972 2960 Pkdihhag.exe 42 PID 2960 wrote to memory of 2972 2960 Pkdihhag.exe 42 PID 2960 wrote to memory of 2972 2960 Pkdihhag.exe 42 PID 2972 wrote to memory of 2344 2972 Pdmnam32.exe 43 PID 2972 wrote to memory of 2344 2972 Pdmnam32.exe 43 PID 2972 wrote to memory of 2344 2972 Pdmnam32.exe 43 PID 2972 wrote to memory of 2344 2972 Pdmnam32.exe 43 PID 2344 wrote to memory of 2784 2344 Qododfek.exe 44 PID 2344 wrote to memory of 2784 2344 Qododfek.exe 44 PID 2344 wrote to memory of 2784 2344 Qododfek.exe 44 PID 2344 wrote to memory of 2784 2344 Qododfek.exe 44 PID 2784 wrote to memory of 1536 2784 Qdaglmcb.exe 45 PID 2784 wrote to memory of 1536 2784 Qdaglmcb.exe 45 PID 2784 wrote to memory of 1536 2784 Qdaglmcb.exe 45 PID 2784 wrote to memory of 1536 2784 Qdaglmcb.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\c7b0ab36971eb1ab3c555226422bd02bab527a1fc204565f79ed4ce7a0cb2819N.exe"C:\Users\Admin\AppData\Local\Temp\c7b0ab36971eb1ab3c555226422bd02bab527a1fc204565f79ed4ce7a0cb2819N.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2520 -
C:\Windows\SysWOW64\Obdojcef.exeC:\Windows\system32\Obdojcef.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2324 -
C:\Windows\SysWOW64\Oagoep32.exeC:\Windows\system32\Oagoep32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2556 -
C:\Windows\SysWOW64\Odhhgkib.exeC:\Windows\system32\Odhhgkib.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2248 -
C:\Windows\SysWOW64\Oonldcih.exeC:\Windows\system32\Oonldcih.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2888 -
C:\Windows\SysWOW64\Omqlpp32.exeC:\Windows\system32\Omqlpp32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2860 -
C:\Windows\SysWOW64\Opaebkmc.exeC:\Windows\system32\Opaebkmc.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2620 -
C:\Windows\SysWOW64\Odmabj32.exeC:\Windows\system32\Odmabj32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2608 -
C:\Windows\SysWOW64\Pmgbao32.exeC:\Windows\system32\Pmgbao32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1556 -
C:\Windows\SysWOW64\Ppfomk32.exeC:\Windows\system32\Ppfomk32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:692 -
C:\Windows\SysWOW64\Pcghof32.exeC:\Windows\system32\Pcghof32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2040 -
C:\Windows\SysWOW64\Peedka32.exeC:\Windows\system32\Peedka32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2012 -
C:\Windows\SysWOW64\Pkdihhag.exeC:\Windows\system32\Pkdihhag.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2960 -
C:\Windows\SysWOW64\Pdmnam32.exeC:\Windows\system32\Pdmnam32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2972 -
C:\Windows\SysWOW64\Qododfek.exeC:\Windows\system32\Qododfek.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2344 -
C:\Windows\SysWOW64\Qdaglmcb.exeC:\Windows\system32\Qdaglmcb.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2784 -
C:\Windows\SysWOW64\Ajqljc32.exeC:\Windows\system32\Ajqljc32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1536 -
C:\Windows\SysWOW64\Agdmdg32.exeC:\Windows\system32\Agdmdg32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2272 -
C:\Windows\SysWOW64\Amaelomh.exeC:\Windows\system32\Amaelomh.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1684 -
C:\Windows\SysWOW64\Ackmih32.exeC:\Windows\system32\Ackmih32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1468 -
C:\Windows\SysWOW64\Aqonbm32.exeC:\Windows\system32\Aqonbm32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:324 -
C:\Windows\SysWOW64\Acnjnh32.exeC:\Windows\system32\Acnjnh32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1828 -
C:\Windows\SysWOW64\Bfncpcoc.exeC:\Windows\system32\Bfncpcoc.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1940 -
C:\Windows\SysWOW64\Bmhkmm32.exeC:\Windows\system32\Bmhkmm32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:592 -
C:\Windows\SysWOW64\Bkklhjnk.exeC:\Windows\system32\Bkklhjnk.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1632 -
C:\Windows\SysWOW64\Becpap32.exeC:\Windows\system32\Becpap32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1912 -
C:\Windows\SysWOW64\Bbgqjdce.exeC:\Windows\system32\Bbgqjdce.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2884 -
C:\Windows\SysWOW64\Befmfpbi.exeC:\Windows\system32\Befmfpbi.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2716 -
C:\Windows\SysWOW64\Behilopf.exeC:\Windows\system32\Behilopf.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2600 -
C:\Windows\SysWOW64\Bckjhl32.exeC:\Windows\system32\Bckjhl32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2636 -
C:\Windows\SysWOW64\Bnqned32.exeC:\Windows\system32\Bnqned32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2900 -
C:\Windows\SysWOW64\Baojapfj.exeC:\Windows\system32\Baojapfj.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2168 -
C:\Windows\SysWOW64\Bcmfmlen.exeC:\Windows\system32\Bcmfmlen.exe33⤵
- Executes dropped EXE
PID:768 -
C:\Windows\SysWOW64\Bflbigdb.exeC:\Windows\system32\Bflbigdb.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1968 -
C:\Windows\SysWOW64\Cjgoje32.exeC:\Windows\system32\Cjgoje32.exe35⤵
- Executes dropped EXE
PID:1896 -
C:\Windows\SysWOW64\Cmfkfa32.exeC:\Windows\system32\Cmfkfa32.exe36⤵
- Executes dropped EXE
PID:2916 -
C:\Windows\SysWOW64\Ccpcckck.exeC:\Windows\system32\Ccpcckck.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2788 -
C:\Windows\SysWOW64\Cgkocj32.exeC:\Windows\system32\Cgkocj32.exe38⤵
- Executes dropped EXE
PID:2988 -
C:\Windows\SysWOW64\Cfnoogbo.exeC:\Windows\system32\Cfnoogbo.exe39⤵
- Executes dropped EXE
PID:2928 -
C:\Windows\SysWOW64\Cillkbac.exeC:\Windows\system32\Cillkbac.exe40⤵
- Executes dropped EXE
PID:796 -
C:\Windows\SysWOW64\Cpfdhl32.exeC:\Windows\system32\Cpfdhl32.exe41⤵
- Executes dropped EXE
PID:2316 -
C:\Windows\SysWOW64\Ccbphk32.exeC:\Windows\system32\Ccbphk32.exe42⤵
- Executes dropped EXE
PID:1120 -
C:\Windows\SysWOW64\Cjlheehe.exeC:\Windows\system32\Cjlheehe.exe43⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1688 -
C:\Windows\SysWOW64\Cmjdaqgi.exeC:\Windows\system32\Cmjdaqgi.exe44⤵
- Executes dropped EXE
PID:960 -
C:\Windows\SysWOW64\Clmdmm32.exeC:\Windows\system32\Clmdmm32.exe45⤵
- Executes dropped EXE
PID:2092 -
C:\Windows\SysWOW64\Ccdmnj32.exeC:\Windows\system32\Ccdmnj32.exe46⤵
- Executes dropped EXE
PID:1812 -
C:\Windows\SysWOW64\Ciaefa32.exeC:\Windows\system32\Ciaefa32.exe47⤵
- Executes dropped EXE
PID:2516 -
C:\Windows\SysWOW64\Cmmagpef.exeC:\Windows\system32\Cmmagpef.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2292 -
C:\Windows\SysWOW64\Cnnnnh32.exeC:\Windows\system32\Cnnnnh32.exe49⤵
- Executes dropped EXE
PID:1624 -
C:\Windows\SysWOW64\Cbiiog32.exeC:\Windows\system32\Cbiiog32.exe50⤵
- Executes dropped EXE
PID:2892 -
C:\Windows\SysWOW64\Cfeepelg.exeC:\Windows\system32\Cfeepelg.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:3016 -
C:\Windows\SysWOW64\Cicalakk.exeC:\Windows\system32\Cicalakk.exe52⤵
- Executes dropped EXE
PID:2840 -
C:\Windows\SysWOW64\Cpmjhk32.exeC:\Windows\system32\Cpmjhk32.exe53⤵
- Executes dropped EXE
PID:2604 -
C:\Windows\SysWOW64\Copjdhib.exeC:\Windows\system32\Copjdhib.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:2624 -
C:\Windows\SysWOW64\Dejbqb32.exeC:\Windows\system32\Dejbqb32.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2388 -
C:\Windows\SysWOW64\Dhiomn32.exeC:\Windows\system32\Dhiomn32.exe56⤵
- Executes dropped EXE
PID:1740 -
C:\Windows\SysWOW64\Dldkmlhl.exeC:\Windows\system32\Dldkmlhl.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:872 -
C:\Windows\SysWOW64\Dbncjf32.exeC:\Windows\system32\Dbncjf32.exe58⤵
- Executes dropped EXE
PID:1944 -
C:\Windows\SysWOW64\Demofaol.exeC:\Windows\system32\Demofaol.exe59⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1144 -
C:\Windows\SysWOW64\Ddpobo32.exeC:\Windows\system32\Ddpobo32.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:1716 -
C:\Windows\SysWOW64\Dkigoimd.exeC:\Windows\system32\Dkigoimd.exe61⤵
- Executes dropped EXE
PID:1884 -
C:\Windows\SysWOW64\Dmhdkdlg.exeC:\Windows\system32\Dmhdkdlg.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:2432 -
C:\Windows\SysWOW64\Deollamj.exeC:\Windows\system32\Deollamj.exe63⤵
- Executes dropped EXE
PID:1256 -
C:\Windows\SysWOW64\Dhmhhmlm.exeC:\Windows\system32\Dhmhhmlm.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2044 -
C:\Windows\SysWOW64\Dfphcj32.exeC:\Windows\system32\Dfphcj32.exe65⤵
- Executes dropped EXE
PID:2000 -
C:\Windows\SysWOW64\Dogpdg32.exeC:\Windows\system32\Dogpdg32.exe66⤵PID:1976
-
C:\Windows\SysWOW64\Dafmqb32.exeC:\Windows\system32\Dafmqb32.exe67⤵PID:1784
-
C:\Windows\SysWOW64\Dddimn32.exeC:\Windows\system32\Dddimn32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2212 -
C:\Windows\SysWOW64\Dgbeiiqe.exeC:\Windows\system32\Dgbeiiqe.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2936 -
C:\Windows\SysWOW64\Diaaeepi.exeC:\Windows\system32\Diaaeepi.exe70⤵
- System Location Discovery: System Language Discovery
PID:1900 -
C:\Windows\SysWOW64\Dahifbpk.exeC:\Windows\system32\Dahifbpk.exe71⤵
- Drops file in System32 directory
- Modifies registry class
PID:2876 -
C:\Windows\SysWOW64\Ddfebnoo.exeC:\Windows\system32\Ddfebnoo.exe72⤵PID:2764
-
C:\Windows\SysWOW64\Dkqnoh32.exeC:\Windows\system32\Dkqnoh32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2760 -
C:\Windows\SysWOW64\Dmojkc32.exeC:\Windows\system32\Dmojkc32.exe74⤵PID:588
-
C:\Windows\SysWOW64\Elajgpmj.exeC:\Windows\system32\Elajgpmj.exe75⤵PID:1512
-
C:\Windows\SysWOW64\Edibhmml.exeC:\Windows\system32\Edibhmml.exe76⤵PID:1196
-
C:\Windows\SysWOW64\Eiekpd32.exeC:\Windows\system32\Eiekpd32.exe77⤵PID:2580
-
C:\Windows\SysWOW64\Emagacdm.exeC:\Windows\system32\Emagacdm.exe78⤵
- System Location Discovery: System Language Discovery
PID:2076 -
C:\Windows\SysWOW64\Eldglp32.exeC:\Windows\system32\Eldglp32.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2688 -
C:\Windows\SysWOW64\Eobchk32.exeC:\Windows\system32\Eobchk32.exe80⤵PID:3032
-
C:\Windows\SysWOW64\Eihgfd32.exeC:\Windows\system32\Eihgfd32.exe81⤵PID:1092
-
C:\Windows\SysWOW64\Ehkhaqpk.exeC:\Windows\system32\Ehkhaqpk.exe82⤵PID:2064
-
C:\Windows\SysWOW64\Epbpbnan.exeC:\Windows\system32\Epbpbnan.exe83⤵PID:696
-
C:\Windows\SysWOW64\Eoepnk32.exeC:\Windows\system32\Eoepnk32.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2232 -
C:\Windows\SysWOW64\Eacljf32.exeC:\Windows\system32\Eacljf32.exe85⤵PID:1788
-
C:\Windows\SysWOW64\Eijdkcgn.exeC:\Windows\system32\Eijdkcgn.exe86⤵
- System Location Discovery: System Language Discovery
PID:1520 -
C:\Windows\SysWOW64\Elipgofb.exeC:\Windows\system32\Elipgofb.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2236 -
C:\Windows\SysWOW64\Eogmcjef.exeC:\Windows\system32\Eogmcjef.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2424 -
C:\Windows\SysWOW64\Eeaepd32.exeC:\Windows\system32\Eeaepd32.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2964 -
C:\Windows\SysWOW64\Eddeladm.exeC:\Windows\system32\Eddeladm.exe90⤵PID:2628
-
C:\Windows\SysWOW64\Ehpalp32.exeC:\Windows\system32\Ehpalp32.exe91⤵
- Modifies registry class
PID:1668 -
C:\Windows\SysWOW64\Eknmhk32.exeC:\Windows\system32\Eknmhk32.exe92⤵PID:1184
-
C:\Windows\SysWOW64\Eoiiijcc.exeC:\Windows\system32\Eoiiijcc.exe93⤵PID:1880
-
C:\Windows\SysWOW64\Eaheeecg.exeC:\Windows\system32\Eaheeecg.exe94⤵PID:288
-
C:\Windows\SysWOW64\Fhbnbpjc.exeC:\Windows\system32\Fhbnbpjc.exe95⤵PID:2984
-
C:\Windows\SysWOW64\Fkpjnkig.exeC:\Windows\system32\Fkpjnkig.exe96⤵PID:2924
-
C:\Windows\SysWOW64\Folfoj32.exeC:\Windows\system32\Folfoj32.exe97⤵PID:1640
-
C:\Windows\SysWOW64\Fajbke32.exeC:\Windows\system32\Fajbke32.exe98⤵
- System Location Discovery: System Language Discovery
PID:1544 -
C:\Windows\SysWOW64\Fhdjgoha.exeC:\Windows\system32\Fhdjgoha.exe99⤵
- Drops file in System32 directory
PID:2476 -
C:\Windows\SysWOW64\Fkbgckgd.exeC:\Windows\system32\Fkbgckgd.exe100⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2100 -
C:\Windows\SysWOW64\Famope32.exeC:\Windows\system32\Famope32.exe101⤵PID:2252
-
C:\Windows\SysWOW64\Fpoolael.exeC:\Windows\system32\Fpoolael.exe102⤵PID:596
-
C:\Windows\SysWOW64\Fkecij32.exeC:\Windows\system32\Fkecij32.exe103⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2720 -
C:\Windows\SysWOW64\Fjhcegll.exeC:\Windows\system32\Fjhcegll.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2592 -
C:\Windows\SysWOW64\Fqalaa32.exeC:\Windows\system32\Fqalaa32.exe105⤵PID:524
-
C:\Windows\SysWOW64\Fdmhbplb.exeC:\Windows\system32\Fdmhbplb.exe106⤵PID:2504
-
C:\Windows\SysWOW64\Fgldnkkf.exeC:\Windows\system32\Fgldnkkf.exe107⤵PID:2820
-
C:\Windows\SysWOW64\Fnflke32.exeC:\Windows\system32\Fnflke32.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1996 -
C:\Windows\SysWOW64\Flhmfbim.exeC:\Windows\system32\Flhmfbim.exe109⤵PID:2980
-
C:\Windows\SysWOW64\Fogibnha.exeC:\Windows\system32\Fogibnha.exe110⤵
- Drops file in System32 directory
PID:340 -
C:\Windows\SysWOW64\Fcbecl32.exeC:\Windows\system32\Fcbecl32.exe111⤵PID:448
-
C:\Windows\SysWOW64\Ffaaoh32.exeC:\Windows\system32\Ffaaoh32.exe112⤵PID:2084
-
C:\Windows\SysWOW64\Fjlmpfhg.exeC:\Windows\system32\Fjlmpfhg.exe113⤵
- System Location Discovery: System Language Discovery
PID:2028 -
C:\Windows\SysWOW64\Fqfemqod.exeC:\Windows\system32\Fqfemqod.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2544 -
C:\Windows\SysWOW64\Gceailog.exeC:\Windows\system32\Gceailog.exe115⤵
- System Location Discovery: System Language Discovery
PID:3020 -
C:\Windows\SysWOW64\Gbhbdi32.exeC:\Windows\system32\Gbhbdi32.exe116⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2704 -
C:\Windows\SysWOW64\Ghajacmo.exeC:\Windows\system32\Ghajacmo.exe117⤵PID:2152
-
C:\Windows\SysWOW64\Golbnm32.exeC:\Windows\system32\Golbnm32.exe118⤵
- Drops file in System32 directory
PID:1620 -
C:\Windows\SysWOW64\Gbjojh32.exeC:\Windows\system32\Gbjojh32.exe119⤵
- System Location Discovery: System Language Discovery
PID:2268 -
C:\Windows\SysWOW64\Gdhkfd32.exeC:\Windows\system32\Gdhkfd32.exe120⤵
- System Location Discovery: System Language Discovery
PID:948 -
C:\Windows\SysWOW64\Gmpcgace.exeC:\Windows\system32\Gmpcgace.exe121⤵
- System Location Discovery: System Language Discovery
PID:1316 -
C:\Windows\SysWOW64\Gonocmbi.exeC:\Windows\system32\Gonocmbi.exe122⤵PID:1052
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-