Analysis
-
max time kernel
26s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
07/11/2024, 07:50
Static task
static1
Behavioral task
behavioral1
Sample
7baaf983b2b55bb8da0279a2fe21ccff4edd7f6baadf4310a2aa482c542c4d49N.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
7baaf983b2b55bb8da0279a2fe21ccff4edd7f6baadf4310a2aa482c542c4d49N.exe
Resource
win10v2004-20241007-en
General
-
Target
7baaf983b2b55bb8da0279a2fe21ccff4edd7f6baadf4310a2aa482c542c4d49N.exe
-
Size
492KB
-
MD5
27ea95608782e10d26b0079d541ffd90
-
SHA1
1a78b650bc3a0fb325c0ae7a4da7fe9f221116b8
-
SHA256
7baaf983b2b55bb8da0279a2fe21ccff4edd7f6baadf4310a2aa482c542c4d49
-
SHA512
89c96cfb96345a8c8d8071643809aca7a153d8cde0d67329ec7667373b02c62a761daae3b84c195f34e32255ab54f26f14c234b27132e4e0d0ecc34ffd610332
-
SSDEEP
12288:Et7ZaB+JbWGRdA6sQsWGRdA6sQxuEuZH8bWGRdA6sQhPbWGRdA6sQyy:Et70cJiecvsy
Malware Config
Extracted
berbew
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qakmghbm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hoegoqng.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifloeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hqpjndio.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njmejaqb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fnkblm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ieligmho.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dedkbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckdpinhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ehiiop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhdcbjal.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad 7baaf983b2b55bb8da0279a2fe21ccff4edd7f6baadf4310a2aa482c542c4d49N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hbnqln32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbpfpd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhdcbjal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aellfe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcljdpke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mchjjc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehdpcahk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gjahfkfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mbmgkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njmejaqb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgphke32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdeaim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Clkfjman.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njipabhe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afeold32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kblooa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gklkdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" 7baaf983b2b55bb8da0279a2fe21ccff4edd7f6baadf4310a2aa482c542c4d49N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mnneabff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmffhd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcihdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfnjqifb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mliibj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eidchjbi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcmkoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aaeiqf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnobfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dlnjjc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfiekc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Niaihojk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcbjon32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oafhmf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnneabff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mcmkoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ncejcg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkccob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nbddfe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odfjdk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckdpinhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ngcbie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Haejcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Biakbc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mbmgkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nbinad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cneiki32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clkfjman.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djcpqidc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ehpgha32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bcopkn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ieqbbl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbinad32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfcadq32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2608 Oafhmf32.exe 2476 Pppnia32.exe 2852 Pllhib32.exe 2412 Qakmghbm.exe 2964 Anfggicl.exe 2584 Boqgep32.exe 2812 Bcopkn32.exe 2364 Cmdcngbd.exe 2164 Dlnjjc32.exe 1788 Ddqeodjj.exe 1040 Eidchjbi.exe 1692 Fnkblm32.exe 2296 Fdlqjf32.exe 2484 Gdgcnj32.exe 600 Hbnqln32.exe 700 Henjnica.exe 2052 Haejcj32.exe 916 Hiblmldn.exe 936 Hjbhgolp.exe 1176 Ieligmho.exe 1220 Ienfml32.exe 2180 Ieqbbl32.exe 1520 Iecohl32.exe 2600 Jdhlih32.exe 3032 Jfiekc32.exe 2944 Jbpfpd32.exe 2968 Jgmofbpk.exe 332 Jeblgodb.exe 3052 Kiqdmm32.exe 676 Kheaoj32.exe 2332 Khhndi32.exe 2232 Khjkiikl.exe 2216 Lgphke32.exe 2140 Lgbdpena.exe 2548 Lgdafeln.exe 2044 Mkkpjg32.exe 956 Mqhhbn32.exe 2136 Mdeaim32.exe 2700 Mnneabff.exe 1008 Mfijfdca.exe 2248 Mcmkoi32.exe 952 Njipabhe.exe 2620 Nbddfe32.exe 1172 Niaihojk.exe 2072 Nbinad32.exe 1820 Nhffikob.exe 1704 Ohhcokmp.exe 832 Ohkpdj32.exe 888 Opfdim32.exe 3020 Ofbikf32.exe 2908 Odfjdk32.exe 1384 Pdamhocm.exe 2868 Peaibajp.exe 2168 Qgdbpi32.exe 3000 Qpmgho32.exe 2648 Aellfe32.exe 3040 Aaeiqf32.exe 2040 Aagfffbo.exe 3048 Afeold32.exe 984 Bblpae32.exe 2372 Bkgqpjch.exe 284 Bdoeipjh.exe 1968 Bmjjmbgc.exe 2152 Biakbc32.exe -
Loads dropped DLL 64 IoCs
pid Process 2340 7baaf983b2b55bb8da0279a2fe21ccff4edd7f6baadf4310a2aa482c542c4d49N.exe 2340 7baaf983b2b55bb8da0279a2fe21ccff4edd7f6baadf4310a2aa482c542c4d49N.exe 2608 Oafhmf32.exe 2608 Oafhmf32.exe 2476 Pppnia32.exe 2476 Pppnia32.exe 2852 Pllhib32.exe 2852 Pllhib32.exe 2412 Qakmghbm.exe 2412 Qakmghbm.exe 2964 Anfggicl.exe 2964 Anfggicl.exe 2584 Boqgep32.exe 2584 Boqgep32.exe 2812 Bcopkn32.exe 2812 Bcopkn32.exe 2364 Cmdcngbd.exe 2364 Cmdcngbd.exe 2164 Dlnjjc32.exe 2164 Dlnjjc32.exe 1788 Ddqeodjj.exe 1788 Ddqeodjj.exe 1040 Eidchjbi.exe 1040 Eidchjbi.exe 1692 Fnkblm32.exe 1692 Fnkblm32.exe 2296 Fdlqjf32.exe 2296 Fdlqjf32.exe 2484 Gdgcnj32.exe 2484 Gdgcnj32.exe 600 Hbnqln32.exe 600 Hbnqln32.exe 700 Henjnica.exe 700 Henjnica.exe 2052 Haejcj32.exe 2052 Haejcj32.exe 916 Hiblmldn.exe 916 Hiblmldn.exe 936 Hjbhgolp.exe 936 Hjbhgolp.exe 1176 Ieligmho.exe 1176 Ieligmho.exe 1220 Ienfml32.exe 1220 Ienfml32.exe 2180 Ieqbbl32.exe 2180 Ieqbbl32.exe 1520 Iecohl32.exe 1520 Iecohl32.exe 2600 Jdhlih32.exe 2600 Jdhlih32.exe 3032 Jfiekc32.exe 3032 Jfiekc32.exe 2944 Jbpfpd32.exe 2944 Jbpfpd32.exe 2968 Jgmofbpk.exe 2968 Jgmofbpk.exe 332 Jeblgodb.exe 332 Jeblgodb.exe 3052 Kiqdmm32.exe 3052 Kiqdmm32.exe 676 Kheaoj32.exe 676 Kheaoj32.exe 2332 Khhndi32.exe 2332 Khhndi32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Dcihdo32.exe Dedkbb32.exe File created C:\Windows\SysWOW64\Emomop32.dll Bcopkn32.exe File opened for modification C:\Windows\SysWOW64\Gdgcnj32.exe Fdlqjf32.exe File created C:\Windows\SysWOW64\Hbnqln32.exe Gdgcnj32.exe File created C:\Windows\SysWOW64\Aaijbd32.dll Opfdim32.exe File opened for modification C:\Windows\SysWOW64\Aaeiqf32.exe Aenileon.exe File created C:\Windows\SysWOW64\Jaaoakmc.exe Jblbpnhk.exe File created C:\Windows\SysWOW64\Jdhlih32.exe Iecohl32.exe File created C:\Windows\SysWOW64\Joeido32.dll Mcmkoi32.exe File created C:\Windows\SysWOW64\Bimdkidd.dll Afeold32.exe File created C:\Windows\SysWOW64\Hjoqmd32.dll Eolljk32.exe File created C:\Windows\SysWOW64\Ooneiddj.dll Ifceemdj.exe File created C:\Windows\SysWOW64\Jpalpp32.dll Nhffikob.exe File created C:\Windows\SysWOW64\Pgihlk32.dll Jffakm32.exe File opened for modification C:\Windows\SysWOW64\Lnobfn32.exe Lahaqm32.exe File opened for modification C:\Windows\SysWOW64\Hjbhgolp.exe Hiblmldn.exe File created C:\Windows\SysWOW64\Ieligmho.exe Hjbhgolp.exe File created C:\Windows\SysWOW64\Jbpfpd32.exe Jfiekc32.exe File created C:\Windows\SysWOW64\Jgmofbpk.exe Jbpfpd32.exe File created C:\Windows\SysWOW64\Nhffikob.exe Nbinad32.exe File created C:\Windows\SysWOW64\Gcljdpke.exe Ggeiooea.exe File created C:\Windows\SysWOW64\Hoegoqng.exe Hqpjndio.exe File opened for modification C:\Windows\SysWOW64\Ifloeo32.exe Imdjlida.exe File opened for modification C:\Windows\SysWOW64\Jfiekc32.exe Jdhlih32.exe File created C:\Windows\SysWOW64\Lhkjdkib.dll Mdeaim32.exe File created C:\Windows\SysWOW64\Peaibajp.exe Pdamhocm.exe File created C:\Windows\SysWOW64\Pficnc32.dll Ehdpcahk.exe File created C:\Windows\SysWOW64\Ehiiop32.exe Eoqeekme.exe File created C:\Windows\SysWOW64\Hleggpll.dll Ifloeo32.exe File opened for modification C:\Windows\SysWOW64\Kkajkoml.exe Kfcadq32.exe File created C:\Windows\SysWOW64\Jblbpnhk.exe Jffakm32.exe File created C:\Windows\SysWOW64\Jjjdjp32.exe Jaaoakmc.exe File opened for modification C:\Windows\SysWOW64\Mbmgkp32.exe Mhdcbjal.exe File created C:\Windows\SysWOW64\Pkoqijad.dll Ldlghhde.exe File created C:\Windows\SysWOW64\Mliibj32.exe Lpbhmiji.exe File opened for modification C:\Windows\SysWOW64\Njmejaqb.exe Nglmifca.exe File created C:\Windows\SysWOW64\Miijkkno.dll Fdlqjf32.exe File created C:\Windows\SysWOW64\Jkbkei32.dll Nbddfe32.exe File opened for modification C:\Windows\SysWOW64\Opfdim32.exe Ohkpdj32.exe File opened for modification C:\Windows\SysWOW64\Ckdpinhf.exe Conpdm32.exe File created C:\Windows\SysWOW64\Lnobfn32.exe Lahaqm32.exe File created C:\Windows\SysWOW64\Moboogoa.dll Jgmofbpk.exe File created C:\Windows\SysWOW64\Cienge32.dll Qpmgho32.exe File created C:\Windows\SysWOW64\Dcihdo32.exe Dedkbb32.exe File opened for modification C:\Windows\SysWOW64\Ddnaonia.exe Djcpqidc.exe File opened for modification C:\Windows\SysWOW64\Mhdcbjal.exe Mchjjc32.exe File created C:\Windows\SysWOW64\Koehka32.dll Hqpjndio.exe File created C:\Windows\SysWOW64\Khkdmh32.exe Kblooa32.exe File created C:\Windows\SysWOW64\Dbkgliff.dll Lpbhmiji.exe File created C:\Windows\SysWOW64\Fnffkn32.dll Khhndi32.exe File created C:\Windows\SysWOW64\Joeioaao.dll Njipabhe.exe File created C:\Windows\SysWOW64\Aqkaef32.dll Ohhcokmp.exe File created C:\Windows\SysWOW64\Aidpiiop.dll Cneiki32.exe File created C:\Windows\SysWOW64\Gdbchd32.exe Ghkbccdn.exe File created C:\Windows\SysWOW64\Ncejcg32.exe Njmejaqb.exe File created C:\Windows\SysWOW64\Ngcbie32.exe Ncejcg32.exe File opened for modification C:\Windows\SysWOW64\Jeblgodb.exe Jgmofbpk.exe File opened for modification C:\Windows\SysWOW64\Ofbikf32.exe Opfdim32.exe File opened for modification C:\Windows\SysWOW64\Biakbc32.exe Bmjjmbgc.exe File created C:\Windows\SysWOW64\Eneehhmp.dll Djcpqidc.exe File created C:\Windows\SysWOW64\Ebjldp32.dll Kfcadq32.exe File created C:\Windows\SysWOW64\Eamdlf32.exe Ehdpcahk.exe File created C:\Windows\SysWOW64\Mlnhkclm.dll Ghkbccdn.exe File created C:\Windows\SysWOW64\Gojnhfhh.dll Imkqmh32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 2644 2588 WerFault.exe 160 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iecohl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgphke32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkkpjg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnneabff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aellfe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcbjon32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdbchd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncejcg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngcbie32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eecgafkj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggeiooea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pllhib32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdhlih32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohhcokmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehdpcahk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khhndi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odfjdk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imdjlida.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbpfpd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehiiop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Feccqime.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flbehbqm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcendc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgdafeln.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Peaibajp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qgdbpi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ciknhb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjahfkfg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jafilj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfijfdca.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkgqpjch.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddnaonia.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpihnbmk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kheaoj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdamhocm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfnjqifb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbmcjc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfiekc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofbikf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aaeiqf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Conpdm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lahaqm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khjkiikl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qpmgho32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khkdmh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpbhmiji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbddfe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkgbioee.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgbdpena.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jaaoakmc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjjdjp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boqgep32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjbhgolp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qakmghbm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddqeodjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Biakbc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jffakm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohnemidj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7baaf983b2b55bb8da0279a2fe21ccff4edd7f6baadf4310a2aa482c542c4d49N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hiblmldn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ieqbbl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afeold32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehpgha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hqpjndio.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Khjkiikl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ehdpcahk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jffakm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Njmejaqb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Olgehh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kheaoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fphoal32.dll" Mkkpjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Joeido32.dll" Mcmkoi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gklkdn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jaaoakmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciomamim.dll" Lddagi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hleggpll.dll" Ifloeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Khkdmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lnobfn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mbmgkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djbqegdp.dll" Henjnica.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lgbdpena.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbaefjef.dll" Conpdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Imkqmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaikpd32.dll" Pppnia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ohhcokmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fifjgemj.dll" Olgehh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Midfibhi.dll" Jfiekc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mqhhbn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nhffikob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pdamhocm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aagfffbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oikgjlgb.dll" Dmffhd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Flbehbqm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kfcadq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lpbhmiji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qegdad32.dll" Ncejcg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID 7baaf983b2b55bb8da0279a2fe21ccff4edd7f6baadf4310a2aa482c542c4d49N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Anfggicl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhojoaaa.dll" Ieqbbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnffkn32.dll" Khhndi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lgdafeln.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mkkpjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqkaef32.dll" Ohhcokmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibnoen32.dll" Bkgqpjch.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Keodflee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmifofko.dll" Keodflee.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lkccob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkoqijad.dll" Ldlghhde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Joeioaao.dll" Njipabhe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dcihdo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Djcpqidc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eamdlf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agldbd32.dll" Gdbchd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Koiohb32.dll" Imdjlida.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Khkdmh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Boqgep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mkkpjg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckdpinhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ckdpinhf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dfnjqifb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifpbfc32.dll" Gkgbioee.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bcopkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lgphke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iioimj32.dll" Peaibajp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfkfdg32.dll" Qakmghbm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbfein32.dll" Mnneabff.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Niaihojk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eoqeekme.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2340 wrote to memory of 2608 2340 7baaf983b2b55bb8da0279a2fe21ccff4edd7f6baadf4310a2aa482c542c4d49N.exe 29 PID 2340 wrote to memory of 2608 2340 7baaf983b2b55bb8da0279a2fe21ccff4edd7f6baadf4310a2aa482c542c4d49N.exe 29 PID 2340 wrote to memory of 2608 2340 7baaf983b2b55bb8da0279a2fe21ccff4edd7f6baadf4310a2aa482c542c4d49N.exe 29 PID 2340 wrote to memory of 2608 2340 7baaf983b2b55bb8da0279a2fe21ccff4edd7f6baadf4310a2aa482c542c4d49N.exe 29 PID 2608 wrote to memory of 2476 2608 Oafhmf32.exe 30 PID 2608 wrote to memory of 2476 2608 Oafhmf32.exe 30 PID 2608 wrote to memory of 2476 2608 Oafhmf32.exe 30 PID 2608 wrote to memory of 2476 2608 Oafhmf32.exe 30 PID 2476 wrote to memory of 2852 2476 Pppnia32.exe 31 PID 2476 wrote to memory of 2852 2476 Pppnia32.exe 31 PID 2476 wrote to memory of 2852 2476 Pppnia32.exe 31 PID 2476 wrote to memory of 2852 2476 Pppnia32.exe 31 PID 2852 wrote to memory of 2412 2852 Pllhib32.exe 32 PID 2852 wrote to memory of 2412 2852 Pllhib32.exe 32 PID 2852 wrote to memory of 2412 2852 Pllhib32.exe 32 PID 2852 wrote to memory of 2412 2852 Pllhib32.exe 32 PID 2412 wrote to memory of 2964 2412 Qakmghbm.exe 33 PID 2412 wrote to memory of 2964 2412 Qakmghbm.exe 33 PID 2412 wrote to memory of 2964 2412 Qakmghbm.exe 33 PID 2412 wrote to memory of 2964 2412 Qakmghbm.exe 33 PID 2964 wrote to memory of 2584 2964 Anfggicl.exe 34 PID 2964 wrote to memory of 2584 2964 Anfggicl.exe 34 PID 2964 wrote to memory of 2584 2964 Anfggicl.exe 34 PID 2964 wrote to memory of 2584 2964 Anfggicl.exe 34 PID 2584 wrote to memory of 2812 2584 Boqgep32.exe 35 PID 2584 wrote to memory of 2812 2584 Boqgep32.exe 35 PID 2584 wrote to memory of 2812 2584 Boqgep32.exe 35 PID 2584 wrote to memory of 2812 2584 Boqgep32.exe 35 PID 2812 wrote to memory of 2364 2812 Bcopkn32.exe 36 PID 2812 wrote to memory of 2364 2812 Bcopkn32.exe 36 PID 2812 wrote to memory of 2364 2812 Bcopkn32.exe 36 PID 2812 wrote to memory of 2364 2812 Bcopkn32.exe 36 PID 2364 wrote to memory of 2164 2364 Cmdcngbd.exe 37 PID 2364 wrote to memory of 2164 2364 Cmdcngbd.exe 37 PID 2364 wrote to memory of 2164 2364 Cmdcngbd.exe 37 PID 2364 wrote to memory of 2164 2364 Cmdcngbd.exe 37 PID 2164 wrote to memory of 1788 2164 Dlnjjc32.exe 38 PID 2164 wrote to memory of 1788 2164 Dlnjjc32.exe 38 PID 2164 wrote to memory of 1788 2164 Dlnjjc32.exe 38 PID 2164 wrote to memory of 1788 2164 Dlnjjc32.exe 38 PID 1788 wrote to memory of 1040 1788 Ddqeodjj.exe 39 PID 1788 wrote to memory of 1040 1788 Ddqeodjj.exe 39 PID 1788 wrote to memory of 1040 1788 Ddqeodjj.exe 39 PID 1788 wrote to memory of 1040 1788 Ddqeodjj.exe 39 PID 1040 wrote to memory of 1692 1040 Eidchjbi.exe 40 PID 1040 wrote to memory of 1692 1040 Eidchjbi.exe 40 PID 1040 wrote to memory of 1692 1040 Eidchjbi.exe 40 PID 1040 wrote to memory of 1692 1040 Eidchjbi.exe 40 PID 1692 wrote to memory of 2296 1692 Fnkblm32.exe 41 PID 1692 wrote to memory of 2296 1692 Fnkblm32.exe 41 PID 1692 wrote to memory of 2296 1692 Fnkblm32.exe 41 PID 1692 wrote to memory of 2296 1692 Fnkblm32.exe 41 PID 2296 wrote to memory of 2484 2296 Fdlqjf32.exe 42 PID 2296 wrote to memory of 2484 2296 Fdlqjf32.exe 42 PID 2296 wrote to memory of 2484 2296 Fdlqjf32.exe 42 PID 2296 wrote to memory of 2484 2296 Fdlqjf32.exe 42 PID 2484 wrote to memory of 600 2484 Gdgcnj32.exe 43 PID 2484 wrote to memory of 600 2484 Gdgcnj32.exe 43 PID 2484 wrote to memory of 600 2484 Gdgcnj32.exe 43 PID 2484 wrote to memory of 600 2484 Gdgcnj32.exe 43 PID 600 wrote to memory of 700 600 Hbnqln32.exe 44 PID 600 wrote to memory of 700 600 Hbnqln32.exe 44 PID 600 wrote to memory of 700 600 Hbnqln32.exe 44 PID 600 wrote to memory of 700 600 Hbnqln32.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\7baaf983b2b55bb8da0279a2fe21ccff4edd7f6baadf4310a2aa482c542c4d49N.exe"C:\Users\Admin\AppData\Local\Temp\7baaf983b2b55bb8da0279a2fe21ccff4edd7f6baadf4310a2aa482c542c4d49N.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2340 -
C:\Windows\SysWOW64\Oafhmf32.exeC:\Windows\system32\Oafhmf32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2608 -
C:\Windows\SysWOW64\Pppnia32.exeC:\Windows\system32\Pppnia32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2476 -
C:\Windows\SysWOW64\Pllhib32.exeC:\Windows\system32\Pllhib32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2852 -
C:\Windows\SysWOW64\Qakmghbm.exeC:\Windows\system32\Qakmghbm.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2412 -
C:\Windows\SysWOW64\Anfggicl.exeC:\Windows\system32\Anfggicl.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2964 -
C:\Windows\SysWOW64\Boqgep32.exeC:\Windows\system32\Boqgep32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2584 -
C:\Windows\SysWOW64\Bcopkn32.exeC:\Windows\system32\Bcopkn32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2812 -
C:\Windows\SysWOW64\Cmdcngbd.exeC:\Windows\system32\Cmdcngbd.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2364 -
C:\Windows\SysWOW64\Dlnjjc32.exeC:\Windows\system32\Dlnjjc32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2164 -
C:\Windows\SysWOW64\Ddqeodjj.exeC:\Windows\system32\Ddqeodjj.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1788 -
C:\Windows\SysWOW64\Eidchjbi.exeC:\Windows\system32\Eidchjbi.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1040 -
C:\Windows\SysWOW64\Fnkblm32.exeC:\Windows\system32\Fnkblm32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1692 -
C:\Windows\SysWOW64\Fdlqjf32.exeC:\Windows\system32\Fdlqjf32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2296 -
C:\Windows\SysWOW64\Gdgcnj32.exeC:\Windows\system32\Gdgcnj32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2484 -
C:\Windows\SysWOW64\Hbnqln32.exeC:\Windows\system32\Hbnqln32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:600 -
C:\Windows\SysWOW64\Henjnica.exeC:\Windows\system32\Henjnica.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:700 -
C:\Windows\SysWOW64\Haejcj32.exeC:\Windows\system32\Haejcj32.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2052 -
C:\Windows\SysWOW64\Hiblmldn.exeC:\Windows\system32\Hiblmldn.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:916 -
C:\Windows\SysWOW64\Hjbhgolp.exeC:\Windows\system32\Hjbhgolp.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:936 -
C:\Windows\SysWOW64\Ieligmho.exeC:\Windows\system32\Ieligmho.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1176 -
C:\Windows\SysWOW64\Ienfml32.exeC:\Windows\system32\Ienfml32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1220 -
C:\Windows\SysWOW64\Ieqbbl32.exeC:\Windows\system32\Ieqbbl32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2180 -
C:\Windows\SysWOW64\Iecohl32.exeC:\Windows\system32\Iecohl32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1520 -
C:\Windows\SysWOW64\Jdhlih32.exeC:\Windows\system32\Jdhlih32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2600 -
C:\Windows\SysWOW64\Jfiekc32.exeC:\Windows\system32\Jfiekc32.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3032 -
C:\Windows\SysWOW64\Jbpfpd32.exeC:\Windows\system32\Jbpfpd32.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2944 -
C:\Windows\SysWOW64\Jgmofbpk.exeC:\Windows\system32\Jgmofbpk.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2968 -
C:\Windows\SysWOW64\Jeblgodb.exeC:\Windows\system32\Jeblgodb.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:332 -
C:\Windows\SysWOW64\Kiqdmm32.exeC:\Windows\system32\Kiqdmm32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3052 -
C:\Windows\SysWOW64\Kheaoj32.exeC:\Windows\system32\Kheaoj32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:676 -
C:\Windows\SysWOW64\Khhndi32.exeC:\Windows\system32\Khhndi32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2332 -
C:\Windows\SysWOW64\Khjkiikl.exeC:\Windows\system32\Khjkiikl.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2232 -
C:\Windows\SysWOW64\Lgphke32.exeC:\Windows\system32\Lgphke32.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2216 -
C:\Windows\SysWOW64\Lgbdpena.exeC:\Windows\system32\Lgbdpena.exe35⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2140 -
C:\Windows\SysWOW64\Lgdafeln.exeC:\Windows\system32\Lgdafeln.exe36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2548 -
C:\Windows\SysWOW64\Mkkpjg32.exeC:\Windows\system32\Mkkpjg32.exe37⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2044 -
C:\Windows\SysWOW64\Mqhhbn32.exeC:\Windows\system32\Mqhhbn32.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:956 -
C:\Windows\SysWOW64\Mdeaim32.exeC:\Windows\system32\Mdeaim32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2136 -
C:\Windows\SysWOW64\Mnneabff.exeC:\Windows\system32\Mnneabff.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2700 -
C:\Windows\SysWOW64\Mfijfdca.exeC:\Windows\system32\Mfijfdca.exe41⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1008 -
C:\Windows\SysWOW64\Mcmkoi32.exeC:\Windows\system32\Mcmkoi32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2248 -
C:\Windows\SysWOW64\Njipabhe.exeC:\Windows\system32\Njipabhe.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:952 -
C:\Windows\SysWOW64\Nbddfe32.exeC:\Windows\system32\Nbddfe32.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2620 -
C:\Windows\SysWOW64\Niaihojk.exeC:\Windows\system32\Niaihojk.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1172 -
C:\Windows\SysWOW64\Nbinad32.exeC:\Windows\system32\Nbinad32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2072 -
C:\Windows\SysWOW64\Nhffikob.exeC:\Windows\system32\Nhffikob.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1820 -
C:\Windows\SysWOW64\Ohhcokmp.exeC:\Windows\system32\Ohhcokmp.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1704 -
C:\Windows\SysWOW64\Ohkpdj32.exeC:\Windows\system32\Ohkpdj32.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:832 -
C:\Windows\SysWOW64\Opfdim32.exeC:\Windows\system32\Opfdim32.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:888 -
C:\Windows\SysWOW64\Ofbikf32.exeC:\Windows\system32\Ofbikf32.exe51⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3020 -
C:\Windows\SysWOW64\Odfjdk32.exeC:\Windows\system32\Odfjdk32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2908 -
C:\Windows\SysWOW64\Pdamhocm.exeC:\Windows\system32\Pdamhocm.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1384 -
C:\Windows\SysWOW64\Peaibajp.exeC:\Windows\system32\Peaibajp.exe54⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2868 -
C:\Windows\SysWOW64\Qgdbpi32.exeC:\Windows\system32\Qgdbpi32.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2168 -
C:\Windows\SysWOW64\Qpmgho32.exeC:\Windows\system32\Qpmgho32.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3000 -
C:\Windows\SysWOW64\Aellfe32.exeC:\Windows\system32\Aellfe32.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2648 -
C:\Windows\SysWOW64\Aenileon.exeC:\Windows\system32\Aenileon.exe58⤵
- Drops file in System32 directory
PID:2840 -
C:\Windows\SysWOW64\Aaeiqf32.exeC:\Windows\system32\Aaeiqf32.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3040 -
C:\Windows\SysWOW64\Aagfffbo.exeC:\Windows\system32\Aagfffbo.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:2040 -
C:\Windows\SysWOW64\Afeold32.exeC:\Windows\system32\Afeold32.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3048 -
C:\Windows\SysWOW64\Bblpae32.exeC:\Windows\system32\Bblpae32.exe62⤵
- Executes dropped EXE
PID:984 -
C:\Windows\SysWOW64\Bkgqpjch.exeC:\Windows\system32\Bkgqpjch.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2372 -
C:\Windows\SysWOW64\Bdoeipjh.exeC:\Windows\system32\Bdoeipjh.exe64⤵
- Executes dropped EXE
PID:284 -
C:\Windows\SysWOW64\Bmjjmbgc.exeC:\Windows\system32\Bmjjmbgc.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1968 -
C:\Windows\SysWOW64\Biakbc32.exeC:\Windows\system32\Biakbc32.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2152 -
C:\Windows\SysWOW64\Conpdm32.exeC:\Windows\system32\Conpdm32.exe67⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1240 -
C:\Windows\SysWOW64\Ckdpinhf.exeC:\Windows\system32\Ckdpinhf.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:108 -
C:\Windows\SysWOW64\Cneiki32.exeC:\Windows\system32\Cneiki32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:612 -
C:\Windows\SysWOW64\Ciknhb32.exeC:\Windows\system32\Ciknhb32.exe70⤵
- System Location Discovery: System Language Discovery
PID:1748 -
C:\Windows\SysWOW64\Clkfjman.exeC:\Windows\system32\Clkfjman.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:972 -
C:\Windows\SysWOW64\Dedkbb32.exeC:\Windows\system32\Dedkbb32.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1720 -
C:\Windows\SysWOW64\Dcihdo32.exeC:\Windows\system32\Dcihdo32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2156 -
C:\Windows\SysWOW64\Djcpqidc.exeC:\Windows\system32\Djcpqidc.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2748 -
C:\Windows\SysWOW64\Ddnaonia.exeC:\Windows\system32\Ddnaonia.exe75⤵
- System Location Discovery: System Language Discovery
PID:2932 -
C:\Windows\SysWOW64\Dmffhd32.exeC:\Windows\system32\Dmffhd32.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2772 -
C:\Windows\SysWOW64\Dfnjqifb.exeC:\Windows\system32\Dfnjqifb.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2900 -
C:\Windows\SysWOW64\Ehpgha32.exeC:\Windows\system32\Ehpgha32.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:580 -
C:\Windows\SysWOW64\Eecgafkj.exeC:\Windows\system32\Eecgafkj.exe79⤵
- System Location Discovery: System Language Discovery
PID:2764 -
C:\Windows\SysWOW64\Eolljk32.exeC:\Windows\system32\Eolljk32.exe80⤵
- Drops file in System32 directory
PID:2396 -
C:\Windows\SysWOW64\Ehdpcahk.exeC:\Windows\system32\Ehdpcahk.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:564 -
C:\Windows\SysWOW64\Eamdlf32.exeC:\Windows\system32\Eamdlf32.exe82⤵
- Modifies registry class
PID:2628 -
C:\Windows\SysWOW64\Eoqeekme.exeC:\Windows\system32\Eoqeekme.exe83⤵
- Drops file in System32 directory
- Modifies registry class
PID:2400 -
C:\Windows\SysWOW64\Ehiiop32.exeC:\Windows\system32\Ehiiop32.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2264 -
C:\Windows\SysWOW64\Fcbjon32.exeC:\Windows\system32\Fcbjon32.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2176 -
C:\Windows\SysWOW64\Flkohc32.exeC:\Windows\system32\Flkohc32.exe86⤵PID:1600
-
C:\Windows\SysWOW64\Feccqime.exeC:\Windows\system32\Feccqime.exe87⤵
- System Location Discovery: System Language Discovery
PID:596 -
C:\Windows\SysWOW64\Fpihnbmk.exeC:\Windows\system32\Fpihnbmk.exe88⤵
- System Location Discovery: System Language Discovery
PID:304 -
C:\Windows\SysWOW64\Fondonbc.exeC:\Windows\system32\Fondonbc.exe89⤵PID:2292
-
C:\Windows\SysWOW64\Flbehbqm.exeC:\Windows\system32\Flbehbqm.exe90⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2572 -
C:\Windows\SysWOW64\Gkgbioee.exeC:\Windows\system32\Gkgbioee.exe91⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2984 -
C:\Windows\SysWOW64\Ghkbccdn.exeC:\Windows\system32\Ghkbccdn.exe92⤵
- Drops file in System32 directory
PID:2916 -
C:\Windows\SysWOW64\Gdbchd32.exeC:\Windows\system32\Gdbchd32.exe93⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2008 -
C:\Windows\SysWOW64\Gklkdn32.exeC:\Windows\system32\Gklkdn32.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1020 -
C:\Windows\SysWOW64\Gjahfkfg.exeC:\Windows\system32\Gjahfkfg.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2284 -
C:\Windows\SysWOW64\Ggeiooea.exeC:\Windows\system32\Ggeiooea.exe96⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1740 -
C:\Windows\SysWOW64\Gcljdpke.exeC:\Windows\system32\Gcljdpke.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2640 -
C:\Windows\SysWOW64\Hqpjndio.exeC:\Windows\system32\Hqpjndio.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2816 -
C:\Windows\SysWOW64\Hoegoqng.exeC:\Windows\system32\Hoegoqng.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:908 -
C:\Windows\SysWOW64\Imdjlida.exeC:\Windows\system32\Imdjlida.exe100⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2068 -
C:\Windows\SysWOW64\Ifloeo32.exeC:\Windows\system32\Ifloeo32.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:768 -
C:\Windows\SysWOW64\Iglkoaad.exeC:\Windows\system32\Iglkoaad.exe102⤵PID:2148
-
C:\Windows\SysWOW64\Imkqmh32.exeC:\Windows\system32\Imkqmh32.exe103⤵
- Drops file in System32 directory
- Modifies registry class
PID:644 -
C:\Windows\SysWOW64\Ifceemdj.exeC:\Windows\system32\Ifceemdj.exe104⤵
- Drops file in System32 directory
PID:856 -
C:\Windows\SysWOW64\Jffakm32.exeC:\Windows\system32\Jffakm32.exe105⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1328 -
C:\Windows\SysWOW64\Jblbpnhk.exeC:\Windows\system32\Jblbpnhk.exe106⤵
- Drops file in System32 directory
PID:2836 -
C:\Windows\SysWOW64\Jaaoakmc.exeC:\Windows\system32\Jaaoakmc.exe107⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1620 -
C:\Windows\SysWOW64\Jjjdjp32.exeC:\Windows\system32\Jjjdjp32.exe108⤵
- System Location Discovery: System Language Discovery
PID:880 -
C:\Windows\SysWOW64\Jafilj32.exeC:\Windows\system32\Jafilj32.exe109⤵
- System Location Discovery: System Language Discovery
PID:2724 -
C:\Windows\SysWOW64\Kfcadq32.exeC:\Windows\system32\Kfcadq32.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:3036 -
C:\Windows\SysWOW64\Kkajkoml.exeC:\Windows\system32\Kkajkoml.exe111⤵PID:2556
-
C:\Windows\SysWOW64\Kblooa32.exeC:\Windows\system32\Kblooa32.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2768 -
C:\Windows\SysWOW64\Khkdmh32.exeC:\Windows\system32\Khkdmh32.exe113⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2604 -
C:\Windows\SysWOW64\Keodflee.exeC:\Windows\system32\Keodflee.exe114⤵
- Modifies registry class
PID:2464 -
C:\Windows\SysWOW64\Lddagi32.exeC:\Windows\system32\Lddagi32.exe115⤵
- Modifies registry class
PID:1784 -
C:\Windows\SysWOW64\Lahaqm32.exeC:\Windows\system32\Lahaqm32.exe116⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2088 -
C:\Windows\SysWOW64\Lnobfn32.exeC:\Windows\system32\Lnobfn32.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1724 -
C:\Windows\SysWOW64\Lkccob32.exeC:\Windows\system32\Lkccob32.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1060 -
C:\Windows\SysWOW64\Ldlghhde.exeC:\Windows\system32\Ldlghhde.exe119⤵
- Drops file in System32 directory
- Modifies registry class
PID:928 -
C:\Windows\SysWOW64\Lpbhmiji.exeC:\Windows\system32\Lpbhmiji.exe120⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2888 -
C:\Windows\SysWOW64\Mliibj32.exeC:\Windows\system32\Mliibj32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1612 -
C:\Windows\SysWOW64\Mcendc32.exeC:\Windows\system32\Mcendc32.exe122⤵
- System Location Discovery: System Language Discovery
PID:2356
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-