Analysis
-
max time kernel
68s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
07/11/2024, 07:51
Static task
static1
Behavioral task
behavioral1
Sample
a10f9e4ea19f3e7c915cea7105eaaf968badb87be3800d42a1a923519285b754N.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
a10f9e4ea19f3e7c915cea7105eaaf968badb87be3800d42a1a923519285b754N.exe
Resource
win10v2004-20241007-en
General
-
Target
a10f9e4ea19f3e7c915cea7105eaaf968badb87be3800d42a1a923519285b754N.exe
-
Size
890KB
-
MD5
1653af0c7444d49b8e33b573647fe860
-
SHA1
900b8be0172dae8b1b57db1c4bf3ce8a57fe3d69
-
SHA256
a10f9e4ea19f3e7c915cea7105eaaf968badb87be3800d42a1a923519285b754
-
SHA512
689b3efeaa85e865bc828896866e364c14a2b55466bfdc3cd99e82409fd12b4a7af68bb716d1d34d87da1ea015ce5ad76924d810a381cf8335032cdcbae6e231
-
SSDEEP
12288:ezDxZ1b6/Ng1/Nmr/Ng1/Nblt01PBNkEG:ezD1brlkcEG
Malware Config
Extracted
berbew
http://crutop.nu/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://master-x.com/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://crutop.ru/index.php
http://kaspersky.ru/index.php
http://color-bank.ru/index.php
http://adult-empire.com/index.php
http://virus-list.com/index.php
http://trojan.ru/index.php
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://fethard.biz/index.htm
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://kaspersky.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akmgoehg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejeknelp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fhgkqmph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kemjieol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pnhegi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gdpfbd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Linoeccp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ginefe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kdmdlc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdcinjpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmholgpj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njlopkmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bbjoki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mgebfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Glkinb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhopcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Endmgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dopfpkng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gfqmkk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojnhdn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abjcleqm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aikine32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhffikob.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eiplecnc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlfaag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jknlfg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejcaanfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pdlmnm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acdcdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hbpmbndm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ndfppije.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ddbbod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Linfpi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmbadfdl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Babdhlmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhcoei32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehbdif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhmonoli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbpbek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Abnbccia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Giakoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjglcmbi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Licpki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jennjblp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dheljhof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjbbmmih.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amlhmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ffeoid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Biakbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iipgeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" a10f9e4ea19f3e7c915cea7105eaaf968badb87be3800d42a1a923519285b754N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Knmjmodm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbglgcbc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hhhmki32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iqnlpq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mgbeqjpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kblooa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bgcdcjpf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfdqpdja.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fagcnmie.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gqidme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dgehfodh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lnmglbgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lihifhoq.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2820 Cghkepdm.exe 2956 Cmdcngbd.exe 2316 Dbmlal32.exe 828 Dlepjbmo.exe 2848 Dgoakpjn.exe 2708 Fleihi32.exe 2248 Gielchpp.exe 2356 Hbpmbndm.exe 2128 Ilhnjfmi.exe 2816 Iniglajj.exe 2664 Kbflqccl.exe 1140 Kdooij32.exe 2184 Lngpac32.exe 2120 Mhopcl32.exe 572 Neemgp32.exe 1284 Nhffikob.exe 2432 Ppogok32.exe 1508 Pbppqf32.exe 1752 Pmlngdhk.exe 1776 Phabdmgq.exe 956 Qkbkfh32.exe 1552 Acplpjpj.exe 2100 Acdfki32.exe 872 Abjcleqm.exe 3008 Bkddjkej.exe 2960 Bgkeol32.exe 1600 Biakbc32.exe 2744 Bbjoki32.exe 3024 Cgkanomj.exe 2608 Ceoagcld.exe 1660 Cngfqi32.exe 2220 Dajlhc32.exe 1620 Dmcibdad.exe 2604 Eehqme32.exe 2468 Epdncb32.exe 2636 Fmholgpj.exe 3064 Fpihnbmk.exe 2276 Fhdlbd32.exe 2644 Fehmlh32.exe 916 Fkeedo32.exe 1328 Fejjah32.exe 400 Gdpfbd32.exe 1548 Goekpm32.exe 1796 Ghmohcbl.exe 1992 Gqidme32.exe 2060 Gknhjn32.exe 1516 Gnoaliln.exe 2056 Hqpjndio.exe 2832 Hikobfgj.exe 2136 Hdapggln.exe 2844 Hogddpld.exe 2792 Hedllgjk.exe 2460 Hojqjp32.exe 1264 Hefibg32.exe 2240 Iamjghnm.exe 1012 Imdjlida.exe 3036 Igioiacg.exe 2392 Iabcbg32.exe 2180 Iefeaj32.exe 900 Jbjejojn.exe 2152 Jnafop32.exe 2700 Jaaoakmc.exe 756 Jjjdjp32.exe 2652 Jdbhcfjd.exe -
Loads dropped DLL 64 IoCs
pid Process 1820 a10f9e4ea19f3e7c915cea7105eaaf968badb87be3800d42a1a923519285b754N.exe 1820 a10f9e4ea19f3e7c915cea7105eaaf968badb87be3800d42a1a923519285b754N.exe 2820 Cghkepdm.exe 2820 Cghkepdm.exe 2956 Cmdcngbd.exe 2956 Cmdcngbd.exe 2316 Dbmlal32.exe 2316 Dbmlal32.exe 828 Dlepjbmo.exe 828 Dlepjbmo.exe 2848 Dgoakpjn.exe 2848 Dgoakpjn.exe 2708 Fleihi32.exe 2708 Fleihi32.exe 2248 Gielchpp.exe 2248 Gielchpp.exe 2356 Hbpmbndm.exe 2356 Hbpmbndm.exe 2128 Ilhnjfmi.exe 2128 Ilhnjfmi.exe 2816 Iniglajj.exe 2816 Iniglajj.exe 2664 Kbflqccl.exe 2664 Kbflqccl.exe 1140 Kdooij32.exe 1140 Kdooij32.exe 2184 Lngpac32.exe 2184 Lngpac32.exe 2120 Mhopcl32.exe 2120 Mhopcl32.exe 572 Neemgp32.exe 572 Neemgp32.exe 1284 Nhffikob.exe 1284 Nhffikob.exe 2432 Ppogok32.exe 2432 Ppogok32.exe 1508 Pbppqf32.exe 1508 Pbppqf32.exe 1752 Pmlngdhk.exe 1752 Pmlngdhk.exe 1776 Phabdmgq.exe 1776 Phabdmgq.exe 956 Qkbkfh32.exe 956 Qkbkfh32.exe 1552 Acplpjpj.exe 1552 Acplpjpj.exe 2100 Acdfki32.exe 2100 Acdfki32.exe 872 Abjcleqm.exe 872 Abjcleqm.exe 3008 Bkddjkej.exe 3008 Bkddjkej.exe 2960 Bgkeol32.exe 2960 Bgkeol32.exe 1600 Biakbc32.exe 1600 Biakbc32.exe 2744 Bbjoki32.exe 2744 Bbjoki32.exe 3024 Cgkanomj.exe 3024 Cgkanomj.exe 2608 Ceoagcld.exe 2608 Ceoagcld.exe 1660 Cngfqi32.exe 1660 Cngfqi32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Gaoihhbo.dll Ajkokgia.exe File created C:\Windows\SysWOW64\Ijhbkmbo.dll Hedllgjk.exe File created C:\Windows\SysWOW64\Kgnkpb32.dll Lpmhgc32.exe File opened for modification C:\Windows\SysWOW64\Gpdfph32.exe Gfkagc32.exe File created C:\Windows\SysWOW64\Minnmomo.exe Mbdepe32.exe File opened for modification C:\Windows\SysWOW64\Mphfji32.exe Minnmomo.exe File opened for modification C:\Windows\SysWOW64\Cioohh32.exe Bbegkn32.exe File created C:\Windows\SysWOW64\Fleihi32.exe Dgoakpjn.exe File created C:\Windows\SysWOW64\Jaaoakmc.exe Jnafop32.exe File created C:\Windows\SysWOW64\Nghhnhbf.dll Lhbjmg32.exe File created C:\Windows\SysWOW64\Gkfkoi32.exe Fangfcki.exe File opened for modification C:\Windows\SysWOW64\Okgpfjbo.exe Odmhjp32.exe File opened for modification C:\Windows\SysWOW64\Cbpbek32.exe Caligc32.exe File created C:\Windows\SysWOW64\Liacqlhg.dll Kdeehe32.exe File opened for modification C:\Windows\SysWOW64\Feppqc32.exe Fhlogo32.exe File created C:\Windows\SysWOW64\Ohhmhk32.dll Hjkneb32.exe File created C:\Windows\SysWOW64\Iipgeb32.exe Iccnmk32.exe File opened for modification C:\Windows\SysWOW64\Kjfhgp32.exe Kmbgnl32.exe File opened for modification C:\Windows\SysWOW64\Hedllgjk.exe Hogddpld.exe File opened for modification C:\Windows\SysWOW64\Omkidb32.exe Olhmnb32.exe File created C:\Windows\SysWOW64\Almhmg32.dll Noffadai.exe File opened for modification C:\Windows\SysWOW64\Dcffmb32.exe Dllnphkd.exe File opened for modification C:\Windows\SysWOW64\Eqjceidf.exe Ejpkho32.exe File created C:\Windows\SysWOW64\Bepajh32.dll Iogkaf32.exe File created C:\Windows\SysWOW64\Mljgmiaq.dll Iabcbg32.exe File created C:\Windows\SysWOW64\Oljagk32.dll Johlpoij.exe File opened for modification C:\Windows\SysWOW64\Elaego32.exe Edfqclni.exe File created C:\Windows\SysWOW64\Ngnlaehe.dll Fkmhij32.exe File created C:\Windows\SysWOW64\Beignlig.exe Bdhjfc32.exe File created C:\Windows\SysWOW64\Gbolncpj.dll Minnmomo.exe File created C:\Windows\SysWOW64\Nhffikob.exe Neemgp32.exe File created C:\Windows\SysWOW64\Iefbpdca.dll Hqemlbqi.exe File opened for modification C:\Windows\SysWOW64\Oqomkimg.exe Ngfhbd32.exe File created C:\Windows\SysWOW64\Mfglbp32.dll Jkjbml32.exe File opened for modification C:\Windows\SysWOW64\Aecdpmbm.exe Aoilcc32.exe File opened for modification C:\Windows\SysWOW64\Lfgbmf32.exe Llbnpm32.exe File opened for modification C:\Windows\SysWOW64\Lngpac32.exe Kdooij32.exe File opened for modification C:\Windows\SysWOW64\Fkeedo32.exe Fehmlh32.exe File created C:\Windows\SysWOW64\Bnkpjd32.exe Bfnnpbnn.exe File opened for modification C:\Windows\SysWOW64\Plbaafak.exe Ofehiocd.exe File created C:\Windows\SysWOW64\Ccbpjajc.dll Aihjpman.exe File created C:\Windows\SysWOW64\Jhjillah.dll Jaaoakmc.exe File created C:\Windows\SysWOW64\Ddbbod32.exe Cgnbepjp.exe File created C:\Windows\SysWOW64\Fcehpbdm.exe Fmkpchmp.exe File opened for modification C:\Windows\SysWOW64\Hjdfgojp.exe Gmklbk32.exe File opened for modification C:\Windows\SysWOW64\Gokmnlcf.exe Ginefe32.exe File created C:\Windows\SysWOW64\Licpki32.exe Lpkkbcle.exe File opened for modification C:\Windows\SysWOW64\Bcbhmehg.exe Baakem32.exe File created C:\Windows\SysWOW64\Pmoiknoh.dll Dhcoei32.exe File created C:\Windows\SysWOW64\Coqaknog.exe Cidhcg32.exe File created C:\Windows\SysWOW64\Gbdobc32.exe Giljinne.exe File created C:\Windows\SysWOW64\Obncbb32.dll Ikibkhla.exe File opened for modification C:\Windows\SysWOW64\Ebkibk32.exe Ejcaanfg.exe File created C:\Windows\SysWOW64\Mlnbmikh.exe Mgomoboc.exe File opened for modification C:\Windows\SysWOW64\Qomcdf32.exe Pojgnf32.exe File created C:\Windows\SysWOW64\Cmmnclpk.dll Alqplmlb.exe File created C:\Windows\SysWOW64\Gokmnlcf.exe Ginefe32.exe File created C:\Windows\SysWOW64\Ddhfnf32.dll Nnidchqp.exe File opened for modification C:\Windows\SysWOW64\Hahoodqi.exe Hjkneb32.exe File created C:\Windows\SysWOW64\Dldldj32.dll Llnhgn32.exe File created C:\Windows\SysWOW64\Belcck32.exe Blcokf32.exe File created C:\Windows\SysWOW64\Iniglajj.exe Ilhnjfmi.exe File opened for modification C:\Windows\SysWOW64\Neemgp32.exe Mhopcl32.exe File opened for modification C:\Windows\SysWOW64\Pojgnf32.exe Nqbdllld.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 1148 2380 WerFault.exe 519 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boiagp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edieng32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Biakbc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gngdadoj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejhhcdjm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nocgbl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hikobfgj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hqemlbqi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lihifhoq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhgkqmph.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaamobdf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhffikob.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pncllifp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hinlck32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgibijkb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfioaaah.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enijcn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olhmnb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cefpmiji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmbgnl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imdjlida.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdgoll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffeoid32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hddgkj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hedllgjk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmbiap32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abpohb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Beignlig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a10f9e4ea19f3e7c915cea7105eaaf968badb87be3800d42a1a923519285b754N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aecdpmbm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ecklgdag.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkiiom32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnjnolap.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdpkdf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgfpoimj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qcdgei32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dopfpkng.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eehqme32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpihnbmk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfekbg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbfalpab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfkphnmj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amlhmb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmnpkp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Coqaknog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gielchpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aoilcc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emjnikpc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agkfil32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Licpki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhgeao32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Biiljjnk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgjnpb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eeicenni.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohdkop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojhdmgkl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggfgoo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfqmkk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hblgkkfa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fejjah32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnoaliln.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lddjmb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfgeoo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccjpfmic.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gokmnlcf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gheola32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emaejfgn.dll" Kblhdkgk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mpjgag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpigjb32.dll" Ffeoid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Balkfa32.dll" Fagcnmie.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gbdobc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inonmdda.dll" Hikobfgj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fkpfjnnl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jknlfg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nagegjio.dll" Cefpmiji.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Coqaknog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ioopon32.dll" Kchfpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdhpbkob.dll" Hfiofefm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gqidme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mamjchoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkfbibki.dll" Algida32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Algida32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fpihnbmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dnbbjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kblhdkgk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fpdjaeei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mjkmfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eiheok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Moikinib.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fgjnpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjndif32.dll" Iankbldh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mphfji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akbdil32.dll" Dhhkiq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hoakai32.dll" Kmmiaknb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cbdkdffm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hnecjgch.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Licpki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nolbcaeh.dll" Nqdjge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pbqbioeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcmfal32.dll" Bpahad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jfkphnmj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Alqplmlb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Baecgdbj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qamleagn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Giakoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpbgqo32.dll" Mkldli32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qedjib32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckgapo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ogiqffhl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ecfednma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cebplg32.dll" Goekpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbmdcf32.dll" Blkoocfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lnmglbgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iblqfmni.dll" Mibgho32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lngpac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hdapggln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bgcdcjpf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eccdmmpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbojchdc.dll" Gokmnlcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohodnlfk.dll" Kdmdlc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bcbhmehg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jjjfbikh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lngpac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pqodho32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bmahbhei.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gaffja32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eiplecnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iioinckp.dll" Gpccgppq.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1820 wrote to memory of 2820 1820 a10f9e4ea19f3e7c915cea7105eaaf968badb87be3800d42a1a923519285b754N.exe 29 PID 1820 wrote to memory of 2820 1820 a10f9e4ea19f3e7c915cea7105eaaf968badb87be3800d42a1a923519285b754N.exe 29 PID 1820 wrote to memory of 2820 1820 a10f9e4ea19f3e7c915cea7105eaaf968badb87be3800d42a1a923519285b754N.exe 29 PID 1820 wrote to memory of 2820 1820 a10f9e4ea19f3e7c915cea7105eaaf968badb87be3800d42a1a923519285b754N.exe 29 PID 2820 wrote to memory of 2956 2820 Cghkepdm.exe 30 PID 2820 wrote to memory of 2956 2820 Cghkepdm.exe 30 PID 2820 wrote to memory of 2956 2820 Cghkepdm.exe 30 PID 2820 wrote to memory of 2956 2820 Cghkepdm.exe 30 PID 2956 wrote to memory of 2316 2956 Cmdcngbd.exe 31 PID 2956 wrote to memory of 2316 2956 Cmdcngbd.exe 31 PID 2956 wrote to memory of 2316 2956 Cmdcngbd.exe 31 PID 2956 wrote to memory of 2316 2956 Cmdcngbd.exe 31 PID 2316 wrote to memory of 828 2316 Dbmlal32.exe 32 PID 2316 wrote to memory of 828 2316 Dbmlal32.exe 32 PID 2316 wrote to memory of 828 2316 Dbmlal32.exe 32 PID 2316 wrote to memory of 828 2316 Dbmlal32.exe 32 PID 828 wrote to memory of 2848 828 Dlepjbmo.exe 33 PID 828 wrote to memory of 2848 828 Dlepjbmo.exe 33 PID 828 wrote to memory of 2848 828 Dlepjbmo.exe 33 PID 828 wrote to memory of 2848 828 Dlepjbmo.exe 33 PID 2848 wrote to memory of 2708 2848 Dgoakpjn.exe 34 PID 2848 wrote to memory of 2708 2848 Dgoakpjn.exe 34 PID 2848 wrote to memory of 2708 2848 Dgoakpjn.exe 34 PID 2848 wrote to memory of 2708 2848 Dgoakpjn.exe 34 PID 2708 wrote to memory of 2248 2708 Fleihi32.exe 35 PID 2708 wrote to memory of 2248 2708 Fleihi32.exe 35 PID 2708 wrote to memory of 2248 2708 Fleihi32.exe 35 PID 2708 wrote to memory of 2248 2708 Fleihi32.exe 35 PID 2248 wrote to memory of 2356 2248 Gielchpp.exe 36 PID 2248 wrote to memory of 2356 2248 Gielchpp.exe 36 PID 2248 wrote to memory of 2356 2248 Gielchpp.exe 36 PID 2248 wrote to memory of 2356 2248 Gielchpp.exe 36 PID 2356 wrote to memory of 2128 2356 Hbpmbndm.exe 37 PID 2356 wrote to memory of 2128 2356 Hbpmbndm.exe 37 PID 2356 wrote to memory of 2128 2356 Hbpmbndm.exe 37 PID 2356 wrote to memory of 2128 2356 Hbpmbndm.exe 37 PID 2128 wrote to memory of 2816 2128 Ilhnjfmi.exe 38 PID 2128 wrote to memory of 2816 2128 Ilhnjfmi.exe 38 PID 2128 wrote to memory of 2816 2128 Ilhnjfmi.exe 38 PID 2128 wrote to memory of 2816 2128 Ilhnjfmi.exe 38 PID 2816 wrote to memory of 2664 2816 Iniglajj.exe 39 PID 2816 wrote to memory of 2664 2816 Iniglajj.exe 39 PID 2816 wrote to memory of 2664 2816 Iniglajj.exe 39 PID 2816 wrote to memory of 2664 2816 Iniglajj.exe 39 PID 2664 wrote to memory of 1140 2664 Kbflqccl.exe 40 PID 2664 wrote to memory of 1140 2664 Kbflqccl.exe 40 PID 2664 wrote to memory of 1140 2664 Kbflqccl.exe 40 PID 2664 wrote to memory of 1140 2664 Kbflqccl.exe 40 PID 1140 wrote to memory of 2184 1140 Kdooij32.exe 41 PID 1140 wrote to memory of 2184 1140 Kdooij32.exe 41 PID 1140 wrote to memory of 2184 1140 Kdooij32.exe 41 PID 1140 wrote to memory of 2184 1140 Kdooij32.exe 41 PID 2184 wrote to memory of 2120 2184 Lngpac32.exe 42 PID 2184 wrote to memory of 2120 2184 Lngpac32.exe 42 PID 2184 wrote to memory of 2120 2184 Lngpac32.exe 42 PID 2184 wrote to memory of 2120 2184 Lngpac32.exe 42 PID 2120 wrote to memory of 572 2120 Mhopcl32.exe 43 PID 2120 wrote to memory of 572 2120 Mhopcl32.exe 43 PID 2120 wrote to memory of 572 2120 Mhopcl32.exe 43 PID 2120 wrote to memory of 572 2120 Mhopcl32.exe 43 PID 572 wrote to memory of 1284 572 Neemgp32.exe 44 PID 572 wrote to memory of 1284 572 Neemgp32.exe 44 PID 572 wrote to memory of 1284 572 Neemgp32.exe 44 PID 572 wrote to memory of 1284 572 Neemgp32.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\a10f9e4ea19f3e7c915cea7105eaaf968badb87be3800d42a1a923519285b754N.exe"C:\Users\Admin\AppData\Local\Temp\a10f9e4ea19f3e7c915cea7105eaaf968badb87be3800d42a1a923519285b754N.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1820 -
C:\Windows\SysWOW64\Cghkepdm.exeC:\Windows\system32\Cghkepdm.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2820 -
C:\Windows\SysWOW64\Cmdcngbd.exeC:\Windows\system32\Cmdcngbd.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2956 -
C:\Windows\SysWOW64\Dbmlal32.exeC:\Windows\system32\Dbmlal32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2316 -
C:\Windows\SysWOW64\Dlepjbmo.exeC:\Windows\system32\Dlepjbmo.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:828 -
C:\Windows\SysWOW64\Dgoakpjn.exeC:\Windows\system32\Dgoakpjn.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2848 -
C:\Windows\SysWOW64\Fleihi32.exeC:\Windows\system32\Fleihi32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2708 -
C:\Windows\SysWOW64\Gielchpp.exeC:\Windows\system32\Gielchpp.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2248 -
C:\Windows\SysWOW64\Hbpmbndm.exeC:\Windows\system32\Hbpmbndm.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2356 -
C:\Windows\SysWOW64\Ilhnjfmi.exeC:\Windows\system32\Ilhnjfmi.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2128 -
C:\Windows\SysWOW64\Iniglajj.exeC:\Windows\system32\Iniglajj.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2816 -
C:\Windows\SysWOW64\Kbflqccl.exeC:\Windows\system32\Kbflqccl.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Windows\SysWOW64\Kdooij32.exeC:\Windows\system32\Kdooij32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1140 -
C:\Windows\SysWOW64\Lngpac32.exeC:\Windows\system32\Lngpac32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2184 -
C:\Windows\SysWOW64\Mhopcl32.exeC:\Windows\system32\Mhopcl32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2120 -
C:\Windows\SysWOW64\Neemgp32.exeC:\Windows\system32\Neemgp32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:572 -
C:\Windows\SysWOW64\Nhffikob.exeC:\Windows\system32\Nhffikob.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1284 -
C:\Windows\SysWOW64\Ppogok32.exeC:\Windows\system32\Ppogok32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2432 -
C:\Windows\SysWOW64\Pbppqf32.exeC:\Windows\system32\Pbppqf32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1508 -
C:\Windows\SysWOW64\Pmlngdhk.exeC:\Windows\system32\Pmlngdhk.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1752 -
C:\Windows\SysWOW64\Phabdmgq.exeC:\Windows\system32\Phabdmgq.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1776 -
C:\Windows\SysWOW64\Qkbkfh32.exeC:\Windows\system32\Qkbkfh32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:956 -
C:\Windows\SysWOW64\Acplpjpj.exeC:\Windows\system32\Acplpjpj.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1552 -
C:\Windows\SysWOW64\Acdfki32.exeC:\Windows\system32\Acdfki32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2100 -
C:\Windows\SysWOW64\Abjcleqm.exeC:\Windows\system32\Abjcleqm.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:872 -
C:\Windows\SysWOW64\Bkddjkej.exeC:\Windows\system32\Bkddjkej.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3008 -
C:\Windows\SysWOW64\Bgkeol32.exeC:\Windows\system32\Bgkeol32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2960 -
C:\Windows\SysWOW64\Biakbc32.exeC:\Windows\system32\Biakbc32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1600 -
C:\Windows\SysWOW64\Bbjoki32.exeC:\Windows\system32\Bbjoki32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2744 -
C:\Windows\SysWOW64\Cgkanomj.exeC:\Windows\system32\Cgkanomj.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3024 -
C:\Windows\SysWOW64\Ceoagcld.exeC:\Windows\system32\Ceoagcld.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2608 -
C:\Windows\SysWOW64\Cngfqi32.exeC:\Windows\system32\Cngfqi32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1660 -
C:\Windows\SysWOW64\Dajlhc32.exeC:\Windows\system32\Dajlhc32.exe33⤵
- Executes dropped EXE
PID:2220 -
C:\Windows\SysWOW64\Dmcibdad.exeC:\Windows\system32\Dmcibdad.exe34⤵
- Executes dropped EXE
PID:1620 -
C:\Windows\SysWOW64\Eehqme32.exeC:\Windows\system32\Eehqme32.exe35⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2604 -
C:\Windows\SysWOW64\Epdncb32.exeC:\Windows\system32\Epdncb32.exe36⤵
- Executes dropped EXE
PID:2468 -
C:\Windows\SysWOW64\Fmholgpj.exeC:\Windows\system32\Fmholgpj.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2636 -
C:\Windows\SysWOW64\Fpihnbmk.exeC:\Windows\system32\Fpihnbmk.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3064 -
C:\Windows\SysWOW64\Fhdlbd32.exeC:\Windows\system32\Fhdlbd32.exe39⤵
- Executes dropped EXE
PID:2276 -
C:\Windows\SysWOW64\Fehmlh32.exeC:\Windows\system32\Fehmlh32.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2644 -
C:\Windows\SysWOW64\Fkeedo32.exeC:\Windows\system32\Fkeedo32.exe41⤵
- Executes dropped EXE
PID:916 -
C:\Windows\SysWOW64\Fejjah32.exeC:\Windows\system32\Fejjah32.exe42⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1328 -
C:\Windows\SysWOW64\Gdpfbd32.exeC:\Windows\system32\Gdpfbd32.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:400 -
C:\Windows\SysWOW64\Goekpm32.exeC:\Windows\system32\Goekpm32.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:1548 -
C:\Windows\SysWOW64\Ghmohcbl.exeC:\Windows\system32\Ghmohcbl.exe45⤵
- Executes dropped EXE
PID:1796 -
C:\Windows\SysWOW64\Gqidme32.exeC:\Windows\system32\Gqidme32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1992 -
C:\Windows\SysWOW64\Gknhjn32.exeC:\Windows\system32\Gknhjn32.exe47⤵
- Executes dropped EXE
PID:2060 -
C:\Windows\SysWOW64\Gnoaliln.exeC:\Windows\system32\Gnoaliln.exe48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1516 -
C:\Windows\SysWOW64\Hqpjndio.exeC:\Windows\system32\Hqpjndio.exe49⤵
- Executes dropped EXE
PID:2056 -
C:\Windows\SysWOW64\Hikobfgj.exeC:\Windows\system32\Hikobfgj.exe50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2832 -
C:\Windows\SysWOW64\Hdapggln.exeC:\Windows\system32\Hdapggln.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:2136 -
C:\Windows\SysWOW64\Hogddpld.exeC:\Windows\system32\Hogddpld.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2844 -
C:\Windows\SysWOW64\Hedllgjk.exeC:\Windows\system32\Hedllgjk.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2792 -
C:\Windows\SysWOW64\Hojqjp32.exeC:\Windows\system32\Hojqjp32.exe54⤵
- Executes dropped EXE
PID:2460 -
C:\Windows\SysWOW64\Hefibg32.exeC:\Windows\system32\Hefibg32.exe55⤵
- Executes dropped EXE
PID:1264 -
C:\Windows\SysWOW64\Iamjghnm.exeC:\Windows\system32\Iamjghnm.exe56⤵
- Executes dropped EXE
PID:2240 -
C:\Windows\SysWOW64\Imdjlida.exeC:\Windows\system32\Imdjlida.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1012 -
C:\Windows\SysWOW64\Igioiacg.exeC:\Windows\system32\Igioiacg.exe58⤵
- Executes dropped EXE
PID:3036 -
C:\Windows\SysWOW64\Iabcbg32.exeC:\Windows\system32\Iabcbg32.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2392 -
C:\Windows\SysWOW64\Iefeaj32.exeC:\Windows\system32\Iefeaj32.exe60⤵
- Executes dropped EXE
PID:2180 -
C:\Windows\SysWOW64\Jbjejojn.exeC:\Windows\system32\Jbjejojn.exe61⤵
- Executes dropped EXE
PID:900 -
C:\Windows\SysWOW64\Jnafop32.exeC:\Windows\system32\Jnafop32.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2152 -
C:\Windows\SysWOW64\Jaaoakmc.exeC:\Windows\system32\Jaaoakmc.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2700 -
C:\Windows\SysWOW64\Jjjdjp32.exeC:\Windows\system32\Jjjdjp32.exe64⤵
- Executes dropped EXE
PID:756 -
C:\Windows\SysWOW64\Jdbhcfjd.exeC:\Windows\system32\Jdbhcfjd.exe65⤵
- Executes dropped EXE
PID:2652 -
C:\Windows\SysWOW64\Johlpoij.exeC:\Windows\system32\Johlpoij.exe66⤵
- Drops file in System32 directory
PID:1104 -
C:\Windows\SysWOW64\Kdeehe32.exeC:\Windows\system32\Kdeehe32.exe67⤵
- Drops file in System32 directory
PID:1512 -
C:\Windows\SysWOW64\Kmmiaknb.exeC:\Windows\system32\Kmmiaknb.exe68⤵
- Modifies registry class
PID:1676 -
C:\Windows\SysWOW64\Kbjbibli.exeC:\Windows\system32\Kbjbibli.exe69⤵PID:2156
-
C:\Windows\SysWOW64\Kblooa32.exeC:\Windows\system32\Kblooa32.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1084 -
C:\Windows\SysWOW64\Kppohf32.exeC:\Windows\system32\Kppohf32.exe71⤵PID:2748
-
C:\Windows\SysWOW64\Kemgqm32.exeC:\Windows\system32\Kemgqm32.exe72⤵PID:2724
-
C:\Windows\SysWOW64\Kpblne32.exeC:\Windows\system32\Kpblne32.exe73⤵PID:884
-
C:\Windows\SysWOW64\Kikpgk32.exeC:\Windows\system32\Kikpgk32.exe74⤵PID:744
-
C:\Windows\SysWOW64\Lafekm32.exeC:\Windows\system32\Lafekm32.exe75⤵PID:2612
-
C:\Windows\SysWOW64\Lnmfpnqn.exeC:\Windows\system32\Lnmfpnqn.exe76⤵PID:2320
-
C:\Windows\SysWOW64\Lhbjmg32.exeC:\Windows\system32\Lhbjmg32.exe77⤵
- Drops file in System32 directory
PID:2336 -
C:\Windows\SysWOW64\Laknfmgd.exeC:\Windows\system32\Laknfmgd.exe78⤵PID:1864
-
C:\Windows\SysWOW64\Ldlghhde.exeC:\Windows\system32\Ldlghhde.exe79⤵PID:2112
-
C:\Windows\SysWOW64\Ljhppo32.exeC:\Windows\system32\Ljhppo32.exe80⤵PID:1056
-
C:\Windows\SysWOW64\Mjkmfn32.exeC:\Windows\system32\Mjkmfn32.exe81⤵
- Modifies registry class
PID:1028 -
C:\Windows\SysWOW64\Mgomoboc.exeC:\Windows\system32\Mgomoboc.exe82⤵
- Drops file in System32 directory
PID:2096 -
C:\Windows\SysWOW64\Mlnbmikh.exeC:\Windows\system32\Mlnbmikh.exe83⤵PID:1808
-
C:\Windows\SysWOW64\Mhgpgjoj.exeC:\Windows\system32\Mhgpgjoj.exe84⤵PID:2504
-
C:\Windows\SysWOW64\Nqbdllld.exeC:\Windows\system32\Nqbdllld.exe85⤵
- Drops file in System32 directory
PID:1872 -
C:\Windows\SysWOW64\Pojgnf32.exeC:\Windows\system32\Pojgnf32.exe86⤵
- Drops file in System32 directory
PID:2984 -
C:\Windows\SysWOW64\Qomcdf32.exeC:\Windows\system32\Qomcdf32.exe87⤵PID:1988
-
C:\Windows\SysWOW64\Qlqdmj32.exeC:\Windows\system32\Qlqdmj32.exe88⤵PID:2284
-
C:\Windows\SysWOW64\Qamleagn.exeC:\Windows\system32\Qamleagn.exe89⤵
- Modifies registry class
PID:2360 -
C:\Windows\SysWOW64\Akfaof32.exeC:\Windows\system32\Akfaof32.exe90⤵PID:3032
-
C:\Windows\SysWOW64\Adnegldo.exeC:\Windows\system32\Adnegldo.exe91⤵PID:2192
-
C:\Windows\SysWOW64\Anfjpa32.exeC:\Windows\system32\Anfjpa32.exe92⤵PID:2164
-
C:\Windows\SysWOW64\Agonig32.exeC:\Windows\system32\Agonig32.exe93⤵PID:1528
-
C:\Windows\SysWOW64\Akmgoehg.exeC:\Windows\system32\Akmgoehg.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2256 -
C:\Windows\SysWOW64\Agchdfmk.exeC:\Windows\system32\Agchdfmk.exe95⤵PID:1616
-
C:\Windows\SysWOW64\Alqplmlb.exeC:\Windows\system32\Alqplmlb.exe96⤵
- Drops file in System32 directory
- Modifies registry class
PID:1248 -
C:\Windows\SysWOW64\Bjdqfajl.exeC:\Windows\system32\Bjdqfajl.exe97⤵PID:672
-
C:\Windows\SysWOW64\Boainhic.exeC:\Windows\system32\Boainhic.exe98⤵PID:2268
-
C:\Windows\SysWOW64\Bfnnpbnn.exeC:\Windows\system32\Bfnnpbnn.exe99⤵
- Drops file in System32 directory
PID:1388 -
C:\Windows\SysWOW64\Bnkpjd32.exeC:\Windows\system32\Bnkpjd32.exe100⤵PID:1912
-
C:\Windows\SysWOW64\Bgcdcjpf.exeC:\Windows\system32\Bgcdcjpf.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2508 -
C:\Windows\SysWOW64\Cbihpbpl.exeC:\Windows\system32\Cbihpbpl.exe102⤵PID:1748
-
C:\Windows\SysWOW64\Ckamihfm.exeC:\Windows\system32\Ckamihfm.exe103⤵PID:2172
-
C:\Windows\SysWOW64\Cmbiap32.exeC:\Windows\system32\Cmbiap32.exe104⤵
- System Location Discovery: System Language Discovery
PID:1648 -
C:\Windows\SysWOW64\Cghmni32.exeC:\Windows\system32\Cghmni32.exe105⤵PID:2044
-
C:\Windows\SysWOW64\Cconcjae.exeC:\Windows\system32\Cconcjae.exe106⤵PID:1968
-
C:\Windows\SysWOW64\Cmgblphf.exeC:\Windows\system32\Cmgblphf.exe107⤵PID:2988
-
C:\Windows\SysWOW64\Cbdkdffm.exeC:\Windows\system32\Cbdkdffm.exe108⤵
- Modifies registry class
PID:2196 -
C:\Windows\SysWOW64\Deedfacn.exeC:\Windows\system32\Deedfacn.exe109⤵PID:816
-
C:\Windows\SysWOW64\Dfdqpdja.exeC:\Windows\system32\Dfdqpdja.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2880 -
C:\Windows\SysWOW64\Danaqbgp.exeC:\Windows\system32\Danaqbgp.exe111⤵PID:1740
-
C:\Windows\SysWOW64\Dnbbjf32.exeC:\Windows\system32\Dnbbjf32.exe112⤵
- Modifies registry class
PID:2968 -
C:\Windows\SysWOW64\Dndoof32.exeC:\Windows\system32\Dndoof32.exe113⤵PID:2388
-
C:\Windows\SysWOW64\Djkodg32.exeC:\Windows\system32\Djkodg32.exe114⤵PID:2352
-
C:\Windows\SysWOW64\Eccdmmpk.exeC:\Windows\system32\Eccdmmpk.exe115⤵
- Modifies registry class
PID:2836 -
C:\Windows\SysWOW64\Eiplecnc.exeC:\Windows\system32\Eiplecnc.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2072 -
C:\Windows\SysWOW64\Edfqclni.exeC:\Windows\system32\Edfqclni.exe117⤵
- Drops file in System32 directory
PID:2368 -
C:\Windows\SysWOW64\Elaego32.exeC:\Windows\system32\Elaego32.exe118⤵PID:1252
-
C:\Windows\SysWOW64\Emqaaabg.exeC:\Windows\system32\Emqaaabg.exe119⤵PID:632
-
C:\Windows\SysWOW64\Fhlogo32.exeC:\Windows\system32\Fhlogo32.exe120⤵
- Drops file in System32 directory
PID:2940 -
C:\Windows\SysWOW64\Feppqc32.exeC:\Windows\system32\Feppqc32.exe121⤵PID:2876
-
C:\Windows\SysWOW64\Fkmhij32.exeC:\Windows\system32\Fkmhij32.exe122⤵
- Drops file in System32 directory
PID:2092
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-