Analysis
-
max time kernel
74s -
max time network
18s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
09/11/2024, 11:50
Static task
static1
Behavioral task
behavioral1
Sample
2675bd1c9b94bbb9ff6328cd298ccb196fdc4474e7d67c3c6453b225b68a5839N.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
2675bd1c9b94bbb9ff6328cd298ccb196fdc4474e7d67c3c6453b225b68a5839N.exe
Resource
win10v2004-20241007-en
General
-
Target
2675bd1c9b94bbb9ff6328cd298ccb196fdc4474e7d67c3c6453b225b68a5839N.exe
-
Size
320KB
-
MD5
bd43a4c63e70916f7903746b597b5450
-
SHA1
b1aa714251c87fdd8329ef1d98f0ebd4475cc4da
-
SHA256
2675bd1c9b94bbb9ff6328cd298ccb196fdc4474e7d67c3c6453b225b68a5839
-
SHA512
849499817ee49150a0140ae3732eb7d463e3356f4db5fd698ae5a3187f3bc1dadc509dbc8e2c7128b565839453543bcacfbbef13cb039619933d974d792babb5
-
SSDEEP
6144:wfussu3Dvl3Y/m05XUEtMEX6vluZV4U/vlf0DrBqvl8ZV4U/vlfl+9Q:wfauTvMm05XEvG6IveDVqvQ6IvP
Malware Config
Extracted
berbew
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oheppe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmoaoikj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hajdniep.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hiehbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lllpclnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iplnpq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jifhdphd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fcoaebjc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mchadifq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nalnmahf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Egimdmmc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olgpff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ilpkel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lbmicc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Peapmhnk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eijffhjd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibadnhmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hliieioi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmheol32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmgpcg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pieobaiq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lddagi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfogneop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pgacaaij.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hajdniep.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bppdlgjk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bllomg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fclbgj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mljnaocd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfldno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Omdbdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjgbmoda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fgbnbcmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jhnbklji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mogcelgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Peapmhnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dgoakpjn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpidai32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjikaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kkajkoml.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Koelibnh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cooddbfh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofpmegpe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mffgfo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gopnca32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfamko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjikaa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcpqfgol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Onehadbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pieobaiq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjgdfg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eiocbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmmcfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhngem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kdooij32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aodqok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Niqgof32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aocgll32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icjmpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mqlbnnej.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odmgnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Khcbpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckajqo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ilfadg32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2164 Noepdo32.exe 2936 Ngqeha32.exe 2932 Npppaejj.exe 3040 Olgpff32.exe 2016 Oddbqhkf.exe 2564 Pgjdmc32.exe 2988 Pgnnhbpm.exe 2984 Pmmcfi32.exe 1460 Qqbeel32.exe 2792 Akjfhdka.exe 1352 Agccbenc.exe 1148 Bppdlgjk.exe 1760 Bllomg32.exe 1532 Cooddbfh.exe 2452 Clinfk32.exe 1992 Cpidai32.exe 2732 Doamhe32.exe 1320 Dhlogjko.exe 1004 Dgalhgpg.exe 2764 Emggflfc.exe 1708 Fdgefn32.exe 2628 Fclbgj32.exe 2636 Fmdfppkb.exe 892 Gfogneop.exe 2104 Gbfhcf32.exe 2916 Ghenamai.exe 2168 Gekkpqnp.exe 1620 Hjkpng32.exe 3060 Hfdmhh32.exe 1628 Hpoofm32.exe 2864 Iboghh32.exe 2540 Ibadnhmb.exe 2260 Iplnpq32.exe 1040 Jakjjcnd.exe 2580 Jlekja32.exe 3024 Jofdll32.exe 2088 Johaalea.exe 1152 Khcbpa32.exe 2240 Kheofahm.exe 2656 Kgjlgm32.exe 2472 Kcamln32.exe 856 Kgoebmip.exe 1080 Lgabgl32.exe 1788 Lqjfpbmm.exe 1712 Lmqgec32.exe 1232 Lpapgnpb.exe 544 Lfkhch32.exe 2012 Lnfmhj32.exe 2368 Mljnaocd.exe 2128 Mlmjgnaa.exe 2660 Mffkgl32.exe 2844 Mhfhaoec.exe 2848 Mfkebkjk.exe 2928 Npcika32.exe 264 Nilndfgl.exe 916 Nebnigmp.exe 1836 Niqgof32.exe 2460 Oacbdg32.exe 696 Omjbihpn.exe 2268 Olopjddf.exe 2464 Oheppe32.exe 624 Peiaij32.exe 2000 Pobeao32.exe 1356 Phjjkefd.exe -
Loads dropped DLL 64 IoCs
pid Process 1736 2675bd1c9b94bbb9ff6328cd298ccb196fdc4474e7d67c3c6453b225b68a5839N.exe 1736 2675bd1c9b94bbb9ff6328cd298ccb196fdc4474e7d67c3c6453b225b68a5839N.exe 2164 Noepdo32.exe 2164 Noepdo32.exe 2936 Ngqeha32.exe 2936 Ngqeha32.exe 2932 Npppaejj.exe 2932 Npppaejj.exe 3040 Olgpff32.exe 3040 Olgpff32.exe 2016 Oddbqhkf.exe 2016 Oddbqhkf.exe 2564 Pgjdmc32.exe 2564 Pgjdmc32.exe 2988 Pgnnhbpm.exe 2988 Pgnnhbpm.exe 2984 Pmmcfi32.exe 2984 Pmmcfi32.exe 1460 Qqbeel32.exe 1460 Qqbeel32.exe 2792 Akjfhdka.exe 2792 Akjfhdka.exe 1352 Agccbenc.exe 1352 Agccbenc.exe 1148 Bppdlgjk.exe 1148 Bppdlgjk.exe 1760 Bllomg32.exe 1760 Bllomg32.exe 1532 Cooddbfh.exe 1532 Cooddbfh.exe 2452 Clinfk32.exe 2452 Clinfk32.exe 1992 Cpidai32.exe 1992 Cpidai32.exe 2732 Doamhe32.exe 2732 Doamhe32.exe 1320 Dhlogjko.exe 1320 Dhlogjko.exe 1004 Dgalhgpg.exe 1004 Dgalhgpg.exe 2764 Emggflfc.exe 2764 Emggflfc.exe 1708 Fdgefn32.exe 1708 Fdgefn32.exe 2628 Fclbgj32.exe 2628 Fclbgj32.exe 2636 Fmdfppkb.exe 2636 Fmdfppkb.exe 892 Gfogneop.exe 892 Gfogneop.exe 2104 Gbfhcf32.exe 2104 Gbfhcf32.exe 2916 Ghenamai.exe 2916 Ghenamai.exe 2168 Gekkpqnp.exe 2168 Gekkpqnp.exe 1620 Hjkpng32.exe 1620 Hjkpng32.exe 3060 Hfdmhh32.exe 3060 Hfdmhh32.exe 1628 Hpoofm32.exe 1628 Hpoofm32.exe 2864 Iboghh32.exe 2864 Iboghh32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Djammg32.dll Bjgbmoda.exe File opened for modification C:\Windows\SysWOW64\Andkbien.exe Qcjjakip.exe File created C:\Windows\SysWOW64\Ilfadg32.exe Icjmpd32.exe File created C:\Windows\SysWOW64\Nloedjin.exe Npieoi32.exe File created C:\Windows\SysWOW64\Alknnodh.exe Acbieing.exe File created C:\Windows\SysWOW64\Jcoimalh.dll Aqanke32.exe File created C:\Windows\SysWOW64\Iadnon32.exe Ihkifi32.exe File opened for modification C:\Windows\SysWOW64\Kpmpjm32.exe Kcipqi32.exe File created C:\Windows\SysWOW64\Obcgaill.exe Oikcicfl.exe File created C:\Windows\SysWOW64\Dahobdpe.exe Cgpjin32.exe File opened for modification C:\Windows\SysWOW64\Mfamko32.exe Mnfhfmhc.exe File created C:\Windows\SysWOW64\Opqdcgib.exe Nidoamch.exe File created C:\Windows\SysWOW64\Lfkhch32.exe Lpapgnpb.exe File created C:\Windows\SysWOW64\Qcpnob32.dll Peiaij32.exe File created C:\Windows\SysWOW64\Cligkdlm.exe Cjikaa32.exe File created C:\Windows\SysWOW64\Hngngo32.exe Hqbnnj32.exe File opened for modification C:\Windows\SysWOW64\Doamhe32.exe Cpidai32.exe File created C:\Windows\SysWOW64\Mhfhaoec.exe Mffkgl32.exe File created C:\Windows\SysWOW64\Bcdbjl32.exe Bfqaph32.exe File created C:\Windows\SysWOW64\Bcgoolln.exe Bcdbjl32.exe File created C:\Windows\SysWOW64\Mjhlcioh.dll Dfnjqifb.exe File opened for modification C:\Windows\SysWOW64\Kccbgh32.exe Khmnio32.exe File created C:\Windows\SysWOW64\Jajlng32.dll Njopgh32.exe File created C:\Windows\SysWOW64\Ajaagi32.exe Aqimoc32.exe File opened for modification C:\Windows\SysWOW64\Ceioieei.exe Ckajqo32.exe File opened for modification C:\Windows\SysWOW64\Gklkdn32.exe Gkiooocb.exe File opened for modification C:\Windows\SysWOW64\Jjlqpp32.exe Jdplmflg.exe File created C:\Windows\SysWOW64\Khcbpa32.exe Johaalea.exe File created C:\Windows\SysWOW64\Pgacaaij.exe Phmfpddb.exe File created C:\Windows\SysWOW64\Keedbkkd.dll Mbmebgpi.exe File created C:\Windows\SysWOW64\Nmmlccfp.exe Njopgh32.exe File created C:\Windows\SysWOW64\Dmcibdad.exe Dmalmdcg.exe File created C:\Windows\SysWOW64\Mfkebkjk.exe Mhfhaoec.exe File created C:\Windows\SysWOW64\Hmdldmja.exe Gfjcgc32.exe File created C:\Windows\SysWOW64\Fefpfi32.exe Fpihnbmk.exe File opened for modification C:\Windows\SysWOW64\Hedllgjk.exe Hmighemp.exe File created C:\Windows\SysWOW64\Fcoaebjc.exe Fcmdpcle.exe File created C:\Windows\SysWOW64\Nadann32.dll Cobjmq32.exe File opened for modification C:\Windows\SysWOW64\Agaifnhi.exe Ajmhljip.exe File created C:\Windows\SysWOW64\Ckajqo32.exe Cakfcfoc.exe File created C:\Windows\SysWOW64\Olpggg32.dll Hmheol32.exe File opened for modification C:\Windows\SysWOW64\Ilpkel32.exe Ilmool32.exe File opened for modification C:\Windows\SysWOW64\Mmmpdp32.exe Mqfooonp.exe File opened for modification C:\Windows\SysWOW64\Aqimoc32.exe Agaifnhi.exe File created C:\Windows\SysWOW64\Ldpllj32.dll Cbfeam32.exe File created C:\Windows\SysWOW64\Fpihnbmk.exe Feccqime.exe File created C:\Windows\SysWOW64\Akjfhdka.exe Qqbeel32.exe File created C:\Windows\SysWOW64\Eenabkfk.exe Eghdanac.exe File created C:\Windows\SysWOW64\Cicggcke.exe Bcgoolln.exe File created C:\Windows\SysWOW64\Fclbgj32.exe Fdgefn32.exe File opened for modification C:\Windows\SysWOW64\Oheppe32.exe Olopjddf.exe File opened for modification C:\Windows\SysWOW64\Mqfooonp.exe Mogcelgm.exe File opened for modification C:\Windows\SysWOW64\Pihbbgjj.exe Oakaheoa.exe File created C:\Windows\SysWOW64\Bipaodah.exe Bebiifka.exe File created C:\Windows\SysWOW64\Madikm32.dll Nilndfgl.exe File created C:\Windows\SysWOW64\Iindag32.dll Qfimhmlo.exe File opened for modification C:\Windows\SysWOW64\Pojdem32.exe Peapmhnk.exe File created C:\Windows\SysWOW64\Phoeomjc.exe Phmiimlf.exe File created C:\Windows\SysWOW64\Dbqajk32.exe Dmcibdad.exe File opened for modification C:\Windows\SysWOW64\Clinfk32.exe Cooddbfh.exe File created C:\Windows\SysWOW64\Keehmobp.exe Jinghn32.exe File opened for modification C:\Windows\SysWOW64\Cligkdlm.exe Cjikaa32.exe File created C:\Windows\SysWOW64\Kkajkoml.exe Kmmiaknb.exe File created C:\Windows\SysWOW64\Ajibckpc.exe Aqanke32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 2284 1960 WerFault.exe 362 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obgmjh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmcibdad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjkpng32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nilndfgl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddhekfeb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmljnfll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elcpdeam.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Helmiiec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fldbnb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oakaheoa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppegdapd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Clinfk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpoofm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcpqfgol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qcjjakip.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgjdmc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjblcl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcipqi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njammhei.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfhmai32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fclbgj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnfmhj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijghmd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hajdniep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohnemidj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfdeab32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gimmpj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Keehmobp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dimfmeef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jafilj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkepdbkb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhfhaoec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfjcgc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcpbpk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Didgig32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gqendf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mchadifq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Doamhe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghenamai.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njjfli32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekmjanpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odmgnl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jifhdphd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkgqpjch.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gqkqbe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgbnbcmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llkgpmck.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oppbjn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kocodbpk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nidoamch.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cicggcke.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmmiaknb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mljnaocd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bphdpe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggdfff32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iiobcq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajaagi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcmdpcle.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nqgngk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llainlje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lodoefed.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qnoklc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abjcleqm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gopnca32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pgnnhbpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ppiapp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nalnmahf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jofdll32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fqfipj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kdooij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mnakjaoc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Akmlacdn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cbljgpja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mqfooonp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjgagh32.dll" Pojdem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gcankb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gekkpqnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fgbnbcmd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fcmdpcle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dmcibdad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpfioeef.dll" Eiocbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejlogbpb.dll" Hcpqfgol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jjbdfbnl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nalnmahf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pomagi32.dll" Qqbeel32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Doamhe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ofpmegpe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Olopjddf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adffdidl.dll" Ckajqo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oheppe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lfckhc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Didgig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ngqeha32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Johaalea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngobfm32.dll" Llomhllh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmmjim32.dll" Ggbljogc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nndhpqma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Phjjkefd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nemfepee.dll" Blodefdg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kcipqi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Apdminod.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kcamln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jgbolhoa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jpfcohfk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfjijn32.dll" Gopnca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Noepdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Clinfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmhikf32.dll" Lfkhch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjopen32.dll" Oelcho32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gklkdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fnkblm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmlhga32.dll" Kcdljghj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nidoamch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmglpc32.dll" Bebiifka.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jfiekc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nlabjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlbphm32.dll" Abjcleqm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eijffhjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jlekja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mffkgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flfile32.dll" Iilocklc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohpchcao.dll" Bppdlgjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npldppbn.dll" Agaifnhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lijngqak.dll" Faikbkhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqcgln32.dll" Omlahqeo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bfqaph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afakja32.dll" Pmmcfi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gimmpj32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1736 wrote to memory of 2164 1736 2675bd1c9b94bbb9ff6328cd298ccb196fdc4474e7d67c3c6453b225b68a5839N.exe 30 PID 1736 wrote to memory of 2164 1736 2675bd1c9b94bbb9ff6328cd298ccb196fdc4474e7d67c3c6453b225b68a5839N.exe 30 PID 1736 wrote to memory of 2164 1736 2675bd1c9b94bbb9ff6328cd298ccb196fdc4474e7d67c3c6453b225b68a5839N.exe 30 PID 1736 wrote to memory of 2164 1736 2675bd1c9b94bbb9ff6328cd298ccb196fdc4474e7d67c3c6453b225b68a5839N.exe 30 PID 2164 wrote to memory of 2936 2164 Noepdo32.exe 31 PID 2164 wrote to memory of 2936 2164 Noepdo32.exe 31 PID 2164 wrote to memory of 2936 2164 Noepdo32.exe 31 PID 2164 wrote to memory of 2936 2164 Noepdo32.exe 31 PID 2936 wrote to memory of 2932 2936 Ngqeha32.exe 32 PID 2936 wrote to memory of 2932 2936 Ngqeha32.exe 32 PID 2936 wrote to memory of 2932 2936 Ngqeha32.exe 32 PID 2936 wrote to memory of 2932 2936 Ngqeha32.exe 32 PID 2932 wrote to memory of 3040 2932 Npppaejj.exe 33 PID 2932 wrote to memory of 3040 2932 Npppaejj.exe 33 PID 2932 wrote to memory of 3040 2932 Npppaejj.exe 33 PID 2932 wrote to memory of 3040 2932 Npppaejj.exe 33 PID 3040 wrote to memory of 2016 3040 Olgpff32.exe 34 PID 3040 wrote to memory of 2016 3040 Olgpff32.exe 34 PID 3040 wrote to memory of 2016 3040 Olgpff32.exe 34 PID 3040 wrote to memory of 2016 3040 Olgpff32.exe 34 PID 2016 wrote to memory of 2564 2016 Oddbqhkf.exe 35 PID 2016 wrote to memory of 2564 2016 Oddbqhkf.exe 35 PID 2016 wrote to memory of 2564 2016 Oddbqhkf.exe 35 PID 2016 wrote to memory of 2564 2016 Oddbqhkf.exe 35 PID 2564 wrote to memory of 2988 2564 Pgjdmc32.exe 36 PID 2564 wrote to memory of 2988 2564 Pgjdmc32.exe 36 PID 2564 wrote to memory of 2988 2564 Pgjdmc32.exe 36 PID 2564 wrote to memory of 2988 2564 Pgjdmc32.exe 36 PID 2988 wrote to memory of 2984 2988 Pgnnhbpm.exe 37 PID 2988 wrote to memory of 2984 2988 Pgnnhbpm.exe 37 PID 2988 wrote to memory of 2984 2988 Pgnnhbpm.exe 37 PID 2988 wrote to memory of 2984 2988 Pgnnhbpm.exe 37 PID 2984 wrote to memory of 1460 2984 Pmmcfi32.exe 38 PID 2984 wrote to memory of 1460 2984 Pmmcfi32.exe 38 PID 2984 wrote to memory of 1460 2984 Pmmcfi32.exe 38 PID 2984 wrote to memory of 1460 2984 Pmmcfi32.exe 38 PID 1460 wrote to memory of 2792 1460 Qqbeel32.exe 39 PID 1460 wrote to memory of 2792 1460 Qqbeel32.exe 39 PID 1460 wrote to memory of 2792 1460 Qqbeel32.exe 39 PID 1460 wrote to memory of 2792 1460 Qqbeel32.exe 39 PID 2792 wrote to memory of 1352 2792 Akjfhdka.exe 40 PID 2792 wrote to memory of 1352 2792 Akjfhdka.exe 40 PID 2792 wrote to memory of 1352 2792 Akjfhdka.exe 40 PID 2792 wrote to memory of 1352 2792 Akjfhdka.exe 40 PID 1352 wrote to memory of 1148 1352 Agccbenc.exe 41 PID 1352 wrote to memory of 1148 1352 Agccbenc.exe 41 PID 1352 wrote to memory of 1148 1352 Agccbenc.exe 41 PID 1352 wrote to memory of 1148 1352 Agccbenc.exe 41 PID 1148 wrote to memory of 1760 1148 Bppdlgjk.exe 42 PID 1148 wrote to memory of 1760 1148 Bppdlgjk.exe 42 PID 1148 wrote to memory of 1760 1148 Bppdlgjk.exe 42 PID 1148 wrote to memory of 1760 1148 Bppdlgjk.exe 42 PID 1760 wrote to memory of 1532 1760 Bllomg32.exe 43 PID 1760 wrote to memory of 1532 1760 Bllomg32.exe 43 PID 1760 wrote to memory of 1532 1760 Bllomg32.exe 43 PID 1760 wrote to memory of 1532 1760 Bllomg32.exe 43 PID 1532 wrote to memory of 2452 1532 Cooddbfh.exe 44 PID 1532 wrote to memory of 2452 1532 Cooddbfh.exe 44 PID 1532 wrote to memory of 2452 1532 Cooddbfh.exe 44 PID 1532 wrote to memory of 2452 1532 Cooddbfh.exe 44 PID 2452 wrote to memory of 1992 2452 Clinfk32.exe 45 PID 2452 wrote to memory of 1992 2452 Clinfk32.exe 45 PID 2452 wrote to memory of 1992 2452 Clinfk32.exe 45 PID 2452 wrote to memory of 1992 2452 Clinfk32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\2675bd1c9b94bbb9ff6328cd298ccb196fdc4474e7d67c3c6453b225b68a5839N.exe"C:\Users\Admin\AppData\Local\Temp\2675bd1c9b94bbb9ff6328cd298ccb196fdc4474e7d67c3c6453b225b68a5839N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1736 -
C:\Windows\SysWOW64\Noepdo32.exeC:\Windows\system32\Noepdo32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2164 -
C:\Windows\SysWOW64\Ngqeha32.exeC:\Windows\system32\Ngqeha32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2936 -
C:\Windows\SysWOW64\Npppaejj.exeC:\Windows\system32\Npppaejj.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2932 -
C:\Windows\SysWOW64\Olgpff32.exeC:\Windows\system32\Olgpff32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3040 -
C:\Windows\SysWOW64\Oddbqhkf.exeC:\Windows\system32\Oddbqhkf.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2016 -
C:\Windows\SysWOW64\Pgjdmc32.exeC:\Windows\system32\Pgjdmc32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2564 -
C:\Windows\SysWOW64\Pgnnhbpm.exeC:\Windows\system32\Pgnnhbpm.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2988 -
C:\Windows\SysWOW64\Pmmcfi32.exeC:\Windows\system32\Pmmcfi32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2984 -
C:\Windows\SysWOW64\Qqbeel32.exeC:\Windows\system32\Qqbeel32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1460 -
C:\Windows\SysWOW64\Akjfhdka.exeC:\Windows\system32\Akjfhdka.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2792 -
C:\Windows\SysWOW64\Agccbenc.exeC:\Windows\system32\Agccbenc.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1352 -
C:\Windows\SysWOW64\Bppdlgjk.exeC:\Windows\system32\Bppdlgjk.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1148 -
C:\Windows\SysWOW64\Bllomg32.exeC:\Windows\system32\Bllomg32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1760 -
C:\Windows\SysWOW64\Cooddbfh.exeC:\Windows\system32\Cooddbfh.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1532 -
C:\Windows\SysWOW64\Clinfk32.exeC:\Windows\system32\Clinfk32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2452 -
C:\Windows\SysWOW64\Cpidai32.exeC:\Windows\system32\Cpidai32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1992 -
C:\Windows\SysWOW64\Doamhe32.exeC:\Windows\system32\Doamhe32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2732 -
C:\Windows\SysWOW64\Dhlogjko.exeC:\Windows\system32\Dhlogjko.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1320 -
C:\Windows\SysWOW64\Dgalhgpg.exeC:\Windows\system32\Dgalhgpg.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1004 -
C:\Windows\SysWOW64\Emggflfc.exeC:\Windows\system32\Emggflfc.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2764 -
C:\Windows\SysWOW64\Fdgefn32.exeC:\Windows\system32\Fdgefn32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1708 -
C:\Windows\SysWOW64\Fclbgj32.exeC:\Windows\system32\Fclbgj32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2628 -
C:\Windows\SysWOW64\Fmdfppkb.exeC:\Windows\system32\Fmdfppkb.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2636 -
C:\Windows\SysWOW64\Gfogneop.exeC:\Windows\system32\Gfogneop.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:892 -
C:\Windows\SysWOW64\Gbfhcf32.exeC:\Windows\system32\Gbfhcf32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2104 -
C:\Windows\SysWOW64\Ghenamai.exeC:\Windows\system32\Ghenamai.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2916 -
C:\Windows\SysWOW64\Gekkpqnp.exeC:\Windows\system32\Gekkpqnp.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2168 -
C:\Windows\SysWOW64\Hjkpng32.exeC:\Windows\system32\Hjkpng32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1620 -
C:\Windows\SysWOW64\Hfdmhh32.exeC:\Windows\system32\Hfdmhh32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3060 -
C:\Windows\SysWOW64\Hpoofm32.exeC:\Windows\system32\Hpoofm32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1628 -
C:\Windows\SysWOW64\Iboghh32.exeC:\Windows\system32\Iboghh32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2864 -
C:\Windows\SysWOW64\Ibadnhmb.exeC:\Windows\system32\Ibadnhmb.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2540 -
C:\Windows\SysWOW64\Iplnpq32.exeC:\Windows\system32\Iplnpq32.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2260 -
C:\Windows\SysWOW64\Jakjjcnd.exeC:\Windows\system32\Jakjjcnd.exe35⤵
- Executes dropped EXE
PID:1040 -
C:\Windows\SysWOW64\Jlekja32.exeC:\Windows\system32\Jlekja32.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:2580 -
C:\Windows\SysWOW64\Jofdll32.exeC:\Windows\system32\Jofdll32.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:3024 -
C:\Windows\SysWOW64\Johaalea.exeC:\Windows\system32\Johaalea.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2088 -
C:\Windows\SysWOW64\Khcbpa32.exeC:\Windows\system32\Khcbpa32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1152 -
C:\Windows\SysWOW64\Kheofahm.exeC:\Windows\system32\Kheofahm.exe40⤵
- Executes dropped EXE
PID:2240 -
C:\Windows\SysWOW64\Kgjlgm32.exeC:\Windows\system32\Kgjlgm32.exe41⤵
- Executes dropped EXE
PID:2656 -
C:\Windows\SysWOW64\Kcamln32.exeC:\Windows\system32\Kcamln32.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:2472 -
C:\Windows\SysWOW64\Kgoebmip.exeC:\Windows\system32\Kgoebmip.exe43⤵
- Executes dropped EXE
PID:856 -
C:\Windows\SysWOW64\Lgabgl32.exeC:\Windows\system32\Lgabgl32.exe44⤵
- Executes dropped EXE
PID:1080 -
C:\Windows\SysWOW64\Lqjfpbmm.exeC:\Windows\system32\Lqjfpbmm.exe45⤵
- Executes dropped EXE
PID:1788 -
C:\Windows\SysWOW64\Lmqgec32.exeC:\Windows\system32\Lmqgec32.exe46⤵
- Executes dropped EXE
PID:1712 -
C:\Windows\SysWOW64\Lpapgnpb.exeC:\Windows\system32\Lpapgnpb.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1232 -
C:\Windows\SysWOW64\Lfkhch32.exeC:\Windows\system32\Lfkhch32.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:544 -
C:\Windows\SysWOW64\Lnfmhj32.exeC:\Windows\system32\Lnfmhj32.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2012 -
C:\Windows\SysWOW64\Mljnaocd.exeC:\Windows\system32\Mljnaocd.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2368 -
C:\Windows\SysWOW64\Mlmjgnaa.exeC:\Windows\system32\Mlmjgnaa.exe51⤵
- Executes dropped EXE
PID:2128 -
C:\Windows\SysWOW64\Mffkgl32.exeC:\Windows\system32\Mffkgl32.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2660 -
C:\Windows\SysWOW64\Mhfhaoec.exeC:\Windows\system32\Mhfhaoec.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2844 -
C:\Windows\SysWOW64\Mfkebkjk.exeC:\Windows\system32\Mfkebkjk.exe54⤵
- Executes dropped EXE
PID:2848 -
C:\Windows\SysWOW64\Npcika32.exeC:\Windows\system32\Npcika32.exe55⤵
- Executes dropped EXE
PID:2928 -
C:\Windows\SysWOW64\Nilndfgl.exeC:\Windows\system32\Nilndfgl.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:264 -
C:\Windows\SysWOW64\Nebnigmp.exeC:\Windows\system32\Nebnigmp.exe57⤵
- Executes dropped EXE
PID:916 -
C:\Windows\SysWOW64\Niqgof32.exeC:\Windows\system32\Niqgof32.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1836 -
C:\Windows\SysWOW64\Oacbdg32.exeC:\Windows\system32\Oacbdg32.exe59⤵
- Executes dropped EXE
PID:2460 -
C:\Windows\SysWOW64\Omjbihpn.exeC:\Windows\system32\Omjbihpn.exe60⤵
- Executes dropped EXE
PID:696 -
C:\Windows\SysWOW64\Olopjddf.exeC:\Windows\system32\Olopjddf.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2268 -
C:\Windows\SysWOW64\Oheppe32.exeC:\Windows\system32\Oheppe32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2464 -
C:\Windows\SysWOW64\Peiaij32.exeC:\Windows\system32\Peiaij32.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:624 -
C:\Windows\SysWOW64\Pobeao32.exeC:\Windows\system32\Pobeao32.exe64⤵
- Executes dropped EXE
PID:2000 -
C:\Windows\SysWOW64\Phjjkefd.exeC:\Windows\system32\Phjjkefd.exe65⤵
- Executes dropped EXE
- Modifies registry class
PID:1356 -
C:\Windows\SysWOW64\Phmfpddb.exeC:\Windows\system32\Phmfpddb.exe66⤵
- Drops file in System32 directory
PID:2204 -
C:\Windows\SysWOW64\Pgacaaij.exeC:\Windows\system32\Pgacaaij.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2892 -
C:\Windows\SysWOW64\Pjblcl32.exeC:\Windows\system32\Pjblcl32.exe68⤵
- System Location Discovery: System Language Discovery
PID:2172 -
C:\Windows\SysWOW64\Qfimhmlo.exeC:\Windows\system32\Qfimhmlo.exe69⤵
- Drops file in System32 directory
PID:760 -
C:\Windows\SysWOW64\Qgiibp32.exeC:\Windows\system32\Qgiibp32.exe70⤵PID:2008
-
C:\Windows\SysWOW64\Aqanke32.exeC:\Windows\system32\Aqanke32.exe71⤵
- Drops file in System32 directory
PID:3012 -
C:\Windows\SysWOW64\Ajibckpc.exeC:\Windows\system32\Ajibckpc.exe72⤵PID:2924
-
C:\Windows\SysWOW64\Aeccdila.exeC:\Windows\system32\Aeccdila.exe73⤵PID:2572
-
C:\Windows\SysWOW64\Akmlacdn.exeC:\Windows\system32\Akmlacdn.exe74⤵
- Modifies registry class
PID:2484 -
C:\Windows\SysWOW64\Agdlfd32.exeC:\Windows\system32\Agdlfd32.exe75⤵PID:1784
-
C:\Windows\SysWOW64\Aehmoh32.exeC:\Windows\system32\Aehmoh32.exe76⤵PID:2480
-
C:\Windows\SysWOW64\Bejiehfi.exeC:\Windows\system32\Bejiehfi.exe77⤵PID:980
-
C:\Windows\SysWOW64\Bjgbmoda.exeC:\Windows\system32\Bjgbmoda.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1304 -
C:\Windows\SysWOW64\Bjiobnbn.exeC:\Windows\system32\Bjiobnbn.exe79⤵PID:2476
-
C:\Windows\SysWOW64\Bgmolb32.exeC:\Windows\system32\Bgmolb32.exe80⤵PID:2280
-
C:\Windows\SysWOW64\Bphdpe32.exeC:\Windows\system32\Bphdpe32.exe81⤵
- System Location Discovery: System Language Discovery
PID:680 -
C:\Windows\SysWOW64\Blodefdg.exeC:\Windows\system32\Blodefdg.exe82⤵
- Modifies registry class
PID:2740 -
C:\Windows\SysWOW64\Bmoaoikj.exeC:\Windows\system32\Bmoaoikj.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2300 -
C:\Windows\SysWOW64\Cbljgpja.exeC:\Windows\system32\Cbljgpja.exe84⤵
- Modifies registry class
PID:112 -
C:\Windows\SysWOW64\Cobjmq32.exeC:\Windows\system32\Cobjmq32.exe85⤵
- Drops file in System32 directory
PID:1524 -
C:\Windows\SysWOW64\Cjikaa32.exeC:\Windows\system32\Cjikaa32.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2040 -
C:\Windows\SysWOW64\Cligkdlm.exeC:\Windows\system32\Cligkdlm.exe87⤵PID:1624
-
C:\Windows\SysWOW64\Cpkmehol.exeC:\Windows\system32\Cpkmehol.exe88⤵PID:2180
-
C:\Windows\SysWOW64\Dfdeab32.exeC:\Windows\system32\Dfdeab32.exe89⤵
- System Location Discovery: System Language Discovery
PID:2840 -
C:\Windows\SysWOW64\Ddhekfeb.exeC:\Windows\system32\Ddhekfeb.exe90⤵
- System Location Discovery: System Language Discovery
PID:1192 -
C:\Windows\SysWOW64\Dalfdjdl.exeC:\Windows\system32\Dalfdjdl.exe91⤵PID:3028
-
C:\Windows\SysWOW64\Dcpoab32.exeC:\Windows\system32\Dcpoab32.exe92⤵PID:2676
-
C:\Windows\SysWOW64\Dpdpkfga.exeC:\Windows\system32\Dpdpkfga.exe93⤵PID:904
-
C:\Windows\SysWOW64\Dhodpidl.exeC:\Windows\system32\Dhodpidl.exe94⤵PID:3008
-
C:\Windows\SysWOW64\Edohki32.exeC:\Windows\system32\Edohki32.exe95⤵PID:2292
-
C:\Windows\SysWOW64\Fqfipj32.exeC:\Windows\system32\Fqfipj32.exe96⤵
- Modifies registry class
PID:612 -
C:\Windows\SysWOW64\Fgbnbcmd.exeC:\Windows\system32\Fgbnbcmd.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1540 -
C:\Windows\SysWOW64\Fonbff32.exeC:\Windows\system32\Fonbff32.exe98⤵PID:1744
-
C:\Windows\SysWOW64\Fihcdkom.exeC:\Windows\system32\Fihcdkom.exe99⤵PID:1020
-
C:\Windows\SysWOW64\Gfldno32.exeC:\Windows\system32\Gfldno32.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2432 -
C:\Windows\SysWOW64\Godhgedg.exeC:\Windows\system32\Godhgedg.exe101⤵PID:2192
-
C:\Windows\SysWOW64\Gimmpj32.exeC:\Windows\system32\Gimmpj32.exe102⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1612 -
C:\Windows\SysWOW64\Gednek32.exeC:\Windows\system32\Gednek32.exe103⤵PID:2964
-
C:\Windows\SysWOW64\Ggdfff32.exeC:\Windows\system32\Ggdfff32.exe104⤵
- System Location Discovery: System Language Discovery
PID:2944 -
C:\Windows\SysWOW64\Gfjcgc32.exeC:\Windows\system32\Gfjcgc32.exe105⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1552 -
C:\Windows\SysWOW64\Hmdldmja.exeC:\Windows\system32\Hmdldmja.exe106⤵PID:2996
-
C:\Windows\SysWOW64\Hliieioi.exeC:\Windows\system32\Hliieioi.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2664 -
C:\Windows\SysWOW64\Hcpqfgol.exeC:\Windows\system32\Hcpqfgol.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1108 -
C:\Windows\SysWOW64\Hmheol32.exeC:\Windows\system32\Hmheol32.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2176 -
C:\Windows\SysWOW64\Hhbfpj32.exeC:\Windows\system32\Hhbfpj32.exe110⤵PID:2228
-
C:\Windows\SysWOW64\Hefginae.exeC:\Windows\system32\Hefginae.exe111⤵PID:1572
-
C:\Windows\SysWOW64\Hlpofh32.exeC:\Windows\system32\Hlpofh32.exe112⤵PID:2440
-
C:\Windows\SysWOW64\Idkcjk32.exeC:\Windows\system32\Idkcjk32.exe113⤵PID:1820
-
C:\Windows\SysWOW64\Imchcplm.exeC:\Windows\system32\Imchcplm.exe114⤵PID:1824
-
C:\Windows\SysWOW64\Ijghmd32.exeC:\Windows\system32\Ijghmd32.exe115⤵
- System Location Discovery: System Language Discovery
PID:2312 -
C:\Windows\SysWOW64\Iaaaiobc.exeC:\Windows\system32\Iaaaiobc.exe116⤵PID:2880
-
C:\Windows\SysWOW64\Ihkifi32.exeC:\Windows\system32\Ihkifi32.exe117⤵
- Drops file in System32 directory
PID:1872 -
C:\Windows\SysWOW64\Iadnon32.exeC:\Windows\system32\Iadnon32.exe118⤵PID:2860
-
C:\Windows\SysWOW64\Iiobcq32.exeC:\Windows\system32\Iiobcq32.exe119⤵
- System Location Discovery: System Language Discovery
PID:2560 -
C:\Windows\SysWOW64\Ilmool32.exeC:\Windows\system32\Ilmool32.exe120⤵
- Drops file in System32 directory
PID:972 -
C:\Windows\SysWOW64\Ilpkel32.exeC:\Windows\system32\Ilpkel32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1680 -
C:\Windows\SysWOW64\Jhfljm32.exeC:\Windows\system32\Jhfljm32.exe122⤵PID:2532
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-