Analysis
-
max time kernel
93s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
10/11/2024, 16:02
Static task
static1
Behavioral task
behavioral1
Sample
07f4faaf1fef4df7179baafecfa6708bd7a43c2fa3199c55f5b1432c57e34955N.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
07f4faaf1fef4df7179baafecfa6708bd7a43c2fa3199c55f5b1432c57e34955N.exe
Resource
win10v2004-20241007-en
General
-
Target
07f4faaf1fef4df7179baafecfa6708bd7a43c2fa3199c55f5b1432c57e34955N.exe
-
Size
2.3MB
-
MD5
a509e835671b46747e9b05f403eb0930
-
SHA1
0b1274f3d438c90030cce422b19ab0861edf1c35
-
SHA256
07f4faaf1fef4df7179baafecfa6708bd7a43c2fa3199c55f5b1432c57e34955
-
SHA512
88659443d134e0a0efec7c7d0918c245dbf7fefaa6da914fc23c144b8bfa4e6a42d93b95d2a3ed6a3f0e3471d14d74ba84239f31b85f1b7c2b59894b47170a80
-
SSDEEP
3072:XhltzBwggmlGq2iGivlUZ0I/I0Q5OPIN+/cuTQ2TgRX7Jg3A9z:XhlwTivlUZVgp54tRo7KA9z
Malware Config
Extracted
berbew
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oifeab32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pojcjh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omgmeigd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnaaib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Klekfinp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbcedmnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lbpdblmo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcmbee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkjiao32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekljpm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Meamcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hcmbee32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgbjbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmfhkf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njinmf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bblnindg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnnkgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Poajkgnc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eppqqn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjmkoeqi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iefgbh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aoioli32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlkepaam.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmlmkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fflohaij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oidhlb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmaopfjm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnahdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ejoomhmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fbbpmb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbdehlip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fbdehlip.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Joqafgni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kapfiqoj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpqjjjjl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdaaaeqg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkmmaeap.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmmlla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Okjnnj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oocmii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fdqfll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kkjeomld.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnifekmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oikjkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pbjddh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbaclegm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ooqqdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lkqgno32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mifljdjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfigpm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdccbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gflhoo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlppno32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad 07f4faaf1fef4df7179baafecfa6708bd7a43c2fa3199c55f5b1432c57e34955N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kcpahpmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjblje32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ommceclc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qpbnhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmggfp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kqfngd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lklbdm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nclikl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Felbnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nlnkmnah.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 3996 Jjdjoane.exe 860 Kghjhemo.exe 3412 Kbmoen32.exe 3536 Kbbhqn32.exe 2256 Kinmcg32.exe 64 Knkekn32.exe 3308 Liqihglg.exe 1952 Ljbfpo32.exe 2140 Lalnmiia.exe 3740 Licfngjd.exe 2052 Lkabjbih.exe 3212 Lnpofnhk.exe 732 Lejgch32.exe 4508 Lldopb32.exe 3016 Lbngllob.exe 1492 Lihpif32.exe 1960 Llflea32.exe 1972 Lbpdblmo.exe 3744 Lhmmjbkf.exe 3420 Mngegmbc.exe 3540 Meamcg32.exe 880 Mlkepaam.exe 2656 Mniallpq.exe 4076 Mecjif32.exe 2144 Mlmbfqoj.exe 3548 Mbgjbkfg.exe 1648 Mhdckaeo.exe 4316 Mnnkgl32.exe 1328 Mehcdfch.exe 4416 Mlbkap32.exe 2872 Maodigil.exe 4932 Mifljdjo.exe 3716 Njghbl32.exe 3028 Nemmoe32.exe 4400 Nlfelogp.exe 1632 Nbqmiinl.exe 212 Nijeec32.exe 3596 Nklbmllg.exe 2744 Neafjdkn.exe 3500 Nlkngo32.exe 4876 Nahgoe32.exe 2300 Nlnkmnah.exe 3380 Najceeoo.exe 2692 Nhdlao32.exe 2552 Objpoh32.exe 1552 Oidhlb32.exe 4824 Ooqqdi32.exe 1768 Oifeab32.exe 1164 Oocmii32.exe 372 Oemefcap.exe 2732 Okjnnj32.exe 1216 Oeoblb32.exe 2788 Olijhmgj.exe 464 Obcceg32.exe 1568 Ohpkmn32.exe 3476 Pojcjh32.exe 3556 Pkadoiip.exe 4136 Pakllc32.exe 772 Phedhmhi.exe 3056 Pcjiff32.exe 4552 Phganm32.exe 3012 Poajkgnc.exe 456 Pifnhpmi.exe 2132 Pkhjph32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Gkmdecbg.exe Gphphj32.exe File opened for modification C:\Windows\SysWOW64\Nfihbk32.exe Nmaciefp.exe File created C:\Windows\SysWOW64\Bheffh32.exe Bblnindg.exe File created C:\Windows\SysWOW64\Cbphdn32.exe Cmcolgbj.exe File created C:\Windows\SysWOW64\Mkadfj32.exe Malpia32.exe File created C:\Windows\SysWOW64\Iipfmggc.exe Igajal32.exe File created C:\Windows\SysWOW64\Pjdhbppo.dll Jpaekqhh.exe File created C:\Windows\SysWOW64\Qabjcina.dll Gingkqkd.exe File created C:\Windows\SysWOW64\Hmpjmn32.exe Hckeoeno.exe File opened for modification C:\Windows\SysWOW64\Lklbdm32.exe Kqfngd32.exe File created C:\Windows\SysWOW64\Bhpopokm.dll Fbbpmb32.exe File created C:\Windows\SysWOW64\Aijjhbli.dll Cnaaib32.exe File created C:\Windows\SysWOW64\Mbdiknlb.exe Mcoljagj.exe File opened for modification C:\Windows\SysWOW64\Hjdedepg.exe Hkohchko.exe File opened for modification C:\Windows\SysWOW64\Lhpnlclc.exe Lbcedmnl.exe File created C:\Windows\SysWOW64\Ccbadp32.exe Cmhigf32.exe File created C:\Windows\SysWOW64\Anaemfem.dll Jlmfeg32.exe File created C:\Windows\SysWOW64\Dmlkhofd.exe Chnbbqpn.exe File created C:\Windows\SysWOW64\Cdolgfbp.exe Ckggnp32.exe File created C:\Windows\SysWOW64\Gnmlhf32.exe Fbfkceca.exe File created C:\Windows\SysWOW64\Lbqinm32.exe Kdpiqehp.exe File created C:\Windows\SysWOW64\Lbngllob.exe Lldopb32.exe File created C:\Windows\SysWOW64\Jhdnigno.dll Inqbclob.exe File opened for modification C:\Windows\SysWOW64\Idhiii32.exe Icfmci32.exe File created C:\Windows\SysWOW64\Oaifpi32.exe Npiiffqe.exe File created C:\Windows\SysWOW64\Ppnenlka.exe Pbjddh32.exe File created C:\Windows\SysWOW64\Cgdojhec.dll Hildmn32.exe File created C:\Windows\SysWOW64\Ggpcfd32.dll Efeihb32.exe File created C:\Windows\SysWOW64\Adepji32.exe Ajmladbl.exe File created C:\Windows\SysWOW64\Lnpofnhk.exe Lkabjbih.exe File created C:\Windows\SysWOW64\Bfngdn32.exe Aodogdmn.exe File created C:\Windows\SysWOW64\Ckpbnb32.exe Cjnffjkl.exe File created C:\Windows\SysWOW64\Icnklbmj.exe Inqbclob.exe File created C:\Windows\SysWOW64\Jjjojj32.dll Npbceggm.exe File opened for modification C:\Windows\SysWOW64\Apmhiq32.exe Apjkcadp.exe File opened for modification C:\Windows\SysWOW64\Bbaclegm.exe Biiobo32.exe File created C:\Windows\SysWOW64\Fiebmc32.dll Mlmbfqoj.exe File created C:\Windows\SysWOW64\Idjnmo32.dll Pifnhpmi.exe File opened for modification C:\Windows\SysWOW64\Hifcgion.exe Hbjoeojc.exe File created C:\Windows\SysWOW64\Joekag32.exe Jihbip32.exe File opened for modification C:\Windows\SysWOW64\Dmjmekgn.exe Dgpeha32.exe File created C:\Windows\SysWOW64\Fideeaco.exe Fbjmhh32.exe File created C:\Windows\SysWOW64\Qfohjf32.dll Pkgcea32.exe File created C:\Windows\SysWOW64\Klhacomg.dll Aimogakj.exe File opened for modification C:\Windows\SysWOW64\Egegjn32.exe Eddnic32.exe File opened for modification C:\Windows\SysWOW64\Ljeafb32.exe Lopmii32.exe File created C:\Windows\SysWOW64\Bepjbf32.dll Nfihbk32.exe File created C:\Windows\SysWOW64\Lphdhn32.dll Jlikkkhn.exe File created C:\Windows\SysWOW64\Acffllhk.dll Pfhmjf32.exe File created C:\Windows\SysWOW64\Gnohnffc.exe Ggepalof.exe File created C:\Windows\SysWOW64\Nfdjaieh.dll Iinqbn32.exe File opened for modification C:\Windows\SysWOW64\Aehgnied.exe Aajohjon.exe File opened for modification C:\Windows\SysWOW64\Aimogakj.exe Acqgojmb.exe File opened for modification C:\Windows\SysWOW64\Glengm32.exe Gjdaodja.exe File created C:\Windows\SysWOW64\Qmeigg32.exe Qfkqjmdg.exe File created C:\Windows\SysWOW64\Bojlop32.dll Hgdejd32.exe File created C:\Windows\SysWOW64\Qcjdoc32.dll Kqfngd32.exe File opened for modification C:\Windows\SysWOW64\Aajohjon.exe Alnfpcag.exe File created C:\Windows\SysWOW64\Fpekmi32.dll Iipfmggc.exe File opened for modification C:\Windows\SysWOW64\Pmiikh32.exe Omgmeigd.exe File created C:\Windows\SysWOW64\Gfbhcl32.dll Daollh32.exe File created C:\Windows\SysWOW64\Mlkepaam.exe Meamcg32.exe File opened for modification C:\Windows\SysWOW64\Nlfelogp.exe Nemmoe32.exe File created C:\Windows\SysWOW64\Eddnic32.exe Ekljpm32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5236 5212 WerFault.exe 620 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pifnhpmi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icnklbmj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nclikl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plpjoe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oonlfo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igmoih32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmbfbn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jncoikmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igajal32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jiglnf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcpcdg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhdbhifj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kibeoo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mngegmbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjliajmo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgclpkac.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acqgojmb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmlkhofd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnafno32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obgohklm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggepalof.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Najceeoo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oocmii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pojcjh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dblgpl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hckeoeno.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njinmf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eblpgjha.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odhifjkg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebdcld32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcpakn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijbbfc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nklbmllg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcimdh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcoljagj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppnenlka.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egegjn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phedhmhi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qcclld32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljqhkckn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckggnp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcneeo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjpjel32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffmfchle.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hildmn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbdehlip.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kolabf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khlklj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnohnffc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qadoba32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bajqda32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bipecnkd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkbgjo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llflea32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhpfqcln.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmhdkknd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlepcdoa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aimogakj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blhpqhlh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gglfbkin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kinmcg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oaifpi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjeplijj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nijeec32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ejoomhmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbfnhm32.dll" Naecop32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ddkbmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iojkeh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bpqjjjjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lkabjbih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pehbea32.dll" Cbgnemjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajmdgelp.dll" Dcpmen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ljnlecmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mfchlbfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jchdqkfl.dll" Nfaemp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dhdbhifj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeclnmik.dll" Lpepbgbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qlggjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbjbac32.dll" Ekljpm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nfgklkoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Akoqpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoong32.dll" Elbhjp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fbjmhh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jdaaaeqg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfmifiap.dll" Fmfgek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqlhmf32.dll" Hlepcdoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ghojbq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obonfmck.dll" Kinmcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhnoigkk.dll" Ocnabm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idjnmo32.dll" Pifnhpmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pkhjph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kofdhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Acqgojmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngmeal32.dll" Njghbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhhmleng.dll" Onocomdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cdolgfbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dpmcmf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kkegbpca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlgjal32.dll" Bafndi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bipecnkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gckoph32.dll" Hmnmgnoh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndmdae32.dll" Hfcnpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eddnic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Koljgppp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lbngllob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngqpijkf.dll" Cfnqklgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cmhigf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mgclpkac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fgjhpcmo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gkaclqkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jopaaj32.dll" Hejjanpm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pkadoiip.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bahdob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dhdbhifj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hecjke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Njjmni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iefgbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbqaei32.dll" Dmdhcddh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gpnmbl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bochmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leboon32.dll" Khgbqkhj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Khlklj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bdcmkgmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qbddhbhn.dll" Idhiii32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lejgch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lhpnlclc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Backpf32.dll" Hpjmnjqn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hahqkaaa.dll" Bdbnjdfg.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3920 wrote to memory of 3996 3920 07f4faaf1fef4df7179baafecfa6708bd7a43c2fa3199c55f5b1432c57e34955N.exe 83 PID 3920 wrote to memory of 3996 3920 07f4faaf1fef4df7179baafecfa6708bd7a43c2fa3199c55f5b1432c57e34955N.exe 83 PID 3920 wrote to memory of 3996 3920 07f4faaf1fef4df7179baafecfa6708bd7a43c2fa3199c55f5b1432c57e34955N.exe 83 PID 3996 wrote to memory of 860 3996 Jjdjoane.exe 84 PID 3996 wrote to memory of 860 3996 Jjdjoane.exe 84 PID 3996 wrote to memory of 860 3996 Jjdjoane.exe 84 PID 860 wrote to memory of 3412 860 Kghjhemo.exe 88 PID 860 wrote to memory of 3412 860 Kghjhemo.exe 88 PID 860 wrote to memory of 3412 860 Kghjhemo.exe 88 PID 3412 wrote to memory of 3536 3412 Kbmoen32.exe 89 PID 3412 wrote to memory of 3536 3412 Kbmoen32.exe 89 PID 3412 wrote to memory of 3536 3412 Kbmoen32.exe 89 PID 3536 wrote to memory of 2256 3536 Kbbhqn32.exe 90 PID 3536 wrote to memory of 2256 3536 Kbbhqn32.exe 90 PID 3536 wrote to memory of 2256 3536 Kbbhqn32.exe 90 PID 2256 wrote to memory of 64 2256 Kinmcg32.exe 91 PID 2256 wrote to memory of 64 2256 Kinmcg32.exe 91 PID 2256 wrote to memory of 64 2256 Kinmcg32.exe 91 PID 64 wrote to memory of 3308 64 Knkekn32.exe 92 PID 64 wrote to memory of 3308 64 Knkekn32.exe 92 PID 64 wrote to memory of 3308 64 Knkekn32.exe 92 PID 3308 wrote to memory of 1952 3308 Liqihglg.exe 93 PID 3308 wrote to memory of 1952 3308 Liqihglg.exe 93 PID 3308 wrote to memory of 1952 3308 Liqihglg.exe 93 PID 1952 wrote to memory of 2140 1952 Ljbfpo32.exe 94 PID 1952 wrote to memory of 2140 1952 Ljbfpo32.exe 94 PID 1952 wrote to memory of 2140 1952 Ljbfpo32.exe 94 PID 2140 wrote to memory of 3740 2140 Lalnmiia.exe 95 PID 2140 wrote to memory of 3740 2140 Lalnmiia.exe 95 PID 2140 wrote to memory of 3740 2140 Lalnmiia.exe 95 PID 3740 wrote to memory of 2052 3740 Licfngjd.exe 96 PID 3740 wrote to memory of 2052 3740 Licfngjd.exe 96 PID 3740 wrote to memory of 2052 3740 Licfngjd.exe 96 PID 2052 wrote to memory of 3212 2052 Lkabjbih.exe 97 PID 2052 wrote to memory of 3212 2052 Lkabjbih.exe 97 PID 2052 wrote to memory of 3212 2052 Lkabjbih.exe 97 PID 3212 wrote to memory of 732 3212 Lnpofnhk.exe 98 PID 3212 wrote to memory of 732 3212 Lnpofnhk.exe 98 PID 3212 wrote to memory of 732 3212 Lnpofnhk.exe 98 PID 732 wrote to memory of 4508 732 Lejgch32.exe 99 PID 732 wrote to memory of 4508 732 Lejgch32.exe 99 PID 732 wrote to memory of 4508 732 Lejgch32.exe 99 PID 4508 wrote to memory of 3016 4508 Lldopb32.exe 100 PID 4508 wrote to memory of 3016 4508 Lldopb32.exe 100 PID 4508 wrote to memory of 3016 4508 Lldopb32.exe 100 PID 3016 wrote to memory of 1492 3016 Lbngllob.exe 101 PID 3016 wrote to memory of 1492 3016 Lbngllob.exe 101 PID 3016 wrote to memory of 1492 3016 Lbngllob.exe 101 PID 1492 wrote to memory of 1960 1492 Lihpif32.exe 102 PID 1492 wrote to memory of 1960 1492 Lihpif32.exe 102 PID 1492 wrote to memory of 1960 1492 Lihpif32.exe 102 PID 1960 wrote to memory of 1972 1960 Llflea32.exe 103 PID 1960 wrote to memory of 1972 1960 Llflea32.exe 103 PID 1960 wrote to memory of 1972 1960 Llflea32.exe 103 PID 1972 wrote to memory of 3744 1972 Lbpdblmo.exe 104 PID 1972 wrote to memory of 3744 1972 Lbpdblmo.exe 104 PID 1972 wrote to memory of 3744 1972 Lbpdblmo.exe 104 PID 3744 wrote to memory of 3420 3744 Lhmmjbkf.exe 105 PID 3744 wrote to memory of 3420 3744 Lhmmjbkf.exe 105 PID 3744 wrote to memory of 3420 3744 Lhmmjbkf.exe 105 PID 3420 wrote to memory of 3540 3420 Mngegmbc.exe 106 PID 3420 wrote to memory of 3540 3420 Mngegmbc.exe 106 PID 3420 wrote to memory of 3540 3420 Mngegmbc.exe 106 PID 3540 wrote to memory of 880 3540 Meamcg32.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\07f4faaf1fef4df7179baafecfa6708bd7a43c2fa3199c55f5b1432c57e34955N.exe"C:\Users\Admin\AppData\Local\Temp\07f4faaf1fef4df7179baafecfa6708bd7a43c2fa3199c55f5b1432c57e34955N.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:3920 -
C:\Windows\SysWOW64\Jjdjoane.exeC:\Windows\system32\Jjdjoane.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3996 -
C:\Windows\SysWOW64\Kghjhemo.exeC:\Windows\system32\Kghjhemo.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:860 -
C:\Windows\SysWOW64\Kbmoen32.exeC:\Windows\system32\Kbmoen32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3412 -
C:\Windows\SysWOW64\Kbbhqn32.exeC:\Windows\system32\Kbbhqn32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3536 -
C:\Windows\SysWOW64\Kinmcg32.exeC:\Windows\system32\Kinmcg32.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2256 -
C:\Windows\SysWOW64\Knkekn32.exeC:\Windows\system32\Knkekn32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:64 -
C:\Windows\SysWOW64\Liqihglg.exeC:\Windows\system32\Liqihglg.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3308 -
C:\Windows\SysWOW64\Ljbfpo32.exeC:\Windows\system32\Ljbfpo32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1952 -
C:\Windows\SysWOW64\Lalnmiia.exeC:\Windows\system32\Lalnmiia.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2140 -
C:\Windows\SysWOW64\Licfngjd.exeC:\Windows\system32\Licfngjd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3740 -
C:\Windows\SysWOW64\Lkabjbih.exeC:\Windows\system32\Lkabjbih.exe12⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2052 -
C:\Windows\SysWOW64\Lnpofnhk.exeC:\Windows\system32\Lnpofnhk.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3212 -
C:\Windows\SysWOW64\Lejgch32.exeC:\Windows\system32\Lejgch32.exe14⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:732 -
C:\Windows\SysWOW64\Lldopb32.exeC:\Windows\system32\Lldopb32.exe15⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4508 -
C:\Windows\SysWOW64\Lbngllob.exeC:\Windows\system32\Lbngllob.exe16⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3016 -
C:\Windows\SysWOW64\Lihpif32.exeC:\Windows\system32\Lihpif32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1492 -
C:\Windows\SysWOW64\Llflea32.exeC:\Windows\system32\Llflea32.exe18⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1960 -
C:\Windows\SysWOW64\Lbpdblmo.exeC:\Windows\system32\Lbpdblmo.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1972 -
C:\Windows\SysWOW64\Lhmmjbkf.exeC:\Windows\system32\Lhmmjbkf.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3744 -
C:\Windows\SysWOW64\Mngegmbc.exeC:\Windows\system32\Mngegmbc.exe21⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3420 -
C:\Windows\SysWOW64\Meamcg32.exeC:\Windows\system32\Meamcg32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3540 -
C:\Windows\SysWOW64\Mlkepaam.exeC:\Windows\system32\Mlkepaam.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:880 -
C:\Windows\SysWOW64\Mniallpq.exeC:\Windows\system32\Mniallpq.exe24⤵
- Executes dropped EXE
PID:2656 -
C:\Windows\SysWOW64\Mecjif32.exeC:\Windows\system32\Mecjif32.exe25⤵
- Executes dropped EXE
PID:4076 -
C:\Windows\SysWOW64\Mlmbfqoj.exeC:\Windows\system32\Mlmbfqoj.exe26⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2144 -
C:\Windows\SysWOW64\Mbgjbkfg.exeC:\Windows\system32\Mbgjbkfg.exe27⤵
- Executes dropped EXE
PID:3548 -
C:\Windows\SysWOW64\Mhdckaeo.exeC:\Windows\system32\Mhdckaeo.exe28⤵
- Executes dropped EXE
PID:1648 -
C:\Windows\SysWOW64\Mnnkgl32.exeC:\Windows\system32\Mnnkgl32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4316 -
C:\Windows\SysWOW64\Mehcdfch.exeC:\Windows\system32\Mehcdfch.exe30⤵
- Executes dropped EXE
PID:1328 -
C:\Windows\SysWOW64\Mlbkap32.exeC:\Windows\system32\Mlbkap32.exe31⤵
- Executes dropped EXE
PID:4416 -
C:\Windows\SysWOW64\Maodigil.exeC:\Windows\system32\Maodigil.exe32⤵
- Executes dropped EXE
PID:2872 -
C:\Windows\SysWOW64\Mifljdjo.exeC:\Windows\system32\Mifljdjo.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4932 -
C:\Windows\SysWOW64\Njghbl32.exeC:\Windows\system32\Njghbl32.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:3716 -
C:\Windows\SysWOW64\Nemmoe32.exeC:\Windows\system32\Nemmoe32.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3028 -
C:\Windows\SysWOW64\Nlfelogp.exeC:\Windows\system32\Nlfelogp.exe36⤵
- Executes dropped EXE
PID:4400 -
C:\Windows\SysWOW64\Nbqmiinl.exeC:\Windows\system32\Nbqmiinl.exe37⤵
- Executes dropped EXE
PID:1632 -
C:\Windows\SysWOW64\Nijeec32.exeC:\Windows\system32\Nijeec32.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:212 -
C:\Windows\SysWOW64\Nklbmllg.exeC:\Windows\system32\Nklbmllg.exe39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3596 -
C:\Windows\SysWOW64\Neafjdkn.exeC:\Windows\system32\Neafjdkn.exe40⤵
- Executes dropped EXE
PID:2744 -
C:\Windows\SysWOW64\Nlkngo32.exeC:\Windows\system32\Nlkngo32.exe41⤵
- Executes dropped EXE
PID:3500 -
C:\Windows\SysWOW64\Nahgoe32.exeC:\Windows\system32\Nahgoe32.exe42⤵
- Executes dropped EXE
PID:4876 -
C:\Windows\SysWOW64\Nlnkmnah.exeC:\Windows\system32\Nlnkmnah.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2300 -
C:\Windows\SysWOW64\Najceeoo.exeC:\Windows\system32\Najceeoo.exe44⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3380 -
C:\Windows\SysWOW64\Nhdlao32.exeC:\Windows\system32\Nhdlao32.exe45⤵
- Executes dropped EXE
PID:2692 -
C:\Windows\SysWOW64\Objpoh32.exeC:\Windows\system32\Objpoh32.exe46⤵
- Executes dropped EXE
PID:2552 -
C:\Windows\SysWOW64\Oidhlb32.exeC:\Windows\system32\Oidhlb32.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1552 -
C:\Windows\SysWOW64\Ooqqdi32.exeC:\Windows\system32\Ooqqdi32.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4824 -
C:\Windows\SysWOW64\Oifeab32.exeC:\Windows\system32\Oifeab32.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1768 -
C:\Windows\SysWOW64\Oocmii32.exeC:\Windows\system32\Oocmii32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1164 -
C:\Windows\SysWOW64\Oemefcap.exeC:\Windows\system32\Oemefcap.exe51⤵
- Executes dropped EXE
PID:372 -
C:\Windows\SysWOW64\Okjnnj32.exeC:\Windows\system32\Okjnnj32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2732 -
C:\Windows\SysWOW64\Oeoblb32.exeC:\Windows\system32\Oeoblb32.exe53⤵
- Executes dropped EXE
PID:1216 -
C:\Windows\SysWOW64\Olijhmgj.exeC:\Windows\system32\Olijhmgj.exe54⤵
- Executes dropped EXE
PID:2788 -
C:\Windows\SysWOW64\Obcceg32.exeC:\Windows\system32\Obcceg32.exe55⤵
- Executes dropped EXE
PID:464 -
C:\Windows\SysWOW64\Ohpkmn32.exeC:\Windows\system32\Ohpkmn32.exe56⤵
- Executes dropped EXE
PID:1568 -
C:\Windows\SysWOW64\Pojcjh32.exeC:\Windows\system32\Pojcjh32.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3476 -
C:\Windows\SysWOW64\Piphgq32.exeC:\Windows\system32\Piphgq32.exe58⤵PID:3904
-
C:\Windows\SysWOW64\Pkadoiip.exeC:\Windows\system32\Pkadoiip.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:3556 -
C:\Windows\SysWOW64\Pakllc32.exeC:\Windows\system32\Pakllc32.exe60⤵
- Executes dropped EXE
PID:4136 -
C:\Windows\SysWOW64\Phedhmhi.exeC:\Windows\system32\Phedhmhi.exe61⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:772 -
C:\Windows\SysWOW64\Pcjiff32.exeC:\Windows\system32\Pcjiff32.exe62⤵
- Executes dropped EXE
PID:3056 -
C:\Windows\SysWOW64\Phganm32.exeC:\Windows\system32\Phganm32.exe63⤵
- Executes dropped EXE
PID:4552 -
C:\Windows\SysWOW64\Poajkgnc.exeC:\Windows\system32\Poajkgnc.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3012 -
C:\Windows\SysWOW64\Pifnhpmi.exeC:\Windows\system32\Pifnhpmi.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:456 -
C:\Windows\SysWOW64\Pkhjph32.exeC:\Windows\system32\Pkhjph32.exe66⤵
- Executes dropped EXE
- Modifies registry class
PID:2132 -
C:\Windows\SysWOW64\Pemomqcn.exeC:\Windows\system32\Pemomqcn.exe67⤵PID:1780
-
C:\Windows\SysWOW64\Qlggjk32.exeC:\Windows\system32\Qlggjk32.exe68⤵
- Modifies registry class
PID:4224 -
C:\Windows\SysWOW64\Qadoba32.exeC:\Windows\system32\Qadoba32.exe69⤵
- System Location Discovery: System Language Discovery
PID:5072 -
C:\Windows\SysWOW64\Qhngolpo.exeC:\Windows\system32\Qhngolpo.exe70⤵PID:3040
-
C:\Windows\SysWOW64\Qcclld32.exeC:\Windows\system32\Qcclld32.exe71⤵
- System Location Discovery: System Language Discovery
PID:5156 -
C:\Windows\SysWOW64\Ajndioga.exeC:\Windows\system32\Ajndioga.exe72⤵PID:5196
-
C:\Windows\SysWOW64\Akoqpg32.exeC:\Windows\system32\Akoqpg32.exe73⤵
- Modifies registry class
PID:5236 -
C:\Windows\SysWOW64\Aaiimadl.exeC:\Windows\system32\Aaiimadl.exe74⤵PID:5276
-
C:\Windows\SysWOW64\Ahcajk32.exeC:\Windows\system32\Ahcajk32.exe75⤵PID:5316
-
C:\Windows\SysWOW64\Aomifecf.exeC:\Windows\system32\Aomifecf.exe76⤵PID:5356
-
C:\Windows\SysWOW64\Ajbmdn32.exeC:\Windows\system32\Ajbmdn32.exe77⤵PID:5396
-
C:\Windows\SysWOW64\Akcjkfij.exeC:\Windows\system32\Akcjkfij.exe78⤵PID:5436
-
C:\Windows\SysWOW64\Aanbhp32.exeC:\Windows\system32\Aanbhp32.exe79⤵PID:5476
-
C:\Windows\SysWOW64\Ahgjejhd.exeC:\Windows\system32\Ahgjejhd.exe80⤵PID:5516
-
C:\Windows\SysWOW64\Aoabad32.exeC:\Windows\system32\Aoabad32.exe81⤵PID:5556
-
C:\Windows\SysWOW64\Afkknogn.exeC:\Windows\system32\Afkknogn.exe82⤵PID:5600
-
C:\Windows\SysWOW64\Aleckinj.exeC:\Windows\system32\Aleckinj.exe83⤵PID:5640
-
C:\Windows\SysWOW64\Aodogdmn.exeC:\Windows\system32\Aodogdmn.exe84⤵
- Drops file in System32 directory
PID:5684 -
C:\Windows\SysWOW64\Bfngdn32.exeC:\Windows\system32\Bfngdn32.exe85⤵PID:5728
-
C:\Windows\SysWOW64\Blhpqhlh.exeC:\Windows\system32\Blhpqhlh.exe86⤵
- System Location Discovery: System Language Discovery
PID:5772 -
C:\Windows\SysWOW64\Bcahmb32.exeC:\Windows\system32\Bcahmb32.exe87⤵PID:5816
-
C:\Windows\SysWOW64\Bjlpjm32.exeC:\Windows\system32\Bjlpjm32.exe88⤵PID:5856
-
C:\Windows\SysWOW64\Bkmmaeap.exeC:\Windows\system32\Bkmmaeap.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5896 -
C:\Windows\SysWOW64\Bbgeno32.exeC:\Windows\system32\Bbgeno32.exe90⤵PID:5936
-
C:\Windows\SysWOW64\Bhamkipi.exeC:\Windows\system32\Bhamkipi.exe91⤵PID:5976
-
C:\Windows\SysWOW64\Bcfahbpo.exeC:\Windows\system32\Bcfahbpo.exe92⤵PID:6016
-
C:\Windows\SysWOW64\Bjpjel32.exeC:\Windows\system32\Bjpjel32.exe93⤵
- System Location Discovery: System Language Discovery
PID:6056 -
C:\Windows\SysWOW64\Bkafmd32.exeC:\Windows\system32\Bkafmd32.exe94⤵PID:6096
-
C:\Windows\SysWOW64\Bblnindg.exeC:\Windows\system32\Bblnindg.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:6136 -
C:\Windows\SysWOW64\Bheffh32.exeC:\Windows\system32\Bheffh32.exe96⤵PID:220
-
C:\Windows\SysWOW64\Bopocbcq.exeC:\Windows\system32\Bopocbcq.exe97⤵PID:3572
-
C:\Windows\SysWOW64\Cfigpm32.exeC:\Windows\system32\Cfigpm32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4532 -
C:\Windows\SysWOW64\Cmcolgbj.exeC:\Windows\system32\Cmcolgbj.exe99⤵
- Drops file in System32 directory
PID:4164 -
C:\Windows\SysWOW64\Cbphdn32.exeC:\Windows\system32\Cbphdn32.exe100⤵PID:4404
-
C:\Windows\SysWOW64\Cijpahho.exeC:\Windows\system32\Cijpahho.exe101⤵PID:3280
-
C:\Windows\SysWOW64\Codhnb32.exeC:\Windows\system32\Codhnb32.exe102⤵PID:5188
-
C:\Windows\SysWOW64\Cfnqklgh.exeC:\Windows\system32\Cfnqklgh.exe103⤵
- Modifies registry class
PID:5260 -
C:\Windows\SysWOW64\Cmhigf32.exeC:\Windows\system32\Cmhigf32.exe104⤵
- Drops file in System32 directory
- Modifies registry class
PID:3688 -
C:\Windows\SysWOW64\Ccbadp32.exeC:\Windows\system32\Ccbadp32.exe105⤵PID:5384
-
C:\Windows\SysWOW64\Cjliajmo.exeC:\Windows\system32\Cjliajmo.exe106⤵
- System Location Discovery: System Language Discovery
PID:2424 -
C:\Windows\SysWOW64\Ckmehb32.exeC:\Windows\system32\Ckmehb32.exe107⤵PID:5524
-
C:\Windows\SysWOW64\Cbgnemjj.exeC:\Windows\system32\Cbgnemjj.exe108⤵
- Modifies registry class
PID:5596 -
C:\Windows\SysWOW64\Cjnffjkl.exeC:\Windows\system32\Cjnffjkl.exe109⤵
- Drops file in System32 directory
PID:5676 -
C:\Windows\SysWOW64\Ckpbnb32.exeC:\Windows\system32\Ckpbnb32.exe110⤵PID:5760
-
C:\Windows\SysWOW64\Dbjkkl32.exeC:\Windows\system32\Dbjkkl32.exe111⤵PID:5840
-
C:\Windows\SysWOW64\Diccgfpd.exeC:\Windows\system32\Diccgfpd.exe112⤵PID:5904
-
C:\Windows\SysWOW64\Dkbocbog.exeC:\Windows\system32\Dkbocbog.exe113⤵PID:5984
-
C:\Windows\SysWOW64\Dblgpl32.exeC:\Windows\system32\Dblgpl32.exe114⤵
- System Location Discovery: System Language Discovery
PID:6048 -
C:\Windows\SysWOW64\Difpmfna.exeC:\Windows\system32\Difpmfna.exe115⤵PID:6120
-
C:\Windows\SysWOW64\Dpphjp32.exeC:\Windows\system32\Dpphjp32.exe116⤵PID:4080
-
C:\Windows\SysWOW64\Dfjpfj32.exeC:\Windows\system32\Dfjpfj32.exe117⤵PID:4140
-
C:\Windows\SysWOW64\Dmdhcddh.exeC:\Windows\system32\Dmdhcddh.exe118⤵
- Modifies registry class
PID:532 -
C:\Windows\SysWOW64\Dbqqkkbo.exeC:\Windows\system32\Dbqqkkbo.exe119⤵PID:864
-
C:\Windows\SysWOW64\Dmfeidbe.exeC:\Windows\system32\Dmfeidbe.exe120⤵PID:5180
-
C:\Windows\SysWOW64\Dcpmen32.exeC:\Windows\system32\Dcpmen32.exe121⤵
- Modifies registry class
PID:5272 -
C:\Windows\SysWOW64\Dimenegi.exeC:\Windows\system32\Dimenegi.exe122⤵PID:2736
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-