Analysis
-
max time kernel
118s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
11/11/2024, 12:32
Static task
static1
Behavioral task
behavioral1
Sample
04692d8c92c36eba3231bd92b5241bb6294c3fcc2665ad42b00f3a7157476da9N.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
04692d8c92c36eba3231bd92b5241bb6294c3fcc2665ad42b00f3a7157476da9N.exe
Resource
win10v2004-20241007-en
General
-
Target
04692d8c92c36eba3231bd92b5241bb6294c3fcc2665ad42b00f3a7157476da9N.exe
-
Size
363KB
-
MD5
823b5a75f54a3f96e9ec72eb27e8cda0
-
SHA1
c660a2037f436a43415c02d98535d7d1f0b30f60
-
SHA256
04692d8c92c36eba3231bd92b5241bb6294c3fcc2665ad42b00f3a7157476da9
-
SHA512
a1a993ba3a2d5c9dbfd6e520b70c400acd986249c549be6b02f98bf1e271790dfe50f5c8e3af47127b78085b87060f3bb7b3d79712880ddb04a8584e13fb6c35
-
SSDEEP
6144:tuqVU5tTbVXksax8n5tTDUZNSN58VU5tT:tfG5tP6sus5t6NSN6G5t
Malware Config
Extracted
berbew
http://tat-neftbank.ru/kkq.php
http://tat-neftbank.ru/wcmd.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llkbcl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nggipg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogbldk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ockinl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pljnkodm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cqleifna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jnemfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hljaigmo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbadagln.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eikimeff.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lafahdcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pebbcdkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckmpkpbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmnngl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbcelp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjnjqb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nddcimag.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obhpad32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ochcem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dqaode32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fbimkpmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pimkbbpi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnabffeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Enhaeldn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fpgnoo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfbjhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Laaabo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppdfimji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lpqlemaj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckfjjqhd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bedamd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jibnop32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Deeqch32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgcmod32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oodjjign.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aiaqle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Donojm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Halcmn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jeoeclek.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kijmbnpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fpokjd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Blkmdodf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkjpggkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Opjkpo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oleepo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nomkfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hdefnjkj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpkhoj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngpcohbm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbpbgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ffgfancd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kiofnm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcmcebkc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Klkfdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Adgein32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgokfnij.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Geqlnjcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ncnjeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbbomjnn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhkghqpb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qdlipplq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eddjhb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Enneln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Flhhed32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2780 Jfohgepi.exe 2556 Jpjifjdg.exe 2572 Jibnop32.exe 2568 Klcgpkhh.exe 2348 Kocpbfei.exe 912 Kkjpggkn.exe 2368 Kpgionie.exe 632 Lplbjm32.exe 2332 Lmpcca32.exe 1900 Lpqlemaj.exe 788 Lofifi32.exe 316 Lafahdcc.exe 2204 Mkofaj32.exe 2980 Mhcfjnhm.exe 1308 Mnblhddb.exe 1252 Mlieoqgg.exe 1692 Nfbjhf32.exe 2864 Nhbciaki.exe 1956 Nomkfk32.exe 2192 Nghpjn32.exe 600 Nnahgh32.exe 2848 Ndlpdbnj.exe 1476 Njhilimb.exe 2388 Nqbaic32.exe 1724 Omiand32.exe 2752 Opjkpo32.exe 2744 Omnkicen.exe 2836 Ochcem32.exe 2552 Opodknco.exe 2184 Ofilgh32.exe 1096 Oleepo32.exe 1324 Pfkimhhi.exe 2504 Plhaeofp.exe 1976 Pljnkodm.exe 1072 Pebbcdkn.exe 1448 Pllkpn32.exe 952 Paiche32.exe 2216 Ppopja32.exe 2380 Qdlipplq.exe 2984 Qjfalj32.exe 1316 Qlgndbil.exe 1752 Aepbmhpl.exe 2412 Aohgfm32.exe 2860 Aebobgmi.exe 2288 Aokckm32.exe 984 Aedlhg32.exe 296 Aompambg.exe 2428 Aeghng32.exe 2936 Akdafn32.exe 2636 Adleoc32.exe 2716 Akfnkmei.exe 828 Bpcfcddp.exe 2140 Bhjneadb.exe 2440 Babbng32.exe 1392 Bgokfnij.exe 1916 Bllcnega.exe 1952 Bcflko32.exe 2340 Blnpddeo.exe 1772 Bchhqo32.exe 1300 Bjbqmi32.exe 928 Bckefnki.exe 1528 Ckfjjqhd.exe 1716 Cbpbgk32.exe 2172 Clefdcog.exe -
Loads dropped DLL 64 IoCs
pid Process 2688 04692d8c92c36eba3231bd92b5241bb6294c3fcc2665ad42b00f3a7157476da9N.exe 2688 04692d8c92c36eba3231bd92b5241bb6294c3fcc2665ad42b00f3a7157476da9N.exe 2780 Jfohgepi.exe 2780 Jfohgepi.exe 2556 Jpjifjdg.exe 2556 Jpjifjdg.exe 2572 Jibnop32.exe 2572 Jibnop32.exe 2568 Klcgpkhh.exe 2568 Klcgpkhh.exe 2348 Kocpbfei.exe 2348 Kocpbfei.exe 912 Kkjpggkn.exe 912 Kkjpggkn.exe 2368 Kpgionie.exe 2368 Kpgionie.exe 632 Lplbjm32.exe 632 Lplbjm32.exe 2332 Lmpcca32.exe 2332 Lmpcca32.exe 1900 Lpqlemaj.exe 1900 Lpqlemaj.exe 788 Lofifi32.exe 788 Lofifi32.exe 316 Lafahdcc.exe 316 Lafahdcc.exe 2204 Mkofaj32.exe 2204 Mkofaj32.exe 2980 Mhcfjnhm.exe 2980 Mhcfjnhm.exe 1308 Mnblhddb.exe 1308 Mnblhddb.exe 1252 Mlieoqgg.exe 1252 Mlieoqgg.exe 1692 Nfbjhf32.exe 1692 Nfbjhf32.exe 2864 Nhbciaki.exe 2864 Nhbciaki.exe 1956 Nomkfk32.exe 1956 Nomkfk32.exe 2192 Nghpjn32.exe 2192 Nghpjn32.exe 600 Nnahgh32.exe 600 Nnahgh32.exe 2848 Ndlpdbnj.exe 2848 Ndlpdbnj.exe 1476 Njhilimb.exe 1476 Njhilimb.exe 2388 Nqbaic32.exe 2388 Nqbaic32.exe 2756 Oninhgae.exe 2756 Oninhgae.exe 2752 Opjkpo32.exe 2752 Opjkpo32.exe 2744 Omnkicen.exe 2744 Omnkicen.exe 2836 Ochcem32.exe 2836 Ochcem32.exe 2552 Opodknco.exe 2552 Opodknco.exe 2184 Ofilgh32.exe 2184 Ofilgh32.exe 1096 Oleepo32.exe 1096 Oleepo32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Hjggap32.exe Hdjoii32.exe File opened for modification C:\Windows\SysWOW64\Cdngip32.exe Cncolfcl.exe File created C:\Windows\SysWOW64\Cgmofa32.dll Pljnkodm.exe File created C:\Windows\SysWOW64\Ffgfancd.exe Fpmned32.exe File created C:\Windows\SysWOW64\Olahgd32.dll Dnjalhpp.exe File created C:\Windows\SysWOW64\Eqngcc32.exe Egebjmdn.exe File created C:\Windows\SysWOW64\Eaednh32.exe Ehmpeb32.exe File created C:\Windows\SysWOW64\Ebfqfpop.exe Eaednh32.exe File opened for modification C:\Windows\SysWOW64\Ockinl32.exe Ojceef32.exe File created C:\Windows\SysWOW64\Cdaimdkg.dll Ppgcol32.exe File created C:\Windows\SysWOW64\Cdngip32.exe Cncolfcl.exe File created C:\Windows\SysWOW64\Bckefnki.exe Bjbqmi32.exe File opened for modification C:\Windows\SysWOW64\Flhhed32.exe Fenphjei.exe File created C:\Windows\SysWOW64\Dcipgdao.dll Lofifi32.exe File created C:\Windows\SysWOW64\Npabemib.dll Bhkghqpb.exe File opened for modification C:\Windows\SysWOW64\Jpjifjdg.exe Jfohgepi.exe File created C:\Windows\SysWOW64\Fehokjjf.dll Ingmmn32.exe File opened for modification C:\Windows\SysWOW64\Ldkdckff.exe Lalhgogb.exe File created C:\Windows\SysWOW64\Lgpfpe32.exe Llkbcl32.exe File created C:\Windows\SysWOW64\Ogbldk32.exe Ofaolcmh.exe File created C:\Windows\SysWOW64\Nqbaic32.exe Njhilimb.exe File opened for modification C:\Windows\SysWOW64\Opodknco.exe Ochcem32.exe File created C:\Windows\SysWOW64\Khdlbn32.dll Aicmadmm.exe File opened for modification C:\Windows\SysWOW64\Cncolfcl.exe Chggdoee.exe File created C:\Windows\SysWOW64\Iianmlfn.exe Igpaec32.exe File opened for modification C:\Windows\SysWOW64\Enhaeldn.exe Eikimeff.exe File created C:\Windows\SysWOW64\Miclhpjp.exe Mpkhoj32.exe File created C:\Windows\SysWOW64\Nnjklb32.exe Ngpcohbm.exe File created C:\Windows\SysWOW64\Omnkicen.exe Opjkpo32.exe File created C:\Windows\SysWOW64\Qleikgfd.dll Dbadagln.exe File created C:\Windows\SysWOW64\Ebockkal.exe Eqngcc32.exe File created C:\Windows\SysWOW64\Gmlablaa.exe Gkmefaan.exe File opened for modification C:\Windows\SysWOW64\Kiofnm32.exe Klkfdi32.exe File opened for modification C:\Windows\SysWOW64\Igkhjdde.exe Iqapnjli.exe File created C:\Windows\SysWOW64\Dofohkkf.dll Kbnhpdke.exe File created C:\Windows\SysWOW64\Plhaeofp.exe Pfkimhhi.exe File created C:\Windows\SysWOW64\Dilchhgg.exe Dqaode32.exe File created C:\Windows\SysWOW64\Gpnchjga.dll Lafahdcc.exe File opened for modification C:\Windows\SysWOW64\Bcflko32.exe Bllcnega.exe File created C:\Windows\SysWOW64\Dblknlpo.dll Heqimm32.exe File created C:\Windows\SysWOW64\Gcmcebkc.exe Glckihcg.exe File created C:\Windows\SysWOW64\Nliqma32.dll Cnhhge32.exe File opened for modification C:\Windows\SysWOW64\Emdhhdqb.exe Ebockkal.exe File created C:\Windows\SysWOW64\Nclgkc32.dll Pfkimhhi.exe File opened for modification C:\Windows\SysWOW64\Mlmoilni.exe Lgpfpe32.exe File created C:\Windows\SysWOW64\Jlpfci32.dll Dfkclf32.exe File opened for modification C:\Windows\SysWOW64\Eqkjmcmq.exe Efffpjmk.exe File created C:\Windows\SysWOW64\Nghpjn32.exe Nomkfk32.exe File opened for modification C:\Windows\SysWOW64\Nnahgh32.exe Nghpjn32.exe File created C:\Windows\SysWOW64\Hdefnjkj.exe Hcdifa32.exe File created C:\Windows\SysWOW64\Djgaeaao.dll Ikagogco.exe File opened for modification C:\Windows\SysWOW64\Ejfbfo32.exe Eejjnhgc.exe File opened for modification C:\Windows\SysWOW64\Hlmnogkl.exe Hdefnjkj.exe File created C:\Windows\SysWOW64\Iqapnjli.exe Hjggap32.exe File created C:\Windows\SysWOW64\Egbigm32.dll Dhdfmbjc.exe File created C:\Windows\SysWOW64\Halcmn32.exe Hhcndhap.exe File opened for modification C:\Windows\SysWOW64\Jahbmlil.exe Jjnjqb32.exe File created C:\Windows\SysWOW64\Hefnockl.dll Nnahgh32.exe File created C:\Windows\SysWOW64\Omiand32.exe Nqbaic32.exe File created C:\Windows\SysWOW64\Aokckm32.exe Aebobgmi.exe File opened for modification C:\Windows\SysWOW64\Lgnjke32.exe Laaabo32.exe File opened for modification C:\Windows\SysWOW64\Egebjmdn.exe Eqkjmcmq.exe File created C:\Windows\SysWOW64\Cbpbgk32.exe Ckfjjqhd.exe File created C:\Windows\SysWOW64\Hlmnogkl.exe Hdefnjkj.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3936 3652 WerFault.exe 310 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Halcmn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eacghhkd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpjmnh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifpelq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fogdap32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbcelp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plbmom32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Donojm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfbjhf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhjneadb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Babbng32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejfbfo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lalhgogb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkdioh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opodknco.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbbomjnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdjoii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Keango32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnblhddb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eqkjmcmq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iblola32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pimkbbpi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppgcol32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkjhjm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aedlhg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klkfdi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Miclhpjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aeokba32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjnignob.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glfgnh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojceef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahpddmia.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fenphjei.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Maoalb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nqmqcmdh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhdjno32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qemomb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akdafn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flhhed32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhdpnm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfglfdeb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bllcnega.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjbmll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cncolfcl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fegjgkla.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncnjeh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pllkpn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckfjjqhd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Clefdcog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfkjgm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enneln32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebknblho.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddkgbc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eddjhb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 04692d8c92c36eba3231bd92b5241bb6294c3fcc2665ad42b00f3a7157476da9N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jibnop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aohgfm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cqleifna.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbadagln.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fedfgejh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qncfphff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmpcca32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjbqmi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bckefnki.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aejnfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aeackjhh.dll" Epcddopf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Micfag32.dll" Njhilimb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fogdap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mnhnfckm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cbpbgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmgqao32.dll" Lpaehl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkfokdde.dll" Nggipg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dhdfmbjc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ninlepim.dll" Mkofaj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nfbjhf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oekehomj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Blkmdodf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nloocg32.dll" Ndlpdbnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dmjlof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjhlmfio.dll" Hhcndhap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fogiamne.dll" Ldkdckff.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mlmoilni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oomjld32.dll" Emdhhdqb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbpmdgef.dll" Aejnfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgaajh32.dll" Bhpqcpkm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bcflko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gcppkbia.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Laaabo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bkqiek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmqioe32.dll" Oninhgae.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bhjneadb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gkmefaan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onndkg32.dll" Fedfgejh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkobdolo.dll" Aompambg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdjphodi.dll" Enneln32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fogdap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbpcpn32.dll" Geqlnjcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpnchjga.dll" Lafahdcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjkfmc32.dll" Ppopja32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cnabffeo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Epcddopf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qncfphff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qjfalj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mchdpibh.dll" Ehmpeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebenek32.dll" Jfohgepi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dhiphb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mkofaj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hhcndhap.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eddjhb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bbchkime.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kokahpfn.dll" Piadma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agpdah32.dll" Lplbjm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cnflae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khqplf32.dll" Ddppmclb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ebockkal.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hlmnogkl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dilchhgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eaednh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dkjpdcfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eiciig32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oninhgae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bhkghqpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bobhaimm.dll" Djdjalea.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fhjoof32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pebbcdkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bpcfcddp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ppgcol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejapnc32.dll" Mhkfnlme.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2688 wrote to memory of 2780 2688 04692d8c92c36eba3231bd92b5241bb6294c3fcc2665ad42b00f3a7157476da9N.exe 30 PID 2688 wrote to memory of 2780 2688 04692d8c92c36eba3231bd92b5241bb6294c3fcc2665ad42b00f3a7157476da9N.exe 30 PID 2688 wrote to memory of 2780 2688 04692d8c92c36eba3231bd92b5241bb6294c3fcc2665ad42b00f3a7157476da9N.exe 30 PID 2688 wrote to memory of 2780 2688 04692d8c92c36eba3231bd92b5241bb6294c3fcc2665ad42b00f3a7157476da9N.exe 30 PID 2780 wrote to memory of 2556 2780 Jfohgepi.exe 31 PID 2780 wrote to memory of 2556 2780 Jfohgepi.exe 31 PID 2780 wrote to memory of 2556 2780 Jfohgepi.exe 31 PID 2780 wrote to memory of 2556 2780 Jfohgepi.exe 31 PID 2556 wrote to memory of 2572 2556 Jpjifjdg.exe 32 PID 2556 wrote to memory of 2572 2556 Jpjifjdg.exe 32 PID 2556 wrote to memory of 2572 2556 Jpjifjdg.exe 32 PID 2556 wrote to memory of 2572 2556 Jpjifjdg.exe 32 PID 2572 wrote to memory of 2568 2572 Jibnop32.exe 33 PID 2572 wrote to memory of 2568 2572 Jibnop32.exe 33 PID 2572 wrote to memory of 2568 2572 Jibnop32.exe 33 PID 2572 wrote to memory of 2568 2572 Jibnop32.exe 33 PID 2568 wrote to memory of 2348 2568 Klcgpkhh.exe 34 PID 2568 wrote to memory of 2348 2568 Klcgpkhh.exe 34 PID 2568 wrote to memory of 2348 2568 Klcgpkhh.exe 34 PID 2568 wrote to memory of 2348 2568 Klcgpkhh.exe 34 PID 2348 wrote to memory of 912 2348 Kocpbfei.exe 35 PID 2348 wrote to memory of 912 2348 Kocpbfei.exe 35 PID 2348 wrote to memory of 912 2348 Kocpbfei.exe 35 PID 2348 wrote to memory of 912 2348 Kocpbfei.exe 35 PID 912 wrote to memory of 2368 912 Kkjpggkn.exe 36 PID 912 wrote to memory of 2368 912 Kkjpggkn.exe 36 PID 912 wrote to memory of 2368 912 Kkjpggkn.exe 36 PID 912 wrote to memory of 2368 912 Kkjpggkn.exe 36 PID 2368 wrote to memory of 632 2368 Kpgionie.exe 37 PID 2368 wrote to memory of 632 2368 Kpgionie.exe 37 PID 2368 wrote to memory of 632 2368 Kpgionie.exe 37 PID 2368 wrote to memory of 632 2368 Kpgionie.exe 37 PID 632 wrote to memory of 2332 632 Lplbjm32.exe 38 PID 632 wrote to memory of 2332 632 Lplbjm32.exe 38 PID 632 wrote to memory of 2332 632 Lplbjm32.exe 38 PID 632 wrote to memory of 2332 632 Lplbjm32.exe 38 PID 2332 wrote to memory of 1900 2332 Lmpcca32.exe 39 PID 2332 wrote to memory of 1900 2332 Lmpcca32.exe 39 PID 2332 wrote to memory of 1900 2332 Lmpcca32.exe 39 PID 2332 wrote to memory of 1900 2332 Lmpcca32.exe 39 PID 1900 wrote to memory of 788 1900 Lpqlemaj.exe 40 PID 1900 wrote to memory of 788 1900 Lpqlemaj.exe 40 PID 1900 wrote to memory of 788 1900 Lpqlemaj.exe 40 PID 1900 wrote to memory of 788 1900 Lpqlemaj.exe 40 PID 788 wrote to memory of 316 788 Lofifi32.exe 41 PID 788 wrote to memory of 316 788 Lofifi32.exe 41 PID 788 wrote to memory of 316 788 Lofifi32.exe 41 PID 788 wrote to memory of 316 788 Lofifi32.exe 41 PID 316 wrote to memory of 2204 316 Lafahdcc.exe 42 PID 316 wrote to memory of 2204 316 Lafahdcc.exe 42 PID 316 wrote to memory of 2204 316 Lafahdcc.exe 42 PID 316 wrote to memory of 2204 316 Lafahdcc.exe 42 PID 2204 wrote to memory of 2980 2204 Mkofaj32.exe 43 PID 2204 wrote to memory of 2980 2204 Mkofaj32.exe 43 PID 2204 wrote to memory of 2980 2204 Mkofaj32.exe 43 PID 2204 wrote to memory of 2980 2204 Mkofaj32.exe 43 PID 2980 wrote to memory of 1308 2980 Mhcfjnhm.exe 44 PID 2980 wrote to memory of 1308 2980 Mhcfjnhm.exe 44 PID 2980 wrote to memory of 1308 2980 Mhcfjnhm.exe 44 PID 2980 wrote to memory of 1308 2980 Mhcfjnhm.exe 44 PID 1308 wrote to memory of 1252 1308 Mnblhddb.exe 45 PID 1308 wrote to memory of 1252 1308 Mnblhddb.exe 45 PID 1308 wrote to memory of 1252 1308 Mnblhddb.exe 45 PID 1308 wrote to memory of 1252 1308 Mnblhddb.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\04692d8c92c36eba3231bd92b5241bb6294c3fcc2665ad42b00f3a7157476da9N.exe"C:\Users\Admin\AppData\Local\Temp\04692d8c92c36eba3231bd92b5241bb6294c3fcc2665ad42b00f3a7157476da9N.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2688 -
C:\Windows\SysWOW64\Jfohgepi.exeC:\Windows\system32\Jfohgepi.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2780 -
C:\Windows\SysWOW64\Jpjifjdg.exeC:\Windows\system32\Jpjifjdg.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2556 -
C:\Windows\SysWOW64\Jibnop32.exeC:\Windows\system32\Jibnop32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2572 -
C:\Windows\SysWOW64\Klcgpkhh.exeC:\Windows\system32\Klcgpkhh.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2568 -
C:\Windows\SysWOW64\Kocpbfei.exeC:\Windows\system32\Kocpbfei.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2348 -
C:\Windows\SysWOW64\Kkjpggkn.exeC:\Windows\system32\Kkjpggkn.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:912 -
C:\Windows\SysWOW64\Kpgionie.exeC:\Windows\system32\Kpgionie.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2368 -
C:\Windows\SysWOW64\Lplbjm32.exeC:\Windows\system32\Lplbjm32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:632 -
C:\Windows\SysWOW64\Lmpcca32.exeC:\Windows\system32\Lmpcca32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2332 -
C:\Windows\SysWOW64\Lpqlemaj.exeC:\Windows\system32\Lpqlemaj.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1900 -
C:\Windows\SysWOW64\Lofifi32.exeC:\Windows\system32\Lofifi32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:788 -
C:\Windows\SysWOW64\Lafahdcc.exeC:\Windows\system32\Lafahdcc.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:316 -
C:\Windows\SysWOW64\Mkofaj32.exeC:\Windows\system32\Mkofaj32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2204 -
C:\Windows\SysWOW64\Mhcfjnhm.exeC:\Windows\system32\Mhcfjnhm.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2980 -
C:\Windows\SysWOW64\Mnblhddb.exeC:\Windows\system32\Mnblhddb.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1308 -
C:\Windows\SysWOW64\Mlieoqgg.exeC:\Windows\system32\Mlieoqgg.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1252 -
C:\Windows\SysWOW64\Nfbjhf32.exeC:\Windows\system32\Nfbjhf32.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1692 -
C:\Windows\SysWOW64\Nhbciaki.exeC:\Windows\system32\Nhbciaki.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2864 -
C:\Windows\SysWOW64\Nomkfk32.exeC:\Windows\system32\Nomkfk32.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1956 -
C:\Windows\SysWOW64\Nghpjn32.exeC:\Windows\system32\Nghpjn32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2192 -
C:\Windows\SysWOW64\Nnahgh32.exeC:\Windows\system32\Nnahgh32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:600 -
C:\Windows\SysWOW64\Ndlpdbnj.exeC:\Windows\system32\Ndlpdbnj.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2848 -
C:\Windows\SysWOW64\Njhilimb.exeC:\Windows\system32\Njhilimb.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1476 -
C:\Windows\SysWOW64\Nqbaic32.exeC:\Windows\system32\Nqbaic32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2388 -
C:\Windows\SysWOW64\Omiand32.exeC:\Windows\system32\Omiand32.exe26⤵
- Executes dropped EXE
PID:1724 -
C:\Windows\SysWOW64\Oninhgae.exeC:\Windows\system32\Oninhgae.exe27⤵
- Loads dropped DLL
- Modifies registry class
PID:2756 -
C:\Windows\SysWOW64\Opjkpo32.exeC:\Windows\system32\Opjkpo32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2752 -
C:\Windows\SysWOW64\Omnkicen.exeC:\Windows\system32\Omnkicen.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2744 -
C:\Windows\SysWOW64\Ochcem32.exeC:\Windows\system32\Ochcem32.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2836 -
C:\Windows\SysWOW64\Opodknco.exeC:\Windows\system32\Opodknco.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2552 -
C:\Windows\SysWOW64\Ofilgh32.exeC:\Windows\system32\Ofilgh32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2184 -
C:\Windows\SysWOW64\Oleepo32.exeC:\Windows\system32\Oleepo32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1096 -
C:\Windows\SysWOW64\Pfkimhhi.exeC:\Windows\system32\Pfkimhhi.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1324 -
C:\Windows\SysWOW64\Plhaeofp.exeC:\Windows\system32\Plhaeofp.exe35⤵
- Executes dropped EXE
PID:2504 -
C:\Windows\SysWOW64\Pljnkodm.exeC:\Windows\system32\Pljnkodm.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1976 -
C:\Windows\SysWOW64\Pebbcdkn.exeC:\Windows\system32\Pebbcdkn.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1072 -
C:\Windows\SysWOW64\Pllkpn32.exeC:\Windows\system32\Pllkpn32.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1448 -
C:\Windows\SysWOW64\Paiche32.exeC:\Windows\system32\Paiche32.exe39⤵
- Executes dropped EXE
PID:952 -
C:\Windows\SysWOW64\Ppopja32.exeC:\Windows\system32\Ppopja32.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:2216 -
C:\Windows\SysWOW64\Qdlipplq.exeC:\Windows\system32\Qdlipplq.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2380 -
C:\Windows\SysWOW64\Qjfalj32.exeC:\Windows\system32\Qjfalj32.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:2984 -
C:\Windows\SysWOW64\Qlgndbil.exeC:\Windows\system32\Qlgndbil.exe43⤵
- Executes dropped EXE
PID:1316 -
C:\Windows\SysWOW64\Aepbmhpl.exeC:\Windows\system32\Aepbmhpl.exe44⤵
- Executes dropped EXE
PID:1752 -
C:\Windows\SysWOW64\Aohgfm32.exeC:\Windows\system32\Aohgfm32.exe45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2412 -
C:\Windows\SysWOW64\Aebobgmi.exeC:\Windows\system32\Aebobgmi.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2860 -
C:\Windows\SysWOW64\Aokckm32.exeC:\Windows\system32\Aokckm32.exe47⤵
- Executes dropped EXE
PID:2288 -
C:\Windows\SysWOW64\Aedlhg32.exeC:\Windows\system32\Aedlhg32.exe48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:984 -
C:\Windows\SysWOW64\Aompambg.exeC:\Windows\system32\Aompambg.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:296 -
C:\Windows\SysWOW64\Aeghng32.exeC:\Windows\system32\Aeghng32.exe50⤵
- Executes dropped EXE
PID:2428 -
C:\Windows\SysWOW64\Akdafn32.exeC:\Windows\system32\Akdafn32.exe51⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2936 -
C:\Windows\SysWOW64\Adleoc32.exeC:\Windows\system32\Adleoc32.exe52⤵
- Executes dropped EXE
PID:2636 -
C:\Windows\SysWOW64\Akfnkmei.exeC:\Windows\system32\Akfnkmei.exe53⤵
- Executes dropped EXE
PID:2716 -
C:\Windows\SysWOW64\Bpcfcddp.exeC:\Windows\system32\Bpcfcddp.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:828 -
C:\Windows\SysWOW64\Bhjneadb.exeC:\Windows\system32\Bhjneadb.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2140 -
C:\Windows\SysWOW64\Babbng32.exeC:\Windows\system32\Babbng32.exe56⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2440 -
C:\Windows\SysWOW64\Bgokfnij.exeC:\Windows\system32\Bgokfnij.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1392 -
C:\Windows\SysWOW64\Bllcnega.exeC:\Windows\system32\Bllcnega.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1916 -
C:\Windows\SysWOW64\Bcflko32.exeC:\Windows\system32\Bcflko32.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:1952 -
C:\Windows\SysWOW64\Blnpddeo.exeC:\Windows\system32\Blnpddeo.exe60⤵
- Executes dropped EXE
PID:2340 -
C:\Windows\SysWOW64\Bchhqo32.exeC:\Windows\system32\Bchhqo32.exe61⤵
- Executes dropped EXE
PID:1772 -
C:\Windows\SysWOW64\Bjbqmi32.exeC:\Windows\system32\Bjbqmi32.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1300 -
C:\Windows\SysWOW64\Bckefnki.exeC:\Windows\system32\Bckefnki.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:928 -
C:\Windows\SysWOW64\Ckfjjqhd.exeC:\Windows\system32\Ckfjjqhd.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1528 -
C:\Windows\SysWOW64\Cbpbgk32.exeC:\Windows\system32\Cbpbgk32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1716 -
C:\Windows\SysWOW64\Clefdcog.exeC:\Windows\system32\Clefdcog.exe66⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2172 -
C:\Windows\SysWOW64\Cbbomjnn.exeC:\Windows\system32\Cbbomjnn.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1056 -
C:\Windows\SysWOW64\Chlgid32.exeC:\Windows\system32\Chlgid32.exe68⤵PID:792
-
C:\Windows\SysWOW64\Cofofolh.exeC:\Windows\system32\Cofofolh.exe69⤵PID:2672
-
C:\Windows\SysWOW64\Cdchneko.exeC:\Windows\system32\Cdchneko.exe70⤵PID:2796
-
C:\Windows\SysWOW64\Ckmpkpbl.exeC:\Windows\system32\Ckmpkpbl.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2344 -
C:\Windows\SysWOW64\Cbghhj32.exeC:\Windows\system32\Cbghhj32.exe72⤵PID:656
-
C:\Windows\SysWOW64\Cchdpbog.exeC:\Windows\system32\Cchdpbog.exe73⤵PID:680
-
C:\Windows\SysWOW64\Cjbmll32.exeC:\Windows\system32\Cjbmll32.exe74⤵
- System Location Discovery: System Language Discovery
PID:2728 -
C:\Windows\SysWOW64\Cqleifna.exeC:\Windows\system32\Cqleifna.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1480 -
C:\Windows\SysWOW64\Dgfmep32.exeC:\Windows\system32\Dgfmep32.exe76⤵PID:1988
-
C:\Windows\SysWOW64\Djdjalea.exeC:\Windows\system32\Djdjalea.exe77⤵
- Modifies registry class
PID:1948 -
C:\Windows\SysWOW64\Doabjbci.exeC:\Windows\system32\Doabjbci.exe78⤵PID:620
-
C:\Windows\SysWOW64\Dfkjgm32.exeC:\Windows\system32\Dfkjgm32.exe79⤵
- System Location Discovery: System Language Discovery
PID:1040 -
C:\Windows\SysWOW64\Dqaode32.exeC:\Windows\system32\Dqaode32.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2236 -
C:\Windows\SysWOW64\Dilchhgg.exeC:\Windows\system32\Dilchhgg.exe81⤵
- Modifies registry class
PID:1084 -
C:\Windows\SysWOW64\Dkjpdcfj.exeC:\Windows\system32\Dkjpdcfj.exe82⤵
- Modifies registry class
PID:1896 -
C:\Windows\SysWOW64\Dfpcblfp.exeC:\Windows\system32\Dfpcblfp.exe83⤵PID:2476
-
C:\Windows\SysWOW64\Dmjlof32.exeC:\Windows\system32\Dmjlof32.exe84⤵
- Modifies registry class
PID:1520 -
C:\Windows\SysWOW64\Deeqch32.exeC:\Windows\system32\Deeqch32.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2032 -
C:\Windows\SysWOW64\Dgcmod32.exeC:\Windows\system32\Dgcmod32.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:308 -
C:\Windows\SysWOW64\Enneln32.exeC:\Windows\system32\Enneln32.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2840 -
C:\Windows\SysWOW64\Eiciig32.exeC:\Windows\system32\Eiciig32.exe88⤵
- Modifies registry class
PID:3036 -
C:\Windows\SysWOW64\Ebknblho.exeC:\Windows\system32\Ebknblho.exe89⤵
- System Location Discovery: System Language Discovery
PID:2896 -
C:\Windows\SysWOW64\Eejjnhgc.exeC:\Windows\system32\Eejjnhgc.exe90⤵
- Drops file in System32 directory
PID:1620 -
C:\Windows\SysWOW64\Ejfbfo32.exeC:\Windows\system32\Ejfbfo32.exe91⤵
- System Location Discovery: System Language Discovery
PID:2788 -
C:\Windows\SysWOW64\Ecogodlk.exeC:\Windows\system32\Ecogodlk.exe92⤵PID:1760
-
C:\Windows\SysWOW64\Ejioln32.exeC:\Windows\system32\Ejioln32.exe93⤵PID:2080
-
C:\Windows\SysWOW64\Eacghhkd.exeC:\Windows\system32\Eacghhkd.exe94⤵
- System Location Discovery: System Language Discovery
PID:1596 -
C:\Windows\SysWOW64\Ehmpeb32.exeC:\Windows\system32\Ehmpeb32.exe95⤵
- Drops file in System32 directory
- Modifies registry class
PID:1732 -
C:\Windows\SysWOW64\Eaednh32.exeC:\Windows\system32\Eaednh32.exe96⤵
- Drops file in System32 directory
- Modifies registry class
PID:1624 -
C:\Windows\SysWOW64\Ebfqfpop.exeC:\Windows\system32\Ebfqfpop.exe97⤵PID:2632
-
C:\Windows\SysWOW64\Fjnignob.exeC:\Windows\system32\Fjnignob.exe98⤵
- System Location Discovery: System Language Discovery
PID:844 -
C:\Windows\SysWOW64\Fbimkpmm.exeC:\Windows\system32\Fbimkpmm.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1572 -
C:\Windows\SysWOW64\Fegjgkla.exeC:\Windows\system32\Fegjgkla.exe100⤵
- System Location Discovery: System Language Discovery
PID:2660 -
C:\Windows\SysWOW64\Fpmned32.exeC:\Windows\system32\Fpmned32.exe101⤵
- Drops file in System32 directory
PID:1972 -
C:\Windows\SysWOW64\Ffgfancd.exeC:\Windows\system32\Ffgfancd.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1872 -
C:\Windows\SysWOW64\Fpokjd32.exeC:\Windows\system32\Fpokjd32.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2200 -
C:\Windows\SysWOW64\Fapgblob.exeC:\Windows\system32\Fapgblob.exe104⤵PID:2588
-
C:\Windows\SysWOW64\Fhjoof32.exeC:\Windows\system32\Fhjoof32.exe105⤵
- Modifies registry class
PID:2608 -
C:\Windows\SysWOW64\Fbpclofe.exeC:\Windows\system32\Fbpclofe.exe106⤵PID:2928
-
C:\Windows\SysWOW64\Fenphjei.exeC:\Windows\system32\Fenphjei.exe107⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3000 -
C:\Windows\SysWOW64\Flhhed32.exeC:\Windows\system32\Flhhed32.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:940 -
C:\Windows\SysWOW64\Fogdap32.exeC:\Windows\system32\Fogdap32.exe109⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2064 -
C:\Windows\SysWOW64\Geqlnjcf.exeC:\Windows\system32\Geqlnjcf.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1396 -
C:\Windows\SysWOW64\Gkmefaan.exeC:\Windows\system32\Gkmefaan.exe111⤵
- Drops file in System32 directory
- Modifies registry class
PID:2460 -
C:\Windows\SysWOW64\Gmlablaa.exeC:\Windows\system32\Gmlablaa.exe112⤵PID:2680
-
C:\Windows\SysWOW64\Gpjmnh32.exeC:\Windows\system32\Gpjmnh32.exe113⤵
- System Location Discovery: System Language Discovery
PID:2720 -
C:\Windows\SysWOW64\Gkpakq32.exeC:\Windows\system32\Gkpakq32.exe114⤵PID:2564
-
C:\Windows\SysWOW64\Gmnngl32.exeC:\Windows\system32\Gmnngl32.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2400 -
C:\Windows\SysWOW64\Gckfpc32.exeC:\Windows\system32\Gckfpc32.exe116⤵PID:1676
-
C:\Windows\SysWOW64\Glckihcg.exeC:\Windows\system32\Glckihcg.exe117⤵
- Drops file in System32 directory
PID:1472 -
C:\Windows\SysWOW64\Gcmcebkc.exeC:\Windows\system32\Gcmcebkc.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2132 -
C:\Windows\SysWOW64\Geloanjg.exeC:\Windows\system32\Geloanjg.exe119⤵PID:2972
-
C:\Windows\SysWOW64\Glfgnh32.exeC:\Windows\system32\Glfgnh32.exe120⤵
- System Location Discovery: System Language Discovery
PID:1940 -
C:\Windows\SysWOW64\Gcppkbia.exeC:\Windows\system32\Gcppkbia.exe121⤵
- Modifies registry class
PID:304 -
C:\Windows\SysWOW64\Genlgnhd.exeC:\Windows\system32\Genlgnhd.exe122⤵PID:2692
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-