Analysis
-
max time kernel
114s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
20/11/2024, 02:33
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
e55cf6e62235b9c56af467eadd66aa8f971935586a4f9c6370eeb06365d5849eN.exe
Resource
win7-20241010-en
windows7-x64
10 signatures
120 seconds
Behavioral task
behavioral2
Sample
e55cf6e62235b9c56af467eadd66aa8f971935586a4f9c6370eeb06365d5849eN.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
120 seconds
General
-
Target
e55cf6e62235b9c56af467eadd66aa8f971935586a4f9c6370eeb06365d5849eN.exe
-
Size
92KB
-
MD5
ce41948518cc7ea3e2d969d0b30b7c70
-
SHA1
e28ccb70ae6f552b0f4de9cddc55e568f7a72923
-
SHA256
e55cf6e62235b9c56af467eadd66aa8f971935586a4f9c6370eeb06365d5849e
-
SHA512
24ad622aeff61897b9022092615ceee24b7822f0c877ed471056aa77708b4d0180a64bd9521a7c2dc23b0fb82b4b8faf99945d789f4f786610cf777c8fd7f919
-
SSDEEP
1536:o65CwJ7jkbtg9co+oDD3xFBIIruTkbzjXq+66DFUABABOVLefE3:bM0jYa+yfB9pbzj6+JB8M3
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://master-x.com/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://crutop.ru/index.php
http://kaspersky.ru/index.php
http://color-bank.ru/index.php
http://adult-empire.com/index.php
http://virus-list.com/index.php
http://trojan.ru/index.php
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://fethard.biz/index.htm
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://kaspersky.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpmcmf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kncmknkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kldchgag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gfcjqkbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Niednn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fobodn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hccfoehi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lehfcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pfkkhmjn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chccfe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhknigfq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ooaiehhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mqoqlfkl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgndnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmhbbp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aaqnmbdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Obbpio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icidlf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kbgqbdbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mmmpfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bncboo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qkolil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hkdkhl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdiciboh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfoeqmfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phabdmgq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cklpml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Doclijgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Apphpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Neojknfh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hioefjfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kqomai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lpbhmiji.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enagnc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fglkeaqk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njaoeq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npbpjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhfnca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jkfnaa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccjpfmic.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmmgafjh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plbaafak.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbmnfajm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndcnik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Conmkh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bccihj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbkdgn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aagfffbo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2628 Olgboogb.exe 2996 Oepghe32.exe 2132 Opekenmh.exe 2964 Ohppjpkc.exe 2728 Omoehf32.exe 2784 Pooaaink.exe 1876 Phgfko32.exe 2092 Pcagkmaj.exe 2144 Pgopak32.exe 2364 Pgamgken.exe 1344 Plneoace.exe 1560 Qfifmghc.exe 2276 Aoakfl32.exe 2056 Anfggicl.exe 1456 Ajmhljip.exe 1284 Ajoebigm.exe 236 Agcekn32.exe 2516 Agebam32.exe 564 Bmbkid32.exe 860 Bcopkn32.exe 108 Bmgddcnf.exe 2040 Bbfibj32.exe 840 Bbhfgj32.exe 1720 Cmbghgdg.exe 868 Cappnf32.exe 2460 Cmgpcg32.exe 2980 Ccaipaho.exe 1708 Cpgieb32.exe 3052 Cfaaalep.exe 3004 Dlnjjc32.exe 2844 Didgig32.exe 2232 Dbmlal32.exe 1016 Dlepjbmo.exe 2648 Dkkmln32.exe 1772 Eipjmk32.exe 984 Echoepmo.exe 2908 Ecjkkp32.exe 2928 Ecmhqp32.exe 1752 Ecodfogg.exe 2176 Elgioe32.exe 2084 Fljfdd32.exe 1736 Febjmj32.exe 824 Fnnobl32.exe 2392 Gofajcog.exe 2708 Gqendf32.exe 1156 Gbfklolh.exe 620 Gmloigln.exe 916 Gbigao32.exe 1712 Gkaljdaf.exe 2404 Gbkdgn32.exe 1924 Goodpb32.exe 2960 Helmiiec.exe 2888 Hndaao32.exe 2768 Hcajjf32.exe 2936 Hminbkql.exe 2776 Hccfoehi.exe 2828 Hnikmnho.exe 1824 Hjplao32.exe 1248 Hchpjddc.exe 2984 Hiehbl32.exe 932 Ibmmkaik.exe 2172 Ilfadg32.exe 2660 Ifkfap32.exe 2244 Infjfblm.exe -
Loads dropped DLL 64 IoCs
pid Process 3016 e55cf6e62235b9c56af467eadd66aa8f971935586a4f9c6370eeb06365d5849eN.exe 3016 e55cf6e62235b9c56af467eadd66aa8f971935586a4f9c6370eeb06365d5849eN.exe 2628 Olgboogb.exe 2628 Olgboogb.exe 2996 Oepghe32.exe 2996 Oepghe32.exe 2132 Opekenmh.exe 2132 Opekenmh.exe 2964 Ohppjpkc.exe 2964 Ohppjpkc.exe 2728 Omoehf32.exe 2728 Omoehf32.exe 2784 Pooaaink.exe 2784 Pooaaink.exe 1876 Phgfko32.exe 1876 Phgfko32.exe 2092 Pcagkmaj.exe 2092 Pcagkmaj.exe 2144 Pgopak32.exe 2144 Pgopak32.exe 2364 Pgamgken.exe 2364 Pgamgken.exe 1344 Plneoace.exe 1344 Plneoace.exe 1560 Qfifmghc.exe 1560 Qfifmghc.exe 2276 Aoakfl32.exe 2276 Aoakfl32.exe 2056 Anfggicl.exe 2056 Anfggicl.exe 1456 Ajmhljip.exe 1456 Ajmhljip.exe 1284 Ajoebigm.exe 1284 Ajoebigm.exe 236 Agcekn32.exe 236 Agcekn32.exe 2516 Agebam32.exe 2516 Agebam32.exe 564 Bmbkid32.exe 564 Bmbkid32.exe 860 Bcopkn32.exe 860 Bcopkn32.exe 108 Bmgddcnf.exe 108 Bmgddcnf.exe 2040 Bbfibj32.exe 2040 Bbfibj32.exe 840 Bbhfgj32.exe 840 Bbhfgj32.exe 1720 Cmbghgdg.exe 1720 Cmbghgdg.exe 868 Cappnf32.exe 868 Cappnf32.exe 2460 Cmgpcg32.exe 2460 Cmgpcg32.exe 2980 Ccaipaho.exe 2980 Ccaipaho.exe 1708 Cpgieb32.exe 1708 Cpgieb32.exe 3052 Cfaaalep.exe 3052 Cfaaalep.exe 3004 Dlnjjc32.exe 3004 Dlnjjc32.exe 2844 Didgig32.exe 2844 Didgig32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Fihhch32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Gkhenlcd.exe Gbpaef32.exe File created C:\Windows\SysWOW64\Jllggbde.exe Jebojh32.exe File opened for modification C:\Windows\SysWOW64\Kiomec32.exe Process not Found File created C:\Windows\SysWOW64\Oknqkmgf.dll Process not Found File created C:\Windows\SysWOW64\Nofnglhg.dll Nfcoel32.exe File created C:\Windows\SysWOW64\Eljihn32.exe Eadejede.exe File opened for modification C:\Windows\SysWOW64\Pfhlie32.exe Ompgqonl.exe File created C:\Windows\SysWOW64\Jkqpfmje.exe Jbhkngcd.exe File created C:\Windows\SysWOW64\Ohmljj32.exe Omhhma32.exe File created C:\Windows\SysWOW64\Iimhfj32.exe Icponb32.exe File created C:\Windows\SysWOW64\Olbqfb32.dll Ekndpa32.exe File opened for modification C:\Windows\SysWOW64\Hepffelp.exe Hlhamp32.exe File created C:\Windows\SysWOW64\Acaffc32.dll Process not Found File created C:\Windows\SysWOW64\Gbigao32.exe Gmloigln.exe File created C:\Windows\SysWOW64\Ngpfbjkg.dll Pdamhocm.exe File created C:\Windows\SysWOW64\Lfehmgfd.dll Hgbdge32.exe File opened for modification C:\Windows\SysWOW64\Joijpo32.exe Jddfbf32.exe File created C:\Windows\SysWOW64\Dlmcaijm.exe Process not Found File created C:\Windows\SysWOW64\Egpfheoa.exe Process not Found File created C:\Windows\SysWOW64\Demdkkpb.dll Process not Found File created C:\Windows\SysWOW64\Ibmmkaik.exe Hiehbl32.exe File created C:\Windows\SysWOW64\Ekblplgo.exe Eefdgeig.exe File opened for modification C:\Windows\SysWOW64\Bpfhfjgq.exe Bgndnd32.exe File opened for modification C:\Windows\SysWOW64\Dbighojl.exe Dllnphkd.exe File created C:\Windows\SysWOW64\Djddbkck.exe Dgclpp32.exe File created C:\Windows\SysWOW64\Ligldf32.dll Process not Found File created C:\Windows\SysWOW64\Bihpmkee.dll Ajoebigm.exe File created C:\Windows\SysWOW64\Mkkpjg32.exe Mfngbq32.exe File created C:\Windows\SysWOW64\Hnllcoed.exe Hgbdge32.exe File created C:\Windows\SysWOW64\Ajkokgia.exe Aeofcpjj.exe File opened for modification C:\Windows\SysWOW64\Ehkgnpbe.exe Dnecag32.exe File created C:\Windows\SysWOW64\Fifane32.dll Poldnf32.exe File created C:\Windows\SysWOW64\Kbkgfgam.exe Process not Found File opened for modification C:\Windows\SysWOW64\Foqadnpq.exe Falakjag.exe File created C:\Windows\SysWOW64\Qmjogi32.dll Qloiqcbn.exe File created C:\Windows\SysWOW64\Bdknfiea.exe Bnafjo32.exe File created C:\Windows\SysWOW64\Fibgfl32.dll Dilggefh.exe File created C:\Windows\SysWOW64\Lkmhbpqc.dll Process not Found File created C:\Windows\SysWOW64\Infomg32.dll Bdcmjg32.exe File created C:\Windows\SysWOW64\Hpkbmemd.dll Kgffpk32.exe File created C:\Windows\SysWOW64\Cndcgd32.dll Kmgekh32.exe File created C:\Windows\SysWOW64\Hbdmij32.dll Lllkaobc.exe File created C:\Windows\SysWOW64\Ffhkbn32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Omgckcmm.exe Ocoobngl.exe File opened for modification C:\Windows\SysWOW64\Jcjffc32.exe Jhebij32.exe File opened for modification C:\Windows\SysWOW64\Cnbhcl32.exe Cpogjh32.exe File created C:\Windows\SysWOW64\Jcbbnmjj.dll Knmjmodm.exe File created C:\Windows\SysWOW64\Ealleg32.dll Dckdio32.exe File opened for modification C:\Windows\SysWOW64\Mnlkdk32.exe Meafpibb.exe File opened for modification C:\Windows\SysWOW64\Ocjfgo32.exe Nnnmoh32.exe File opened for modification C:\Windows\SysWOW64\Clphjc32.exe Cpigeblb.exe File created C:\Windows\SysWOW64\Afmack32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Pdamhocm.exe Poddphee.exe File created C:\Windows\SysWOW64\Idiphpjd.dll Ngcebnen.exe File created C:\Windows\SysWOW64\Likaja32.dll Jggiah32.exe File created C:\Windows\SysWOW64\Qokmloio.dll Pqodho32.exe File created C:\Windows\SysWOW64\Efahad32.dll Gbpaef32.exe File created C:\Windows\SysWOW64\Ahhgkdfo.exe Abkncmhh.exe File created C:\Windows\SysWOW64\Alfpab32.exe Abmkhmfe.exe File opened for modification C:\Windows\SysWOW64\Ojhdmgkl.exe Oamohenq.exe File opened for modification C:\Windows\SysWOW64\Hmqjoljn.exe Process not Found File created C:\Windows\SysWOW64\Nkmkgc32.exe Nbegonmd.exe File created C:\Windows\SysWOW64\Oamohenq.exe Oggkklnk.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 2844 2900 Process not Found 1422 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifloeo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpigeblb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dafchi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oiepmajb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehkgnpbe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnejqmie.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcbbidgl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbmlal32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dogbolep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opqdcgib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qeeadi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmhbbp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Echoepmo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppmkilbp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apdobg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alfpab32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgpgae32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eqpfchka.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocpakg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkafib32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfhlie32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcmpjfqa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ceclmc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oenppk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akbgdkgm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldikbhfh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmpobi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmfhqmge.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fehjcc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifgpkm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohifch32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmhmgbif.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Leaallcb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kemcookp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idaimfjf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bcopkn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmloigln.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdlmnm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlifie32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajoebigm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cncmei32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phckglbq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Haoggh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjkmfn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdjfmolo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gebiefle.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njmhcj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pqdend32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eadejede.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idepdhia.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jocceo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Almmlg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lllkaobc.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lmmaoq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hioefjfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hnikmnho.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fhgkqmph.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cjiiim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dekmid32.dll" Icponb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epinic32.dll" Klimcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnpbejpb.dll" Gmlokdgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pgamgken.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Niaihojk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcdoefdh.dll" Ehiiop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Phabdmgq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjgobo32.dll" Hbcdfq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cbdkdffm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Conmkh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ppmjkhma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fplgljbm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlmkdf32.dll" Kemcookp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Meaiia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgmngpci.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lgphke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojiphp32.dll" Ifmbilhq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kjpdoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nhbpbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ainhln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igmalekk.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pgkqeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kpcbhlki.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ocoobngl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eghkhikg.dll" Hnapja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Amglij32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bgihjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okdqnp32.dll" Fijolbfh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gqendf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Njpdiifd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ponokmah.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bimdka32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocgiim32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bhdmahpn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nglcbafp.dll" Ehnknfdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebnfdkdf.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoppkj32.dll" Lebemmbk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fehjcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hnllcoed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogeckf32.dll" Dapnfb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fplgljbm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ikqcgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egjcangb.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdcgpi32.dll" Ifikehii.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eqjceidf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Odgchjhl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Phknlfem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbgapn32.dll" Dafchi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3016 wrote to memory of 2628 3016 e55cf6e62235b9c56af467eadd66aa8f971935586a4f9c6370eeb06365d5849eN.exe 29 PID 3016 wrote to memory of 2628 3016 e55cf6e62235b9c56af467eadd66aa8f971935586a4f9c6370eeb06365d5849eN.exe 29 PID 3016 wrote to memory of 2628 3016 e55cf6e62235b9c56af467eadd66aa8f971935586a4f9c6370eeb06365d5849eN.exe 29 PID 3016 wrote to memory of 2628 3016 e55cf6e62235b9c56af467eadd66aa8f971935586a4f9c6370eeb06365d5849eN.exe 29 PID 2628 wrote to memory of 2996 2628 Olgboogb.exe 30 PID 2628 wrote to memory of 2996 2628 Olgboogb.exe 30 PID 2628 wrote to memory of 2996 2628 Olgboogb.exe 30 PID 2628 wrote to memory of 2996 2628 Olgboogb.exe 30 PID 2996 wrote to memory of 2132 2996 Oepghe32.exe 31 PID 2996 wrote to memory of 2132 2996 Oepghe32.exe 31 PID 2996 wrote to memory of 2132 2996 Oepghe32.exe 31 PID 2996 wrote to memory of 2132 2996 Oepghe32.exe 31 PID 2132 wrote to memory of 2964 2132 Opekenmh.exe 32 PID 2132 wrote to memory of 2964 2132 Opekenmh.exe 32 PID 2132 wrote to memory of 2964 2132 Opekenmh.exe 32 PID 2132 wrote to memory of 2964 2132 Opekenmh.exe 32 PID 2964 wrote to memory of 2728 2964 Ohppjpkc.exe 33 PID 2964 wrote to memory of 2728 2964 Ohppjpkc.exe 33 PID 2964 wrote to memory of 2728 2964 Ohppjpkc.exe 33 PID 2964 wrote to memory of 2728 2964 Ohppjpkc.exe 33 PID 2728 wrote to memory of 2784 2728 Omoehf32.exe 34 PID 2728 wrote to memory of 2784 2728 Omoehf32.exe 34 PID 2728 wrote to memory of 2784 2728 Omoehf32.exe 34 PID 2728 wrote to memory of 2784 2728 Omoehf32.exe 34 PID 2784 wrote to memory of 1876 2784 Pooaaink.exe 35 PID 2784 wrote to memory of 1876 2784 Pooaaink.exe 35 PID 2784 wrote to memory of 1876 2784 Pooaaink.exe 35 PID 2784 wrote to memory of 1876 2784 Pooaaink.exe 35 PID 1876 wrote to memory of 2092 1876 Phgfko32.exe 36 PID 1876 wrote to memory of 2092 1876 Phgfko32.exe 36 PID 1876 wrote to memory of 2092 1876 Phgfko32.exe 36 PID 1876 wrote to memory of 2092 1876 Phgfko32.exe 36 PID 2092 wrote to memory of 2144 2092 Pcagkmaj.exe 37 PID 2092 wrote to memory of 2144 2092 Pcagkmaj.exe 37 PID 2092 wrote to memory of 2144 2092 Pcagkmaj.exe 37 PID 2092 wrote to memory of 2144 2092 Pcagkmaj.exe 37 PID 2144 wrote to memory of 2364 2144 Pgopak32.exe 38 PID 2144 wrote to memory of 2364 2144 Pgopak32.exe 38 PID 2144 wrote to memory of 2364 2144 Pgopak32.exe 38 PID 2144 wrote to memory of 2364 2144 Pgopak32.exe 38 PID 2364 wrote to memory of 1344 2364 Pgamgken.exe 39 PID 2364 wrote to memory of 1344 2364 Pgamgken.exe 39 PID 2364 wrote to memory of 1344 2364 Pgamgken.exe 39 PID 2364 wrote to memory of 1344 2364 Pgamgken.exe 39 PID 1344 wrote to memory of 1560 1344 Plneoace.exe 40 PID 1344 wrote to memory of 1560 1344 Plneoace.exe 40 PID 1344 wrote to memory of 1560 1344 Plneoace.exe 40 PID 1344 wrote to memory of 1560 1344 Plneoace.exe 40 PID 1560 wrote to memory of 2276 1560 Qfifmghc.exe 41 PID 1560 wrote to memory of 2276 1560 Qfifmghc.exe 41 PID 1560 wrote to memory of 2276 1560 Qfifmghc.exe 41 PID 1560 wrote to memory of 2276 1560 Qfifmghc.exe 41 PID 2276 wrote to memory of 2056 2276 Aoakfl32.exe 42 PID 2276 wrote to memory of 2056 2276 Aoakfl32.exe 42 PID 2276 wrote to memory of 2056 2276 Aoakfl32.exe 42 PID 2276 wrote to memory of 2056 2276 Aoakfl32.exe 42 PID 2056 wrote to memory of 1456 2056 Anfggicl.exe 43 PID 2056 wrote to memory of 1456 2056 Anfggicl.exe 43 PID 2056 wrote to memory of 1456 2056 Anfggicl.exe 43 PID 2056 wrote to memory of 1456 2056 Anfggicl.exe 43 PID 1456 wrote to memory of 1284 1456 Ajmhljip.exe 44 PID 1456 wrote to memory of 1284 1456 Ajmhljip.exe 44 PID 1456 wrote to memory of 1284 1456 Ajmhljip.exe 44 PID 1456 wrote to memory of 1284 1456 Ajmhljip.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\e55cf6e62235b9c56af467eadd66aa8f971935586a4f9c6370eeb06365d5849eN.exe"C:\Users\Admin\AppData\Local\Temp\e55cf6e62235b9c56af467eadd66aa8f971935586a4f9c6370eeb06365d5849eN.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3016 -
C:\Windows\SysWOW64\Olgboogb.exeC:\Windows\system32\Olgboogb.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Windows\SysWOW64\Oepghe32.exeC:\Windows\system32\Oepghe32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2996 -
C:\Windows\SysWOW64\Opekenmh.exeC:\Windows\system32\Opekenmh.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2132 -
C:\Windows\SysWOW64\Ohppjpkc.exeC:\Windows\system32\Ohppjpkc.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2964 -
C:\Windows\SysWOW64\Omoehf32.exeC:\Windows\system32\Omoehf32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2728 -
C:\Windows\SysWOW64\Pooaaink.exeC:\Windows\system32\Pooaaink.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2784 -
C:\Windows\SysWOW64\Phgfko32.exeC:\Windows\system32\Phgfko32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1876 -
C:\Windows\SysWOW64\Pcagkmaj.exeC:\Windows\system32\Pcagkmaj.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2092 -
C:\Windows\SysWOW64\Pgopak32.exeC:\Windows\system32\Pgopak32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2144 -
C:\Windows\SysWOW64\Pgamgken.exeC:\Windows\system32\Pgamgken.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2364 -
C:\Windows\SysWOW64\Plneoace.exeC:\Windows\system32\Plneoace.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1344 -
C:\Windows\SysWOW64\Qfifmghc.exeC:\Windows\system32\Qfifmghc.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1560 -
C:\Windows\SysWOW64\Aoakfl32.exeC:\Windows\system32\Aoakfl32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2276 -
C:\Windows\SysWOW64\Anfggicl.exeC:\Windows\system32\Anfggicl.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2056 -
C:\Windows\SysWOW64\Ajmhljip.exeC:\Windows\system32\Ajmhljip.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1456 -
C:\Windows\SysWOW64\Ajoebigm.exeC:\Windows\system32\Ajoebigm.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1284 -
C:\Windows\SysWOW64\Agcekn32.exeC:\Windows\system32\Agcekn32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:236 -
C:\Windows\SysWOW64\Agebam32.exeC:\Windows\system32\Agebam32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2516 -
C:\Windows\SysWOW64\Bmbkid32.exeC:\Windows\system32\Bmbkid32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:564 -
C:\Windows\SysWOW64\Bcopkn32.exeC:\Windows\system32\Bcopkn32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:860 -
C:\Windows\SysWOW64\Bmgddcnf.exeC:\Windows\system32\Bmgddcnf.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:108 -
C:\Windows\SysWOW64\Bbfibj32.exeC:\Windows\system32\Bbfibj32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2040 -
C:\Windows\SysWOW64\Bbhfgj32.exeC:\Windows\system32\Bbhfgj32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:840 -
C:\Windows\SysWOW64\Cmbghgdg.exeC:\Windows\system32\Cmbghgdg.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1720 -
C:\Windows\SysWOW64\Cappnf32.exeC:\Windows\system32\Cappnf32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:868 -
C:\Windows\SysWOW64\Cmgpcg32.exeC:\Windows\system32\Cmgpcg32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2460 -
C:\Windows\SysWOW64\Ccaipaho.exeC:\Windows\system32\Ccaipaho.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2980 -
C:\Windows\SysWOW64\Cpgieb32.exeC:\Windows\system32\Cpgieb32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1708 -
C:\Windows\SysWOW64\Cfaaalep.exeC:\Windows\system32\Cfaaalep.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3052 -
C:\Windows\SysWOW64\Dlnjjc32.exeC:\Windows\system32\Dlnjjc32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3004 -
C:\Windows\SysWOW64\Didgig32.exeC:\Windows\system32\Didgig32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2844 -
C:\Windows\SysWOW64\Dbmlal32.exeC:\Windows\system32\Dbmlal32.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2232 -
C:\Windows\SysWOW64\Dlepjbmo.exeC:\Windows\system32\Dlepjbmo.exe34⤵
- Executes dropped EXE
PID:1016 -
C:\Windows\SysWOW64\Dkkmln32.exeC:\Windows\system32\Dkkmln32.exe35⤵
- Executes dropped EXE
PID:2648 -
C:\Windows\SysWOW64\Eipjmk32.exeC:\Windows\system32\Eipjmk32.exe36⤵
- Executes dropped EXE
PID:1772 -
C:\Windows\SysWOW64\Echoepmo.exeC:\Windows\system32\Echoepmo.exe37⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:984 -
C:\Windows\SysWOW64\Ecjkkp32.exeC:\Windows\system32\Ecjkkp32.exe38⤵
- Executes dropped EXE
PID:2908 -
C:\Windows\SysWOW64\Ecmhqp32.exeC:\Windows\system32\Ecmhqp32.exe39⤵
- Executes dropped EXE
PID:2928 -
C:\Windows\SysWOW64\Ecodfogg.exeC:\Windows\system32\Ecodfogg.exe40⤵
- Executes dropped EXE
PID:1752 -
C:\Windows\SysWOW64\Elgioe32.exeC:\Windows\system32\Elgioe32.exe41⤵
- Executes dropped EXE
PID:2176 -
C:\Windows\SysWOW64\Fljfdd32.exeC:\Windows\system32\Fljfdd32.exe42⤵
- Executes dropped EXE
PID:2084 -
C:\Windows\SysWOW64\Febjmj32.exeC:\Windows\system32\Febjmj32.exe43⤵
- Executes dropped EXE
PID:1736 -
C:\Windows\SysWOW64\Fnnobl32.exeC:\Windows\system32\Fnnobl32.exe44⤵
- Executes dropped EXE
PID:824 -
C:\Windows\SysWOW64\Gofajcog.exeC:\Windows\system32\Gofajcog.exe45⤵
- Executes dropped EXE
PID:2392 -
C:\Windows\SysWOW64\Gqendf32.exeC:\Windows\system32\Gqendf32.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:2708 -
C:\Windows\SysWOW64\Gbfklolh.exeC:\Windows\system32\Gbfklolh.exe47⤵
- Executes dropped EXE
PID:1156 -
C:\Windows\SysWOW64\Gmloigln.exeC:\Windows\system32\Gmloigln.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:620 -
C:\Windows\SysWOW64\Gbigao32.exeC:\Windows\system32\Gbigao32.exe49⤵
- Executes dropped EXE
PID:916 -
C:\Windows\SysWOW64\Gkaljdaf.exeC:\Windows\system32\Gkaljdaf.exe50⤵
- Executes dropped EXE
PID:1712 -
C:\Windows\SysWOW64\Gbkdgn32.exeC:\Windows\system32\Gbkdgn32.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2404 -
C:\Windows\SysWOW64\Goodpb32.exeC:\Windows\system32\Goodpb32.exe52⤵
- Executes dropped EXE
PID:1924 -
C:\Windows\SysWOW64\Helmiiec.exeC:\Windows\system32\Helmiiec.exe53⤵
- Executes dropped EXE
PID:2960 -
C:\Windows\SysWOW64\Hndaao32.exeC:\Windows\system32\Hndaao32.exe54⤵
- Executes dropped EXE
PID:2888 -
C:\Windows\SysWOW64\Hcajjf32.exeC:\Windows\system32\Hcajjf32.exe55⤵
- Executes dropped EXE
PID:2768 -
C:\Windows\SysWOW64\Hminbkql.exeC:\Windows\system32\Hminbkql.exe56⤵
- Executes dropped EXE
PID:2936 -
C:\Windows\SysWOW64\Hccfoehi.exeC:\Windows\system32\Hccfoehi.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2776 -
C:\Windows\SysWOW64\Hnikmnho.exeC:\Windows\system32\Hnikmnho.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:2828 -
C:\Windows\SysWOW64\Hjplao32.exeC:\Windows\system32\Hjplao32.exe59⤵
- Executes dropped EXE
PID:1824 -
C:\Windows\SysWOW64\Hchpjddc.exeC:\Windows\system32\Hchpjddc.exe60⤵
- Executes dropped EXE
PID:1248 -
C:\Windows\SysWOW64\Hiehbl32.exeC:\Windows\system32\Hiehbl32.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2984 -
C:\Windows\SysWOW64\Ibmmkaik.exeC:\Windows\system32\Ibmmkaik.exe62⤵
- Executes dropped EXE
PID:932 -
C:\Windows\SysWOW64\Ilfadg32.exeC:\Windows\system32\Ilfadg32.exe63⤵
- Executes dropped EXE
PID:2172 -
C:\Windows\SysWOW64\Ifkfap32.exeC:\Windows\system32\Ifkfap32.exe64⤵
- Executes dropped EXE
PID:2660 -
C:\Windows\SysWOW64\Infjfblm.exeC:\Windows\system32\Infjfblm.exe65⤵
- Executes dropped EXE
PID:2244 -
C:\Windows\SysWOW64\Ieqbbl32.exeC:\Windows\system32\Ieqbbl32.exe66⤵PID:976
-
C:\Windows\SysWOW64\Ijmkkc32.exeC:\Windows\system32\Ijmkkc32.exe67⤵PID:1352
-
C:\Windows\SysWOW64\Idepdhia.exeC:\Windows\system32\Idepdhia.exe68⤵
- System Location Discovery: System Language Discovery
PID:1840 -
C:\Windows\SysWOW64\Iokdaa32.exeC:\Windows\system32\Iokdaa32.exe69⤵PID:3044
-
C:\Windows\SysWOW64\Ieelnkpd.exeC:\Windows\system32\Ieelnkpd.exe70⤵PID:2508
-
C:\Windows\SysWOW64\Jjbdfbnl.exeC:\Windows\system32\Jjbdfbnl.exe71⤵PID:2824
-
C:\Windows\SysWOW64\Jpomnilc.exeC:\Windows\system32\Jpomnilc.exe72⤵PID:2948
-
C:\Windows\SysWOW64\Jfiekc32.exeC:\Windows\system32\Jfiekc32.exe73⤵PID:2848
-
C:\Windows\SysWOW64\Jpajdi32.exeC:\Windows\system32\Jpajdi32.exe74⤵PID:1796
-
C:\Windows\SysWOW64\Jkfnaa32.exeC:\Windows\system32\Jkfnaa32.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2712 -
C:\Windows\SysWOW64\Jpcfih32.exeC:\Windows\system32\Jpcfih32.exe76⤵PID:2852
-
C:\Windows\SysWOW64\Jgmofbpk.exeC:\Windows\system32\Jgmofbpk.exe77⤵PID:3020
-
C:\Windows\SysWOW64\Jljgni32.exeC:\Windows\system32\Jljgni32.exe78⤵PID:2552
-
C:\Windows\SysWOW64\Jbdokceo.exeC:\Windows\system32\Jbdokceo.exe79⤵PID:3024
-
C:\Windows\SysWOW64\Kphpdhdh.exeC:\Windows\system32\Kphpdhdh.exe80⤵PID:2196
-
C:\Windows\SysWOW64\Keehmobp.exeC:\Windows\system32\Keehmobp.exe81⤵PID:2256
-
C:\Windows\SysWOW64\Kaliaphd.exeC:\Windows\system32\Kaliaphd.exe82⤵PID:1644
-
C:\Windows\SysWOW64\Klamohhj.exeC:\Windows\system32\Klamohhj.exe83⤵PID:1260
-
C:\Windows\SysWOW64\Kdlbckee.exeC:\Windows\system32\Kdlbckee.exe84⤵PID:396
-
C:\Windows\SysWOW64\Kobfqc32.exeC:\Windows\system32\Kobfqc32.exe85⤵PID:1480
-
C:\Windows\SysWOW64\Kpcbhlki.exeC:\Windows\system32\Kpcbhlki.exe86⤵
- Modifies registry class
PID:1280 -
C:\Windows\SysWOW64\Kngcbpjc.exeC:\Windows\system32\Kngcbpjc.exe87⤵PID:2420
-
C:\Windows\SysWOW64\Lgphke32.exeC:\Windows\system32\Lgphke32.exe88⤵
- Modifies registry class
PID:2328 -
C:\Windows\SysWOW64\Lllpclnk.exeC:\Windows\system32\Lllpclnk.exe89⤵PID:2856
-
C:\Windows\SysWOW64\Lfedlb32.exeC:\Windows\system32\Lfedlb32.exe90⤵PID:2456
-
C:\Windows\SysWOW64\Lpjiik32.exeC:\Windows\system32\Lpjiik32.exe91⤵PID:2868
-
C:\Windows\SysWOW64\Lhenmm32.exeC:\Windows\system32\Lhenmm32.exe92⤵PID:2788
-
C:\Windows\SysWOW64\Ljejgp32.exeC:\Windows\system32\Ljejgp32.exe93⤵PID:2360
-
C:\Windows\SysWOW64\Lcmopepp.exeC:\Windows\system32\Lcmopepp.exe94⤵PID:1800
-
C:\Windows\SysWOW64\Lhjghlng.exeC:\Windows\system32\Lhjghlng.exe95⤵PID:2220
-
C:\Windows\SysWOW64\Mfngbq32.exeC:\Windows\system32\Mfngbq32.exe96⤵
- Drops file in System32 directory
PID:952 -
C:\Windows\SysWOW64\Mkkpjg32.exeC:\Windows\system32\Mkkpjg32.exe97⤵PID:2568
-
C:\Windows\SysWOW64\Mdcdcmai.exeC:\Windows\system32\Mdcdcmai.exe98⤵PID:2480
-
C:\Windows\SysWOW64\Mjpmkdpp.exeC:\Windows\system32\Mjpmkdpp.exe99⤵PID:2388
-
C:\Windows\SysWOW64\Mgdmeh32.exeC:\Windows\system32\Mgdmeh32.exe100⤵PID:2704
-
C:\Windows\SysWOW64\Mnneabff.exeC:\Windows\system32\Mnneabff.exe101⤵PID:2520
-
C:\Windows\SysWOW64\Mcknjidn.exeC:\Windows\system32\Mcknjidn.exe102⤵PID:1652
-
C:\Windows\SysWOW64\Mmcbbo32.exeC:\Windows\system32\Mmcbbo32.exe103⤵PID:1384
-
C:\Windows\SysWOW64\Mflgkd32.exeC:\Windows\system32\Mflgkd32.exe104⤵PID:1592
-
C:\Windows\SysWOW64\Nmeohnil.exeC:\Windows\system32\Nmeohnil.exe105⤵PID:2320
-
C:\Windows\SysWOW64\Nilpmo32.exeC:\Windows\system32\Nilpmo32.exe106⤵PID:1252
-
C:\Windows\SysWOW64\Npfhjifm.exeC:\Windows\system32\Npfhjifm.exe107⤵PID:2820
-
C:\Windows\SysWOW64\Nlmiojla.exeC:\Windows\system32\Nlmiojla.exe108⤵PID:2596
-
C:\Windows\SysWOW64\Nbgakd32.exeC:\Windows\system32\Nbgakd32.exe109⤵PID:1724
-
C:\Windows\SysWOW64\Niaihojk.exeC:\Windows\system32\Niaihojk.exe110⤵
- Modifies registry class
PID:2684 -
C:\Windows\SysWOW64\Nbinad32.exeC:\Windows\system32\Nbinad32.exe111⤵PID:1512
-
C:\Windows\SysWOW64\Nlabjj32.exeC:\Windows\system32\Nlabjj32.exe112⤵PID:920
-
C:\Windows\SysWOW64\Nnpofe32.exeC:\Windows\system32\Nnpofe32.exe113⤵PID:1648
-
C:\Windows\SysWOW64\Oldooi32.exeC:\Windows\system32\Oldooi32.exe114⤵PID:2840
-
C:\Windows\SysWOW64\Omekgakg.exeC:\Windows\system32\Omekgakg.exe115⤵PID:2588
-
C:\Windows\SysWOW64\Ohkpdj32.exeC:\Windows\system32\Ohkpdj32.exe116⤵PID:2808
-
C:\Windows\SysWOW64\Omhhma32.exeC:\Windows\system32\Omhhma32.exe117⤵
- Drops file in System32 directory
PID:2124 -
C:\Windows\SysWOW64\Ohmljj32.exeC:\Windows\system32\Ohmljj32.exe118⤵PID:1500
-
C:\Windows\SysWOW64\Obijpgcf.exeC:\Windows\system32\Obijpgcf.exe119⤵PID:1896
-
C:\Windows\SysWOW64\Ppmkilbp.exeC:\Windows\system32\Ppmkilbp.exe120⤵
- System Location Discovery: System Language Discovery
PID:1852 -
C:\Windows\SysWOW64\Pejcab32.exeC:\Windows\system32\Pejcab32.exe121⤵PID:2204
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-