Analysis
-
max time kernel
117s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
20/11/2024, 02:53
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
9ab787cef46a7d76741844547b892ed44a8d2cb8edae7354b368e5821869c4e6.exe
Resource
win7-20240903-en
windows7-x64
11 signatures
120 seconds
Behavioral task
behavioral2
Sample
9ab787cef46a7d76741844547b892ed44a8d2cb8edae7354b368e5821869c4e6.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
8 signatures
120 seconds
General
-
Target
9ab787cef46a7d76741844547b892ed44a8d2cb8edae7354b368e5821869c4e6.exe
-
Size
113KB
-
MD5
14f4cda0fedbcfaf6e7778dac9374412
-
SHA1
bb95400bd196a3b967df23eb7ddd001144b994bf
-
SHA256
9ab787cef46a7d76741844547b892ed44a8d2cb8edae7354b368e5821869c4e6
-
SHA512
55a9735b3398e105686d67157b813fb19684310bff2e4e5acc2fa4670b570d6510f6f189388172d1d9077bf4e2129e3950418c59e5a80a5d3f55df54f899dd75
-
SSDEEP
3072:Sqij0y8VIDdsu0OuGkZFfFSebHWrH8wTW0v:Sqij0PVIZsuJ7otSeWrPn
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://tat-neftbank.ru/kkq.php
http://tat-neftbank.ru/wcmd.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ekhkjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gegabegc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lqejbiim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oeehln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Abhkfg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bffpki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hlccdboi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jagnlkjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aihfap32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mqpflg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmcjhdbc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgmahg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qobbofgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cmpgpond.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eqjmncna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dogpdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fdpkbf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hanogipc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnbopmnm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajqljc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eoiiijcc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oippjl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Foccjood.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bffpki32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmbfggdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hemqpf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pplaki32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmmagpef.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Affdle32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbpdeogo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mchoid32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oiljam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jbcjnnpl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkgahoel.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpdjaecc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aaimopli.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpjkiogm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ldllgiek.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plolgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkbaii32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dacpkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkoicb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bceibfgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eelkeeah.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldpbpgoh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pcljmdmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eoajel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Omefkplm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dacpkc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggnmbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Odgamdef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dkqnoh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pggdejno.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Goiehm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfmndn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jckgicnp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qaqnkafa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agolnbok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhgkil32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkqnoh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgfjhcge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nbniid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Becpap32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmfbpk32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2128 Mpgmijgc.exe 3044 Mfaefd32.exe 2788 Mioabp32.exe 2860 Nhgkil32.exe 2920 Nocpkf32.exe 2592 Nadimacd.exe 1844 Opifnm32.exe 1472 Oiakgcnl.exe 2024 Oehklddp.exe 1928 Oaaifdhb.exe 2772 Pdbahpec.exe 1352 Pohfehdi.exe 2052 Pahogc32.exe 2968 Pnopldgn.exe 1300 Pggdejno.exe 1140 Pdldnomh.exe 2392 Qogbdl32.exe 2180 Afajafoa.exe 2108 Abhkfg32.exe 2140 Afdgfelo.exe 752 Affdle32.exe 2900 Aapemc32.exe 556 Aekqmbod.exe 344 Aennba32.exe 3060 Bnhoag32.exe 2312 Bpjkiogm.exe 1356 Bffpki32.exe 2396 Blchcpko.exe 2804 Bfhmqhkd.exe 2952 Cemjae32.exe 2880 Clgbno32.exe 2652 Cbdgqimc.exe 1688 Cmmhaf32.exe 1636 Cdgpnqpo.exe 1648 Cdjmcpnl.exe 2040 Dlgnmb32.exe 1248 Ddnfop32.exe 2144 Dohgomgf.exe 2276 Dinklffl.exe 2284 Dlndnacm.exe 1612 Ekcaonhe.exe 2924 Eoajel32.exe 2120 Ekhkjm32.exe 2212 Eabcggll.exe 1580 Ekjgpm32.exe 1340 Elldgehk.exe 896 Eqjmncna.exe 1104 Fgcejm32.exe 2528 Fjbafi32.exe 1052 Foojop32.exe 2432 Fbmfkkbm.exe 1680 Fjdnlhco.exe 2372 Fmcjhdbc.exe 2688 Fcmben32.exe 2452 Fbpbpkpj.exe 2856 Fmegncpp.exe 1480 Foccjood.exe 2844 Fdpkbf32.exe 2832 Fkjdopeh.exe 1904 Fqglggcp.exe 1644 Fgadda32.exe 2236 Gnkmqkbi.exe 888 Ggcaiqhj.exe 1948 Gmpjagfa.exe -
Loads dropped DLL 64 IoCs
pid Process 1984 9ab787cef46a7d76741844547b892ed44a8d2cb8edae7354b368e5821869c4e6.exe 1984 9ab787cef46a7d76741844547b892ed44a8d2cb8edae7354b368e5821869c4e6.exe 2128 Mpgmijgc.exe 2128 Mpgmijgc.exe 3044 Mfaefd32.exe 3044 Mfaefd32.exe 2788 Mioabp32.exe 2788 Mioabp32.exe 2860 Nhgkil32.exe 2860 Nhgkil32.exe 2920 Nocpkf32.exe 2920 Nocpkf32.exe 2592 Nadimacd.exe 2592 Nadimacd.exe 1844 Opifnm32.exe 1844 Opifnm32.exe 1472 Oiakgcnl.exe 1472 Oiakgcnl.exe 2024 Oehklddp.exe 2024 Oehklddp.exe 1928 Oaaifdhb.exe 1928 Oaaifdhb.exe 2772 Pdbahpec.exe 2772 Pdbahpec.exe 1352 Pohfehdi.exe 1352 Pohfehdi.exe 2052 Pahogc32.exe 2052 Pahogc32.exe 2968 Pnopldgn.exe 2968 Pnopldgn.exe 1300 Pggdejno.exe 1300 Pggdejno.exe 1140 Pdldnomh.exe 1140 Pdldnomh.exe 2392 Qogbdl32.exe 2392 Qogbdl32.exe 2180 Afajafoa.exe 2180 Afajafoa.exe 2108 Abhkfg32.exe 2108 Abhkfg32.exe 2140 Afdgfelo.exe 2140 Afdgfelo.exe 752 Affdle32.exe 752 Affdle32.exe 2900 Aapemc32.exe 2900 Aapemc32.exe 556 Aekqmbod.exe 556 Aekqmbod.exe 344 Aennba32.exe 344 Aennba32.exe 3060 Bnhoag32.exe 3060 Bnhoag32.exe 2312 Bpjkiogm.exe 2312 Bpjkiogm.exe 1356 Bffpki32.exe 1356 Bffpki32.exe 2396 Blchcpko.exe 2396 Blchcpko.exe 2804 Bfhmqhkd.exe 2804 Bfhmqhkd.exe 2952 Cemjae32.exe 2952 Cemjae32.exe 2880 Clgbno32.exe 2880 Clgbno32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Hpbdmo32.exe Hemqpf32.exe File opened for modification C:\Windows\SysWOW64\Lbafdlod.exe Lldmleam.exe File opened for modification C:\Windows\SysWOW64\Ggcaiqhj.exe Gnkmqkbi.exe File created C:\Windows\SysWOW64\Hegnahjo.exe Hnmeen32.exe File created C:\Windows\SysWOW64\Ibfaopoi.exe Imiigiab.exe File created C:\Windows\SysWOW64\Afbqkf32.dll Micklk32.exe File created C:\Windows\SysWOW64\Khghgchk.exe Jehlkhig.exe File created C:\Windows\SysWOW64\Nenkqi32.exe Nmfbpk32.exe File created C:\Windows\SysWOW64\Hibjbgbh.exe Hegnahjo.exe File created C:\Windows\SysWOW64\Lneaqn32.exe Ljieppcb.exe File created C:\Windows\SysWOW64\Qqfkln32.exe Qkibcg32.exe File created C:\Windows\SysWOW64\Hcigco32.exe Hmoofdea.exe File created C:\Windows\SysWOW64\Aqonbm32.exe Aihfap32.exe File created C:\Windows\SysWOW64\Behilopf.exe Bbjmpcab.exe File opened for modification C:\Windows\SysWOW64\Cdjmcpnl.exe Cdgpnqpo.exe File opened for modification C:\Windows\SysWOW64\Kbgjkn32.exe Kkmand32.exe File created C:\Windows\SysWOW64\Agbpnh32.exe Adcdbl32.exe File created C:\Windows\SysWOW64\Ejgccq32.dll Ackmih32.exe File created C:\Windows\SysWOW64\Jncnhl32.dll Mcnbhb32.exe File opened for modification C:\Windows\SysWOW64\Pnbojmmp.exe Pcljmdmj.exe File created C:\Windows\SysWOW64\Bmlael32.exe Bjmeiq32.exe File created C:\Windows\SysWOW64\Oghnkh32.dll Bmbgfkje.exe File opened for modification C:\Windows\SysWOW64\Lghlndfa.exe Ldjpbign.exe File created C:\Windows\SysWOW64\Miehak32.exe Mchoid32.exe File opened for modification C:\Windows\SysWOW64\Aihfap32.exe Ackmih32.exe File opened for modification C:\Windows\SysWOW64\Ecploipa.exe Elfcbo32.exe File opened for modification C:\Windows\SysWOW64\Llbqfe32.exe Lfhhjklc.exe File created C:\Windows\SysWOW64\Oemgplgo.exe Oococb32.exe File created C:\Windows\SysWOW64\Hqjpab32.dll Agolnbok.exe File opened for modification C:\Windows\SysWOW64\Fcmben32.exe Fmcjhdbc.exe File created C:\Windows\SysWOW64\Dkigoimd.exe Demofaol.exe File created C:\Windows\SysWOW64\Famope32.exe Fkbgckgd.exe File created C:\Windows\SysWOW64\Jdnmma32.exe Jaoqqflp.exe File created C:\Windows\SysWOW64\Odedge32.exe Oaghki32.exe File created C:\Windows\SysWOW64\Mngjeamd.exe Mgmahg32.exe File created C:\Windows\SysWOW64\Fcnkhmdp.exe Famope32.exe File created C:\Windows\SysWOW64\Cefhdnca.dll Kgclio32.exe File created C:\Windows\SysWOW64\Lnhgim32.exe Ldpbpgoh.exe File created C:\Windows\SysWOW64\Jckgicnp.exe Jaijak32.exe File created C:\Windows\SysWOW64\Ppdlmc32.dll Ldoimh32.exe File opened for modification C:\Windows\SysWOW64\Hnjbeh32.exe Hgpjhn32.exe File opened for modification C:\Windows\SysWOW64\Ajqljc32.exe Agbpnh32.exe File created C:\Windows\SysWOW64\Ckndebll.dll Bceibfgj.exe File created C:\Windows\SysWOW64\Lmajfk32.dll Cfkloq32.exe File created C:\Windows\SysWOW64\Ojbapc32.dll Pnopldgn.exe File created C:\Windows\SysWOW64\Cmqmci32.dll Fjdnlhco.exe File opened for modification C:\Windows\SysWOW64\Meabakda.exe Mngjeamd.exe File opened for modification C:\Windows\SysWOW64\Nfnneb32.exe Npdfhhhe.exe File opened for modification C:\Windows\SysWOW64\Gmpjagfa.exe Ggcaiqhj.exe File created C:\Windows\SysWOW64\Knjmll32.dll Copjdhib.exe File created C:\Windows\SysWOW64\Dgdfdnfj.dll Gbohehoj.exe File created C:\Windows\SysWOW64\Hnjbeh32.exe Hgpjhn32.exe File created C:\Windows\SysWOW64\Dogpdg32.exe Ddblgn32.exe File created C:\Windows\SysWOW64\Ifjlcmmj.exe Ippdgc32.exe File created C:\Windows\SysWOW64\Pidfdofi.exe Pgfjhcge.exe File created C:\Windows\SysWOW64\Mfakaoam.dll Bmpkqklh.exe File created C:\Windows\SysWOW64\Labehg32.dll 9ab787cef46a7d76741844547b892ed44a8d2cb8edae7354b368e5821869c4e6.exe File opened for modification C:\Windows\SysWOW64\Nocpkf32.exe Nhgkil32.exe File created C:\Windows\SysWOW64\Nnoiph32.dll Oioggmmc.exe File created C:\Windows\SysWOW64\Bbjmpcab.exe Biaign32.exe File created C:\Windows\SysWOW64\Mfmndn32.exe Mcnbhb32.exe File created C:\Windows\SysWOW64\Ddnfop32.exe Dlgnmb32.exe File created C:\Windows\SysWOW64\Pljcllqe.exe Pkifdd32.exe File created C:\Windows\SysWOW64\Cpnidcen.dll Ccdmnj32.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File opened for modification C:\Windows\system32†Dfkhndca.¿xe Dpapaj32.exe File created C:\Windows\system32†Dfkhndca.¿xe Dpapaj32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5184 5152 WerFault.exe 464 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgcejm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfhnjm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcdkif32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qppkfhlc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nallalep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcopdb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcecbq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpgmijgc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oiakgcnl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmpjagfa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkigoimd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dohgomgf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfnneb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Becpap32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agolnbok.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aoagccfn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jckgicnp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dahifbpk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Napbjjom.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odgamdef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eabcggll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhakcfab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpapaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oiljam32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lohccp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifoqjo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aqonbm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oococb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbbpenco.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cepipm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oehklddp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akkoig32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpkmcldj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbafdlod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbblda32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abhkfg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nijnln32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dejbqb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhgnaehm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpopnejo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qqfkln32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fajbke32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnbdko32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhpglecl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmicfh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nenkqi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfhhjklc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oippjl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhjlli32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cagienkb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aapemc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgadda32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ioooiack.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dafmqb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkaghg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gonocmbi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdldnomh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgoboc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfmndn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cemjae32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgaaah32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihbcmaje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khcomhbi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajgbkbjp.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hmjlhfof.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hbfepmmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocddja32.dll" Eppcmncq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jojfgkfk.dll" Gkpfmnlb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aoojnc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aennba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jenpajfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Plolgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjkgob32.dll" Dogpdg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hmoofdea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abbfnh32.dll" Fgadda32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gegabegc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Njpgpbpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cjjkpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ofhjopbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecinnn32.dll" Padhdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aopjkjhh.dll" Jaeafklf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehjkan32.dll" Dbifnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpjmnknl.dll" Fkecij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhebgh32.dll" Khghgchk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lfpeeqig.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nhakcfab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnoiph32.dll" Oioggmmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgaebl32.dll" Kfkpknkq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iflmjihl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dkqnoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ijehdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpenkfbe.dll" Eabcggll.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mngjeamd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mjpkqonj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pecgea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jajjnjlc.dll" Cehfkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dejbqb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gfhgpg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oococb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mkaghg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbijlpke.dll" Gjfgqk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqbbglbj.dll" Kcopdb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mpopnejo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bgblmk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dahifbpk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cegoqlof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohceeg32.dll" Ecploipa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qobbofgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lfhhjklc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Coamkc32.dll" Mdghaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mdghaf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fbpbpkpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Doiddc32.dll" Imnbbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jbpdeogo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ldllgiek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bnqned32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgfklg32.dll" Ijclol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nfoghakb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nhgkil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hibjbgbh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Idadnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Omcifpnp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oippjl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cgaaah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hhcmhdke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfomkg32.dll" Hjipenda.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Knbhlkkc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pdmnam32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1984 wrote to memory of 2128 1984 9ab787cef46a7d76741844547b892ed44a8d2cb8edae7354b368e5821869c4e6.exe 30 PID 1984 wrote to memory of 2128 1984 9ab787cef46a7d76741844547b892ed44a8d2cb8edae7354b368e5821869c4e6.exe 30 PID 1984 wrote to memory of 2128 1984 9ab787cef46a7d76741844547b892ed44a8d2cb8edae7354b368e5821869c4e6.exe 30 PID 1984 wrote to memory of 2128 1984 9ab787cef46a7d76741844547b892ed44a8d2cb8edae7354b368e5821869c4e6.exe 30 PID 2128 wrote to memory of 3044 2128 Mpgmijgc.exe 31 PID 2128 wrote to memory of 3044 2128 Mpgmijgc.exe 31 PID 2128 wrote to memory of 3044 2128 Mpgmijgc.exe 31 PID 2128 wrote to memory of 3044 2128 Mpgmijgc.exe 31 PID 3044 wrote to memory of 2788 3044 Mfaefd32.exe 32 PID 3044 wrote to memory of 2788 3044 Mfaefd32.exe 32 PID 3044 wrote to memory of 2788 3044 Mfaefd32.exe 32 PID 3044 wrote to memory of 2788 3044 Mfaefd32.exe 32 PID 2788 wrote to memory of 2860 2788 Mioabp32.exe 33 PID 2788 wrote to memory of 2860 2788 Mioabp32.exe 33 PID 2788 wrote to memory of 2860 2788 Mioabp32.exe 33 PID 2788 wrote to memory of 2860 2788 Mioabp32.exe 33 PID 2860 wrote to memory of 2920 2860 Nhgkil32.exe 34 PID 2860 wrote to memory of 2920 2860 Nhgkil32.exe 34 PID 2860 wrote to memory of 2920 2860 Nhgkil32.exe 34 PID 2860 wrote to memory of 2920 2860 Nhgkil32.exe 34 PID 2920 wrote to memory of 2592 2920 Nocpkf32.exe 35 PID 2920 wrote to memory of 2592 2920 Nocpkf32.exe 35 PID 2920 wrote to memory of 2592 2920 Nocpkf32.exe 35 PID 2920 wrote to memory of 2592 2920 Nocpkf32.exe 35 PID 2592 wrote to memory of 1844 2592 Nadimacd.exe 36 PID 2592 wrote to memory of 1844 2592 Nadimacd.exe 36 PID 2592 wrote to memory of 1844 2592 Nadimacd.exe 36 PID 2592 wrote to memory of 1844 2592 Nadimacd.exe 36 PID 1844 wrote to memory of 1472 1844 Opifnm32.exe 37 PID 1844 wrote to memory of 1472 1844 Opifnm32.exe 37 PID 1844 wrote to memory of 1472 1844 Opifnm32.exe 37 PID 1844 wrote to memory of 1472 1844 Opifnm32.exe 37 PID 1472 wrote to memory of 2024 1472 Oiakgcnl.exe 38 PID 1472 wrote to memory of 2024 1472 Oiakgcnl.exe 38 PID 1472 wrote to memory of 2024 1472 Oiakgcnl.exe 38 PID 1472 wrote to memory of 2024 1472 Oiakgcnl.exe 38 PID 2024 wrote to memory of 1928 2024 Oehklddp.exe 39 PID 2024 wrote to memory of 1928 2024 Oehklddp.exe 39 PID 2024 wrote to memory of 1928 2024 Oehklddp.exe 39 PID 2024 wrote to memory of 1928 2024 Oehklddp.exe 39 PID 1928 wrote to memory of 2772 1928 Oaaifdhb.exe 40 PID 1928 wrote to memory of 2772 1928 Oaaifdhb.exe 40 PID 1928 wrote to memory of 2772 1928 Oaaifdhb.exe 40 PID 1928 wrote to memory of 2772 1928 Oaaifdhb.exe 40 PID 2772 wrote to memory of 1352 2772 Pdbahpec.exe 41 PID 2772 wrote to memory of 1352 2772 Pdbahpec.exe 41 PID 2772 wrote to memory of 1352 2772 Pdbahpec.exe 41 PID 2772 wrote to memory of 1352 2772 Pdbahpec.exe 41 PID 1352 wrote to memory of 2052 1352 Pohfehdi.exe 42 PID 1352 wrote to memory of 2052 1352 Pohfehdi.exe 42 PID 1352 wrote to memory of 2052 1352 Pohfehdi.exe 42 PID 1352 wrote to memory of 2052 1352 Pohfehdi.exe 42 PID 2052 wrote to memory of 2968 2052 Pahogc32.exe 43 PID 2052 wrote to memory of 2968 2052 Pahogc32.exe 43 PID 2052 wrote to memory of 2968 2052 Pahogc32.exe 43 PID 2052 wrote to memory of 2968 2052 Pahogc32.exe 43 PID 2968 wrote to memory of 1300 2968 Pnopldgn.exe 44 PID 2968 wrote to memory of 1300 2968 Pnopldgn.exe 44 PID 2968 wrote to memory of 1300 2968 Pnopldgn.exe 44 PID 2968 wrote to memory of 1300 2968 Pnopldgn.exe 44 PID 1300 wrote to memory of 1140 1300 Pggdejno.exe 45 PID 1300 wrote to memory of 1140 1300 Pggdejno.exe 45 PID 1300 wrote to memory of 1140 1300 Pggdejno.exe 45 PID 1300 wrote to memory of 1140 1300 Pggdejno.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\9ab787cef46a7d76741844547b892ed44a8d2cb8edae7354b368e5821869c4e6.exe"C:\Users\Admin\AppData\Local\Temp\9ab787cef46a7d76741844547b892ed44a8d2cb8edae7354b368e5821869c4e6.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1984 -
C:\Windows\SysWOW64\Mpgmijgc.exeC:\Windows\system32\Mpgmijgc.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2128 -
C:\Windows\SysWOW64\Mfaefd32.exeC:\Windows\system32\Mfaefd32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3044 -
C:\Windows\SysWOW64\Mioabp32.exeC:\Windows\system32\Mioabp32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2788 -
C:\Windows\SysWOW64\Nhgkil32.exeC:\Windows\system32\Nhgkil32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2860 -
C:\Windows\SysWOW64\Nocpkf32.exeC:\Windows\system32\Nocpkf32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2920 -
C:\Windows\SysWOW64\Nadimacd.exeC:\Windows\system32\Nadimacd.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2592 -
C:\Windows\SysWOW64\Opifnm32.exeC:\Windows\system32\Opifnm32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1844 -
C:\Windows\SysWOW64\Oiakgcnl.exeC:\Windows\system32\Oiakgcnl.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1472 -
C:\Windows\SysWOW64\Oehklddp.exeC:\Windows\system32\Oehklddp.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2024 -
C:\Windows\SysWOW64\Oaaifdhb.exeC:\Windows\system32\Oaaifdhb.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1928 -
C:\Windows\SysWOW64\Pdbahpec.exeC:\Windows\system32\Pdbahpec.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2772 -
C:\Windows\SysWOW64\Pohfehdi.exeC:\Windows\system32\Pohfehdi.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1352 -
C:\Windows\SysWOW64\Pahogc32.exeC:\Windows\system32\Pahogc32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2052 -
C:\Windows\SysWOW64\Pnopldgn.exeC:\Windows\system32\Pnopldgn.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2968 -
C:\Windows\SysWOW64\Pggdejno.exeC:\Windows\system32\Pggdejno.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1300 -
C:\Windows\SysWOW64\Pdldnomh.exeC:\Windows\system32\Pdldnomh.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1140 -
C:\Windows\SysWOW64\Qogbdl32.exeC:\Windows\system32\Qogbdl32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2392 -
C:\Windows\SysWOW64\Afajafoa.exeC:\Windows\system32\Afajafoa.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2180 -
C:\Windows\SysWOW64\Abhkfg32.exeC:\Windows\system32\Abhkfg32.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2108 -
C:\Windows\SysWOW64\Afdgfelo.exeC:\Windows\system32\Afdgfelo.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2140 -
C:\Windows\SysWOW64\Affdle32.exeC:\Windows\system32\Affdle32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:752 -
C:\Windows\SysWOW64\Aapemc32.exeC:\Windows\system32\Aapemc32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2900 -
C:\Windows\SysWOW64\Aekqmbod.exeC:\Windows\system32\Aekqmbod.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:556 -
C:\Windows\SysWOW64\Aennba32.exeC:\Windows\system32\Aennba32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:344 -
C:\Windows\SysWOW64\Bnhoag32.exeC:\Windows\system32\Bnhoag32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3060 -
C:\Windows\SysWOW64\Bpjkiogm.exeC:\Windows\system32\Bpjkiogm.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2312 -
C:\Windows\SysWOW64\Bffpki32.exeC:\Windows\system32\Bffpki32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1356 -
C:\Windows\SysWOW64\Blchcpko.exeC:\Windows\system32\Blchcpko.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2396 -
C:\Windows\SysWOW64\Bfhmqhkd.exeC:\Windows\system32\Bfhmqhkd.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2804 -
C:\Windows\SysWOW64\Cemjae32.exeC:\Windows\system32\Cemjae32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2952 -
C:\Windows\SysWOW64\Clgbno32.exeC:\Windows\system32\Clgbno32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2880 -
C:\Windows\SysWOW64\Cbdgqimc.exeC:\Windows\system32\Cbdgqimc.exe33⤵
- Executes dropped EXE
PID:2652 -
C:\Windows\SysWOW64\Cmmhaf32.exeC:\Windows\system32\Cmmhaf32.exe34⤵
- Executes dropped EXE
PID:1688 -
C:\Windows\SysWOW64\Cdgpnqpo.exeC:\Windows\system32\Cdgpnqpo.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1636 -
C:\Windows\SysWOW64\Cdjmcpnl.exeC:\Windows\system32\Cdjmcpnl.exe36⤵
- Executes dropped EXE
PID:1648 -
C:\Windows\SysWOW64\Dlgnmb32.exeC:\Windows\system32\Dlgnmb32.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2040 -
C:\Windows\SysWOW64\Ddnfop32.exeC:\Windows\system32\Ddnfop32.exe38⤵
- Executes dropped EXE
PID:1248 -
C:\Windows\SysWOW64\Dohgomgf.exeC:\Windows\system32\Dohgomgf.exe39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2144 -
C:\Windows\SysWOW64\Dinklffl.exeC:\Windows\system32\Dinklffl.exe40⤵
- Executes dropped EXE
PID:2276 -
C:\Windows\SysWOW64\Dlndnacm.exeC:\Windows\system32\Dlndnacm.exe41⤵
- Executes dropped EXE
PID:2284 -
C:\Windows\SysWOW64\Ekcaonhe.exeC:\Windows\system32\Ekcaonhe.exe42⤵
- Executes dropped EXE
PID:1612 -
C:\Windows\SysWOW64\Eoajel32.exeC:\Windows\system32\Eoajel32.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2924 -
C:\Windows\SysWOW64\Ekhkjm32.exeC:\Windows\system32\Ekhkjm32.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2120 -
C:\Windows\SysWOW64\Eabcggll.exeC:\Windows\system32\Eabcggll.exe45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2212 -
C:\Windows\SysWOW64\Ekjgpm32.exeC:\Windows\system32\Ekjgpm32.exe46⤵
- Executes dropped EXE
PID:1580 -
C:\Windows\SysWOW64\Elldgehk.exeC:\Windows\system32\Elldgehk.exe47⤵
- Executes dropped EXE
PID:1340 -
C:\Windows\SysWOW64\Eqjmncna.exeC:\Windows\system32\Eqjmncna.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:896 -
C:\Windows\SysWOW64\Fgcejm32.exeC:\Windows\system32\Fgcejm32.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1104 -
C:\Windows\SysWOW64\Fjbafi32.exeC:\Windows\system32\Fjbafi32.exe50⤵
- Executes dropped EXE
PID:2528 -
C:\Windows\SysWOW64\Foojop32.exeC:\Windows\system32\Foojop32.exe51⤵
- Executes dropped EXE
PID:1052 -
C:\Windows\SysWOW64\Fbmfkkbm.exeC:\Windows\system32\Fbmfkkbm.exe52⤵
- Executes dropped EXE
PID:2432 -
C:\Windows\SysWOW64\Fjdnlhco.exeC:\Windows\system32\Fjdnlhco.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1680 -
C:\Windows\SysWOW64\Fmcjhdbc.exeC:\Windows\system32\Fmcjhdbc.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2372 -
C:\Windows\SysWOW64\Fcmben32.exeC:\Windows\system32\Fcmben32.exe55⤵
- Executes dropped EXE
PID:2688 -
C:\Windows\SysWOW64\Fbpbpkpj.exeC:\Windows\system32\Fbpbpkpj.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:2452 -
C:\Windows\SysWOW64\Fmegncpp.exeC:\Windows\system32\Fmegncpp.exe57⤵
- Executes dropped EXE
PID:2856 -
C:\Windows\SysWOW64\Foccjood.exeC:\Windows\system32\Foccjood.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1480 -
C:\Windows\SysWOW64\Fdpkbf32.exeC:\Windows\system32\Fdpkbf32.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2844 -
C:\Windows\SysWOW64\Fkjdopeh.exeC:\Windows\system32\Fkjdopeh.exe60⤵
- Executes dropped EXE
PID:2832 -
C:\Windows\SysWOW64\Fqglggcp.exeC:\Windows\system32\Fqglggcp.exe61⤵
- Executes dropped EXE
PID:1904 -
C:\Windows\SysWOW64\Fgadda32.exeC:\Windows\system32\Fgadda32.exe62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1644 -
C:\Windows\SysWOW64\Gnkmqkbi.exeC:\Windows\system32\Gnkmqkbi.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2236 -
C:\Windows\SysWOW64\Ggcaiqhj.exeC:\Windows\system32\Ggcaiqhj.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:888 -
C:\Windows\SysWOW64\Gmpjagfa.exeC:\Windows\system32\Gmpjagfa.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1948 -
C:\Windows\SysWOW64\Gegabegc.exeC:\Windows\system32\Gegabegc.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1804 -
C:\Windows\SysWOW64\Gfhnjm32.exeC:\Windows\system32\Gfhnjm32.exe67⤵
- System Location Discovery: System Language Discovery
PID:580 -
C:\Windows\SysWOW64\Gmbfggdo.exeC:\Windows\system32\Gmbfggdo.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2264 -
C:\Windows\SysWOW64\Gjfgqk32.exeC:\Windows\system32\Gjfgqk32.exe69⤵
- Modifies registry class
PID:836 -
C:\Windows\SysWOW64\Gmecmg32.exeC:\Windows\system32\Gmecmg32.exe70⤵PID:352
-
C:\Windows\SysWOW64\Gbaken32.exeC:\Windows\system32\Gbaken32.exe71⤵PID:2976
-
C:\Windows\SysWOW64\Gjicfk32.exeC:\Windows\system32\Gjicfk32.exe72⤵PID:1260
-
C:\Windows\SysWOW64\Gbdhjm32.exeC:\Windows\system32\Gbdhjm32.exe73⤵PID:1968
-
C:\Windows\SysWOW64\Hmjlhfof.exeC:\Windows\system32\Hmjlhfof.exe74⤵
- Modifies registry class
PID:2748 -
C:\Windows\SysWOW64\Hbfepmmn.exeC:\Windows\system32\Hbfepmmn.exe75⤵
- Modifies registry class
PID:2732 -
C:\Windows\SysWOW64\Hfbaql32.exeC:\Windows\system32\Hfbaql32.exe76⤵PID:2672
-
C:\Windows\SysWOW64\Hhcmhdke.exeC:\Windows\system32\Hhcmhdke.exe77⤵
- Modifies registry class
PID:544 -
C:\Windows\SysWOW64\Hnmeen32.exeC:\Windows\system32\Hnmeen32.exe78⤵
- Drops file in System32 directory
PID:1860 -
C:\Windows\SysWOW64\Hegnahjo.exeC:\Windows\system32\Hegnahjo.exe79⤵
- Drops file in System32 directory
PID:2888 -
C:\Windows\SysWOW64\Hibjbgbh.exeC:\Windows\system32\Hibjbgbh.exe80⤵
- Modifies registry class
PID:2656 -
C:\Windows\SysWOW64\Hjdfjo32.exeC:\Windows\system32\Hjdfjo32.exe81⤵PID:2196
-
C:\Windows\SysWOW64\Hanogipc.exeC:\Windows\system32\Hanogipc.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:568 -
C:\Windows\SysWOW64\Hlccdboi.exeC:\Windows\system32\Hlccdboi.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2116 -
C:\Windows\SysWOW64\Hnbopmnm.exeC:\Windows\system32\Hnbopmnm.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:532 -
C:\Windows\SysWOW64\Hhjcic32.exeC:\Windows\system32\Hhjcic32.exe85⤵PID:1308
-
C:\Windows\SysWOW64\Hjipenda.exeC:\Windows\system32\Hjipenda.exe86⤵
- Modifies registry class
PID:940 -
C:\Windows\SysWOW64\Idadnd32.exeC:\Windows\system32\Idadnd32.exe87⤵
- Modifies registry class
PID:2036 -
C:\Windows\SysWOW64\Ifoqjo32.exeC:\Windows\system32\Ifoqjo32.exe88⤵
- System Location Discovery: System Language Discovery
PID:876 -
C:\Windows\SysWOW64\Imiigiab.exeC:\Windows\system32\Imiigiab.exe89⤵
- Drops file in System32 directory
PID:1572 -
C:\Windows\SysWOW64\Ibfaopoi.exeC:\Windows\system32\Ibfaopoi.exe90⤵PID:2292
-
C:\Windows\SysWOW64\Ijmipn32.exeC:\Windows\system32\Ijmipn32.exe91⤵PID:2728
-
C:\Windows\SysWOW64\Ipjahd32.exeC:\Windows\system32\Ipjahd32.exe92⤵PID:2668
-
C:\Windows\SysWOW64\Iegjqk32.exeC:\Windows\system32\Iegjqk32.exe93⤵PID:3000
-
C:\Windows\SysWOW64\Imnbbi32.exeC:\Windows\system32\Imnbbi32.exe94⤵
- Modifies registry class
PID:1280 -
C:\Windows\SysWOW64\Ioooiack.exeC:\Windows\system32\Ioooiack.exe95⤵
- System Location Discovery: System Language Discovery
PID:1512 -
C:\Windows\SysWOW64\Ieigfk32.exeC:\Windows\system32\Ieigfk32.exe96⤵PID:928
-
C:\Windows\SysWOW64\Ilcoce32.exeC:\Windows\system32\Ilcoce32.exe97⤵PID:2444
-
C:\Windows\SysWOW64\Ibmgpoia.exeC:\Windows\system32\Ibmgpoia.exe98⤵PID:944
-
C:\Windows\SysWOW64\Ielclkhe.exeC:\Windows\system32\Ielclkhe.exe99⤵PID:1760
-
C:\Windows\SysWOW64\Jbpdeogo.exeC:\Windows\system32\Jbpdeogo.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1808 -
C:\Windows\SysWOW64\Jenpajfb.exeC:\Windows\system32\Jenpajfb.exe101⤵
- Modifies registry class
PID:3048 -
C:\Windows\SysWOW64\Jkkija32.exeC:\Windows\system32\Jkkija32.exe102⤵PID:1908
-
C:\Windows\SysWOW64\Jaeafklf.exeC:\Windows\system32\Jaeafklf.exe103⤵
- Modifies registry class
PID:1192 -
C:\Windows\SysWOW64\Jdcmbgkj.exeC:\Windows\system32\Jdcmbgkj.exe104⤵PID:2864
-
C:\Windows\SysWOW64\Jkmeoa32.exeC:\Windows\system32\Jkmeoa32.exe105⤵PID:2708
-
C:\Windows\SysWOW64\Jagnlkjd.exeC:\Windows\system32\Jagnlkjd.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2596 -
C:\Windows\SysWOW64\Jgdfdbhk.exeC:\Windows\system32\Jgdfdbhk.exe107⤵PID:2496
-
C:\Windows\SysWOW64\Jaijak32.exeC:\Windows\system32\Jaijak32.exe108⤵
- Drops file in System32 directory
PID:1992 -
C:\Windows\SysWOW64\Jckgicnp.exeC:\Windows\system32\Jckgicnp.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2692 -
C:\Windows\SysWOW64\Jjdofm32.exeC:\Windows\system32\Jjdofm32.exe110⤵PID:624
-
C:\Windows\SysWOW64\Kdjccf32.exeC:\Windows\system32\Kdjccf32.exe111⤵PID:408
-
C:\Windows\SysWOW64\Kfkpknkq.exeC:\Windows\system32\Kfkpknkq.exe112⤵
- Modifies registry class
PID:832 -
C:\Windows\SysWOW64\Knbhlkkc.exeC:\Windows\system32\Knbhlkkc.exe113⤵
- Modifies registry class
PID:2156 -
C:\Windows\SysWOW64\Kcopdb32.exeC:\Windows\system32\Kcopdb32.exe114⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2184 -
C:\Windows\SysWOW64\Kjihalag.exeC:\Windows\system32\Kjihalag.exe115⤵PID:2468
-
C:\Windows\SysWOW64\Klhemhpk.exeC:\Windows\system32\Klhemhpk.exe116⤵PID:2060
-
C:\Windows\SysWOW64\Kcamjb32.exeC:\Windows\system32\Kcamjb32.exe117⤵PID:2136
-
C:\Windows\SysWOW64\Kjleflod.exeC:\Windows\system32\Kjleflod.exe118⤵PID:2820
-
C:\Windows\SysWOW64\Kkmand32.exeC:\Windows\system32\Kkmand32.exe119⤵
- Drops file in System32 directory
PID:1584 -
C:\Windows\SysWOW64\Kbgjkn32.exeC:\Windows\system32\Kbgjkn32.exe120⤵PID:2664
-
C:\Windows\SysWOW64\Kllnhg32.exeC:\Windows\system32\Kllnhg32.exe121⤵PID:1428
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-