Analysis
max time kernel: 53s
max time network: 19s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 20/11/2024, 05:04
Static task: static1
Behavioral task: behavioral1
Sample: b4a557b1cec3573a828a643ee73e2f16a4e79ec120fcc84cb32c5a2f656b582eN.exe
Resource: win7-20241010-en
Behavioral task: behavioral2
Sample: b4a557b1cec3573a828a643ee73e2f16a4e79ec120fcc84cb32c5a2f656b582eN.exe
Resource: win10v2004-20241007-en
General
Target: b4a557b1cec3573a828a643ee73e2f16a4e79ec120fcc84cb32c5a2f656b582eN.exe
Size: 78KB
MD5: e4aa71d3811eb0c9f538708c885da100
SHA1: 3ed3d6740f879e5a3ebf9dcb7e425e6043cfa419
SHA256: b4a557b1cec3573a828a643ee73e2f16a4e79ec120fcc84cb32c5a2f656b582e
SHA512: bb1fa3960f263872c4933b2caf9a6f19519217537569a153da4ddcc71c243e60ae7d44391023c6479596c8ec811b873992839832b6e4d2da992ca8a356168457
SSDEEP: 1536:s1iEI0F9B/2uL2FStAV+RiVPbN+zL20gJi1ie:s0wZ2uKUtA4RiVPbgzL20WKt
Malware Config
Extracted
Family: berbew
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Berbew family
Executes dropped EXE 64 IoCs
Loads dropped DLL 64 IoCs
Drops file in System32 directory 64 IoCs
Program crash 1 IoCs
pid: 1468, pid_target: 3588, Process: WerFault.exe, procid_target: 653
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\b4a557b1cec3573a828a643ee73e2f16a4e79ec120fcc84cb32c5a2f656b582eN.exe (command line: "C:\Users\Admin\AppData\Local\Temp\b4a557b1cec3573a828a643ee73e2f16a4e79ec120fcc84cb32c5a2f656b582eN.exe"), PID 1268
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Ehilgikj.exe (command line: C:\Windows\system32\Ehilgikj.exe), PID 2144
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Fabppo32.exe (command line: C:\Windows\system32\Fabppo32.exe), PID 2528
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Fdbibjok.exe (command line: C:\Windows\system32\Fdbibjok.exe), PID 3032
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Ffcbce32.exe (command line: C:\Windows\system32\Ffcbce32.exe), PID 3016
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Foacmg32.exe (command line: C:\Windows\system32\Foacmg32.exe), PID 2936
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Gemhpq32.exe (command line: C:\Windows\system32\Gemhpq32.exe), PID 2744
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Gohjnf32.exe (command line: C:\Windows\system32\Gohjnf32.exe), PID 2132
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Giakoc32.exe (command line: C:\Windows\system32\Giakoc32.exe), PID 2616
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Gnocdb32.exe (command line: C:\Windows\system32\Gnocdb32.exe), PID 1680
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Hifdjcif.exe (command line: C:\Windows\system32\Hifdjcif.exe), PID 2472
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Hcohbh32.exe (command line: C:\Windows\system32\Hcohbh32.exe), PID 2488
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Hoeigi32.exe (command line: C:\Windows\system32\Hoeigi32.exe), PID 1244
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Hlijan32.exe (command line: C:\Windows\system32\Hlijan32.exe), PID 3040
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Hafbid32.exe (command line: C:\Windows\system32\Hafbid32.exe), PID 2280
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Hojbbiae.exe (command line: C:\Windows\system32\Hojbbiae.exe), PID 1508
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Ikqcgj32.exe (command line: C:\Windows\system32\Ikqcgj32.exe), PID 2420
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
18. C:\Windows\SysWOW64\Imkbeqem.exe (command line: C:\Windows\system32\Imkbeqem.exe), PID 688
- Executes dropped EXE
- Loads dropped DLL
19. C:\Windows\SysWOW64\Jibcja32.exe (command line: C:\Windows\system32\Jibcja32.exe), PID 1712
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
20. C:\Windows\SysWOW64\Jchhhjjg.exe (command line: C:\Windows\system32\Jchhhjjg.exe), PID 2124
- Executes dropped EXE
- Loads dropped DLL
21. C:\Windows\SysWOW64\Jbmdig32.exe (command line: C:\Windows\system32\Jbmdig32.exe), PID 1980
- Executes dropped EXE
- Loads dropped DLL
22. C:\Windows\SysWOW64\Jennjblp.exe (command line: C:\Windows\system32\Jennjblp.exe), PID 856
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
23. C:\Windows\SysWOW64\Jccjln32.exe (command line: C:\Windows\system32\Jccjln32.exe), PID 1880
- Executes dropped EXE
- Loads dropped DLL
24. C:\Windows\SysWOW64\Kaihjbno.exe (command line: C:\Windows\system32\Kaihjbno.exe), PID 2360
- Executes dropped EXE
- Loads dropped DLL
25. C:\Windows\SysWOW64\Kffpcilf.exe (command line: C:\Windows\system32\Kffpcilf.exe), PID 2068
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
26. C:\Windows\SysWOW64\Kcjqlm32.exe (command line: C:\Windows\system32\Kcjqlm32.exe), PID 2392
- Executes dropped EXE
- Loads dropped DLL
27. C:\Windows\SysWOW64\Klgbfo32.exe (command line: C:\Windows\system32\Klgbfo32.exe), PID 2948
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
28. C:\Windows\SysWOW64\Lpekln32.exe (command line: C:\Windows\system32\Lpekln32.exe), PID 2808
- Executes dropped EXE
- Loads dropped DLL
29. C:\Windows\SysWOW64\Lllkaobc.exe (command line: C:\Windows\system32\Lllkaobc.exe), PID 2980
- Executes dropped EXE
- Loads dropped DLL
30. C:\Windows\SysWOW64\Lomdcj32.exe (command line: C:\Windows\system32\Lomdcj32.exe), PID 2864
- Executes dropped EXE
- Loads dropped DLL
31. C:\Windows\SysWOW64\Lkfbmj32.exe (command line: C:\Windows\system32\Lkfbmj32.exe), PID 2852
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
32. C:\Windows\SysWOW64\Mlikkbga.exe (command line: C:\Windows\system32\Mlikkbga.exe), PID 1168
- Executes dropped EXE
- Loads dropped DLL
33. C:\Windows\SysWOW64\Mmigdend.exe (command line: C:\Windows\system32\Mmigdend.exe), PID 672
- Executes dropped EXE
- Drops file in System32 directory
34. C:\Windows\SysWOW64\Nqjmec32.exe (command line: C:\Windows\system32\Nqjmec32.exe), PID 2000
- Executes dropped EXE
35. C:\Windows\SysWOW64\Nnnmoh32.exe (command line: C:\Windows\system32\Nnnmoh32.exe), PID 2476
- Executes dropped EXE
36. C:\Windows\SysWOW64\Ofibcj32.exe (command line: C:\Windows\system32\Ofibcj32.exe), PID 2952
- Executes dropped EXE
37. C:\Windows\SysWOW64\Oqnfqcjk.exe (command line: C:\Windows\system32\Oqnfqcjk.exe), PID 1140
- Executes dropped EXE
38. C:\Windows\SysWOW64\Ohikeegf.exe (command line: C:\Windows\system32\Ohikeegf.exe), PID 760
- Executes dropped EXE
39. C:\Windows\SysWOW64\Obbonk32.exe (command line: C:\Windows\system32\Obbonk32.exe), PID 2176
- Executes dropped EXE
40. C:\Windows\SysWOW64\Onipbl32.exe (command line: C:\Windows\system32\Onipbl32.exe), PID 2492
- Executes dropped EXE
41. C:\Windows\SysWOW64\Oindpd32.exe (command line: C:\Windows\system32\Oindpd32.exe), PID 3044
- Executes dropped EXE
42. C:\Windows\SysWOW64\Pjbnmm32.exe (command line: C:\Windows\system32\Pjbnmm32.exe), PID 2200
- Executes dropped EXE
- System Location Discovery: System Language Discovery
43. C:\Windows\SysWOW64\Pnpfckmc.exe (command line: C:\Windows\system32\Pnpfckmc.exe), PID 1072
- Executes dropped EXE
44. C:\Windows\SysWOW64\Pghklq32.exe (command line: C:\Windows\system32\Pghklq32.exe), PID 1216
- Executes dropped EXE
45. C:\Windows\SysWOW64\Paqoef32.exe (command line: C:\Windows\system32\Paqoef32.exe), PID 1568
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
46. C:\Windows\SysWOW64\Pfmgmm32.exe (command line: C:\Windows\system32\Pfmgmm32.exe), PID 1656
- Executes dropped EXE
47. C:\Windows\SysWOW64\Paclje32.exe (command line: C:\Windows\system32\Paclje32.exe), PID 1948
- Executes dropped EXE
48. C:\Windows\SysWOW64\Pmimpf32.exe (command line: C:\Windows\system32\Pmimpf32.exe), PID 1572
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
49. C:\Windows\SysWOW64\Pbfehn32.exe (command line: C:\Windows\system32\Pbfehn32.exe), PID 1644
- Executes dropped EXE
- Modifies registry class
50. C:\Windows\SysWOW64\Qbiamm32.exe (command line: C:\Windows\system32\Qbiamm32.exe), PID 2136
- Executes dropped EXE
51. C:\Windows\SysWOW64\Qlaffbqk.exe (command line: C:\Windows\system32\Qlaffbqk.exe), PID 2344
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
52. C:\Windows\SysWOW64\Anbohn32.exe (command line: C:\Windows\system32\Anbohn32.exe), PID 668
- Executes dropped EXE
- Drops file in System32 directory
53. C:\Windows\SysWOW64\Ahjcqcdm.exe (command line: C:\Windows\system32\Ahjcqcdm.exe), PID 2896
- Executes dropped EXE
54. C:\Windows\SysWOW64\Aofhcmig.exe (command line: C:\Windows\system32\Aofhcmig.exe), PID 2524
- Executes dropped EXE
55. C:\Windows\SysWOW64\Adcakdhn.exe (command line: C:\Windows\system32\Adcakdhn.exe), PID 2820
- Executes dropped EXE
56. C:\Windows\SysWOW64\Adenqd32.exe (command line: C:\Windows\system32\Adenqd32.exe), PID 2900
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
57. C:\Windows\SysWOW64\Aibfik32.exe (command line: C:\Windows\system32\Aibfik32.exe), PID 2184
- Executes dropped EXE
58. C:\Windows\SysWOW64\Bbkkbpjc.exe (command line: C:\Windows\system32\Bbkkbpjc.exe), PID 2212
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
59. C:\Windows\SysWOW64\Bmpooiji.exe (command line: C:\Windows\system32\Bmpooiji.exe), PID 1884
- Executes dropped EXE
60. C:\Windows\SysWOW64\Belcck32.exe (command line: C:\Windows\system32\Belcck32.exe), PID 1116
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
61. C:\Windows\SysWOW64\Bpahad32.exe (command line: C:\Windows\system32\Bpahad32.exe), PID 1612
- Executes dropped EXE
62. C:\Windows\SysWOW64\Benpik32.exe (command line: C:\Windows\system32\Benpik32.exe), PID 2192
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
63. C:\Windows\SysWOW64\Bofebqlb.exe (command line: C:\Windows\system32\Bofebqlb.exe), PID 2784
- Executes dropped EXE
- Drops file in System32 directory
64. C:\Windows\SysWOW64\Bepmokco.exe (command line: C:\Windows\system32\Bepmokco.exe), PID 2424
- Executes dropped EXE
65. C:\Windows\SysWOW64\Bkmegaaf.exe (command line: C:\Windows\system32\Bkmegaaf.exe), PID 2860
- Executes dropped EXE
66. C:\Windows\SysWOW64\Bebjdjal.exe (command line: C:\Windows\system32\Bebjdjal.exe), PID 2304
67. C:\Windows\SysWOW64\Cnnohmog.exe (command line: C:\Windows\system32\Cnnohmog.exe), PID 1704
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
68. C:\Windows\SysWOW64\Cgfcabeh.exe (command line: C:\Windows\system32\Cgfcabeh.exe), PID 2624
69. C:\Windows\SysWOW64\Calgoken.exe (command line: C:\Windows\system32\Calgoken.exe), PID 1408
70. C:\Windows\SysWOW64\Cghpgbce.exe (command line: C:\Windows\system32\Cghpgbce.exe), PID 1972
71. C:\Windows\SysWOW64\Clehoiam.exe (command line: C:\Windows\system32\Clehoiam.exe), PID 1448
- Drops file in System32 directory
72. C:\Windows\SysWOW64\Cdlppf32.exe (command line: C:\Windows\system32\Cdlppf32.exe), PID 1928
- Drops file in System32 directory
73. C:\Windows\SysWOW64\Cnedilio.exe (command line: C:\Windows\system32\Cnedilio.exe), PID 2964
- System Location Discovery: System Language Discovery
74. C:\Windows\SysWOW64\Cgmiba32.exe (command line: C:\Windows\system32\Cgmiba32.exe), PID 2828
75. C:\Windows\SysWOW64\Dohnfc32.exe (command line: C:\Windows\system32\Dohnfc32.exe), PID 2944
76. C:\Windows\SysWOW64\Dbgjbo32.exe (command line: C:\Windows\system32\Dbgjbo32.exe), PID 2940
77. C:\Windows\SysWOW64\Dkookd32.exe (command line: C:\Windows\system32\Dkookd32.exe), PID 2700
78. C:\Windows\SysWOW64\Dbighojl.exe (command line: C:\Windows\system32\Dbighojl.exe), PID 336
79. C:\Windows\SysWOW64\Dlokegib.exe (command line: C:\Windows\system32\Dlokegib.exe), PID 2452
80. C:\Windows\SysWOW64\Dghlfe32.exe (command line: C:\Windows\system32\Dghlfe32.exe), PID 980
81. C:\Windows\SysWOW64\Dqqqokla.exe (command line: C:\Windows\system32\Dqqqokla.exe), PID 1684
82. C:\Windows\SysWOW64\Djiegp32.exe (command line: C:\Windows\system32\Djiegp32.exe), PID 2996
- Drops file in System32 directory
83. C:\Windows\SysWOW64\Engnno32.exe (command line: C:\Windows\system32\Engnno32.exe), PID 316
- Adds autorun key to be loaded by Explorer.exe on startup
84. C:\Windows\SysWOW64\Ecdffe32.exe (command line: C:\Windows\system32\Ecdffe32.exe), PID 1588
85. C:\Windows\SysWOW64\Emlkoknp.exe (command line: C:\Windows\system32\Emlkoknp.exe), PID 2520
86. C:\Windows\SysWOW64\Ejpkho32.exe (command line: C:\Windows\system32\Ejpkho32.exe), PID 2416
87. C:\Windows\SysWOW64\Echpaecj.exe (command line: C:\Windows\system32\Echpaecj.exe), PID 1424
88. C:\Windows\SysWOW64\Emadjj32.exe (command line: C:\Windows\system32\Emadjj32.exe), PID 1328
89. C:\Windows\SysWOW64\Ebnlba32.exe (command line: C:\Windows\system32\Ebnlba32.exe), PID 1984
- System Location Discovery: System Language Discovery
90. C:\Windows\SysWOW64\Elfakg32.exe (command line: C:\Windows\system32\Elfakg32.exe), PID 1844
91. C:\Windows\SysWOW64\Fbpihafp.exe (command line: C:\Windows\system32\Fbpihafp.exe), PID 1040
92. C:\Windows\SysWOW64\Flhnqf32.exe (command line: C:\Windows\system32\Flhnqf32.exe), PID 2320
93. C:\Windows\SysWOW64\Flkjffkm.exe (command line: C:\Windows\system32\Flkjffkm.exe), PID 828
94. C:\Windows\SysWOW64\Fecool32.exe (command line: C:\Windows\system32\Fecool32.exe), PID 536
- Adds autorun key to be loaded by Explorer.exe on startup
95. C:\Windows\SysWOW64\Fjpggb32.exe (command line: C:\Windows\system32\Fjpggb32.exe), PID 2696
96. C:\Windows\SysWOW64\Feeldk32.exe (command line: C:\Windows\system32\Feeldk32.exe), PID 1800
- Modifies registry class
97. C:\Windows\SysWOW64\Gbdobc32.exe (command line: C:\Windows\system32\Gbdobc32.exe), PID 2456
98. C:\Windows\SysWOW64\Gbglgcbc.exe (command line: C:\Windows\system32\Gbglgcbc.exe), PID 2040
99. C:\Windows\SysWOW64\Hdmajkdl.exe (command line: C:\Windows\system32\Hdmajkdl.exe), PID 976
100. C:\Windows\SysWOW64\Haqbcoce.exe (command line: C:\Windows\system32\Haqbcoce.exe), PID 2620
- Modifies registry class
101. C:\Windows\SysWOW64\Hgnjlfam.exe (command line: C:\Windows\system32\Hgnjlfam.exe), PID 1576
- Drops file in System32 directory
102. C:\Windows\SysWOW64\Hacoio32.exe (command line: C:\Windows\system32\Hacoio32.exe), PID 2316
103. C:\Windows\SysWOW64\Hgpgae32.exe (command line: C:\Windows\system32\Hgpgae32.exe), PID 1668
104. C:\Windows\SysWOW64\Hddgkj32.exe (command line: C:\Windows\system32\Hddgkj32.exe), PID 2012
105. C:\Windows\SysWOW64\Hjqpcq32.exe (command line: C:\Windows\system32\Hjqpcq32.exe), PID 2008
106. C:\Windows\SysWOW64\Hnllcoed.exe (command line: C:\Windows\system32\Hnllcoed.exe), PID 2288
- Modifies registry class
107. C:\Windows\SysWOW64\Iegaha32.exe (command line: C:\Windows\system32\Iegaha32.exe), PID 2484
- System Location Discovery: System Language Discovery
108. C:\Windows\SysWOW64\Ickaaf32.exe (command line: C:\Windows\system32\Ickaaf32.exe), PID 3020
109. C:\Windows\SysWOW64\Ihhjjm32.exe (command line: C:\Windows\system32\Ihhjjm32.exe), PID 2780
110. C:\Windows\SysWOW64\Ifljcanj.exe (command line: C:\Windows\system32\Ifljcanj.exe), PID 2300
111. C:\Windows\SysWOW64\Iodolf32.exe (command line: C:\Windows\system32\Iodolf32.exe), PID 2084
- Drops file in System32 directory
112. C:\Windows\SysWOW64\Ifngiqlg.exe (command line: C:\Windows\system32\Ifngiqlg.exe), PID 2312
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
113. C:\Windows\SysWOW64\Injlmcib.exe (command line: C:\Windows\system32\Injlmcib.exe), PID 2216
114. C:\Windows\SysWOW64\Ihopjl32.exe (command line: C:\Windows\system32\Ihopjl32.exe), PID 288
- Drops file in System32 directory
115. C:\Windows\SysWOW64\Jbgdcapi.exe (command line: C:\Windows\system32\Jbgdcapi.exe), PID 2500
116. C:\Windows\SysWOW64\Jdfqomom.exe (command line: C:\Windows\system32\Jdfqomom.exe), PID 2644
- System Location Discovery: System Language Discovery
117. C:\Windows\SysWOW64\Jkpilg32.exe (command line: C:\Windows\system32\Jkpilg32.exe), PID 1308
118. C:\Windows\SysWOW64\Jcknqicd.exe (command line: C:\Windows\system32\Jcknqicd.exe), PID 1932
119. C:\Windows\SysWOW64\Jmcbio32.exe (command line: C:\Windows\system32\Jmcbio32.exe), PID 1600
120. C:\Windows\SysWOW64\Jjgbbc32.exe (command line: C:\Windows\system32\Jjgbbc32.exe), PID 2792
121. C:\Windows\SysWOW64\Jodkkj32.exe (command line: C:\Windows\system32\Jodkkj32.exe), PID 2680
- Adds autorun key to be loaded by Explorer.exe on startup
122. C:\Windows\SysWOW64\Jkklpk32.exe (command line: C:\Windows\system32\Jkklpk32.exe), PID 2072