Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
30-11-2024 09:40
Behavioral task
behavioral1
Sample
fc4333abd2a93f125e3cf7d02291c52170518bd74f42e52854f5ab1ebd72d14d.exe
Resource
win7-20240903-en
windows7-x64
12 signatures
120 seconds
General
-
Target
fc4333abd2a93f125e3cf7d02291c52170518bd74f42e52854f5ab1ebd72d14d.exe
-
Size
93KB
-
MD5
9bde7d661faca3dcfb626d2df39f65be
-
SHA1
af5327ea36709b32b880ecd839bc77f50c6b92b7
-
SHA256
fc4333abd2a93f125e3cf7d02291c52170518bd74f42e52854f5ab1ebd72d14d
-
SHA512
d7be5a3e9d9f66ea73212ee4772bd33a211ab6405dc2b09fbec3c77827d42f8b20761a8910a435eb3550e0abbeded865ad2a181a6f60d55573adc238527073f3
-
SSDEEP
1536:Sw0W3g8GYWPiACm+Ee/AjIZN1DaYfMZRWuLsV+1B:oh8GYUiP6jILgYfc0DV+1B
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnnaoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pblcbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkpglbaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjedmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hnmeen32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcigco32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iliebpfc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldjpbign.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iflmjihl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fgadda32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jelfdc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ggkqmoma.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aojabdlf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ccmpce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hfhcoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jmfafgbd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgiaefgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmaeho32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnmcfeia.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cadjgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oanefo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppinkcnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Apppkekc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eafkhn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ooicid32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kaajei32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aakjdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jkhejkcq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hcepqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cadjgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eccpoo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmmfaa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddaemh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgjfek32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddnfop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Foccjood.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mjfnomde.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgaaah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cljodo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkejcq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amaelomh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpelnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hahnac32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmgfqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pphkbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bfqpecma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mjkgjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cofnjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhdhif32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fleifl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnjicjbf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjhabndo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jlhkgm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mdogedmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" fc4333abd2a93f125e3cf7d02291c52170518bd74f42e52854f5ab1ebd72d14d.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfhmqhkd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dldkmlhl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gojhafnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ghajacmo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omhhke32.exe -
Berbew family
-
Njrat family
-
Executes dropped EXE 64 IoCs
pid Process 1988 Mbeiefff.exe 1796 Mioabp32.exe 2192 Nefbga32.exe 2832 Namclbil.exe 2716 Nlbgikia.exe 2324 Nblpfepo.exe 2612 Nkhdkgnj.exe 2648 Naalga32.exe 2916 Ngneph32.exe 2300 Nadimacd.exe 2960 Oklnff32.exe 1916 Odebolpe.exe 2696 Oiakgcnl.exe 2512 Odgodl32.exe 2036 Ogekpg32.exe 1672 Onocmadb.exe 1092 Oldpnn32.exe 340 Oaaifdhb.exe 1336 Oihqgbhd.exe 852 Poeipifl.exe 1544 Padeldeo.exe 3044 Phnnho32.exe 988 Pohfehdi.exe 2356 Peanbblf.exe 2680 Pkofjijm.exe 1688 Pnmcfeia.exe 316 Pkacpihj.exe 1556 Pqnlhpfb.exe 2180 Pclhdl32.exe 3016 Pggdejno.exe 2124 Qgjqjjll.exe 2928 Qndigd32.exe 2600 Qcqaok32.exe 492 Qjkjle32.exe 2900 Ajmfad32.exe 1508 Akncimmh.exe 2880 Aojojl32.exe 1912 Aeggbbci.exe 1952 Amnocpdk.exe 480 Anolkh32.exe 2384 Abkhkgbb.exe 2584 Aidphq32.exe 692 Aboaff32.exe 1324 Acqnnndl.exe 2228 Akhfoldn.exe 2344 Bmibgd32.exe 2464 Bgnfdm32.exe 1932 Bnhoag32.exe 796 Bmkomchi.exe 1644 Bpjkiogm.exe 2392 Bcegin32.exe 2340 Bfccei32.exe 2240 Bibpad32.exe 2800 Bmnlbcfg.exe 2824 Bplhnoej.exe 2604 Bcgdom32.exe 2216 Bffpki32.exe 1212 Bidlgdlk.exe 2976 Blchcpko.exe 2308 Bcjqdmla.exe 784 Bfhmqhkd.exe 1808 Bigimdjh.exe 1748 Bmbemb32.exe 1600 Bncaekhp.exe -
Loads dropped DLL 64 IoCs
pid Process 2108 fc4333abd2a93f125e3cf7d02291c52170518bd74f42e52854f5ab1ebd72d14d.exe 2108 fc4333abd2a93f125e3cf7d02291c52170518bd74f42e52854f5ab1ebd72d14d.exe 1988 Mbeiefff.exe 1988 Mbeiefff.exe 1796 Mioabp32.exe 1796 Mioabp32.exe 2192 Nefbga32.exe 2192 Nefbga32.exe 2832 Namclbil.exe 2832 Namclbil.exe 2716 Nlbgikia.exe 2716 Nlbgikia.exe 2324 Nblpfepo.exe 2324 Nblpfepo.exe 2612 Nkhdkgnj.exe 2612 Nkhdkgnj.exe 2648 Naalga32.exe 2648 Naalga32.exe 2916 Ngneph32.exe 2916 Ngneph32.exe 2300 Nadimacd.exe 2300 Nadimacd.exe 2960 Oklnff32.exe 2960 Oklnff32.exe 1916 Odebolpe.exe 1916 Odebolpe.exe 2696 Oiakgcnl.exe 2696 Oiakgcnl.exe 2512 Odgodl32.exe 2512 Odgodl32.exe 2036 Ogekpg32.exe 2036 Ogekpg32.exe 1672 Onocmadb.exe 1672 Onocmadb.exe 1092 Oldpnn32.exe 1092 Oldpnn32.exe 340 Oaaifdhb.exe 340 Oaaifdhb.exe 1336 Oihqgbhd.exe 1336 Oihqgbhd.exe 852 Poeipifl.exe 852 Poeipifl.exe 1544 Padeldeo.exe 1544 Padeldeo.exe 3044 Phnnho32.exe 3044 Phnnho32.exe 988 Pohfehdi.exe 988 Pohfehdi.exe 2356 Peanbblf.exe 2356 Peanbblf.exe 2680 Pkofjijm.exe 2680 Pkofjijm.exe 1688 Pnmcfeia.exe 1688 Pnmcfeia.exe 316 Pkacpihj.exe 316 Pkacpihj.exe 1556 Pqnlhpfb.exe 1556 Pqnlhpfb.exe 2180 Pclhdl32.exe 2180 Pclhdl32.exe 3016 Pggdejno.exe 3016 Pggdejno.exe 2124 Qgjqjjll.exe 2124 Qgjqjjll.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Nqjaeeog.exe Nnleiipc.exe File created C:\Windows\SysWOW64\Opfegp32.exe Omhhke32.exe File opened for modification C:\Windows\SysWOW64\Onocmadb.exe Ogekpg32.exe File opened for modification C:\Windows\SysWOW64\Ehgbhbgn.exe Eeielfhk.exe File created C:\Windows\SysWOW64\Ndmecgba.exe Nlfmbibo.exe File opened for modification C:\Windows\SysWOW64\Cpdgbm32.exe Caaggpdh.exe File opened for modification C:\Windows\SysWOW64\Bmpkqklh.exe Bjbndpmd.exe File created C:\Windows\SysWOW64\Efeckm32.dll Cchbgi32.exe File created C:\Windows\SysWOW64\Jmkmjoec.exe Process not Found File created C:\Windows\SysWOW64\Dnefhpma.exe Dlgjldnm.exe File created C:\Windows\SysWOW64\Gcedad32.exe Gojhafnb.exe File created C:\Windows\SysWOW64\Ieajkfmd.exe Inhanl32.exe File created C:\Windows\SysWOW64\Lgdqap32.dll Egajnfoe.exe File created C:\Windows\SysWOW64\Fpjofl32.exe Eipgjaoi.exe File created C:\Windows\SysWOW64\Lfpeln32.dll Eipgjaoi.exe File created C:\Windows\SysWOW64\Lncfcgeb.exe Lkdjglfo.exe File created C:\Windows\SysWOW64\Aejlnmkm.exe Adipfd32.exe File opened for modification C:\Windows\SysWOW64\Eicpcm32.exe Ejaphpnp.exe File created C:\Windows\SysWOW64\Epeoaffo.exe Ehnfpifm.exe File created C:\Windows\SysWOW64\Kdcgnide.dll Gegabegc.exe File created C:\Windows\SysWOW64\Kjahej32.exe Kcgphp32.exe File created C:\Windows\SysWOW64\Mqklqhpg.exe Mnmpdlac.exe File created C:\Windows\SysWOW64\Aebmjo32.exe Accqnc32.exe File created C:\Windows\SysWOW64\Ldokfakl.exe Laqojfli.exe File opened for modification C:\Windows\SysWOW64\Omckoi32.exe Olbogqoe.exe File opened for modification C:\Windows\SysWOW64\Bddbjhlp.exe Baefnmml.exe File created C:\Windows\SysWOW64\Dmmpolof.exe Dnjoco32.exe File opened for modification C:\Windows\SysWOW64\Jniefm32.exe Jlhhndno.exe File created C:\Windows\SysWOW64\Kpcqnf32.exe Khlili32.exe File created C:\Windows\SysWOW64\Mnbpjb32.exe Mmadbjkk.exe File created C:\Windows\SysWOW64\Ihnijmcj.dll Klpdaf32.exe File created C:\Windows\SysWOW64\Qndkpmkm.exe Qkfocaki.exe File created C:\Windows\SysWOW64\Faiboc32.dll Pjihmmbk.exe File created C:\Windows\SysWOW64\Pilfpqaa.exe Pgnjde32.exe File created C:\Windows\SysWOW64\Ljddjj32.exe Lgehno32.exe File created C:\Windows\SysWOW64\Fadndbci.exe Fofbhgde.exe File opened for modification C:\Windows\SysWOW64\Poeipifl.exe Oihqgbhd.exe File created C:\Windows\SysWOW64\Anolkh32.exe Amnocpdk.exe File opened for modification C:\Windows\SysWOW64\Enbnkigh.exe Elqaca32.exe File opened for modification C:\Windows\SysWOW64\Hhcmhdke.exe Heealhla.exe File created C:\Windows\SysWOW64\Aodkci32.exe Akiobk32.exe File created C:\Windows\SysWOW64\Oeindm32.exe Objaha32.exe File created C:\Windows\SysWOW64\Jaidoiaj.dll Mbeiefff.exe File opened for modification C:\Windows\SysWOW64\Pdonhj32.exe Oaqbln32.exe File created C:\Windows\SysWOW64\Bfncpcoc.exe Aodkci32.exe File created C:\Windows\SysWOW64\Miidam32.dll Cpfdhl32.exe File created C:\Windows\SysWOW64\Foolgh32.exe Fmnopp32.exe File opened for modification C:\Windows\SysWOW64\Fadndbci.exe Fofbhgde.exe File created C:\Windows\SysWOW64\Ahgofi32.exe Aficjnpm.exe File opened for modification C:\Windows\SysWOW64\Hnpdcf32.exe Hkahgk32.exe File opened for modification C:\Windows\SysWOW64\Ifgicg32.exe Ichmgl32.exe File created C:\Windows\SysWOW64\Hffibceh.exe Hmmdin32.exe File opened for modification C:\Windows\SysWOW64\Fhgppnan.exe Feiddbbj.exe File created C:\Windows\SysWOW64\Ajgbkbjp.exe Abpjjeim.exe File opened for modification C:\Windows\SysWOW64\Bfncpcoc.exe Aodkci32.exe File created C:\Windows\SysWOW64\Dbifnj32.exe Dpkibo32.exe File opened for modification C:\Windows\SysWOW64\Gmmfaa32.exe Ghajacmo.exe File opened for modification C:\Windows\SysWOW64\Ijclol32.exe Ihdpbq32.exe File created C:\Windows\SysWOW64\Dngjbb32.dll Einjdb32.exe File created C:\Windows\SysWOW64\Aojojl32.exe Akncimmh.exe File created C:\Windows\SysWOW64\Fhgnge32.exe Ffibkj32.exe File opened for modification C:\Windows\SysWOW64\Ekdchf32.exe Eibgpnjk.exe File created C:\Windows\SysWOW64\Nllchm32.dll Fabaocfl.exe File created C:\Windows\SysWOW64\Hkdemk32.exe Hieiqo32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 1692 3168 Process not Found 1116 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qaqnkafa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlhkgm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eeojcmfi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dinklffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfoghakb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fahhnn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imahkg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjjpjgjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbiocd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agbpnh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idicbbpi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Keqkofno.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ceeieced.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adifpk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdqlajbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbeedh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cogfqe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpdkpiik.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gamnhq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cedpbd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qkffng32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmdhad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhnkffeo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcllbhdn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iieepbje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkomjo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlfacfpc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olkfmi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjahej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfmbek32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkoicb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Coicfd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iapgkl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Daplkmbg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhgppnan.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omckoi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eakhdj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcopdb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eicpcm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qackpado.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egmojnlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oeindm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opqoge32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dipjkn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apppkekc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmmdin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehgbhbgn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qpbglhjq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnleiipc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bcegin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbonei32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkadjn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgnjde32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agpcihcf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnoiio32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkcekfad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pggdejno.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcigco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifgicg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cceogcfj.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ljldnhid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mhhgpc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cceogcfj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ffkoai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iapgkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ioloda32.dll" Difnaqih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mobfgdcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leblqb32.dll" Pdjjag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ghdiokbq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cdjmcpnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alhjjh32.dll" Ifffkncm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pjihmmbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qopmpa32.dll" Aobpfb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bcpimq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fmdbnnlj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oaaifdhb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hicoaj32.dll" Peanbblf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pkaehb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjoaognb.dll" Ggagmjbq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ggdcbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Alageg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gmhkin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fclidamd.dll" Enbnkigh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ipjahd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cillkbac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aohdmdoh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhaflo32.dll" Feiddbbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mjcjog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdeonhfo.dll" Cjjnhnbl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dpegcq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcikef32.dll" Mfglep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hckmla32.dll" Becpap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qmfpeb32.dll" Flfpabkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmkame32.dll" Bmnnkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpemjpcl.dll" Ljnnko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eelkeeah.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hiclkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ehnfpifm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fdiqpigl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pqnlhpfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnaldfli.dll" Ehjona32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbqmnm32.dll" Ecfldoph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccgnbk32.dll" Ppmgfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Adipfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Amohfo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aficjnpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gqaafn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mioabp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bcegin32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gegabegc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Njpgpbpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pdonhj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hmjoqo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Daofpchf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fgdnnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcopgk32.dll" Aohdmdoh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bhjlli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bidlgdlk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efhjijha.dll" Jckgicnp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gdegfn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kbpbmkan.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dlgjldnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdaaomdi.dll" Gdnfjl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nbpeoc32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2108 wrote to memory of 1988 2108 fc4333abd2a93f125e3cf7d02291c52170518bd74f42e52854f5ab1ebd72d14d.exe 30 PID 2108 wrote to memory of 1988 2108 fc4333abd2a93f125e3cf7d02291c52170518bd74f42e52854f5ab1ebd72d14d.exe 30 PID 2108 wrote to memory of 1988 2108 fc4333abd2a93f125e3cf7d02291c52170518bd74f42e52854f5ab1ebd72d14d.exe 30 PID 2108 wrote to memory of 1988 2108 fc4333abd2a93f125e3cf7d02291c52170518bd74f42e52854f5ab1ebd72d14d.exe 30 PID 1988 wrote to memory of 1796 1988 Mbeiefff.exe 31 PID 1988 wrote to memory of 1796 1988 Mbeiefff.exe 31 PID 1988 wrote to memory of 1796 1988 Mbeiefff.exe 31 PID 1988 wrote to memory of 1796 1988 Mbeiefff.exe 31 PID 1796 wrote to memory of 2192 1796 Mioabp32.exe 32 PID 1796 wrote to memory of 2192 1796 Mioabp32.exe 32 PID 1796 wrote to memory of 2192 1796 Mioabp32.exe 32 PID 1796 wrote to memory of 2192 1796 Mioabp32.exe 32 PID 2192 wrote to memory of 2832 2192 Nefbga32.exe 33 PID 2192 wrote to memory of 2832 2192 Nefbga32.exe 33 PID 2192 wrote to memory of 2832 2192 Nefbga32.exe 33 PID 2192 wrote to memory of 2832 2192 Nefbga32.exe 33 PID 2832 wrote to memory of 2716 2832 Namclbil.exe 34 PID 2832 wrote to memory of 2716 2832 Namclbil.exe 34 PID 2832 wrote to memory of 2716 2832 Namclbil.exe 34 PID 2832 wrote to memory of 2716 2832 Namclbil.exe 34 PID 2716 wrote to memory of 2324 2716 Nlbgikia.exe 35 PID 2716 wrote to memory of 2324 2716 Nlbgikia.exe 35 PID 2716 wrote to memory of 2324 2716 Nlbgikia.exe 35 PID 2716 wrote to memory of 2324 2716 Nlbgikia.exe 35 PID 2324 wrote to memory of 2612 2324 Nblpfepo.exe 36 PID 2324 wrote to memory of 2612 2324 Nblpfepo.exe 36 PID 2324 wrote to memory of 2612 2324 Nblpfepo.exe 36 PID 2324 wrote to memory of 2612 2324 Nblpfepo.exe 36 PID 2612 wrote to memory of 2648 2612 Nkhdkgnj.exe 37 PID 2612 wrote to memory of 2648 2612 Nkhdkgnj.exe 37 PID 2612 wrote to memory of 2648 2612 Nkhdkgnj.exe 37 PID 2612 wrote to memory of 2648 2612 Nkhdkgnj.exe 37 PID 2648 wrote to memory of 2916 2648 Naalga32.exe 38 PID 2648 wrote to memory of 2916 2648 Naalga32.exe 38 PID 2648 wrote to memory of 2916 2648 Naalga32.exe 38 PID 2648 wrote to memory of 2916 2648 Naalga32.exe 38 PID 2916 wrote to memory of 2300 2916 Ngneph32.exe 39 PID 2916 wrote to memory of 2300 2916 Ngneph32.exe 39 PID 2916 wrote to memory of 2300 2916 Ngneph32.exe 39 PID 2916 wrote to memory of 2300 2916 Ngneph32.exe 39 PID 2300 wrote to memory of 2960 2300 Nadimacd.exe 40 PID 2300 wrote to memory of 2960 2300 Nadimacd.exe 40 PID 2300 wrote to memory of 2960 2300 Nadimacd.exe 40 PID 2300 wrote to memory of 2960 2300 Nadimacd.exe 40 PID 2960 wrote to memory of 1916 2960 Oklnff32.exe 41 PID 2960 wrote to memory of 1916 2960 Oklnff32.exe 41 PID 2960 wrote to memory of 1916 2960 Oklnff32.exe 41 PID 2960 wrote to memory of 1916 2960 Oklnff32.exe 41 PID 1916 wrote to memory of 2696 1916 Odebolpe.exe 42 PID 1916 wrote to memory of 2696 1916 Odebolpe.exe 42 PID 1916 wrote to memory of 2696 1916 Odebolpe.exe 42 PID 1916 wrote to memory of 2696 1916 Odebolpe.exe 42 PID 2696 wrote to memory of 2512 2696 Oiakgcnl.exe 43 PID 2696 wrote to memory of 2512 2696 Oiakgcnl.exe 43 PID 2696 wrote to memory of 2512 2696 Oiakgcnl.exe 43 PID 2696 wrote to memory of 2512 2696 Oiakgcnl.exe 43 PID 2512 wrote to memory of 2036 2512 Odgodl32.exe 44 PID 2512 wrote to memory of 2036 2512 Odgodl32.exe 44 PID 2512 wrote to memory of 2036 2512 Odgodl32.exe 44 PID 2512 wrote to memory of 2036 2512 Odgodl32.exe 44 PID 2036 wrote to memory of 1672 2036 Ogekpg32.exe 45 PID 2036 wrote to memory of 1672 2036 Ogekpg32.exe 45 PID 2036 wrote to memory of 1672 2036 Ogekpg32.exe 45 PID 2036 wrote to memory of 1672 2036 Ogekpg32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\fc4333abd2a93f125e3cf7d02291c52170518bd74f42e52854f5ab1ebd72d14d.exe"C:\Users\Admin\AppData\Local\Temp\fc4333abd2a93f125e3cf7d02291c52170518bd74f42e52854f5ab1ebd72d14d.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2108 -
C:\Windows\SysWOW64\Mbeiefff.exeC:\Windows\system32\Mbeiefff.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1988 -
C:\Windows\SysWOW64\Mioabp32.exeC:\Windows\system32\Mioabp32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1796 -
C:\Windows\SysWOW64\Nefbga32.exeC:\Windows\system32\Nefbga32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2192 -
C:\Windows\SysWOW64\Namclbil.exeC:\Windows\system32\Namclbil.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2832 -
C:\Windows\SysWOW64\Nlbgikia.exeC:\Windows\system32\Nlbgikia.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2716 -
C:\Windows\SysWOW64\Nblpfepo.exeC:\Windows\system32\Nblpfepo.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2324 -
C:\Windows\SysWOW64\Nkhdkgnj.exeC:\Windows\system32\Nkhdkgnj.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2612 -
C:\Windows\SysWOW64\Naalga32.exeC:\Windows\system32\Naalga32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2648 -
C:\Windows\SysWOW64\Ngneph32.exeC:\Windows\system32\Ngneph32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2916 -
C:\Windows\SysWOW64\Nadimacd.exeC:\Windows\system32\Nadimacd.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2300 -
C:\Windows\SysWOW64\Oklnff32.exeC:\Windows\system32\Oklnff32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2960 -
C:\Windows\SysWOW64\Odebolpe.exeC:\Windows\system32\Odebolpe.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1916 -
C:\Windows\SysWOW64\Oiakgcnl.exeC:\Windows\system32\Oiakgcnl.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2696 -
C:\Windows\SysWOW64\Odgodl32.exeC:\Windows\system32\Odgodl32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2512 -
C:\Windows\SysWOW64\Ogekpg32.exeC:\Windows\system32\Ogekpg32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2036 -
C:\Windows\SysWOW64\Onocmadb.exeC:\Windows\system32\Onocmadb.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1672 -
C:\Windows\SysWOW64\Oldpnn32.exeC:\Windows\system32\Oldpnn32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1092 -
C:\Windows\SysWOW64\Oaaifdhb.exeC:\Windows\system32\Oaaifdhb.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:340 -
C:\Windows\SysWOW64\Oihqgbhd.exeC:\Windows\system32\Oihqgbhd.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1336 -
C:\Windows\SysWOW64\Poeipifl.exeC:\Windows\system32\Poeipifl.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:852 -
C:\Windows\SysWOW64\Padeldeo.exeC:\Windows\system32\Padeldeo.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1544 -
C:\Windows\SysWOW64\Phnnho32.exeC:\Windows\system32\Phnnho32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3044 -
C:\Windows\SysWOW64\Pohfehdi.exeC:\Windows\system32\Pohfehdi.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:988 -
C:\Windows\SysWOW64\Peanbblf.exeC:\Windows\system32\Peanbblf.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2356 -
C:\Windows\SysWOW64\Pkofjijm.exeC:\Windows\system32\Pkofjijm.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2680 -
C:\Windows\SysWOW64\Pnmcfeia.exeC:\Windows\system32\Pnmcfeia.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1688 -
C:\Windows\SysWOW64\Pkacpihj.exeC:\Windows\system32\Pkacpihj.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:316 -
C:\Windows\SysWOW64\Pqnlhpfb.exeC:\Windows\system32\Pqnlhpfb.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1556 -
C:\Windows\SysWOW64\Pclhdl32.exeC:\Windows\system32\Pclhdl32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2180 -
C:\Windows\SysWOW64\Pggdejno.exeC:\Windows\system32\Pggdejno.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3016 -
C:\Windows\SysWOW64\Qgjqjjll.exeC:\Windows\system32\Qgjqjjll.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2124 -
C:\Windows\SysWOW64\Qndigd32.exeC:\Windows\system32\Qndigd32.exe33⤵
- Executes dropped EXE
PID:2928 -
C:\Windows\SysWOW64\Qcqaok32.exeC:\Windows\system32\Qcqaok32.exe34⤵
- Executes dropped EXE
PID:2600 -
C:\Windows\SysWOW64\Qjkjle32.exeC:\Windows\system32\Qjkjle32.exe35⤵
- Executes dropped EXE
PID:492 -
C:\Windows\SysWOW64\Ajmfad32.exeC:\Windows\system32\Ajmfad32.exe36⤵
- Executes dropped EXE
PID:2900 -
C:\Windows\SysWOW64\Akncimmh.exeC:\Windows\system32\Akncimmh.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1508 -
C:\Windows\SysWOW64\Aojojl32.exeC:\Windows\system32\Aojojl32.exe38⤵
- Executes dropped EXE
PID:2880 -
C:\Windows\SysWOW64\Aeggbbci.exeC:\Windows\system32\Aeggbbci.exe39⤵
- Executes dropped EXE
PID:1912 -
C:\Windows\SysWOW64\Amnocpdk.exeC:\Windows\system32\Amnocpdk.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1952 -
C:\Windows\SysWOW64\Anolkh32.exeC:\Windows\system32\Anolkh32.exe41⤵
- Executes dropped EXE
PID:480 -
C:\Windows\SysWOW64\Abkhkgbb.exeC:\Windows\system32\Abkhkgbb.exe42⤵
- Executes dropped EXE
PID:2384 -
C:\Windows\SysWOW64\Aidphq32.exeC:\Windows\system32\Aidphq32.exe43⤵
- Executes dropped EXE
PID:2584 -
C:\Windows\SysWOW64\Aboaff32.exeC:\Windows\system32\Aboaff32.exe44⤵
- Executes dropped EXE
PID:692 -
C:\Windows\SysWOW64\Acqnnndl.exeC:\Windows\system32\Acqnnndl.exe45⤵
- Executes dropped EXE
PID:1324 -
C:\Windows\SysWOW64\Akhfoldn.exeC:\Windows\system32\Akhfoldn.exe46⤵
- Executes dropped EXE
PID:2228 -
C:\Windows\SysWOW64\Bmibgd32.exeC:\Windows\system32\Bmibgd32.exe47⤵
- Executes dropped EXE
PID:2344 -
C:\Windows\SysWOW64\Bgnfdm32.exeC:\Windows\system32\Bgnfdm32.exe48⤵
- Executes dropped EXE
PID:2464 -
C:\Windows\SysWOW64\Bnhoag32.exeC:\Windows\system32\Bnhoag32.exe49⤵
- Executes dropped EXE
PID:1932 -
C:\Windows\SysWOW64\Bmkomchi.exeC:\Windows\system32\Bmkomchi.exe50⤵
- Executes dropped EXE
PID:796 -
C:\Windows\SysWOW64\Bpjkiogm.exeC:\Windows\system32\Bpjkiogm.exe51⤵
- Executes dropped EXE
PID:1644 -
C:\Windows\SysWOW64\Bcegin32.exeC:\Windows\system32\Bcegin32.exe52⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2392 -
C:\Windows\SysWOW64\Bfccei32.exeC:\Windows\system32\Bfccei32.exe53⤵
- Executes dropped EXE
PID:2340 -
C:\Windows\SysWOW64\Bibpad32.exeC:\Windows\system32\Bibpad32.exe54⤵
- Executes dropped EXE
PID:2240 -
C:\Windows\SysWOW64\Bmnlbcfg.exeC:\Windows\system32\Bmnlbcfg.exe55⤵
- Executes dropped EXE
PID:2800 -
C:\Windows\SysWOW64\Bplhnoej.exeC:\Windows\system32\Bplhnoej.exe56⤵
- Executes dropped EXE
PID:2824 -
C:\Windows\SysWOW64\Bcgdom32.exeC:\Windows\system32\Bcgdom32.exe57⤵
- Executes dropped EXE
PID:2604 -
C:\Windows\SysWOW64\Bffpki32.exeC:\Windows\system32\Bffpki32.exe58⤵
- Executes dropped EXE
PID:2216 -
C:\Windows\SysWOW64\Bidlgdlk.exeC:\Windows\system32\Bidlgdlk.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:1212 -
C:\Windows\SysWOW64\Blchcpko.exeC:\Windows\system32\Blchcpko.exe60⤵
- Executes dropped EXE
PID:2976 -
C:\Windows\SysWOW64\Bcjqdmla.exeC:\Windows\system32\Bcjqdmla.exe61⤵
- Executes dropped EXE
PID:2308 -
C:\Windows\SysWOW64\Bfhmqhkd.exeC:\Windows\system32\Bfhmqhkd.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:784 -
C:\Windows\SysWOW64\Bigimdjh.exeC:\Windows\system32\Bigimdjh.exe63⤵
- Executes dropped EXE
PID:1808 -
C:\Windows\SysWOW64\Bmbemb32.exeC:\Windows\system32\Bmbemb32.exe64⤵
- Executes dropped EXE
PID:1748 -
C:\Windows\SysWOW64\Bncaekhp.exeC:\Windows\system32\Bncaekhp.exe65⤵
- Executes dropped EXE
PID:1600 -
C:\Windows\SysWOW64\Bbonei32.exeC:\Windows\system32\Bbonei32.exe66⤵
- System Location Discovery: System Language Discovery
PID:1776 -
C:\Windows\SysWOW64\Chlfnp32.exeC:\Windows\system32\Chlfnp32.exe67⤵PID:2284
-
C:\Windows\SysWOW64\Cofnjj32.exeC:\Windows\system32\Cofnjj32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3056 -
C:\Windows\SysWOW64\Cadjgf32.exeC:\Windows\system32\Cadjgf32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2312 -
C:\Windows\SysWOW64\Cikbhc32.exeC:\Windows\system32\Cikbhc32.exe70⤵PID:884
-
C:\Windows\SysWOW64\Cljodo32.exeC:\Windows\system32\Cljodo32.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2524 -
C:\Windows\SysWOW64\Cjmopkla.exeC:\Windows\system32\Cjmopkla.exe72⤵PID:2080
-
C:\Windows\SysWOW64\Cbdgqimc.exeC:\Windows\system32\Cbdgqimc.exe73⤵PID:2376
-
C:\Windows\SysWOW64\Cdecha32.exeC:\Windows\system32\Cdecha32.exe74⤵PID:2608
-
C:\Windows\SysWOW64\Ckolek32.exeC:\Windows\system32\Ckolek32.exe75⤵PID:1812
-
C:\Windows\SysWOW64\Cmmhaf32.exeC:\Windows\system32\Cmmhaf32.exe76⤵PID:2672
-
C:\Windows\SysWOW64\Cedpbd32.exeC:\Windows\system32\Cedpbd32.exe77⤵
- System Location Discovery: System Language Discovery
PID:2164 -
C:\Windows\SysWOW64\Chcloo32.exeC:\Windows\system32\Chcloo32.exe78⤵PID:2700
-
C:\Windows\SysWOW64\Cpnaca32.exeC:\Windows\system32\Cpnaca32.exe79⤵PID:2020
-
C:\Windows\SysWOW64\Cdjmcpnl.exeC:\Windows\system32\Cdjmcpnl.exe80⤵
- Modifies registry class
PID:1316 -
C:\Windows\SysWOW64\Cfhiplmp.exeC:\Windows\system32\Cfhiplmp.exe81⤵PID:600
-
C:\Windows\SysWOW64\Dpqnhadq.exeC:\Windows\system32\Dpqnhadq.exe82⤵PID:1936
-
C:\Windows\SysWOW64\Dgjfek32.exeC:\Windows\system32\Dgjfek32.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3024 -
C:\Windows\SysWOW64\Ddnfop32.exeC:\Windows\system32\Ddnfop32.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1344 -
C:\Windows\SysWOW64\Depbfhpe.exeC:\Windows\system32\Depbfhpe.exe85⤵PID:2052
-
C:\Windows\SysWOW64\Dpegcq32.exeC:\Windows\system32\Dpegcq32.exe86⤵
- Modifies registry class
PID:2280 -
C:\Windows\SysWOW64\Dcccpl32.exeC:\Windows\system32\Dcccpl32.exe87⤵PID:892
-
C:\Windows\SysWOW64\Dinklffl.exeC:\Windows\system32\Dinklffl.exe88⤵
- System Location Discovery: System Language Discovery
PID:2484 -
C:\Windows\SysWOW64\Dllhhaep.exeC:\Windows\system32\Dllhhaep.exe89⤵PID:1580
-
C:\Windows\SysWOW64\Daipqhdg.exeC:\Windows\system32\Daipqhdg.exe90⤵PID:2708
-
C:\Windows\SysWOW64\Dhbhmb32.exeC:\Windows\system32\Dhbhmb32.exe91⤵PID:2756
-
C:\Windows\SysWOW64\Dkadjn32.exeC:\Windows\system32\Dkadjn32.exe92⤵
- System Location Discovery: System Language Discovery
PID:2664 -
C:\Windows\SysWOW64\Dchmkkkj.exeC:\Windows\system32\Dchmkkkj.exe93⤵PID:1576
-
C:\Windows\SysWOW64\Degiggjm.exeC:\Windows\system32\Degiggjm.exe94⤵PID:2296
-
C:\Windows\SysWOW64\Elqaca32.exeC:\Windows\system32\Elqaca32.exe95⤵
- Drops file in System32 directory
PID:2552 -
C:\Windows\SysWOW64\Enbnkigh.exeC:\Windows\system32\Enbnkigh.exe96⤵
- Modifies registry class
PID:2140 -
C:\Windows\SysWOW64\Eeielfhk.exeC:\Windows\system32\Eeielfhk.exe97⤵
- Drops file in System32 directory
PID:3040 -
C:\Windows\SysWOW64\Ehgbhbgn.exeC:\Windows\system32\Ehgbhbgn.exe98⤵
- System Location Discovery: System Language Discovery
PID:776 -
C:\Windows\SysWOW64\Ekfndmfb.exeC:\Windows\system32\Ekfndmfb.exe99⤵PID:936
-
C:\Windows\SysWOW64\Eoajel32.exeC:\Windows\system32\Eoajel32.exe100⤵PID:2156
-
C:\Windows\SysWOW64\Epbfmd32.exeC:\Windows\system32\Epbfmd32.exe101⤵PID:2176
-
C:\Windows\SysWOW64\Ehjona32.exeC:\Windows\system32\Ehjona32.exe102⤵
- Modifies registry class
PID:1592 -
C:\Windows\SysWOW64\Egmojnlf.exeC:\Windows\system32\Egmojnlf.exe103⤵
- System Location Discovery: System Language Discovery
PID:2744 -
C:\Windows\SysWOW64\Eabcggll.exeC:\Windows\system32\Eabcggll.exe104⤵PID:2636
-
C:\Windows\SysWOW64\Eccpoo32.exeC:\Windows\system32\Eccpoo32.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2764 -
C:\Windows\SysWOW64\Epgphcqd.exeC:\Windows\system32\Epgphcqd.exe106⤵PID:1228
-
C:\Windows\SysWOW64\Ecfldoph.exeC:\Windows\system32\Ecfldoph.exe107⤵
- Modifies registry class
PID:2884 -
C:\Windows\SysWOW64\Efdhpjok.exeC:\Windows\system32\Efdhpjok.exe108⤵PID:1396
-
C:\Windows\SysWOW64\Elnqmd32.exeC:\Windows\system32\Elnqmd32.exe109⤵PID:1864
-
C:\Windows\SysWOW64\Eqjmncna.exeC:\Windows\system32\Eqjmncna.exe110⤵PID:2780
-
C:\Windows\SysWOW64\Fffefjmi.exeC:\Windows\system32\Fffefjmi.exe111⤵PID:304
-
C:\Windows\SysWOW64\Fheabelm.exeC:\Windows\system32\Fheabelm.exe112⤵PID:2428
-
C:\Windows\SysWOW64\Foojop32.exeC:\Windows\system32\Foojop32.exe113⤵PID:1872
-
C:\Windows\SysWOW64\Ffibkj32.exeC:\Windows\system32\Ffibkj32.exe114⤵
- Drops file in System32 directory
PID:2420 -
C:\Windows\SysWOW64\Fhgnge32.exeC:\Windows\system32\Fhgnge32.exe115⤵PID:1656
-
C:\Windows\SysWOW64\Fkejcq32.exeC:\Windows\system32\Fkejcq32.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2740 -
C:\Windows\SysWOW64\Ffkoai32.exeC:\Windows\system32\Ffkoai32.exe117⤵
- Modifies registry class
PID:2632 -
C:\Windows\SysWOW64\Fdnolfon.exeC:\Windows\system32\Fdnolfon.exe118⤵PID:1628
-
C:\Windows\SysWOW64\Fmegncpp.exeC:\Windows\system32\Fmegncpp.exe119⤵PID:2904
-
C:\Windows\SysWOW64\Foccjood.exeC:\Windows\system32\Foccjood.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:816 -
C:\Windows\SysWOW64\Ffmkfifa.exeC:\Windows\system32\Ffmkfifa.exe121⤵PID:1572
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-