Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
02-12-2024 17:20
Behavioral task
behavioral1
Sample
9ea6fa4efd14a8c1d103076adb21ca9825a870449cff539756f203df2cef3db2.exe
Resource
win7-20240729-en
windows7-x64
12 signatures
120 seconds
General
-
Target
9ea6fa4efd14a8c1d103076adb21ca9825a870449cff539756f203df2cef3db2.exe
-
Size
93KB
-
MD5
d8c01b4d8a685d3ccfbbdf1d6957bc4a
-
SHA1
4a50da5a864a943b6534ad813d6482b3aa71d106
-
SHA256
9ea6fa4efd14a8c1d103076adb21ca9825a870449cff539756f203df2cef3db2
-
SHA512
fb1fef57f82bb3983ec78c4a9c3fe1852ece5425f9acae8d8d0f1b368011bb1d7f0e9ddaf4e630f44804323192561e72867480655cb1ffe7814ce7363d389512
-
SSDEEP
1536:EKJ1Nw4tCjAft7r1TdTii3661DaYfMZRWuLsV+1Z:Ea3wH8ft/1hTiJ6gYfc0DV+1Z
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahhaobfe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnbpqb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfkclf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qpcjeaad.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmlecinf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Idmlniea.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qdpohodn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdaojbjf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgpfpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aicmadmm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qbafalph.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npfjbn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhkbmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bpboinpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gagmbkik.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdecoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Llkbcl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Appbcn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Padjmfdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ejabqi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phledp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Efffpjmk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffdilo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ncnjeh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppopja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jgbjjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ppkmjlca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iickckcl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbbklnpj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnkglj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdfiofhn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pehebbbh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cgqmpkfg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oepjoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jnifaajh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjggap32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phledp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcageqgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gigkbm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hofqpc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Icfbkded.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Docopbaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hagianlf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lpdankjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nflfad32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgjgol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjngbihn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejfbfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Flabdecn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afeaei32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oqgjdbpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmnngl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ijlaloaf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpdeoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Afeaei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dnfhqi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aanibhoh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kckhdg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iickckcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Npfjbn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccqhdmbc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgnpjkhj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpbhjh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Laodmoep.exe -
Berbew family
-
Njrat family
-
Executes dropped EXE 64 IoCs
pid Process 2784 Nbmdhfog.exe 2800 Nqpdcc32.exe 2600 Nigldq32.exe 2592 Nbpqmfmd.exe 3020 Ojkeah32.exe 2324 Oepjoa32.exe 1340 Oqgjdbpi.exe 1236 Ocefpnom.exe 284 Ofdclinq.exe 1976 Oaigib32.exe 1636 Ojblbgdg.exe 1416 Opodknco.exe 1004 Oekmceaf.exe 2236 Oleepo32.exe 2320 Pbomli32.exe 2088 Phledp32.exe 1808 Pnfnajed.exe 1012 Padjmfdg.exe 2084 Phobjp32.exe 2544 Pjmnfk32.exe 1964 Paggce32.exe 2488 Pdecoa32.exe 1812 Pjoklkie.exe 2680 Pnkglj32.exe 2788 Pdhpdq32.exe 2664 Pfflql32.exe 2744 Ppopja32.exe 2748 Phehko32.exe 3052 Qanmcdlm.exe 1700 Qboikm32.exe 2548 Qfkelkkd.exe 2368 Qmenhe32.exe 620 Qpcjeaad.exe 2408 Qbafalph.exe 2872 Amgjnepn.exe 1644 Aohgfm32.exe 1768 Aphcppmo.exe 2268 Aokckm32.exe 1144 Aedlhg32.exe 2300 Alodeacc.exe 2000 Aaklmhak.exe 1648 Ahedjb32.exe 1752 Aoomflpd.exe 1292 Aanibhoh.exe 2440 Ahhaobfe.exe 2344 Aoaill32.exe 964 Bhjneadb.exe 2736 Bkhjamcf.exe 2692 Bngfmhbj.exe 2712 Bdaojbjf.exe 808 Bgokfnij.exe 2388 Bjngbihn.exe 2552 Bnicbh32.exe 1140 Bdckobhd.exe 2864 Bcflko32.exe 1640 Blnpddeo.exe 1228 Bpjldc32.exe 784 Bchhqo32.exe 2356 Blqmid32.exe 2092 Booiep32.exe 2464 Bfiabjjm.exe 304 Chgnneiq.exe 1436 Clciod32.exe 2492 Coafko32.exe -
Loads dropped DLL 64 IoCs
pid Process 2716 9ea6fa4efd14a8c1d103076adb21ca9825a870449cff539756f203df2cef3db2.exe 2716 9ea6fa4efd14a8c1d103076adb21ca9825a870449cff539756f203df2cef3db2.exe 2784 Nbmdhfog.exe 2784 Nbmdhfog.exe 2800 Nqpdcc32.exe 2800 Nqpdcc32.exe 2600 Nigldq32.exe 2600 Nigldq32.exe 2592 Nbpqmfmd.exe 2592 Nbpqmfmd.exe 3020 Ojkeah32.exe 3020 Ojkeah32.exe 2324 Oepjoa32.exe 2324 Oepjoa32.exe 1340 Oqgjdbpi.exe 1340 Oqgjdbpi.exe 1236 Ocefpnom.exe 1236 Ocefpnom.exe 284 Ofdclinq.exe 284 Ofdclinq.exe 1976 Oaigib32.exe 1976 Oaigib32.exe 1636 Ojblbgdg.exe 1636 Ojblbgdg.exe 1416 Opodknco.exe 1416 Opodknco.exe 1004 Oekmceaf.exe 1004 Oekmceaf.exe 2236 Oleepo32.exe 2236 Oleepo32.exe 2320 Pbomli32.exe 2320 Pbomli32.exe 2088 Phledp32.exe 2088 Phledp32.exe 1808 Pnfnajed.exe 1808 Pnfnajed.exe 1012 Padjmfdg.exe 1012 Padjmfdg.exe 2084 Phobjp32.exe 2084 Phobjp32.exe 2544 Pjmnfk32.exe 2544 Pjmnfk32.exe 1964 Paggce32.exe 1964 Paggce32.exe 2488 Pdecoa32.exe 2488 Pdecoa32.exe 1812 Pjoklkie.exe 1812 Pjoklkie.exe 2680 Pnkglj32.exe 2680 Pnkglj32.exe 2788 Pdhpdq32.exe 2788 Pdhpdq32.exe 2664 Pfflql32.exe 2664 Pfflql32.exe 2744 Ppopja32.exe 2744 Ppopja32.exe 2748 Phehko32.exe 2748 Phehko32.exe 3052 Qanmcdlm.exe 3052 Qanmcdlm.exe 1700 Qboikm32.exe 1700 Qboikm32.exe 2548 Qfkelkkd.exe 2548 Qfkelkkd.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Meecaa32.exe Mokkegmm.exe File created C:\Windows\SysWOW64\Ppjedf32.dll Iifghk32.exe File created C:\Windows\SysWOW64\Anjaagnc.dll Emgkhj32.exe File created C:\Windows\SysWOW64\Mhgacc32.dll Gdfiofhn.exe File created C:\Windows\SysWOW64\Bgppdkib.dll Ifgklp32.exe File created C:\Windows\SysWOW64\Lkgifd32.exe Ldmaijdc.exe File created C:\Windows\SysWOW64\Mdmmhn32.exe Maoalb32.exe File created C:\Windows\SysWOW64\Blqmid32.exe Bchhqo32.exe File created C:\Windows\SysWOW64\Djicmk32.exe Dbbklnpj.exe File created C:\Windows\SysWOW64\Dcageqgm.exe Dkjpdcfj.exe File opened for modification C:\Windows\SysWOW64\Genlgnhd.exe Ggklka32.exe File created C:\Windows\SysWOW64\Kaemmggl.dll Llkbcl32.exe File created C:\Windows\SysWOW64\Pjjkfe32.exe Pfnoegaf.exe File opened for modification C:\Windows\SysWOW64\Ddkgbc32.exe Dcjjkkji.exe File created C:\Windows\SysWOW64\Cqlile32.dll Bfiabjjm.exe File created C:\Windows\SysWOW64\Fplkghjl.dll Hhaanh32.exe File created C:\Windows\SysWOW64\Laodmoep.exe Lmcilp32.exe File opened for modification C:\Windows\SysWOW64\Faijggao.exe Fnjnkkbk.exe File created C:\Windows\SysWOW64\Oqgjdbpi.exe Oepjoa32.exe File opened for modification C:\Windows\SysWOW64\Bjngbihn.exe Bgokfnij.exe File created C:\Windows\SysWOW64\Qgnonqai.dll Dbbklnpj.exe File created C:\Windows\SysWOW64\Flfkoeoh.exe Figocipe.exe File created C:\Windows\SysWOW64\Lgpfpe32.exe Ldbjdj32.exe File opened for modification C:\Windows\SysWOW64\Aahimb32.exe Aiaqle32.exe File created C:\Windows\SysWOW64\Oleepo32.exe Oekmceaf.exe File created C:\Windows\SysWOW64\Meecaa32.exe Mokkegmm.exe File opened for modification C:\Windows\SysWOW64\Ockinl32.exe Oehicoom.exe File opened for modification C:\Windows\SysWOW64\Eikimeff.exe Eepmlf32.exe File created C:\Windows\SysWOW64\Glmbma32.dll Lgpfpe32.exe File created C:\Windows\SysWOW64\Iqapnjli.exe Hjggap32.exe File created C:\Windows\SysWOW64\Akfagoln.dll Lolofd32.exe File created C:\Windows\SysWOW64\Qdpohodn.exe Qaablcej.exe File created C:\Windows\SysWOW64\Bqhmfl32.dll Einlmkhp.exe File created C:\Windows\SysWOW64\Dpidibpf.dll Kpdeoh32.exe File created C:\Windows\SysWOW64\Fogiamne.dll Lhfpdi32.exe File opened for modification C:\Windows\SysWOW64\Bemkle32.exe Abnopj32.exe File created C:\Windows\SysWOW64\Fedfgejh.exe Faijggao.exe File created C:\Windows\SysWOW64\Doabjbci.exe Dnpebj32.exe File created C:\Windows\SysWOW64\Pagmgi32.dll Hlhddh32.exe File created C:\Windows\SysWOW64\Naegmabc.exe Nnjklb32.exe File opened for modification C:\Windows\SysWOW64\Dnckki32.exe Dkeoongd.exe File created C:\Windows\SysWOW64\Enneln32.exe Eloipb32.exe File created C:\Windows\SysWOW64\Kbbakc32.exe Kpdeoh32.exe File opened for modification C:\Windows\SysWOW64\Nnodgbed.exe Nfglfdeb.exe File created C:\Windows\SysWOW64\Pgibdjln.exe Pcnfdl32.exe File opened for modification C:\Windows\SysWOW64\Cdedde32.exe Cbghhj32.exe File created C:\Windows\SysWOW64\Qddcbgfn.dll Maoalb32.exe File created C:\Windows\SysWOW64\Iidbakdl.dll Cdngip32.exe File created C:\Windows\SysWOW64\Nhnginii.dll Ggklka32.exe File opened for modification C:\Windows\SysWOW64\Dkeoongd.exe Dhgccbhp.exe File created C:\Windows\SysWOW64\Odlkfk32.dll Fllaopcg.exe File created C:\Windows\SysWOW64\Jeoeclek.exe Jbphgpfg.exe File opened for modification C:\Windows\SysWOW64\Ghoijebj.exe Gdcmig32.exe File opened for modification C:\Windows\SysWOW64\Hofqpc32.exe Hlhddh32.exe File created C:\Windows\SysWOW64\Iqfiii32.exe Imjmhkpj.exe File opened for modification C:\Windows\SysWOW64\Kjepaa32.exe Kfidqb32.exe File opened for modification C:\Windows\SysWOW64\Efhcej32.exe Ecjgio32.exe File opened for modification C:\Windows\SysWOW64\Ebockkal.exe Epqgopbi.exe File opened for modification C:\Windows\SysWOW64\Cchdpbog.exe Cdedde32.exe File created C:\Windows\SysWOW64\Pnkglj32.exe Pjoklkie.exe File created C:\Windows\SysWOW64\Qanmcdlm.exe Phehko32.exe File opened for modification C:\Windows\SysWOW64\Ifengpdh.exe Icfbkded.exe File created C:\Windows\SysWOW64\Ikagogco.exe Iickckcl.exe File created C:\Windows\SysWOW64\Dfkclf32.exe Dnckki32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5852 5828 WerFault.exe 472 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdhpdq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blqmid32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bedamd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Padccpal.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amjpgdik.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phobjp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Coafko32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkjpdcfj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbpclofe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhmbdl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcageqgm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Keoabo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlahdkjc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnpgloog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdojnm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnbpqb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjepaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Moenkf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plndcmmj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhfpdi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jajocl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Camnge32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oepjoa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bpjldc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfpcblfp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldmaijdc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjoilfek.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdaojbjf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cqglng32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmidlmcd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Clnehado.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgokfnij.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfbqgldn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffbmfo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfidqb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhdpnm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cchdpbog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbepkh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojkeah32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qaablcej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qfkelkkd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icbipe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qldjdlgb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bpboinpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bggjjlnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcjaeamd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejfbfo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbphgpfg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oehicoom.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phgannal.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Paggce32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oddphp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppkmjlca.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apnfno32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eejjnhgc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifengpdh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mneaacno.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhgccbhp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Maoalb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amafgc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oaigib32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efhcej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flnndp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkhjamcf.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hhaanh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Imjmhkpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpidibpf.dll" Kpdeoh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Obecld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eikimeff.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Doabjbci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Flcojeak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkbokl32.dll" Efhcej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hehaja32.dll" Eiilge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjhobagi.dll" Dfinam32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ephdjeol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Djmiejji.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dfinam32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lajkbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cedhlopf.dll" Kmclmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kaemmggl.dll" Llkbcl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cgqmpkfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fkkhpadq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jnbpqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Icbipe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ifbaapfk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Imacijjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jnlbgq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Epeajo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oleepo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Amgjnepn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phahme32.dll" Ockinl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djqdbbek.dll" Pmmqmpdm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhibidgh.dll" Ejabqi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnenhj32.dll" Jajocl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkjhmf32.dll" Mdmmhn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmldkj32.dll" Monhjgkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgdinn32.dll" Mdojnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agflga32.dll" Piohgbng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoqbnfda.dll" Dkgldm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Booiep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oiaapj32.dll" Figocipe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Chocodch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jeoeclek.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oddphp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Komlabbb.dll" Eloipb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Flfkoeoh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cmqihg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lmalgq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mpikik32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Njalacon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bpboinpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmekeg32.dll" Bpjldc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cbghhj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dekqhpoi.dll" Emeobj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Npfjbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aokckm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfmlpf32.dll" Dfpcblfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjbmip32.dll" Icfbkded.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pmmqmpdm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cdkkcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmhdkakc.dll" Clnehado.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Emeobj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Icfbkded.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pjjkfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpajjg32.dll" Aahimb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bhbmip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phlnho32.dll" Bngfmhbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Efmckpko.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2716 wrote to memory of 2784 2716 9ea6fa4efd14a8c1d103076adb21ca9825a870449cff539756f203df2cef3db2.exe 30 PID 2716 wrote to memory of 2784 2716 9ea6fa4efd14a8c1d103076adb21ca9825a870449cff539756f203df2cef3db2.exe 30 PID 2716 wrote to memory of 2784 2716 9ea6fa4efd14a8c1d103076adb21ca9825a870449cff539756f203df2cef3db2.exe 30 PID 2716 wrote to memory of 2784 2716 9ea6fa4efd14a8c1d103076adb21ca9825a870449cff539756f203df2cef3db2.exe 30 PID 2784 wrote to memory of 2800 2784 Nbmdhfog.exe 31 PID 2784 wrote to memory of 2800 2784 Nbmdhfog.exe 31 PID 2784 wrote to memory of 2800 2784 Nbmdhfog.exe 31 PID 2784 wrote to memory of 2800 2784 Nbmdhfog.exe 31 PID 2800 wrote to memory of 2600 2800 Nqpdcc32.exe 32 PID 2800 wrote to memory of 2600 2800 Nqpdcc32.exe 32 PID 2800 wrote to memory of 2600 2800 Nqpdcc32.exe 32 PID 2800 wrote to memory of 2600 2800 Nqpdcc32.exe 32 PID 2600 wrote to memory of 2592 2600 Nigldq32.exe 33 PID 2600 wrote to memory of 2592 2600 Nigldq32.exe 33 PID 2600 wrote to memory of 2592 2600 Nigldq32.exe 33 PID 2600 wrote to memory of 2592 2600 Nigldq32.exe 33 PID 2592 wrote to memory of 3020 2592 Nbpqmfmd.exe 34 PID 2592 wrote to memory of 3020 2592 Nbpqmfmd.exe 34 PID 2592 wrote to memory of 3020 2592 Nbpqmfmd.exe 34 PID 2592 wrote to memory of 3020 2592 Nbpqmfmd.exe 34 PID 3020 wrote to memory of 2324 3020 Ojkeah32.exe 35 PID 3020 wrote to memory of 2324 3020 Ojkeah32.exe 35 PID 3020 wrote to memory of 2324 3020 Ojkeah32.exe 35 PID 3020 wrote to memory of 2324 3020 Ojkeah32.exe 35 PID 2324 wrote to memory of 1340 2324 Oepjoa32.exe 36 PID 2324 wrote to memory of 1340 2324 Oepjoa32.exe 36 PID 2324 wrote to memory of 1340 2324 Oepjoa32.exe 36 PID 2324 wrote to memory of 1340 2324 Oepjoa32.exe 36 PID 1340 wrote to memory of 1236 1340 Oqgjdbpi.exe 37 PID 1340 wrote to memory of 1236 1340 Oqgjdbpi.exe 37 PID 1340 wrote to memory of 1236 1340 Oqgjdbpi.exe 37 PID 1340 wrote to memory of 1236 1340 Oqgjdbpi.exe 37 PID 1236 wrote to memory of 284 1236 Ocefpnom.exe 38 PID 1236 wrote to memory of 284 1236 Ocefpnom.exe 38 PID 1236 wrote to memory of 284 1236 Ocefpnom.exe 38 PID 1236 wrote to memory of 284 1236 Ocefpnom.exe 38 PID 284 wrote to memory of 1976 284 Ofdclinq.exe 39 PID 284 wrote to memory of 1976 284 Ofdclinq.exe 39 PID 284 wrote to memory of 1976 284 Ofdclinq.exe 39 PID 284 wrote to memory of 1976 284 Ofdclinq.exe 39 PID 1976 wrote to memory of 1636 1976 Oaigib32.exe 40 PID 1976 wrote to memory of 1636 1976 Oaigib32.exe 40 PID 1976 wrote to memory of 1636 1976 Oaigib32.exe 40 PID 1976 wrote to memory of 1636 1976 Oaigib32.exe 40 PID 1636 wrote to memory of 1416 1636 Ojblbgdg.exe 41 PID 1636 wrote to memory of 1416 1636 Ojblbgdg.exe 41 PID 1636 wrote to memory of 1416 1636 Ojblbgdg.exe 41 PID 1636 wrote to memory of 1416 1636 Ojblbgdg.exe 41 PID 1416 wrote to memory of 1004 1416 Opodknco.exe 42 PID 1416 wrote to memory of 1004 1416 Opodknco.exe 42 PID 1416 wrote to memory of 1004 1416 Opodknco.exe 42 PID 1416 wrote to memory of 1004 1416 Opodknco.exe 42 PID 1004 wrote to memory of 2236 1004 Oekmceaf.exe 43 PID 1004 wrote to memory of 2236 1004 Oekmceaf.exe 43 PID 1004 wrote to memory of 2236 1004 Oekmceaf.exe 43 PID 1004 wrote to memory of 2236 1004 Oekmceaf.exe 43 PID 2236 wrote to memory of 2320 2236 Oleepo32.exe 44 PID 2236 wrote to memory of 2320 2236 Oleepo32.exe 44 PID 2236 wrote to memory of 2320 2236 Oleepo32.exe 44 PID 2236 wrote to memory of 2320 2236 Oleepo32.exe 44 PID 2320 wrote to memory of 2088 2320 Pbomli32.exe 45 PID 2320 wrote to memory of 2088 2320 Pbomli32.exe 45 PID 2320 wrote to memory of 2088 2320 Pbomli32.exe 45 PID 2320 wrote to memory of 2088 2320 Pbomli32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\9ea6fa4efd14a8c1d103076adb21ca9825a870449cff539756f203df2cef3db2.exe"C:\Users\Admin\AppData\Local\Temp\9ea6fa4efd14a8c1d103076adb21ca9825a870449cff539756f203df2cef3db2.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2716 -
C:\Windows\SysWOW64\Nbmdhfog.exeC:\Windows\system32\Nbmdhfog.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2784 -
C:\Windows\SysWOW64\Nqpdcc32.exeC:\Windows\system32\Nqpdcc32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2800 -
C:\Windows\SysWOW64\Nigldq32.exeC:\Windows\system32\Nigldq32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2600 -
C:\Windows\SysWOW64\Nbpqmfmd.exeC:\Windows\system32\Nbpqmfmd.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2592 -
C:\Windows\SysWOW64\Ojkeah32.exeC:\Windows\system32\Ojkeah32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3020 -
C:\Windows\SysWOW64\Oepjoa32.exeC:\Windows\system32\Oepjoa32.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2324 -
C:\Windows\SysWOW64\Oqgjdbpi.exeC:\Windows\system32\Oqgjdbpi.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1340 -
C:\Windows\SysWOW64\Ocefpnom.exeC:\Windows\system32\Ocefpnom.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1236 -
C:\Windows\SysWOW64\Ofdclinq.exeC:\Windows\system32\Ofdclinq.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:284 -
C:\Windows\SysWOW64\Oaigib32.exeC:\Windows\system32\Oaigib32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1976 -
C:\Windows\SysWOW64\Ojblbgdg.exeC:\Windows\system32\Ojblbgdg.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1636 -
C:\Windows\SysWOW64\Opodknco.exeC:\Windows\system32\Opodknco.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1416 -
C:\Windows\SysWOW64\Oekmceaf.exeC:\Windows\system32\Oekmceaf.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1004 -
C:\Windows\SysWOW64\Oleepo32.exeC:\Windows\system32\Oleepo32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2236 -
C:\Windows\SysWOW64\Pbomli32.exeC:\Windows\system32\Pbomli32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2320 -
C:\Windows\SysWOW64\Phledp32.exeC:\Windows\system32\Phledp32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2088 -
C:\Windows\SysWOW64\Pnfnajed.exeC:\Windows\system32\Pnfnajed.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1808 -
C:\Windows\SysWOW64\Padjmfdg.exeC:\Windows\system32\Padjmfdg.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1012 -
C:\Windows\SysWOW64\Phobjp32.exeC:\Windows\system32\Phobjp32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2084 -
C:\Windows\SysWOW64\Pjmnfk32.exeC:\Windows\system32\Pjmnfk32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2544 -
C:\Windows\SysWOW64\Paggce32.exeC:\Windows\system32\Paggce32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1964 -
C:\Windows\SysWOW64\Pdecoa32.exeC:\Windows\system32\Pdecoa32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2488 -
C:\Windows\SysWOW64\Pjoklkie.exeC:\Windows\system32\Pjoklkie.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1812 -
C:\Windows\SysWOW64\Pnkglj32.exeC:\Windows\system32\Pnkglj32.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2680 -
C:\Windows\SysWOW64\Pdhpdq32.exeC:\Windows\system32\Pdhpdq32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2788 -
C:\Windows\SysWOW64\Pfflql32.exeC:\Windows\system32\Pfflql32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2664 -
C:\Windows\SysWOW64\Ppopja32.exeC:\Windows\system32\Ppopja32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2744 -
C:\Windows\SysWOW64\Phehko32.exeC:\Windows\system32\Phehko32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2748 -
C:\Windows\SysWOW64\Qanmcdlm.exeC:\Windows\system32\Qanmcdlm.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3052 -
C:\Windows\SysWOW64\Qboikm32.exeC:\Windows\system32\Qboikm32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1700 -
C:\Windows\SysWOW64\Qfkelkkd.exeC:\Windows\system32\Qfkelkkd.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2548 -
C:\Windows\SysWOW64\Qmenhe32.exeC:\Windows\system32\Qmenhe32.exe33⤵
- Executes dropped EXE
PID:2368 -
C:\Windows\SysWOW64\Qpcjeaad.exeC:\Windows\system32\Qpcjeaad.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:620 -
C:\Windows\SysWOW64\Qbafalph.exeC:\Windows\system32\Qbafalph.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2408 -
C:\Windows\SysWOW64\Amgjnepn.exeC:\Windows\system32\Amgjnepn.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:2872 -
C:\Windows\SysWOW64\Aohgfm32.exeC:\Windows\system32\Aohgfm32.exe37⤵
- Executes dropped EXE
PID:1644 -
C:\Windows\SysWOW64\Aphcppmo.exeC:\Windows\system32\Aphcppmo.exe38⤵
- Executes dropped EXE
PID:1768 -
C:\Windows\SysWOW64\Aokckm32.exeC:\Windows\system32\Aokckm32.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:2268 -
C:\Windows\SysWOW64\Aedlhg32.exeC:\Windows\system32\Aedlhg32.exe40⤵
- Executes dropped EXE
PID:1144 -
C:\Windows\SysWOW64\Alodeacc.exeC:\Windows\system32\Alodeacc.exe41⤵
- Executes dropped EXE
PID:2300 -
C:\Windows\SysWOW64\Aaklmhak.exeC:\Windows\system32\Aaklmhak.exe42⤵
- Executes dropped EXE
PID:2000 -
C:\Windows\SysWOW64\Ahedjb32.exeC:\Windows\system32\Ahedjb32.exe43⤵
- Executes dropped EXE
PID:1648 -
C:\Windows\SysWOW64\Aoomflpd.exeC:\Windows\system32\Aoomflpd.exe44⤵
- Executes dropped EXE
PID:1752 -
C:\Windows\SysWOW64\Aanibhoh.exeC:\Windows\system32\Aanibhoh.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1292 -
C:\Windows\SysWOW64\Ahhaobfe.exeC:\Windows\system32\Ahhaobfe.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2440 -
C:\Windows\SysWOW64\Aoaill32.exeC:\Windows\system32\Aoaill32.exe47⤵
- Executes dropped EXE
PID:2344 -
C:\Windows\SysWOW64\Bhjneadb.exeC:\Windows\system32\Bhjneadb.exe48⤵
- Executes dropped EXE
PID:964 -
C:\Windows\SysWOW64\Bkhjamcf.exeC:\Windows\system32\Bkhjamcf.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2736 -
C:\Windows\SysWOW64\Bngfmhbj.exeC:\Windows\system32\Bngfmhbj.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:2692 -
C:\Windows\SysWOW64\Bdaojbjf.exeC:\Windows\system32\Bdaojbjf.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2712 -
C:\Windows\SysWOW64\Bgokfnij.exeC:\Windows\system32\Bgokfnij.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:808 -
C:\Windows\SysWOW64\Bjngbihn.exeC:\Windows\system32\Bjngbihn.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2388 -
C:\Windows\SysWOW64\Bnicbh32.exeC:\Windows\system32\Bnicbh32.exe54⤵
- Executes dropped EXE
PID:2552 -
C:\Windows\SysWOW64\Bdckobhd.exeC:\Windows\system32\Bdckobhd.exe55⤵
- Executes dropped EXE
PID:1140 -
C:\Windows\SysWOW64\Bcflko32.exeC:\Windows\system32\Bcflko32.exe56⤵
- Executes dropped EXE
PID:2864 -
C:\Windows\SysWOW64\Blnpddeo.exeC:\Windows\system32\Blnpddeo.exe57⤵
- Executes dropped EXE
PID:1640 -
C:\Windows\SysWOW64\Bpjldc32.exeC:\Windows\system32\Bpjldc32.exe58⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1228 -
C:\Windows\SysWOW64\Bchhqo32.exeC:\Windows\system32\Bchhqo32.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:784 -
C:\Windows\SysWOW64\Blqmid32.exeC:\Windows\system32\Blqmid32.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2356 -
C:\Windows\SysWOW64\Booiep32.exeC:\Windows\system32\Booiep32.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:2092 -
C:\Windows\SysWOW64\Bfiabjjm.exeC:\Windows\system32\Bfiabjjm.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2464 -
C:\Windows\SysWOW64\Chgnneiq.exeC:\Windows\system32\Chgnneiq.exe63⤵
- Executes dropped EXE
PID:304 -
C:\Windows\SysWOW64\Clciod32.exeC:\Windows\system32\Clciod32.exe64⤵
- Executes dropped EXE
PID:1436 -
C:\Windows\SysWOW64\Coafko32.exeC:\Windows\system32\Coafko32.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2492 -
C:\Windows\SysWOW64\Cbpbgk32.exeC:\Windows\system32\Cbpbgk32.exe66⤵PID:2708
-
C:\Windows\SysWOW64\Cdnncfoe.exeC:\Windows\system32\Cdnncfoe.exe67⤵PID:2756
-
C:\Windows\SysWOW64\Clefdcog.exeC:\Windows\system32\Clefdcog.exe68⤵PID:2828
-
C:\Windows\SysWOW64\Codbqonk.exeC:\Windows\system32\Codbqonk.exe69⤵PID:2688
-
C:\Windows\SysWOW64\Cbbomjnn.exeC:\Windows\system32\Cbbomjnn.exe70⤵PID:580
-
C:\Windows\SysWOW64\Cgogealf.exeC:\Windows\system32\Cgogealf.exe71⤵PID:1532
-
C:\Windows\SysWOW64\Cofofolh.exeC:\Windows\system32\Cofofolh.exe72⤵PID:2372
-
C:\Windows\SysWOW64\Cqglng32.exeC:\Windows\system32\Cqglng32.exe73⤵
- System Location Discovery: System Language Discovery
PID:1756 -
C:\Windows\SysWOW64\Chocodch.exeC:\Windows\system32\Chocodch.exe74⤵
- Modifies registry class
PID:2064 -
C:\Windows\SysWOW64\Cjppfl32.exeC:\Windows\system32\Cjppfl32.exe75⤵PID:1884
-
C:\Windows\SysWOW64\Cbghhj32.exeC:\Windows\system32\Cbghhj32.exe76⤵
- Drops file in System32 directory
- Modifies registry class
PID:540 -
C:\Windows\SysWOW64\Cdedde32.exeC:\Windows\system32\Cdedde32.exe77⤵
- Drops file in System32 directory
PID:1928 -
C:\Windows\SysWOW64\Cchdpbog.exeC:\Windows\system32\Cchdpbog.exe78⤵
- System Location Discovery: System Language Discovery
PID:2292 -
C:\Windows\SysWOW64\Cjbmll32.exeC:\Windows\system32\Cjbmll32.exe79⤵PID:1720
-
C:\Windows\SysWOW64\Cmqihg32.exeC:\Windows\system32\Cmqihg32.exe80⤵
- Modifies registry class
PID:976 -
C:\Windows\SysWOW64\Dcjaeamd.exeC:\Windows\system32\Dcjaeamd.exe81⤵
- System Location Discovery: System Language Discovery
PID:316 -
C:\Windows\SysWOW64\Dfinam32.exeC:\Windows\system32\Dfinam32.exe82⤵
- Modifies registry class
PID:2068 -
C:\Windows\SysWOW64\Dnpebj32.exeC:\Windows\system32\Dnpebj32.exe83⤵
- Drops file in System32 directory
PID:1544 -
C:\Windows\SysWOW64\Doabjbci.exeC:\Windows\system32\Doabjbci.exe84⤵
- Modifies registry class
PID:1552 -
C:\Windows\SysWOW64\Dcmnja32.exeC:\Windows\system32\Dcmnja32.exe85⤵PID:2648
-
C:\Windows\SysWOW64\Dfkjgm32.exeC:\Windows\system32\Dfkjgm32.exe86⤵PID:2040
-
C:\Windows\SysWOW64\Dmebcgbb.exeC:\Windows\system32\Dmebcgbb.exe87⤵PID:1796
-
C:\Windows\SysWOW64\Docopbaf.exeC:\Windows\system32\Docopbaf.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1424 -
C:\Windows\SysWOW64\Dbbklnpj.exeC:\Windows\system32\Dbbklnpj.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1888 -
C:\Windows\SysWOW64\Djicmk32.exeC:\Windows\system32\Djicmk32.exe90⤵PID:2392
-
C:\Windows\SysWOW64\Dmgoif32.exeC:\Windows\system32\Dmgoif32.exe91⤵PID:2132
-
C:\Windows\SysWOW64\Dkjpdcfj.exeC:\Windows\system32\Dkjpdcfj.exe92⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:296 -
C:\Windows\SysWOW64\Dcageqgm.exeC:\Windows\system32\Dcageqgm.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1660 -
C:\Windows\SysWOW64\Dfpcblfp.exeC:\Windows\system32\Dfpcblfp.exe94⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1492 -
C:\Windows\SysWOW64\Dinpnged.exeC:\Windows\system32\Dinpnged.exe95⤵PID:2152
-
C:\Windows\SysWOW64\Dmjlof32.exeC:\Windows\system32\Dmjlof32.exe96⤵PID:2400
-
C:\Windows\SysWOW64\Dphhka32.exeC:\Windows\system32\Dphhka32.exe97⤵PID:2740
-
C:\Windows\SysWOW64\Dfbqgldn.exeC:\Windows\system32\Dfbqgldn.exe98⤵
- System Location Discovery: System Language Discovery
PID:2764 -
C:\Windows\SysWOW64\Diqmcgca.exeC:\Windows\system32\Diqmcgca.exe99⤵PID:2060
-
C:\Windows\SysWOW64\Eloipb32.exeC:\Windows\system32\Eloipb32.exe100⤵
- Drops file in System32 directory
- Modifies registry class
PID:640 -
C:\Windows\SysWOW64\Enneln32.exeC:\Windows\system32\Enneln32.exe101⤵PID:2136
-
C:\Windows\SysWOW64\Ealahi32.exeC:\Windows\system32\Ealahi32.exe102⤵PID:1124
-
C:\Windows\SysWOW64\Egfjdchi.exeC:\Windows\system32\Egfjdchi.exe103⤵PID:2220
-
C:\Windows\SysWOW64\Elaeeb32.exeC:\Windows\system32\Elaeeb32.exe104⤵PID:2352
-
C:\Windows\SysWOW64\Enpban32.exeC:\Windows\system32\Enpban32.exe105⤵PID:2704
-
C:\Windows\SysWOW64\Eejjnhgc.exeC:\Windows\system32\Eejjnhgc.exe106⤵
- System Location Discovery: System Language Discovery
PID:1216 -
C:\Windows\SysWOW64\Ehhfjcff.exeC:\Windows\system32\Ehhfjcff.exe107⤵PID:2772
-
C:\Windows\SysWOW64\Ejfbfo32.exeC:\Windows\system32\Ejfbfo32.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2808 -
C:\Windows\SysWOW64\Emeobj32.exeC:\Windows\system32\Emeobj32.exe109⤵
- Modifies registry class
PID:3016 -
C:\Windows\SysWOW64\Eaqkcimg.exeC:\Windows\system32\Eaqkcimg.exe110⤵PID:2028
-
C:\Windows\SysWOW64\Ehkcpc32.exeC:\Windows\system32\Ehkcpc32.exe111⤵PID:2012
-
C:\Windows\SysWOW64\Efmckpko.exeC:\Windows\system32\Efmckpko.exe112⤵
- Modifies registry class
PID:1760 -
C:\Windows\SysWOW64\Emgkhj32.exeC:\Windows\system32\Emgkhj32.exe113⤵
- Drops file in System32 directory
PID:264 -
C:\Windows\SysWOW64\Ecadddjh.exeC:\Windows\system32\Ecadddjh.exe114⤵PID:2336
-
C:\Windows\SysWOW64\Efppqoil.exeC:\Windows\system32\Efppqoil.exe115⤵PID:2976
-
C:\Windows\SysWOW64\Einlmkhp.exeC:\Windows\system32\Einlmkhp.exe116⤵
- Drops file in System32 directory
PID:2504 -
C:\Windows\SysWOW64\Ephdjeol.exeC:\Windows\system32\Ephdjeol.exe117⤵
- Modifies registry class
PID:2900 -
C:\Windows\SysWOW64\Ffbmfo32.exeC:\Windows\system32\Ffbmfo32.exe118⤵
- System Location Discovery: System Language Discovery
PID:2940 -
C:\Windows\SysWOW64\Fjnignob.exeC:\Windows\system32\Fjnignob.exe119⤵PID:2364
-
C:\Windows\SysWOW64\Fmlecinf.exeC:\Windows\system32\Fmlecinf.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2240 -
C:\Windows\SysWOW64\Fdfmpc32.exeC:\Windows\system32\Fdfmpc32.exe121⤵PID:2192
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-