Analysis
-
max time kernel
117s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
07-12-2024 21:46
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
3e9b09880ef6ab60763b4aeebaad14922663de81ab5f2b6fe1a625999b78bda4.exe
Resource
win7-20240903-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral2
Sample
3e9b09880ef6ab60763b4aeebaad14922663de81ab5f2b6fe1a625999b78bda4.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
3e9b09880ef6ab60763b4aeebaad14922663de81ab5f2b6fe1a625999b78bda4.exe
-
Size
115KB
-
MD5
b83ba30e545b29de09ddc6e982da773c
-
SHA1
e2211c8f34409aa3d38e8d9d435cc3de22f82603
-
SHA256
3e9b09880ef6ab60763b4aeebaad14922663de81ab5f2b6fe1a625999b78bda4
-
SHA512
669c94ccf4b2bdd1cc3d46788bef1eecd7bc42362c3d7708d7a28ea9a61097148968363ec9e18334368633ed60bda814362d00ca2b5ac13d26a2f3271e9f5ade
-
SSDEEP
3072:MHkXkZxhek5MLg4ldbrIR/SoQUP5u30KqTKr4:MAwGPvlhrIooQUPoDqTKE
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lomgjb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hieiqo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lplbjm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Goiehm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Apedah32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbiocd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkfddc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qfljkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Amaelomh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Edoefl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Legaoehg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdgpnqpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Epbpbnan.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndfnecgp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfibhjlj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnlgbnbp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edoefl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kadica32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aqjdgmgd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iamdkfnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbgobp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ppkhhjei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nbjcqe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fqglggcp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnimiblo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehhdaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pdppqbkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmbfggdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qkffng32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijphofem.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhmofo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dekdikhc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ohcdhi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elnqmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pghfnc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldokfakl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cmfmojcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gefmcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ibhicbao.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pghfnc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjpaop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ahmefdcp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olbchn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cifelgmd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcahoqhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aciqcifh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mobfgdcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fcjeon32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eopphehb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olbogqoe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llbqfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oiljam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbjojh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdecha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lnecigcp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibkkjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fqdiga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bqgmfkhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qemldifo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ijnkifgp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdqlajbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Klehgh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amaelomh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fgdnnl32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2188 Mlpneh32.exe 2928 Mamgmofp.exe 2796 Mmfdhojb.exe 2728 Mbcmpfhi.exe 2624 Mfaefd32.exe 2592 Nlnnnk32.exe 2164 Nhdocl32.exe 1584 Nbjcqe32.exe 2836 Nkegeg32.exe 1388 Ndnlnm32.exe 1940 Naalga32.exe 1780 Noemqe32.exe 476 Opifnm32.exe 576 Opkccm32.exe 680 Onocmadb.exe 1740 Olbchn32.exe 1616 Ocohkh32.exe 1804 Oihqgbhd.exe 1760 Olgmcmgh.exe 340 Pcaepg32.exe 2296 Pdbahpec.exe 2264 Pohfehdi.exe 2508 Pkofjijm.exe 292 Phbgcnig.exe 2056 Pdihiook.exe 1932 Pnalad32.exe 2776 Qgjqjjll.exe 1356 Qjhmfekp.exe 2952 Qmifhq32.exe 2604 Qogbdl32.exe 2856 Akncimmh.exe 2668 Acekjjmk.exe 2132 Aeggbbci.exe 668 Aollokco.exe 1920 Abkhkgbb.exe 1936 Anahqh32.exe 2896 Bmibgd32.exe 2656 Bccjdnbi.exe 1352 Bfagpiam.exe 2892 Bcgdom32.exe 1492 Bffpki32.exe 2392 Bbmapj32.exe 844 Ciifbchf.exe 1508 Cbajkiof.exe 2140 Cljodo32.exe 1768 Cohkpj32.exe 836 Cdecha32.exe 1732 Ckolek32.exe 2524 Cdgpnqpo.exe 1680 Cffljlpc.exe 2536 Cakqgeoi.exe 2940 Cfhiplmp.exe 2620 Cifelgmd.exe 2648 Dpqnhadq.exe 2080 Dkfbfjdf.exe 2040 Dmdnbecj.exe 2832 Ddnfop32.exe 2424 Dgmbkk32.exe 540 Dmgkgeah.exe 1300 Dpegcq32.exe 2328 Debplg32.exe 1380 Dpgcip32.exe 1520 Daipqhdg.exe 752 Dedlag32.exe -
Loads dropped DLL 64 IoCs
pid Process 2532 3e9b09880ef6ab60763b4aeebaad14922663de81ab5f2b6fe1a625999b78bda4.exe 2532 3e9b09880ef6ab60763b4aeebaad14922663de81ab5f2b6fe1a625999b78bda4.exe 2188 Mlpneh32.exe 2188 Mlpneh32.exe 2928 Mamgmofp.exe 2928 Mamgmofp.exe 2796 Mmfdhojb.exe 2796 Mmfdhojb.exe 2728 Mbcmpfhi.exe 2728 Mbcmpfhi.exe 2624 Mfaefd32.exe 2624 Mfaefd32.exe 2592 Nlnnnk32.exe 2592 Nlnnnk32.exe 2164 Nhdocl32.exe 2164 Nhdocl32.exe 1584 Nbjcqe32.exe 1584 Nbjcqe32.exe 2836 Nkegeg32.exe 2836 Nkegeg32.exe 1388 Ndnlnm32.exe 1388 Ndnlnm32.exe 1940 Naalga32.exe 1940 Naalga32.exe 1780 Noemqe32.exe 1780 Noemqe32.exe 476 Opifnm32.exe 476 Opifnm32.exe 576 Opkccm32.exe 576 Opkccm32.exe 680 Onocmadb.exe 680 Onocmadb.exe 1740 Olbchn32.exe 1740 Olbchn32.exe 1616 Ocohkh32.exe 1616 Ocohkh32.exe 1804 Oihqgbhd.exe 1804 Oihqgbhd.exe 1760 Olgmcmgh.exe 1760 Olgmcmgh.exe 340 Pcaepg32.exe 340 Pcaepg32.exe 2296 Pdbahpec.exe 2296 Pdbahpec.exe 2264 Pohfehdi.exe 2264 Pohfehdi.exe 2508 Pkofjijm.exe 2508 Pkofjijm.exe 292 Phbgcnig.exe 292 Phbgcnig.exe 2056 Pdihiook.exe 2056 Pdihiook.exe 1932 Pnalad32.exe 1932 Pnalad32.exe 2776 Qgjqjjll.exe 2776 Qgjqjjll.exe 1356 Qjhmfekp.exe 1356 Qjhmfekp.exe 2952 Qmifhq32.exe 2952 Qmifhq32.exe 2604 Qogbdl32.exe 2604 Qogbdl32.exe 2856 Akncimmh.exe 2856 Akncimmh.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Gbpfqb32.dll Nijnln32.exe File created C:\Windows\SysWOW64\Jhdegn32.exe Jajmjcoe.exe File opened for modification C:\Windows\SysWOW64\Boemlbpk.exe Blfapfpg.exe File opened for modification C:\Windows\SysWOW64\Ebqngb32.exe Epbbkf32.exe File created C:\Windows\SysWOW64\Cillnojb.dll Fennoa32.exe File created C:\Windows\SysWOW64\Bqolji32.exe Bkbdabog.exe File created C:\Windows\SysWOW64\Ojgfoglc.dll Cmhjdiap.exe File opened for modification C:\Windows\SysWOW64\Aodkci32.exe Ajgbkbjp.exe File opened for modification C:\Windows\SysWOW64\Egonhf32.exe Epeekmjk.exe File created C:\Windows\SysWOW64\Jigbebhb.exe Jbnjhh32.exe File created C:\Windows\SysWOW64\Onqkclni.exe Olbogqoe.exe File created C:\Windows\SysWOW64\Edlfhc32.exe Elqaca32.exe File opened for modification C:\Windows\SysWOW64\Iphecepe.exe Imiigiab.exe File created C:\Windows\SysWOW64\Figfejbj.dll Kdnild32.exe File created C:\Windows\SysWOW64\Ajpepm32.exe Aojabdlf.exe File created C:\Windows\SysWOW64\Ccqhkcib.dll Ggagmjbq.exe File created C:\Windows\SysWOW64\Ofglaipf.dll Mobomnoq.exe File created C:\Windows\SysWOW64\Hhkbcb32.dll Njpihk32.exe File created C:\Windows\SysWOW64\Olbogqoe.exe Oalkih32.exe File created C:\Windows\SysWOW64\Fkefbcmf.exe Fhgifgnb.exe File opened for modification C:\Windows\SysWOW64\Hifbdnbi.exe Hgeelf32.exe File opened for modification C:\Windows\SysWOW64\Ogiaif32.exe Odjdmjgo.exe File created C:\Windows\SysWOW64\Bimoloog.exe Bbbgod32.exe File created C:\Windows\SysWOW64\Mifnodlj.dll Emgioakg.exe File opened for modification C:\Windows\SysWOW64\Gjifodii.exe Gfnjne32.exe File opened for modification C:\Windows\SysWOW64\Kilgoe32.exe Keqkofno.exe File created C:\Windows\SysWOW64\Ojbkibad.dll Fcjeon32.exe File created C:\Windows\SysWOW64\Lcmfeo32.dll Bbgqjdce.exe File opened for modification C:\Windows\SysWOW64\Opihgfop.exe Omklkkpl.exe File created C:\Windows\SysWOW64\Kfibhjlj.exe Kalipcmb.exe File opened for modification C:\Windows\SysWOW64\Gnkmqkbi.exe Fdbhge32.exe File created C:\Windows\SysWOW64\Qimagi32.dll Ieigfk32.exe File created C:\Windows\SysWOW64\Inhdgdmk.exe Imggplgm.exe File created C:\Windows\SysWOW64\Fjdnlhco.exe Fcjeon32.exe File created C:\Windows\SysWOW64\Jaoqqflp.exe Ijehdl32.exe File opened for modification C:\Windows\SysWOW64\Ciifbchf.exe Bbmapj32.exe File created C:\Windows\SysWOW64\Idadnd32.exe Hjipenda.exe File created C:\Windows\SysWOW64\Bnqned32.exe Bgffhkoj.exe File opened for modification C:\Windows\SysWOW64\Folfoj32.exe Fgdnnl32.exe File created C:\Windows\SysWOW64\Ogjknh32.dll Hjlioj32.exe File opened for modification C:\Windows\SysWOW64\Hfhcoj32.exe Hakkgc32.exe File created C:\Windows\SysWOW64\Hoqjqhjf.exe Hifbdnbi.exe File created C:\Windows\SysWOW64\Gmbmdane.dll Aeggbbci.exe File opened for modification C:\Windows\SysWOW64\Neqnqofm.exe Nmejllia.exe File created C:\Windows\SysWOW64\Ohagbj32.exe Ooicid32.exe File created C:\Windows\SysWOW64\Kaaded32.dll Phcilf32.exe File created C:\Windows\SysWOW64\Mdadjd32.exe Mbchni32.exe File opened for modification C:\Windows\SysWOW64\Kambcbhb.exe Jnofgg32.exe File created C:\Windows\SysWOW64\Kdbbgdjj.exe Kjmnjkjd.exe File created C:\Windows\SysWOW64\Pcqejkep.dll Hieiqo32.exe File opened for modification C:\Windows\SysWOW64\Ahmefdcp.exe Aeoijidl.exe File created C:\Windows\SysWOW64\Nhmglf32.dll Mihdgkpp.exe File opened for modification C:\Windows\SysWOW64\Emgioakg.exe Ekhmcelc.exe File opened for modification C:\Windows\SysWOW64\Igoomk32.exe Iaegpaao.exe File created C:\Windows\SysWOW64\Cacclpae.exe Cfnoogbo.exe File opened for modification C:\Windows\SysWOW64\Fcbecl32.exe Fqdiga32.exe File opened for modification C:\Windows\SysWOW64\Jaoqqflp.exe Ijehdl32.exe File created C:\Windows\SysWOW64\Eipgjaoi.exe Egajnfoe.exe File created C:\Windows\SysWOW64\Keqkofno.exe Kbbobkol.exe File created C:\Windows\SysWOW64\Hccadd32.dll Ciokijfd.exe File created C:\Windows\SysWOW64\Ekhnnojb.dll Jjfkmdlg.exe File created C:\Windows\SysWOW64\Afmjbf32.dll Jlckbh32.exe File created C:\Windows\SysWOW64\Jjjkclbf.dll Oanefo32.exe File created C:\Windows\SysWOW64\Hboddk32.exe Hpphhp32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 604 2868 WerFault.exe 866 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpgcip32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blinefnd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdhleh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlnnnk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpcqnf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Goiehm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfejjgli.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnecigcp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdbahpec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnpkflne.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khkbbc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfmndn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkoncdcp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnbojmmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boogmgkl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gckdgjeb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jajmjcoe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfebambf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijclol32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mqjefamk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbnjhh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iplnnd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmjaohol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccnifd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Libjncnc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfaefd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agbpnh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qobdgo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Feachqgb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lidgcclp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khoebi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Koaqcn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mobfgdcl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfpaic32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Objjnkie.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idadnd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdjqamme.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cidddj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acekjjmk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cljodo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhdhif32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnmlcp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckeqga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fepjea32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inhanl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kaajei32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iladfn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bacihmoo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnalad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jagnlkjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efjmbaba.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bffpki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abpjjeim.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iamdkfnc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcjmmdbf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elnqmd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Geeemeif.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohhmcinf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aciqcifh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcepqh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccpcckck.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pghfnc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aknngo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qhjfgl32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aqjdgmgd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fennoa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ieofkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Olbogqoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qlfdac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blcihk32.dll" Heealhla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbgogp32.dll" Fpmbfbgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bqolji32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ejcmmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnjghm32.dll" Ifampo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjlqgcoc.dll" Geeemeif.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gjicfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnbkmo32.dll" Kgkleabc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iddklgpc.dll" Bbeded32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkojbh32.dll" Opkccm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gigqol32.dll" Loqmba32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ofcqcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dahapj32.dll" Pgcmbcih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bjbndpmd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hcojam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ijkocg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mebgijei.dll" Jbclgf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fkhgip32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gqnbhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngndfk32.dll" Aqonbm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gkephn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aoojnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjdepgcg.dll" Hmlkfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhimbk32.dll" Ndfnecgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jnofgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljecmgch.dll" Acekjjmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fgldnkkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhiejpim.dll" Pidfdofi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lopfhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jaoobkci.dll" Aknngo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eojlbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncdgll32.dll" Edlfhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nmfbpk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnokbe32.dll" Djlfma32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bjbeofpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hnmeen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Njpgpbpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ieocod32.dll" Neknki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ccgklc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Efdhpjok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhadqf32.dll" Ajgbkbjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbdjfk32.dll" Pnbojmmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbfheikj.dll" Keqkofno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Alddjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kobgmfjh.dll" Iamfdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Koaclfgl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Neqnqofm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lkicbk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oalkih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chfkee32.dll" Ajhddk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gckdgjeb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Klehgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pecgea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mifnodlj.dll" Emgioakg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iglhhc32.dll" Kalipcmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfglml32.dll" Bqolji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ellcac32.dll" Gqnbhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pegqpacp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Njpihk32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2532 wrote to memory of 2188 2532 3e9b09880ef6ab60763b4aeebaad14922663de81ab5f2b6fe1a625999b78bda4.exe 30 PID 2532 wrote to memory of 2188 2532 3e9b09880ef6ab60763b4aeebaad14922663de81ab5f2b6fe1a625999b78bda4.exe 30 PID 2532 wrote to memory of 2188 2532 3e9b09880ef6ab60763b4aeebaad14922663de81ab5f2b6fe1a625999b78bda4.exe 30 PID 2532 wrote to memory of 2188 2532 3e9b09880ef6ab60763b4aeebaad14922663de81ab5f2b6fe1a625999b78bda4.exe 30 PID 2188 wrote to memory of 2928 2188 Mlpneh32.exe 31 PID 2188 wrote to memory of 2928 2188 Mlpneh32.exe 31 PID 2188 wrote to memory of 2928 2188 Mlpneh32.exe 31 PID 2188 wrote to memory of 2928 2188 Mlpneh32.exe 31 PID 2928 wrote to memory of 2796 2928 Mamgmofp.exe 32 PID 2928 wrote to memory of 2796 2928 Mamgmofp.exe 32 PID 2928 wrote to memory of 2796 2928 Mamgmofp.exe 32 PID 2928 wrote to memory of 2796 2928 Mamgmofp.exe 32 PID 2796 wrote to memory of 2728 2796 Mmfdhojb.exe 33 PID 2796 wrote to memory of 2728 2796 Mmfdhojb.exe 33 PID 2796 wrote to memory of 2728 2796 Mmfdhojb.exe 33 PID 2796 wrote to memory of 2728 2796 Mmfdhojb.exe 33 PID 2728 wrote to memory of 2624 2728 Mbcmpfhi.exe 34 PID 2728 wrote to memory of 2624 2728 Mbcmpfhi.exe 34 PID 2728 wrote to memory of 2624 2728 Mbcmpfhi.exe 34 PID 2728 wrote to memory of 2624 2728 Mbcmpfhi.exe 34 PID 2624 wrote to memory of 2592 2624 Mfaefd32.exe 35 PID 2624 wrote to memory of 2592 2624 Mfaefd32.exe 35 PID 2624 wrote to memory of 2592 2624 Mfaefd32.exe 35 PID 2624 wrote to memory of 2592 2624 Mfaefd32.exe 35 PID 2592 wrote to memory of 2164 2592 Nlnnnk32.exe 36 PID 2592 wrote to memory of 2164 2592 Nlnnnk32.exe 36 PID 2592 wrote to memory of 2164 2592 Nlnnnk32.exe 36 PID 2592 wrote to memory of 2164 2592 Nlnnnk32.exe 36 PID 2164 wrote to memory of 1584 2164 Nhdocl32.exe 37 PID 2164 wrote to memory of 1584 2164 Nhdocl32.exe 37 PID 2164 wrote to memory of 1584 2164 Nhdocl32.exe 37 PID 2164 wrote to memory of 1584 2164 Nhdocl32.exe 37 PID 1584 wrote to memory of 2836 1584 Nbjcqe32.exe 38 PID 1584 wrote to memory of 2836 1584 Nbjcqe32.exe 38 PID 1584 wrote to memory of 2836 1584 Nbjcqe32.exe 38 PID 1584 wrote to memory of 2836 1584 Nbjcqe32.exe 38 PID 2836 wrote to memory of 1388 2836 Nkegeg32.exe 39 PID 2836 wrote to memory of 1388 2836 Nkegeg32.exe 39 PID 2836 wrote to memory of 1388 2836 Nkegeg32.exe 39 PID 2836 wrote to memory of 1388 2836 Nkegeg32.exe 39 PID 1388 wrote to memory of 1940 1388 Ndnlnm32.exe 40 PID 1388 wrote to memory of 1940 1388 Ndnlnm32.exe 40 PID 1388 wrote to memory of 1940 1388 Ndnlnm32.exe 40 PID 1388 wrote to memory of 1940 1388 Ndnlnm32.exe 40 PID 1940 wrote to memory of 1780 1940 Naalga32.exe 41 PID 1940 wrote to memory of 1780 1940 Naalga32.exe 41 PID 1940 wrote to memory of 1780 1940 Naalga32.exe 41 PID 1940 wrote to memory of 1780 1940 Naalga32.exe 41 PID 1780 wrote to memory of 476 1780 Noemqe32.exe 42 PID 1780 wrote to memory of 476 1780 Noemqe32.exe 42 PID 1780 wrote to memory of 476 1780 Noemqe32.exe 42 PID 1780 wrote to memory of 476 1780 Noemqe32.exe 42 PID 476 wrote to memory of 576 476 Opifnm32.exe 43 PID 476 wrote to memory of 576 476 Opifnm32.exe 43 PID 476 wrote to memory of 576 476 Opifnm32.exe 43 PID 476 wrote to memory of 576 476 Opifnm32.exe 43 PID 576 wrote to memory of 680 576 Opkccm32.exe 44 PID 576 wrote to memory of 680 576 Opkccm32.exe 44 PID 576 wrote to memory of 680 576 Opkccm32.exe 44 PID 576 wrote to memory of 680 576 Opkccm32.exe 44 PID 680 wrote to memory of 1740 680 Onocmadb.exe 45 PID 680 wrote to memory of 1740 680 Onocmadb.exe 45 PID 680 wrote to memory of 1740 680 Onocmadb.exe 45 PID 680 wrote to memory of 1740 680 Onocmadb.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\3e9b09880ef6ab60763b4aeebaad14922663de81ab5f2b6fe1a625999b78bda4.exe"C:\Users\Admin\AppData\Local\Temp\3e9b09880ef6ab60763b4aeebaad14922663de81ab5f2b6fe1a625999b78bda4.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2532 -
C:\Windows\SysWOW64\Mlpneh32.exeC:\Windows\system32\Mlpneh32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2188 -
C:\Windows\SysWOW64\Mamgmofp.exeC:\Windows\system32\Mamgmofp.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2928 -
C:\Windows\SysWOW64\Mmfdhojb.exeC:\Windows\system32\Mmfdhojb.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2796 -
C:\Windows\SysWOW64\Mbcmpfhi.exeC:\Windows\system32\Mbcmpfhi.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2728 -
C:\Windows\SysWOW64\Mfaefd32.exeC:\Windows\system32\Mfaefd32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2624 -
C:\Windows\SysWOW64\Nlnnnk32.exeC:\Windows\system32\Nlnnnk32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2592 -
C:\Windows\SysWOW64\Nhdocl32.exeC:\Windows\system32\Nhdocl32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2164 -
C:\Windows\SysWOW64\Nbjcqe32.exeC:\Windows\system32\Nbjcqe32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1584 -
C:\Windows\SysWOW64\Nkegeg32.exeC:\Windows\system32\Nkegeg32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2836 -
C:\Windows\SysWOW64\Ndnlnm32.exeC:\Windows\system32\Ndnlnm32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1388 -
C:\Windows\SysWOW64\Naalga32.exeC:\Windows\system32\Naalga32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1940 -
C:\Windows\SysWOW64\Noemqe32.exeC:\Windows\system32\Noemqe32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1780 -
C:\Windows\SysWOW64\Opifnm32.exeC:\Windows\system32\Opifnm32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:476 -
C:\Windows\SysWOW64\Opkccm32.exeC:\Windows\system32\Opkccm32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:576 -
C:\Windows\SysWOW64\Onocmadb.exeC:\Windows\system32\Onocmadb.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:680 -
C:\Windows\SysWOW64\Olbchn32.exeC:\Windows\system32\Olbchn32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1740 -
C:\Windows\SysWOW64\Ocohkh32.exeC:\Windows\system32\Ocohkh32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1616 -
C:\Windows\SysWOW64\Oihqgbhd.exeC:\Windows\system32\Oihqgbhd.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1804 -
C:\Windows\SysWOW64\Olgmcmgh.exeC:\Windows\system32\Olgmcmgh.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1760 -
C:\Windows\SysWOW64\Pcaepg32.exeC:\Windows\system32\Pcaepg32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:340 -
C:\Windows\SysWOW64\Pdbahpec.exeC:\Windows\system32\Pdbahpec.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2296 -
C:\Windows\SysWOW64\Pohfehdi.exeC:\Windows\system32\Pohfehdi.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2264 -
C:\Windows\SysWOW64\Pkofjijm.exeC:\Windows\system32\Pkofjijm.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2508 -
C:\Windows\SysWOW64\Phbgcnig.exeC:\Windows\system32\Phbgcnig.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:292 -
C:\Windows\SysWOW64\Pdihiook.exeC:\Windows\system32\Pdihiook.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2056 -
C:\Windows\SysWOW64\Pnalad32.exeC:\Windows\system32\Pnalad32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1932 -
C:\Windows\SysWOW64\Qgjqjjll.exeC:\Windows\system32\Qgjqjjll.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2776 -
C:\Windows\SysWOW64\Qjhmfekp.exeC:\Windows\system32\Qjhmfekp.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1356 -
C:\Windows\SysWOW64\Qmifhq32.exeC:\Windows\system32\Qmifhq32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2952 -
C:\Windows\SysWOW64\Qogbdl32.exeC:\Windows\system32\Qogbdl32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2604 -
C:\Windows\SysWOW64\Akncimmh.exeC:\Windows\system32\Akncimmh.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2856 -
C:\Windows\SysWOW64\Acekjjmk.exeC:\Windows\system32\Acekjjmk.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2668 -
C:\Windows\SysWOW64\Aeggbbci.exeC:\Windows\system32\Aeggbbci.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2132 -
C:\Windows\SysWOW64\Aollokco.exeC:\Windows\system32\Aollokco.exe35⤵
- Executes dropped EXE
PID:668 -
C:\Windows\SysWOW64\Abkhkgbb.exeC:\Windows\system32\Abkhkgbb.exe36⤵
- Executes dropped EXE
PID:1920 -
C:\Windows\SysWOW64\Anahqh32.exeC:\Windows\system32\Anahqh32.exe37⤵
- Executes dropped EXE
PID:1936 -
C:\Windows\SysWOW64\Bmibgd32.exeC:\Windows\system32\Bmibgd32.exe38⤵
- Executes dropped EXE
PID:2896 -
C:\Windows\SysWOW64\Bccjdnbi.exeC:\Windows\system32\Bccjdnbi.exe39⤵
- Executes dropped EXE
PID:2656 -
C:\Windows\SysWOW64\Bfagpiam.exeC:\Windows\system32\Bfagpiam.exe40⤵
- Executes dropped EXE
PID:1352 -
C:\Windows\SysWOW64\Bcgdom32.exeC:\Windows\system32\Bcgdom32.exe41⤵
- Executes dropped EXE
PID:2892 -
C:\Windows\SysWOW64\Bffpki32.exeC:\Windows\system32\Bffpki32.exe42⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1492 -
C:\Windows\SysWOW64\Bbmapj32.exeC:\Windows\system32\Bbmapj32.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2392 -
C:\Windows\SysWOW64\Ciifbchf.exeC:\Windows\system32\Ciifbchf.exe44⤵
- Executes dropped EXE
PID:844 -
C:\Windows\SysWOW64\Cbajkiof.exeC:\Windows\system32\Cbajkiof.exe45⤵
- Executes dropped EXE
PID:1508 -
C:\Windows\SysWOW64\Cljodo32.exeC:\Windows\system32\Cljodo32.exe46⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2140 -
C:\Windows\SysWOW64\Cohkpj32.exeC:\Windows\system32\Cohkpj32.exe47⤵
- Executes dropped EXE
PID:1768 -
C:\Windows\SysWOW64\Cdecha32.exeC:\Windows\system32\Cdecha32.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:836 -
C:\Windows\SysWOW64\Ckolek32.exeC:\Windows\system32\Ckolek32.exe49⤵
- Executes dropped EXE
PID:1732 -
C:\Windows\SysWOW64\Cdgpnqpo.exeC:\Windows\system32\Cdgpnqpo.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2524 -
C:\Windows\SysWOW64\Cffljlpc.exeC:\Windows\system32\Cffljlpc.exe51⤵
- Executes dropped EXE
PID:1680 -
C:\Windows\SysWOW64\Cakqgeoi.exeC:\Windows\system32\Cakqgeoi.exe52⤵
- Executes dropped EXE
PID:2536 -
C:\Windows\SysWOW64\Cfhiplmp.exeC:\Windows\system32\Cfhiplmp.exe53⤵
- Executes dropped EXE
PID:2940 -
C:\Windows\SysWOW64\Cifelgmd.exeC:\Windows\system32\Cifelgmd.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2620 -
C:\Windows\SysWOW64\Dpqnhadq.exeC:\Windows\system32\Dpqnhadq.exe55⤵
- Executes dropped EXE
PID:2648 -
C:\Windows\SysWOW64\Dkfbfjdf.exeC:\Windows\system32\Dkfbfjdf.exe56⤵
- Executes dropped EXE
PID:2080 -
C:\Windows\SysWOW64\Dmdnbecj.exeC:\Windows\system32\Dmdnbecj.exe57⤵
- Executes dropped EXE
PID:2040 -
C:\Windows\SysWOW64\Ddnfop32.exeC:\Windows\system32\Ddnfop32.exe58⤵
- Executes dropped EXE
PID:2832 -
C:\Windows\SysWOW64\Dgmbkk32.exeC:\Windows\system32\Dgmbkk32.exe59⤵
- Executes dropped EXE
PID:2424 -
C:\Windows\SysWOW64\Dmgkgeah.exeC:\Windows\system32\Dmgkgeah.exe60⤵
- Executes dropped EXE
PID:540 -
C:\Windows\SysWOW64\Dpegcq32.exeC:\Windows\system32\Dpegcq32.exe61⤵
- Executes dropped EXE
PID:1300 -
C:\Windows\SysWOW64\Debplg32.exeC:\Windows\system32\Debplg32.exe62⤵
- Executes dropped EXE
PID:2328 -
C:\Windows\SysWOW64\Dpgcip32.exeC:\Windows\system32\Dpgcip32.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1380 -
C:\Windows\SysWOW64\Daipqhdg.exeC:\Windows\system32\Daipqhdg.exe64⤵
- Executes dropped EXE
PID:1520 -
C:\Windows\SysWOW64\Dedlag32.exeC:\Windows\system32\Dedlag32.exe65⤵
- Executes dropped EXE
PID:752 -
C:\Windows\SysWOW64\Dlndnacm.exeC:\Windows\system32\Dlndnacm.exe66⤵PID:2528
-
C:\Windows\SysWOW64\Elqaca32.exeC:\Windows\system32\Elqaca32.exe67⤵
- Drops file in System32 directory
PID:1944 -
C:\Windows\SysWOW64\Edlfhc32.exeC:\Windows\system32\Edlfhc32.exe68⤵
- Modifies registry class
PID:3004 -
C:\Windows\SysWOW64\Egjbdo32.exeC:\Windows\system32\Egjbdo32.exe69⤵PID:1568
-
C:\Windows\SysWOW64\Eapfagno.exeC:\Windows\system32\Eapfagno.exe70⤵PID:2224
-
C:\Windows\SysWOW64\Egmojnlf.exeC:\Windows\system32\Egmojnlf.exe71⤵PID:2944
-
C:\Windows\SysWOW64\Edqocbkp.exeC:\Windows\system32\Edqocbkp.exe72⤵PID:2880
-
C:\Windows\SysWOW64\Ekjgpm32.exeC:\Windows\system32\Ekjgpm32.exe73⤵PID:2596
-
C:\Windows\SysWOW64\Ejmhkiig.exeC:\Windows\system32\Ejmhkiig.exe74⤵PID:1688
-
C:\Windows\SysWOW64\Edclib32.exeC:\Windows\system32\Edclib32.exe75⤵PID:1468
-
C:\Windows\SysWOW64\Efdhpjok.exeC:\Windows\system32\Efdhpjok.exe76⤵
- Modifies registry class
PID:1648 -
C:\Windows\SysWOW64\Elnqmd32.exeC:\Windows\system32\Elnqmd32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2012 -
C:\Windows\SysWOW64\Eolmip32.exeC:\Windows\system32\Eolmip32.exe78⤵PID:1432
-
C:\Windows\SysWOW64\Flqmbd32.exeC:\Windows\system32\Flqmbd32.exe79⤵PID:1608
-
C:\Windows\SysWOW64\Fcjeon32.exeC:\Windows\system32\Fcjeon32.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1080 -
C:\Windows\SysWOW64\Fjdnlhco.exeC:\Windows\system32\Fjdnlhco.exe81⤵PID:1736
-
C:\Windows\SysWOW64\Fmcjhdbc.exeC:\Windows\system32\Fmcjhdbc.exe82⤵PID:756
-
C:\Windows\SysWOW64\Foafdoag.exeC:\Windows\system32\Foafdoag.exe83⤵PID:1104
-
C:\Windows\SysWOW64\Fdnolfon.exeC:\Windows\system32\Fdnolfon.exe84⤵PID:1524
-
C:\Windows\SysWOW64\Fkhgip32.exeC:\Windows\system32\Fkhgip32.exe85⤵
- Modifies registry class
PID:1548 -
C:\Windows\SysWOW64\Fbbofjnh.exeC:\Windows\system32\Fbbofjnh.exe86⤵PID:1968
-
C:\Windows\SysWOW64\Filgbdfd.exeC:\Windows\system32\Filgbdfd.exe87⤵PID:2452
-
C:\Windows\SysWOW64\Fqglggcp.exeC:\Windows\system32\Fqglggcp.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2708 -
C:\Windows\SysWOW64\Fdbhge32.exeC:\Windows\system32\Fdbhge32.exe89⤵
- Drops file in System32 directory
PID:592 -
C:\Windows\SysWOW64\Gnkmqkbi.exeC:\Windows\system32\Gnkmqkbi.exe90⤵PID:1412
-
C:\Windows\SysWOW64\Gqiimfam.exeC:\Windows\system32\Gqiimfam.exe91⤵PID:2364
-
C:\Windows\SysWOW64\Geeemeif.exeC:\Windows\system32\Geeemeif.exe92⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2360 -
C:\Windows\SysWOW64\Gkomjo32.exeC:\Windows\system32\Gkomjo32.exe93⤵PID:1512
-
C:\Windows\SysWOW64\Gmpjagfa.exeC:\Windows\system32\Gmpjagfa.exe94⤵PID:2316
-
C:\Windows\SysWOW64\Gegabegc.exeC:\Windows\system32\Gegabegc.exe95⤵PID:448
-
C:\Windows\SysWOW64\Gfhnjm32.exeC:\Windows\system32\Gfhnjm32.exe96⤵PID:1808
-
C:\Windows\SysWOW64\Gmbfggdo.exeC:\Windows\system32\Gmbfggdo.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2280 -
C:\Windows\SysWOW64\Gqnbhf32.exeC:\Windows\system32\Gqnbhf32.exe98⤵
- Modifies registry class
PID:344 -
C:\Windows\SysWOW64\Gcmoda32.exeC:\Windows\system32\Gcmoda32.exe99⤵PID:2676
-
C:\Windows\SysWOW64\Gfkkpmko.exeC:\Windows\system32\Gfkkpmko.exe100⤵PID:2136
-
C:\Windows\SysWOW64\Giiglhjb.exeC:\Windows\system32\Giiglhjb.exe101⤵PID:2808
-
C:\Windows\SysWOW64\Gcokiaji.exeC:\Windows\system32\Gcokiaji.exe102⤵PID:2736
-
C:\Windows\SysWOW64\Gfmgelil.exeC:\Windows\system32\Gfmgelil.exe103⤵PID:3028
-
C:\Windows\SysWOW64\Gjicfk32.exeC:\Windows\system32\Gjicfk32.exe104⤵
- Modifies registry class
PID:2824 -
C:\Windows\SysWOW64\Gcahoqhf.exeC:\Windows\system32\Gcahoqhf.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3000 -
C:\Windows\SysWOW64\Hfpdkl32.exeC:\Windows\system32\Hfpdkl32.exe106⤵PID:1964
-
C:\Windows\SysWOW64\Hllmcc32.exeC:\Windows\system32\Hllmcc32.exe107⤵PID:2276
-
C:\Windows\SysWOW64\Hphidanj.exeC:\Windows\system32\Hphidanj.exe108⤵PID:1136
-
C:\Windows\SysWOW64\Heealhla.exeC:\Windows\system32\Heealhla.exe109⤵
- Modifies registry class
PID:1628 -
C:\Windows\SysWOW64\Hipmmg32.exeC:\Windows\system32\Hipmmg32.exe110⤵PID:940
-
C:\Windows\SysWOW64\Hnmeen32.exeC:\Windows\system32\Hnmeen32.exe111⤵
- Modifies registry class
PID:1556 -
C:\Windows\SysWOW64\Hegnahjo.exeC:\Windows\system32\Hegnahjo.exe112⤵PID:2500
-
C:\Windows\SysWOW64\Hlafnbal.exeC:\Windows\system32\Hlafnbal.exe113⤵PID:2720
-
C:\Windows\SysWOW64\Hanogipc.exeC:\Windows\system32\Hanogipc.exe114⤵PID:2752
-
C:\Windows\SysWOW64\Hhhgcc32.exeC:\Windows\system32\Hhhgcc32.exe115⤵PID:2760
-
C:\Windows\SysWOW64\Hjfcpo32.exeC:\Windows\system32\Hjfcpo32.exe116⤵PID:1852
-
C:\Windows\SysWOW64\Hmeolj32.exeC:\Windows\system32\Hmeolj32.exe117⤵PID:548
-
C:\Windows\SysWOW64\Helgmg32.exeC:\Windows\system32\Helgmg32.exe118⤵PID:1792
-
C:\Windows\SysWOW64\Hfmddp32.exeC:\Windows\system32\Hfmddp32.exe119⤵PID:1540
-
C:\Windows\SysWOW64\Hjipenda.exeC:\Windows\system32\Hjipenda.exe120⤵
- Drops file in System32 directory
PID:1092 -
C:\Windows\SysWOW64\Idadnd32.exeC:\Windows\system32\Idadnd32.exe121⤵
- System Location Discovery: System Language Discovery
PID:1292
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-