Analysis
-
max time kernel
117s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
07-12-2024 22:32
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
50520bc776530713f5b82d40d446ccd73c183f5716e330dde1fd6021b0347308.exe
Resource
win7-20241010-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral2
Sample
50520bc776530713f5b82d40d446ccd73c183f5716e330dde1fd6021b0347308.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
50520bc776530713f5b82d40d446ccd73c183f5716e330dde1fd6021b0347308.exe
-
Size
2.9MB
-
MD5
fb3b40c287311c389c66d743716941fb
-
SHA1
162db11690bd600b6deeeef6b0ea448194d3f0be
-
SHA256
50520bc776530713f5b82d40d446ccd73c183f5716e330dde1fd6021b0347308
-
SHA512
0da43980f737945765a2d82e46d62b7023a75bdffb3f910e56ea37ec647ac07bc7523a51de2dec98fe7747ea6f9892097c66219302d0dcd48a9a1204462a0eac
-
SSDEEP
49152:0jkj/nUkjkj/npfjkj/nUkjkj/nqkjkj/nUkjkj/npfjkj/nUkjkj/nKjkj/nB:0jkjfUkjkjfpfjkjfUkjkjfqkjkjfUks
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnjklb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhndnpnp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iaaekl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phgannal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aldfcpjn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lpapgnpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Elejqm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgjlgm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpapgnpb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mffkgl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfknhi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhglop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojfcdo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdqhambg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmemoe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lolofd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njchfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dpgckm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pqplqile.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbmoceol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jbnlaqhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lmhbgpia.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcjldp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mkibjgli.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cedpdpdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Opmhqc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejdfqogm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jecnnk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Leegbnan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hchoop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gajlac32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npiiafpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fpkchm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fjaqhe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jgmaog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mbdcepcm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qijdqp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfogneop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Paggce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fhglop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ejiadgkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eoajgh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npfjbn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dflmpebj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hkbmil32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afecna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cpbnaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gcakbjpl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjmnmk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nladco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dcpmijqc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmqieh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nphghn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jgjmoace.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dflmpebj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Befnbd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omqjgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bbikig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dleelp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmamfddp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifpelq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jnifaajh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kpfbegei.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfcjiodd.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2404 Kenhopmf.exe 2804 Kkjpggkn.exe 2768 Loaokjjg.exe 852 Lifcib32.exe 2704 Mkofaj32.exe 2088 Mdgkjopd.exe 2064 Ncfjajma.exe 2860 Ndggib32.exe 2832 Nnokahip.exe 1500 Padjmfdg.exe 2380 Paggce32.exe 484 Phaoppja.exe 1324 Pjoklkie.exe 2168 Paiche32.exe 2384 Booiep32.exe 2244 Chgnneiq.exe 2340 Cfknhi32.exe 1856 Diqmcgca.exe 3052 Eegmhhie.exe 840 Egfjdchi.exe 756 Ejdfqogm.exe 1052 Eejjnhgc.exe 2336 Ejfbfo32.exe 876 Ehkcpc32.exe 1180 Ejioln32.exe 2896 Geloanjg.exe 2936 Gpacogjm.exe 3012 Gcppkbia.exe 2420 Hhmhcigh.exe 1272 Hecebm32.exe 2856 Icbipe32.exe 2900 Ifpelq32.exe 3048 Imjmhkpj.exe 2764 Ikagogco.exe 2836 Iblola32.exe 2772 Jkdcdf32.exe 2228 Jbnlaqhi.exe 2964 Jnemfa32.exe 1628 Jacibm32.exe 1340 Jgmaog32.exe 2568 Jkimpfmg.exe 1252 Jeaahk32.exe 1936 Jkkjeeke.exe 596 Jnifaajh.exe 2280 Jecnnk32.exe 1716 Kgdgpfnf.exe 1612 Kfggkc32.exe 1332 Kamlhl32.exe 2728 Kijmbnpo.exe 2632 Kfnnlboi.exe 1384 Kpfbegei.exe 2864 Khagijcd.exe 1944 Lolofd32.exe 1764 Leegbnan.exe 2980 Ldkdckff.exe 3028 Lfippfej.exe 1288 Lmeebpkd.exe 1672 Ldpnoj32.exe 1972 Lmhbgpia.exe 2188 Lpfnckhe.exe 636 Mecglbfl.exe 1956 Miocmq32.exe 2920 Mlmoilni.exe 2776 Mokkegmm.exe -
Loads dropped DLL 64 IoCs
pid Process 2952 50520bc776530713f5b82d40d446ccd73c183f5716e330dde1fd6021b0347308.exe 2952 50520bc776530713f5b82d40d446ccd73c183f5716e330dde1fd6021b0347308.exe 2404 Kenhopmf.exe 2404 Kenhopmf.exe 2804 Kkjpggkn.exe 2804 Kkjpggkn.exe 2768 Loaokjjg.exe 2768 Loaokjjg.exe 852 Lifcib32.exe 852 Lifcib32.exe 2704 Mkofaj32.exe 2704 Mkofaj32.exe 2088 Mdgkjopd.exe 2088 Mdgkjopd.exe 2064 Ncfjajma.exe 2064 Ncfjajma.exe 2860 Ndggib32.exe 2860 Ndggib32.exe 2832 Nnokahip.exe 2832 Nnokahip.exe 1500 Padjmfdg.exe 1500 Padjmfdg.exe 2380 Paggce32.exe 2380 Paggce32.exe 484 Phaoppja.exe 484 Phaoppja.exe 1324 Pjoklkie.exe 1324 Pjoklkie.exe 2168 Paiche32.exe 2168 Paiche32.exe 2384 Booiep32.exe 2384 Booiep32.exe 2244 Chgnneiq.exe 2244 Chgnneiq.exe 2340 Cfknhi32.exe 2340 Cfknhi32.exe 1856 Diqmcgca.exe 1856 Diqmcgca.exe 3052 Eegmhhie.exe 3052 Eegmhhie.exe 840 Egfjdchi.exe 840 Egfjdchi.exe 756 Ejdfqogm.exe 756 Ejdfqogm.exe 1052 Eejjnhgc.exe 1052 Eejjnhgc.exe 2336 Ejfbfo32.exe 2336 Ejfbfo32.exe 876 Ehkcpc32.exe 876 Ehkcpc32.exe 1180 Ejioln32.exe 1180 Ejioln32.exe 2896 Geloanjg.exe 2896 Geloanjg.exe 2936 Gpacogjm.exe 2936 Gpacogjm.exe 3012 Gcppkbia.exe 3012 Gcppkbia.exe 2420 Hhmhcigh.exe 2420 Hhmhcigh.exe 1272 Hecebm32.exe 1272 Hecebm32.exe 2856 Icbipe32.exe 2856 Icbipe32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Bplnpkga.dll Eejjnhgc.exe File created C:\Windows\SysWOW64\Edmhlpjl.dll Gpacogjm.exe File opened for modification C:\Windows\SysWOW64\Hecebm32.exe Hhmhcigh.exe File created C:\Windows\SysWOW64\Idcoaaei.dll Bklpjlmc.exe File created C:\Windows\SysWOW64\Pdnbmp32.dll Gimaah32.exe File opened for modification C:\Windows\SysWOW64\Eqamla32.exe Ehclbpic.exe File created C:\Windows\SysWOW64\Mjmnmk32.exe Lpapgnpb.exe File created C:\Windows\SysWOW64\Cqoebm32.dll Padjmfdg.exe File created C:\Windows\SysWOW64\Lfdlgb32.dll Paggce32.exe File created C:\Windows\SysWOW64\Jcgalk32.dll Lmeebpkd.exe File created C:\Windows\SysWOW64\Bidjckae.dll Qjgjpi32.exe File created C:\Windows\SysWOW64\Klndom32.dll Hchoop32.exe File created C:\Windows\SysWOW64\Ohdglfoj.exe Odiklh32.exe File created C:\Windows\SysWOW64\Kgdcgk32.dll Cfknhi32.exe File created C:\Windows\SysWOW64\Gabofn32.exe Fmgcepio.exe File opened for modification C:\Windows\SysWOW64\Lighjd32.exe Lbmpnjai.exe File created C:\Windows\SysWOW64\Pokkfdac.dll Ninhamne.exe File created C:\Windows\SysWOW64\Iphhgb32.exe Iilceh32.exe File created C:\Windows\SysWOW64\Gchhdfem.dll Qbobaf32.exe File created C:\Windows\SysWOW64\Gmlckehe.exe Fiedfb32.exe File created C:\Windows\SysWOW64\Npiiafpa.exe Mhkhgd32.exe File created C:\Windows\SysWOW64\Gpacogjm.exe Geloanjg.exe File created C:\Windows\SysWOW64\Jfagemej.exe Jcckibfg.exe File opened for modification C:\Windows\SysWOW64\Fiedfb32.exe Ffghjg32.exe File opened for modification C:\Windows\SysWOW64\Hbghdj32.exe Hoipnl32.exe File created C:\Windows\SysWOW64\Cdnjaibm.exe Cpbnaj32.exe File created C:\Windows\SysWOW64\Ogepbg32.dll Jfhmehji.exe File created C:\Windows\SysWOW64\Jgmaog32.exe Jacibm32.exe File opened for modification C:\Windows\SysWOW64\Kamlhl32.exe Kfggkc32.exe File opened for modification C:\Windows\SysWOW64\Anhpkg32.exe Afqhjj32.exe File created C:\Windows\SysWOW64\Opdnpmio.dll Ojbnkp32.exe File created C:\Windows\SysWOW64\Efeoedjo.exe Ehaolpke.exe File created C:\Windows\SysWOW64\Hogcil32.exe Hpdbmooo.exe File opened for modification C:\Windows\SysWOW64\Edofbpja.exe Ejiadgkl.exe File created C:\Windows\SysWOW64\Ffghjg32.exe Ffeldglk.exe File opened for modification C:\Windows\SysWOW64\Iencdc32.exe Iboghh32.exe File created C:\Windows\SysWOW64\Kfnnlboi.exe Kijmbnpo.exe File created C:\Windows\SysWOW64\Gfdeopaj.dll Leegbnan.exe File opened for modification C:\Windows\SysWOW64\Befnbd32.exe Blniinac.exe File created C:\Windows\SysWOW64\Hkbmil32.exe Hbghdj32.exe File opened for modification C:\Windows\SysWOW64\Oogiha32.exe Olimlf32.exe File created C:\Windows\SysWOW64\Joapmk32.dll Jdlclo32.exe File created C:\Windows\SysWOW64\Befnbd32.exe Blniinac.exe File opened for modification C:\Windows\SysWOW64\Ilhlan32.exe Iencdc32.exe File created C:\Windows\SysWOW64\Fkldcapk.dll Egfjdchi.exe File created C:\Windows\SysWOW64\Jkimpfmg.exe Jgmaog32.exe File opened for modification C:\Windows\SysWOW64\Lmhbgpia.exe Ldpnoj32.exe File created C:\Windows\SysWOW64\Aikjmm32.dll Amplklmj.exe File opened for modification C:\Windows\SysWOW64\Kfgcieii.exe Komjmk32.exe File created C:\Windows\SysWOW64\Djgaeaao.dll Ikagogco.exe File created C:\Windows\SysWOW64\Lmeebpkd.exe Lfippfej.exe File created C:\Windows\SysWOW64\Ghibjjfb.dll Ngbpehpj.exe File created C:\Windows\SysWOW64\Gekkpqnp.exe Gbmoceol.exe File created C:\Windows\SysWOW64\Ppfafphp.dll Kamlhl32.exe File opened for modification C:\Windows\SysWOW64\Nhhominh.exe Nanfqo32.exe File created C:\Windows\SysWOW64\Pcbiqgln.dll Iokhcodo.exe File created C:\Windows\SysWOW64\Ajbnaedb.dll Mchokq32.exe File created C:\Windows\SysWOW64\Mlahdkjc.exe Mhflcm32.exe File created C:\Windows\SysWOW64\Mpefbfgo.dll Efeoedjo.exe File created C:\Windows\SysWOW64\Ngbpehpj.exe Nphghn32.exe File created C:\Windows\SysWOW64\Amplklmj.exe Ajapoqmf.exe File created C:\Windows\SysWOW64\Iiobie32.dll Jgmaog32.exe File created C:\Windows\SysWOW64\Miaaki32.exe Mddibb32.exe File created C:\Windows\SysWOW64\Qgiplffm.exe Qifpqi32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 1764 2864 WerFault.exe 354 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgmaog32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdkkcp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jqnhmgmk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amplklmj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lifcib32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnemfa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aplkah32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iekgod32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmemoe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Geloanjg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hchoop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iojopp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdqfgh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nopaoj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efmoib32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgkphj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Baclaf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnifaajh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Miocmq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfhmehji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qifpqi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Booiep32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bedamd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Laackgka.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnofng32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkjpggkn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlahdkjc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hclhjpjc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmlckehe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olimlf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lighjd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjgqcj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgbcfdmo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gimaah32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjbjjc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkeahf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehkcpc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nladco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flqkjo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpcdqpqj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Majcoepi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mokkegmm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Paiche32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Befnbd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbdcepcm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fiedfb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdeall32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Paggce32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iokhcodo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egeecf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jibpghbk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejioln32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nklopg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afqhjj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mebpakbq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojfcdo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egfjdchi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdnjaibm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlbaljhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nljjqbfp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncfjajma.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bpjnmlel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpkchm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Keappgmg.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mlahdkjc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nladco32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hpicbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmddhe32.dll" Dnqhkcdo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hdqhambg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgkqjo32.dll" Gcppkbia.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nladco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bidjckae.dll" Qjgjpi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lenffl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dpgckm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bggjjlnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qieiiaad.dll" Nhpabdqd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lmcdkbao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kfggkc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pkfghh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nphghn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bpjnmlel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ejiadgkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmocoj32.dll" Odiklh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfhpbo32.dll" Gabofn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmcjgd32.dll" Ifpelq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jeaahk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nklopg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iifpfl32.dll" Njeelc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pfeeff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Efeoedjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gpoibp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aiimfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dlbaljhn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gabofn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jgkphj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Egfjdchi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kgdgpfnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nklopg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ojbnkp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iciaim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfddnb32.dll" Kdlpkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfmden32.dll" Ejiadgkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anmmjl32.dll" Ngkaaolf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Njeelc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lmpeljkm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hoipnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jpeafo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkeeihpg.dll" Loaokjjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knqcng32.dll" Ehkcpc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Afqhjj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kkciic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhjdcghg.dll" Nhhominh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mamipckp.dll" Geloanjg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Icbipe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcbiqgln.dll" Iokhcodo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmnpoagb.dll" Mbdcepcm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dcpmijqc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ngkaaolf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ogpjmn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lpfnckhe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhgnoe32.dll" Nklopg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klqddq32.dll" Bdinnqon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fhglop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pjbjjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mojkpqcn.dll" Cedpdpdf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ogpjmn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Booiep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlqogi32.dll" Jkdcdf32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2952 wrote to memory of 2404 2952 50520bc776530713f5b82d40d446ccd73c183f5716e330dde1fd6021b0347308.exe 342 PID 2952 wrote to memory of 2404 2952 50520bc776530713f5b82d40d446ccd73c183f5716e330dde1fd6021b0347308.exe 342 PID 2952 wrote to memory of 2404 2952 50520bc776530713f5b82d40d446ccd73c183f5716e330dde1fd6021b0347308.exe 342 PID 2952 wrote to memory of 2404 2952 50520bc776530713f5b82d40d446ccd73c183f5716e330dde1fd6021b0347308.exe 342 PID 2404 wrote to memory of 2804 2404 Kenhopmf.exe 31 PID 2404 wrote to memory of 2804 2404 Kenhopmf.exe 31 PID 2404 wrote to memory of 2804 2404 Kenhopmf.exe 31 PID 2404 wrote to memory of 2804 2404 Kenhopmf.exe 31 PID 2804 wrote to memory of 2768 2804 Kkjpggkn.exe 32 PID 2804 wrote to memory of 2768 2804 Kkjpggkn.exe 32 PID 2804 wrote to memory of 2768 2804 Kkjpggkn.exe 32 PID 2804 wrote to memory of 2768 2804 Kkjpggkn.exe 32 PID 2768 wrote to memory of 852 2768 Loaokjjg.exe 33 PID 2768 wrote to memory of 852 2768 Loaokjjg.exe 33 PID 2768 wrote to memory of 852 2768 Loaokjjg.exe 33 PID 2768 wrote to memory of 852 2768 Loaokjjg.exe 33 PID 852 wrote to memory of 2704 852 Lifcib32.exe 34 PID 852 wrote to memory of 2704 852 Lifcib32.exe 34 PID 852 wrote to memory of 2704 852 Lifcib32.exe 34 PID 852 wrote to memory of 2704 852 Lifcib32.exe 34 PID 2704 wrote to memory of 2088 2704 Mkofaj32.exe 35 PID 2704 wrote to memory of 2088 2704 Mkofaj32.exe 35 PID 2704 wrote to memory of 2088 2704 Mkofaj32.exe 35 PID 2704 wrote to memory of 2088 2704 Mkofaj32.exe 35 PID 2088 wrote to memory of 2064 2088 Mdgkjopd.exe 36 PID 2088 wrote to memory of 2064 2088 Mdgkjopd.exe 36 PID 2088 wrote to memory of 2064 2088 Mdgkjopd.exe 36 PID 2088 wrote to memory of 2064 2088 Mdgkjopd.exe 36 PID 2064 wrote to memory of 2860 2064 Ncfjajma.exe 297 PID 2064 wrote to memory of 2860 2064 Ncfjajma.exe 297 PID 2064 wrote to memory of 2860 2064 Ncfjajma.exe 297 PID 2064 wrote to memory of 2860 2064 Ncfjajma.exe 297 PID 2860 wrote to memory of 2832 2860 Ndggib32.exe 38 PID 2860 wrote to memory of 2832 2860 Ndggib32.exe 38 PID 2860 wrote to memory of 2832 2860 Ndggib32.exe 38 PID 2860 wrote to memory of 2832 2860 Ndggib32.exe 38 PID 2832 wrote to memory of 1500 2832 Nnokahip.exe 39 PID 2832 wrote to memory of 1500 2832 Nnokahip.exe 39 PID 2832 wrote to memory of 1500 2832 Nnokahip.exe 39 PID 2832 wrote to memory of 1500 2832 Nnokahip.exe 39 PID 1500 wrote to memory of 2380 1500 Padjmfdg.exe 40 PID 1500 wrote to memory of 2380 1500 Padjmfdg.exe 40 PID 1500 wrote to memory of 2380 1500 Padjmfdg.exe 40 PID 1500 wrote to memory of 2380 1500 Padjmfdg.exe 40 PID 2380 wrote to memory of 484 2380 Paggce32.exe 41 PID 2380 wrote to memory of 484 2380 Paggce32.exe 41 PID 2380 wrote to memory of 484 2380 Paggce32.exe 41 PID 2380 wrote to memory of 484 2380 Paggce32.exe 41 PID 484 wrote to memory of 1324 484 Phaoppja.exe 42 PID 484 wrote to memory of 1324 484 Phaoppja.exe 42 PID 484 wrote to memory of 1324 484 Phaoppja.exe 42 PID 484 wrote to memory of 1324 484 Phaoppja.exe 42 PID 1324 wrote to memory of 2168 1324 Pjoklkie.exe 43 PID 1324 wrote to memory of 2168 1324 Pjoklkie.exe 43 PID 1324 wrote to memory of 2168 1324 Pjoklkie.exe 43 PID 1324 wrote to memory of 2168 1324 Pjoklkie.exe 43 PID 2168 wrote to memory of 2384 2168 Paiche32.exe 44 PID 2168 wrote to memory of 2384 2168 Paiche32.exe 44 PID 2168 wrote to memory of 2384 2168 Paiche32.exe 44 PID 2168 wrote to memory of 2384 2168 Paiche32.exe 44 PID 2384 wrote to memory of 2244 2384 Booiep32.exe 349 PID 2384 wrote to memory of 2244 2384 Booiep32.exe 349 PID 2384 wrote to memory of 2244 2384 Booiep32.exe 349 PID 2384 wrote to memory of 2244 2384 Booiep32.exe 349
Processes
-
C:\Users\Admin\AppData\Local\Temp\50520bc776530713f5b82d40d446ccd73c183f5716e330dde1fd6021b0347308.exe"C:\Users\Admin\AppData\Local\Temp\50520bc776530713f5b82d40d446ccd73c183f5716e330dde1fd6021b0347308.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2952 -
C:\Windows\SysWOW64\Kenhopmf.exeC:\Windows\system32\Kenhopmf.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2404 -
C:\Windows\SysWOW64\Kkjpggkn.exeC:\Windows\system32\Kkjpggkn.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2804 -
C:\Windows\SysWOW64\Loaokjjg.exeC:\Windows\system32\Loaokjjg.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2768 -
C:\Windows\SysWOW64\Lifcib32.exeC:\Windows\system32\Lifcib32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:852 -
C:\Windows\SysWOW64\Mkofaj32.exeC:\Windows\system32\Mkofaj32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2704 -
C:\Windows\SysWOW64\Mdgkjopd.exeC:\Windows\system32\Mdgkjopd.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2088 -
C:\Windows\SysWOW64\Ncfjajma.exeC:\Windows\system32\Ncfjajma.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2064 -
C:\Windows\SysWOW64\Ndggib32.exeC:\Windows\system32\Ndggib32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2860 -
C:\Windows\SysWOW64\Nnokahip.exeC:\Windows\system32\Nnokahip.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2832 -
C:\Windows\SysWOW64\Padjmfdg.exeC:\Windows\system32\Padjmfdg.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1500 -
C:\Windows\SysWOW64\Paggce32.exeC:\Windows\system32\Paggce32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2380 -
C:\Windows\SysWOW64\Phaoppja.exeC:\Windows\system32\Phaoppja.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:484 -
C:\Windows\SysWOW64\Pjoklkie.exeC:\Windows\system32\Pjoklkie.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1324 -
C:\Windows\SysWOW64\Paiche32.exeC:\Windows\system32\Paiche32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2168 -
C:\Windows\SysWOW64\Booiep32.exeC:\Windows\system32\Booiep32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2384 -
C:\Windows\SysWOW64\Chgnneiq.exeC:\Windows\system32\Chgnneiq.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2244 -
C:\Windows\SysWOW64\Cfknhi32.exeC:\Windows\system32\Cfknhi32.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2340 -
C:\Windows\SysWOW64\Diqmcgca.exeC:\Windows\system32\Diqmcgca.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1856 -
C:\Windows\SysWOW64\Eegmhhie.exeC:\Windows\system32\Eegmhhie.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3052 -
C:\Windows\SysWOW64\Egfjdchi.exeC:\Windows\system32\Egfjdchi.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:840 -
C:\Windows\SysWOW64\Ejdfqogm.exeC:\Windows\system32\Ejdfqogm.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:756 -
C:\Windows\SysWOW64\Eejjnhgc.exeC:\Windows\system32\Eejjnhgc.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1052 -
C:\Windows\SysWOW64\Ejfbfo32.exeC:\Windows\system32\Ejfbfo32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2336 -
C:\Windows\SysWOW64\Ehkcpc32.exeC:\Windows\system32\Ehkcpc32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:876 -
C:\Windows\SysWOW64\Ejioln32.exeC:\Windows\system32\Ejioln32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1180 -
C:\Windows\SysWOW64\Geloanjg.exeC:\Windows\system32\Geloanjg.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2896 -
C:\Windows\SysWOW64\Gpacogjm.exeC:\Windows\system32\Gpacogjm.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2936 -
C:\Windows\SysWOW64\Gcppkbia.exeC:\Windows\system32\Gcppkbia.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:3012 -
C:\Windows\SysWOW64\Hhmhcigh.exeC:\Windows\system32\Hhmhcigh.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2420 -
C:\Windows\SysWOW64\Hecebm32.exeC:\Windows\system32\Hecebm32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1272 -
C:\Windows\SysWOW64\Icbipe32.exeC:\Windows\system32\Icbipe32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2856 -
C:\Windows\SysWOW64\Ifpelq32.exeC:\Windows\system32\Ifpelq32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2900 -
C:\Windows\SysWOW64\Imjmhkpj.exeC:\Windows\system32\Imjmhkpj.exe34⤵
- Executes dropped EXE
PID:3048 -
C:\Windows\SysWOW64\Ikagogco.exeC:\Windows\system32\Ikagogco.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2764 -
C:\Windows\SysWOW64\Iblola32.exeC:\Windows\system32\Iblola32.exe36⤵
- Executes dropped EXE
PID:2836 -
C:\Windows\SysWOW64\Jkdcdf32.exeC:\Windows\system32\Jkdcdf32.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:2772 -
C:\Windows\SysWOW64\Jbnlaqhi.exeC:\Windows\system32\Jbnlaqhi.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2228 -
C:\Windows\SysWOW64\Jnemfa32.exeC:\Windows\system32\Jnemfa32.exe39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2964 -
C:\Windows\SysWOW64\Jacibm32.exeC:\Windows\system32\Jacibm32.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1628 -
C:\Windows\SysWOW64\Jgmaog32.exeC:\Windows\system32\Jgmaog32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1340 -
C:\Windows\SysWOW64\Jkimpfmg.exeC:\Windows\system32\Jkimpfmg.exe42⤵
- Executes dropped EXE
PID:2568 -
C:\Windows\SysWOW64\Jeaahk32.exeC:\Windows\system32\Jeaahk32.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:1252 -
C:\Windows\SysWOW64\Jkkjeeke.exeC:\Windows\system32\Jkkjeeke.exe44⤵
- Executes dropped EXE
PID:1936 -
C:\Windows\SysWOW64\Jnifaajh.exeC:\Windows\system32\Jnifaajh.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:596 -
C:\Windows\SysWOW64\Jecnnk32.exeC:\Windows\system32\Jecnnk32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2280 -
C:\Windows\SysWOW64\Kgdgpfnf.exeC:\Windows\system32\Kgdgpfnf.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:1716 -
C:\Windows\SysWOW64\Kfggkc32.exeC:\Windows\system32\Kfggkc32.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1612 -
C:\Windows\SysWOW64\Kamlhl32.exeC:\Windows\system32\Kamlhl32.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1332 -
C:\Windows\SysWOW64\Kijmbnpo.exeC:\Windows\system32\Kijmbnpo.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2728 -
C:\Windows\SysWOW64\Kfnnlboi.exeC:\Windows\system32\Kfnnlboi.exe51⤵
- Executes dropped EXE
PID:2632 -
C:\Windows\SysWOW64\Kpfbegei.exeC:\Windows\system32\Kpfbegei.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1384 -
C:\Windows\SysWOW64\Khagijcd.exeC:\Windows\system32\Khagijcd.exe53⤵
- Executes dropped EXE
PID:2864 -
C:\Windows\SysWOW64\Lolofd32.exeC:\Windows\system32\Lolofd32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1944 -
C:\Windows\SysWOW64\Leegbnan.exeC:\Windows\system32\Leegbnan.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1764 -
C:\Windows\SysWOW64\Ldkdckff.exeC:\Windows\system32\Ldkdckff.exe56⤵
- Executes dropped EXE
PID:2980 -
C:\Windows\SysWOW64\Lfippfej.exeC:\Windows\system32\Lfippfej.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3028 -
C:\Windows\SysWOW64\Lmeebpkd.exeC:\Windows\system32\Lmeebpkd.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1288 -
C:\Windows\SysWOW64\Ldpnoj32.exeC:\Windows\system32\Ldpnoj32.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1672 -
C:\Windows\SysWOW64\Lmhbgpia.exeC:\Windows\system32\Lmhbgpia.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1972 -
C:\Windows\SysWOW64\Lpfnckhe.exeC:\Windows\system32\Lpfnckhe.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:2188 -
C:\Windows\SysWOW64\Mecglbfl.exeC:\Windows\system32\Mecglbfl.exe62⤵
- Executes dropped EXE
PID:636 -
C:\Windows\SysWOW64\Miocmq32.exeC:\Windows\system32\Miocmq32.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1956 -
C:\Windows\SysWOW64\Mlmoilni.exeC:\Windows\system32\Mlmoilni.exe64⤵
- Executes dropped EXE
PID:2920 -
C:\Windows\SysWOW64\Mokkegmm.exeC:\Windows\system32\Mokkegmm.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2776 -
C:\Windows\SysWOW64\Mgbcfdmo.exeC:\Windows\system32\Mgbcfdmo.exe66⤵
- System Location Discovery: System Language Discovery
PID:776 -
C:\Windows\SysWOW64\Miapbpmb.exeC:\Windows\system32\Miapbpmb.exe67⤵PID:2080
-
C:\Windows\SysWOW64\Mhflcm32.exeC:\Windows\system32\Mhflcm32.exe68⤵
- Drops file in System32 directory
PID:2220 -
C:\Windows\SysWOW64\Mlahdkjc.exeC:\Windows\system32\Mlahdkjc.exe69⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2516 -
C:\Windows\SysWOW64\Mdojnm32.exeC:\Windows\system32\Mdojnm32.exe70⤵PID:2140
-
C:\Windows\SysWOW64\Mkibjgli.exeC:\Windows\system32\Mkibjgli.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2136 -
C:\Windows\SysWOW64\Npfjbn32.exeC:\Windows\system32\Npfjbn32.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1820 -
C:\Windows\SysWOW64\Nklopg32.exeC:\Windows\system32\Nklopg32.exe73⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2424 -
C:\Windows\SysWOW64\Nnjklb32.exeC:\Windows\system32\Nnjklb32.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2628 -
C:\Windows\SysWOW64\Nphghn32.exeC:\Windows\system32\Nphghn32.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2816 -
C:\Windows\SysWOW64\Ngbpehpj.exeC:\Windows\system32\Ngbpehpj.exe76⤵
- Drops file in System32 directory
PID:2852 -
C:\Windows\SysWOW64\Nknkeg32.exeC:\Windows\system32\Nknkeg32.exe77⤵PID:1680
-
C:\Windows\SysWOW64\Nlohmonb.exeC:\Windows\system32\Nlohmonb.exe78⤵PID:1476
-
C:\Windows\SysWOW64\Ncipjieo.exeC:\Windows\system32\Ncipjieo.exe79⤵PID:2972
-
C:\Windows\SysWOW64\Nfglfdeb.exeC:\Windows\system32\Nfglfdeb.exe80⤵PID:1640
-
C:\Windows\SysWOW64\Njchfc32.exeC:\Windows\system32\Njchfc32.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2708 -
C:\Windows\SysWOW64\Nladco32.exeC:\Windows\system32\Nladco32.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2284 -
C:\Windows\SysWOW64\Nopaoj32.exeC:\Windows\system32\Nopaoj32.exe83⤵
- System Location Discovery: System Language Discovery
PID:2796 -
C:\Windows\SysWOW64\Nggipg32.exeC:\Windows\system32\Nggipg32.exe84⤵PID:2128
-
C:\Windows\SysWOW64\Njeelc32.exeC:\Windows\system32\Njeelc32.exe85⤵
- Modifies registry class
PID:2588 -
C:\Windows\SysWOW64\Oggeokoq.exeC:\Windows\system32\Oggeokoq.exe86⤵PID:3004
-
C:\Windows\SysWOW64\Pfeeff32.exeC:\Windows\system32\Pfeeff32.exe87⤵
- Modifies registry class
PID:2584 -
C:\Windows\SysWOW64\Phgannal.exeC:\Windows\system32\Phgannal.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1864 -
C:\Windows\SysWOW64\Qnqjkh32.exeC:\Windows\system32\Qnqjkh32.exe89⤵PID:2800
-
C:\Windows\SysWOW64\Qjgjpi32.exeC:\Windows\system32\Qjgjpi32.exe90⤵
- Drops file in System32 directory
- Modifies registry class
PID:2016 -
C:\Windows\SysWOW64\Qbobaf32.exeC:\Windows\system32\Qbobaf32.exe91⤵
- Drops file in System32 directory
PID:3032 -
C:\Windows\SysWOW64\Qhkkim32.exeC:\Windows\system32\Qhkkim32.exe92⤵PID:1336
-
C:\Windows\SysWOW64\Anecfgdc.exeC:\Windows\system32\Anecfgdc.exe93⤵PID:912
-
C:\Windows\SysWOW64\Afqhjj32.exeC:\Windows\system32\Afqhjj32.exe94⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2436 -
C:\Windows\SysWOW64\Anhpkg32.exeC:\Windows\system32\Anhpkg32.exe95⤵PID:904
-
C:\Windows\SysWOW64\Aejnfe32.exeC:\Windows\system32\Aejnfe32.exe96⤵PID:2844
-
C:\Windows\SysWOW64\Aldfcpjn.exeC:\Windows\system32\Aldfcpjn.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2208 -
C:\Windows\SysWOW64\Bemkle32.exeC:\Windows\system32\Bemkle32.exe98⤵PID:2744
-
C:\Windows\SysWOW64\Blgcio32.exeC:\Windows\system32\Blgcio32.exe99⤵PID:1780
-
C:\Windows\SysWOW64\Boeoek32.exeC:\Windows\system32\Boeoek32.exe100⤵PID:2996
-
C:\Windows\SysWOW64\Baclaf32.exeC:\Windows\system32\Baclaf32.exe101⤵
- System Location Discovery: System Language Discovery
PID:2872 -
C:\Windows\SysWOW64\Bhndnpnp.exeC:\Windows\system32\Bhndnpnp.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2276 -
C:\Windows\SysWOW64\Bklpjlmc.exeC:\Windows\system32\Bklpjlmc.exe103⤵
- Drops file in System32 directory
PID:2464 -
C:\Windows\SysWOW64\Bimphc32.exeC:\Windows\system32\Bimphc32.exe104⤵PID:1684
-
C:\Windows\SysWOW64\Bedamd32.exeC:\Windows\system32\Bedamd32.exe105⤵
- System Location Discovery: System Language Discovery
PID:2260 -
C:\Windows\SysWOW64\Blniinac.exeC:\Windows\system32\Blniinac.exe106⤵
- Drops file in System32 directory
PID:2056 -
C:\Windows\SysWOW64\Befnbd32.exeC:\Windows\system32\Befnbd32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2124 -
C:\Windows\SysWOW64\Bdinnqon.exeC:\Windows\system32\Bdinnqon.exe108⤵
- Modifies registry class
PID:2700 -
C:\Windows\SysWOW64\Bggjjlnb.exeC:\Windows\system32\Bggjjlnb.exe109⤵
- Modifies registry class
PID:3000 -
C:\Windows\SysWOW64\Cdkkcp32.exeC:\Windows\system32\Cdkkcp32.exe110⤵
- System Location Discovery: System Language Discovery
PID:2504 -
C:\Windows\SysWOW64\Cgjgol32.exeC:\Windows\system32\Cgjgol32.exe111⤵PID:2232
-
C:\Windows\SysWOW64\Fakglf32.exeC:\Windows\system32\Fakglf32.exe112⤵PID:1816
-
C:\Windows\SysWOW64\Fcichb32.exeC:\Windows\system32\Fcichb32.exe113⤵PID:1692
-
C:\Windows\SysWOW64\Flqkjo32.exeC:\Windows\system32\Flqkjo32.exe114⤵
- System Location Discovery: System Language Discovery
PID:1236 -
C:\Windows\SysWOW64\Fhglop32.exeC:\Windows\system32\Fhglop32.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1588 -
C:\Windows\SysWOW64\Fmddgg32.exeC:\Windows\system32\Fmddgg32.exe116⤵PID:1788
-
C:\Windows\SysWOW64\Gimaah32.exeC:\Windows\system32\Gimaah32.exe117⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2940 -
C:\Windows\SysWOW64\Hpicbe32.exeC:\Windows\system32\Hpicbe32.exe118⤵
- Modifies registry class
PID:2688 -
C:\Windows\SysWOW64\Hchoop32.exeC:\Windows\system32\Hchoop32.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2612 -
C:\Windows\SysWOW64\Hibgkjee.exeC:\Windows\system32\Hibgkjee.exe120⤵PID:380
-
C:\Windows\SysWOW64\Hplphd32.exeC:\Windows\system32\Hplphd32.exe121⤵PID:2968
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-