Analysis

max time kernel: 121s
max time network: 123s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 07-12-2024 23:58

Static task: static1

Behavioral task: behavioral1
Sample: 7675e7bfb81de84ca4a841bcb4e44cb9fb7b90191f39c1311338e91ac4893029.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: 7675e7bfb81de84ca4a841bcb4e44cb9fb7b90191f39c1311338e91ac4893029.exe
Resource: win10v2004-20241007-en

General

Target: 7675e7bfb81de84ca4a841bcb4e44cb9fb7b90191f39c1311338e91ac4893029.exe
Size: 860KB
MD5: cebf2e52f60019ac13d4aad49fe352c3
SHA1: 49c88122007e36c184c8dc0e7388945ab10df4e6
SHA256: 7675e7bfb81de84ca4a841bcb4e44cb9fb7b90191f39c1311338e91ac4893029
SHA512: 357d2dca68ab19152b94aea4ad54d339e320f449dfcf2a4a8d31f3e80f582822c47bd26fbe02b5767ae5510e549552fc3b82fd3db331c082c6eca621fbeef32f
SSDEEP: 24576:aN5hPuh2kkkkK4kXkkkkkkkkhLX3a20R0v50+YS:aMbazR0vD
Malware Config

Extracted
Family: berbew
URLs:
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Explorer.exe loads the in-process COM server of every CLSID listed under ShellServiceObjectDelayLoad when the shell starts. Here the value "Web Event Logger" points at CLSID {79FEACFF-FFCE-815E-A900-316290B5B738}; the InProcServer32 registration of that CLSID, which names the dropped DLL that Explorer.exe will load, is listed under "Modifies registry class" below.
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | 35 processes, in report order: Pnchhllf.exe, Qkghgpfi.exe, Ajehnk32.exe, Boifga32.exe, Bkpglbaj.exe, Hcepqh32.exe, Ofnpnkgf.exe, Hkjkle32.exe, Gcmamj32.exe, Pfbfhm32.exe, Blkjkflb.exe, Fmdbnnlj.exe, Achjibcl.exe, Dgiaefgg.exe, Pofkha32.exe, Dnpciaef.exe, Kcginj32.exe, Dlofgj32.exe, Fliook32.exe, Kbmome32.exe, Cagienkb.exe, Gnphdceh.exe, Jfgebjnm.exe, Pjihmmbk.exe, Ghacfmic.exe, Lkbmbl32.exe, Kbpbmkan.exe, Kkpqlm32.exe, Bhjlli32.exe, Fadndbci.exe, Igmbgk32.exe, Jmlddeio.exe, Ckpckece.exe, Hjmlhbbg.exe, Aficjnpm.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | 29 processes, in report order: Jlqjkk32.exe, Ecfnmh32.exe, Lncfcgeb.exe, Mqehjecl.exe, Ibipmiek.exe, Anogijnb.exe, Hkjkle32.exe, Pafdjmkq.exe, Plpopddd.exe, Iegeonpc.exe, Elkofg32.exe, Cfkloq32.exe, Ghacfmic.exe, Ejcmmp32.exe, Imaapa32.exe, Jcnoejch.exe, Eegkpo32.exe, Fbegbacp.exe, Dmmpolof.exe, Jbclgf32.exe, Eeojcmfi.exe, Ebckmaec.exe, Lkicbk32.exe, Hmmdin32.exe, Kablnadm.exe, Lfbdci32.exe, Ofnpnkgf.exe, Dfcgbb32.exe, Jlfnangf.exe
Berbew family
Executes dropped EXE (64 IoCs)
pid | Process
1964 | Ngealejo.exe
2260 | Nplimbka.exe
2680 | Nlefhcnc.exe
2704 | Nmfbpk32.exe
2820 | Opglafab.exe
2596 | Ohncbdbd.exe
2624 | Offmipej.exe
2016 | Oeindm32.exe
1932 | Plgolf32.exe
1140 | Pofkha32.exe
2892 | Pafdjmkq.exe
1612 | Phcilf32.exe
2056 | Pdjjag32.exe
620 | Pifbjn32.exe
2532 | Alihaioe.exe
1624 | Aohdmdoh.exe
2032 | Aebmjo32.exe
1152 | Allefimb.exe
1508 | Achjibcl.exe
316 | Aakjdo32.exe
1296 | Afffenbp.exe
1052 | Alqnah32.exe
1968 | Anbkipok.exe
2504 | Aficjnpm.exe
2064 | Andgop32.exe
1020 | Adnpkjde.exe
2432 | Bhjlli32.exe
3016 | Bkhhhd32.exe
2980 | Bjkhdacm.exe
2652 | Bqeqqk32.exe
2580 | Bgoime32.exe
2536 | Bjmeiq32.exe
2320 | Bdcifi32.exe
1456 | Bceibfgj.exe
836 | Bnknoogp.exe
764 | Bmnnkl32.exe
2852 | Boljgg32.exe
832 | Bmpkqklh.exe
2404 | Bcjcme32.exe
1556 | Bfioia32.exe
544 | Ccmpce32.exe
2868 | Cfkloq32.exe
1676 | Cenljmgq.exe
2476 | Cnfqccna.exe
1584 | Cfmhdpnc.exe
2024 | Cileqlmg.exe
2336 | Ckjamgmk.exe
2396 | Cnimiblo.exe
2828 | Cagienkb.exe
2548 | Cinafkkd.exe
2552 | Cnkjnb32.exe
2776 | Cgcnghpl.exe
1420 | Cjakccop.exe
2796 | Cnmfdb32.exe
2956 | Cmpgpond.exe
1628 | Cegoqlof.exe
3020 | Ccjoli32.exe
2860 | Cgfkmgnj.exe
1684 | Dnpciaef.exe
1600 | Danpemej.exe
1408 | Dcllbhdn.exe
1704 | Djfdob32.exe
1620 | Daplkmbg.exe
1536 | Dpcmgi32.exe
Loads dropped DLL (64 IoCs)
pid | Process | entries (each process is listed twice in the original table, i.e. two load events per process)
2444 | 7675e7bfb81de84ca4a841bcb4e44cb9fb7b90191f39c1311338e91ac4893029.exe | 2
1964 | Ngealejo.exe | 2
2260 | Nplimbka.exe | 2
2680 | Nlefhcnc.exe | 2
2704 | Nmfbpk32.exe | 2
2820 | Opglafab.exe | 2
2596 | Ohncbdbd.exe | 2
2624 | Offmipej.exe | 2
2016 | Oeindm32.exe | 2
1932 | Plgolf32.exe | 2
1140 | Pofkha32.exe | 2
2892 | Pafdjmkq.exe | 2
1612 | Phcilf32.exe | 2
2056 | Pdjjag32.exe | 2
620 | Pifbjn32.exe | 2
2532 | Alihaioe.exe | 2
1624 | Aohdmdoh.exe | 2
2032 | Aebmjo32.exe | 2
1152 | Allefimb.exe | 2
1508 | Achjibcl.exe | 2
316 | Aakjdo32.exe | 2
1296 | Afffenbp.exe | 2
1052 | Alqnah32.exe | 2
1968 | Anbkipok.exe | 2
2504 | Aficjnpm.exe | 2
2064 | Andgop32.exe | 2
1020 | Adnpkjde.exe | 2
2432 | Bhjlli32.exe | 2
3016 | Bkhhhd32.exe | 2
2980 | Bjkhdacm.exe | 2
2652 | Bqeqqk32.exe | 2
2580 | Bgoime32.exe | 2
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\Dbhbaq32.dll | Acnlgajg.exe
File created | C:\Windows\SysWOW64\Fkgfqf32.dll | Elkofg32.exe
File created | C:\Windows\SysWOW64\Pgodelnq.dll | Kdeaelok.exe
File created | C:\Windows\SysWOW64\Achjibcl.exe | Allefimb.exe
File created | C:\Windows\SysWOW64\Ofnpnkgf.exe | Obbdml32.exe
File created | C:\Windows\SysWOW64\Omgfflgg.dll | Lgngbmjp.exe
File created | C:\Windows\SysWOW64\Dkpnde32.dll | Kkmmlgik.exe
File opened for modification | C:\Windows\SysWOW64\Gqlhkofn.exe | Gnnlocgk.exe
File opened for modification | C:\Windows\SysWOW64\Icdcllpc.exe | Iaegpaao.exe
File created | C:\Windows\SysWOW64\Ageompfe.exe | Acicla32.exe
File created | C:\Windows\SysWOW64\Alageg32.exe | Anogijnb.exe
File created | C:\Windows\SysWOW64\Dcdkef32.exe | Deakjjbk.exe
File created | C:\Windows\SysWOW64\Ghdiokbq.exe | Gefmcp32.exe
File created | C:\Windows\SysWOW64\Dpcmgi32.exe | Daplkmbg.exe
File created | C:\Windows\SysWOW64\Oejncika.dll | Fofbhgde.exe
File opened for modification | C:\Windows\SysWOW64\Qmhahkdj.exe | Qhkipdeb.exe
File opened for modification | C:\Windows\SysWOW64\Aeoijidl.exe | Qmhahkdj.exe
File opened for modification | C:\Windows\SysWOW64\Gpidki32.exe | Glnhjjml.exe
File opened for modification | C:\Windows\SysWOW64\Jdhifooi.exe | Jpmmfp32.exe
File opened for modification | C:\Windows\SysWOW64\Kcdlhj32.exe | Koipglep.exe
File opened for modification | C:\Windows\SysWOW64\Cfmhdpnc.exe | Cnfqccna.exe
File created | C:\Windows\SysWOW64\Lonibk32.exe | Lkbmbl32.exe
File created | C:\Windows\SysWOW64\Kidjdpie.exe | Jnofgg32.exe
File created | C:\Windows\SysWOW64\Klcgpkhh.exe | Khgkpl32.exe
File created | C:\Windows\SysWOW64\Pifbjn32.exe | Pdjjag32.exe
File created | C:\Windows\SysWOW64\Khpjqgjc.dll | Aohdmdoh.exe
File created | C:\Windows\SysWOW64\Hpfnbh32.dll | Fodebh32.exe
File opened for modification | C:\Windows\SysWOW64\Gcmamj32.exe | Glchpp32.exe
File created | C:\Windows\SysWOW64\Njbfnjeg.exe | Nfgjml32.exe
File opened for modification | C:\Windows\SysWOW64\Nnnbni32.exe | Njbfnjeg.exe
File created | C:\Windows\SysWOW64\Qjqkek32.dll | Acicla32.exe
File created | C:\Windows\SysWOW64\Dfcgbb32.exe | Dcdkef32.exe
File created | C:\Windows\SysWOW64\Oghnkh32.dll | Ccmpce32.exe
File opened for modification | C:\Windows\SysWOW64\Felajbpg.exe | Fpohakbp.exe
File created | C:\Windows\SysWOW64\Kcadppco.dll | Kocpbfei.exe
File created | C:\Windows\SysWOW64\Lndglp32.dll | Obbdml32.exe
File opened for modification | C:\Windows\SysWOW64\Qkghgpfi.exe | Qldhkc32.exe
File opened for modification | C:\Windows\SysWOW64\Ebckmaec.exe | Eogolc32.exe
File created | C:\Windows\SysWOW64\Lmpcca32.exe | Lidgcclp.exe
File opened for modification | C:\Windows\SysWOW64\Kindeddf.exe | Kechdf32.exe
File created | C:\Windows\SysWOW64\Fogalkad.dll | Nknimnap.exe
File created | C:\Windows\SysWOW64\Kgkonj32.exe | Kbpbmkan.exe
File created | C:\Windows\SysWOW64\Opialpld.exe | Olmela32.exe
File created | C:\Windows\SysWOW64\Ongcaafk.dll | Djocbqpb.exe
File created | C:\Windows\SysWOW64\Fdkmeiei.exe | Fahhnn32.exe
File created | C:\Windows\SysWOW64\Ckjamgmk.exe | Cileqlmg.exe
File opened for modification | C:\Windows\SysWOW64\Flclam32.exe | Fiepea32.exe
File created | C:\Windows\SysWOW64\Qhkipdeb.exe | Qemldifo.exe
File created | C:\Windows\SysWOW64\Jcdaaanl.dll | Cbjlhpkb.exe
File opened for modification | C:\Windows\SysWOW64\Eknpadcn.exe | Elkofg32.exe
File opened for modification | C:\Windows\SysWOW64\Jcciqi32.exe | Jimdcqom.exe
File created | C:\Windows\SysWOW64\Akkggpci.dll | Bdcifi32.exe
File created | C:\Windows\SysWOW64\Ppmncnbh.dll | Jhahanie.exe
File opened for modification | C:\Windows\SysWOW64\Ngpqfp32.exe | Mimpkcdn.exe
File created | C:\Windows\SysWOW64\Ffadkgnl.dll | Glnhjjml.exe
File opened for modification | C:\Windows\SysWOW64\Iegeonpc.exe | Iakino32.exe
File created | C:\Windows\SysWOW64\Hbcfdk32.dll | Cnimiblo.exe
File created | C:\Windows\SysWOW64\Ffpfeq32.dll | Gqcnln32.exe
File created | C:\Windows\SysWOW64\Anjnnk32.exe | Aeoijidl.exe
File created | C:\Windows\SysWOW64\Bolcma32.exe | Bkpglbaj.exe
File opened for modification | C:\Windows\SysWOW64\Eojlbb32.exe | Eknpadcn.exe
File created | C:\Windows\SysWOW64\Hcgmfgfd.exe | Hddmjk32.exe
File created | C:\Windows\SysWOW64\Hjcaha32.exe | Hfhfhbce.exe
File created | C:\Windows\SysWOW64\Kocpbfei.exe | Klecfkff.exe
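The three file and process signatures above ("Executes dropped EXE", "Loads dropped DLL", "Drops file in System32 directory") are the trace of a dropper chain: an executable writes the next executable, and often a DLL, into C:\Windows\SysWOW64, and the new executable runs next (for example Pdjjag32.exe creates Pifbjn32.exe, and Pifbjn32.exe is the next entry after Pdjjag32.exe in the execution list). The following Python is an added example, not part of the sandbox report: it rebuilds that chain from event lines in the report's own "description ioc Process" form. The graph code is mine; the event lines in DROP_EVENTS and EXEC_LIST are copied from the tables above; the naming regex describes only the names observed in this run and is an assumption, not a family signature.

```python
"""Rebuild the dropper chain of this run from the sandbox's file-drop and
process events.

Added example, not part of the sandbox report: the graph logic and the naming
regex are mine; the event lines below are copied from the tables above."""
import re
from collections import defaultdict

# Constructed subset of the "Drops file in System32 directory" rows.
DROP_EVENTS = [
    r'File created C:\Windows\SysWOW64\Achjibcl.exe Allefimb.exe',
    r'File created C:\Windows\SysWOW64\Pifbjn32.exe Pdjjag32.exe',
    r'File created C:\Windows\SysWOW64\Dcdkef32.exe Deakjjbk.exe',
    r'File created C:\Windows\SysWOW64\Dfcgbb32.exe Dcdkef32.exe',
    r'File created C:\Windows\SysWOW64\Akkggpci.dll Bdcifi32.exe',
    r'File created C:\Windows\SysWOW64\Khpjqgjc.dll Aohdmdoh.exe',
    r'File opened for modification C:\Windows\SysWOW64\Cfmhdpnc.exe Cnfqccna.exe',
]
# Constructed subset of the "Executes dropped EXE" pid/process list, in the
# order the report gives it.
EXEC_LIST = '2892 Pafdjmkq.exe 1612 Phcilf32.exe 2056 Pdjjag32.exe 620 Pifbjn32.exe'

FILE_RE = re.compile(r'^File (?P<op>created|opened for modification) (?P<path>\S+) (?P<proc>\S+)$')
EXEC_RE = re.compile(r'(\d+) (\S+\.exe)')
# Shape of every dropped name in this run: eight letters, or six letters + "32".
# An observation about this sample (assumption for hunting), not a family rule.
NAME_RE = re.compile(r'^[A-Z][a-z]{5}(?:[a-z]{2}|32)\.(?:exe|dll)$')


def drop_graph(lines):
    """Map dropping process -> [(basename written, operation)]."""
    graph = defaultdict(list)
    for line in lines:
        if m := FILE_RE.match(line):
            graph[m['proc']].append((m['path'].rsplit('\\', 1)[-1], m['op']))
    return graph


def roots(graph):
    """Droppers that were not themselves written by another process in the excerpt."""
    written = {n for items in graph.values() for n, _ in items}
    return sorted(p for p in graph if p not in written)


def lineage(graph, start):
    """Follow exe -> exe drop edges from start (first child wins; cycles stop)."""
    chain, seen, cur = [start], {start}, start
    while True:
        nxt = [n for n, _ in graph.get(cur, [])
               if n.lower().endswith('.exe') and n not in seen]
        if not nxt:
            return chain
        cur = nxt[0]
        seen.add(cur)
        chain.append(cur)


def companion_dlls(graph, proc):
    """DLLs written by proc alongside the next executable."""
    return sorted(n for n, _ in graph.get(proc, []) if n.lower().endswith('.dll'))


def execution_order(flat):
    """Parse the flat 'pid Process pid Process ...' list into [(pid, name)]."""
    return [(int(pid), name) for pid, name in EXEC_RE.findall(flat)]


def drops_before_exec(graph, order):
    """(dropper, child) pairs where the child appears later in the execution list,
    i.e. the file-drop and process-start evidence agree."""
    pos = {name: i for i, (_, name) in enumerate(order)}
    return [(p, c) for p, items in graph.items() for c, _ in items
            if p in pos and c in pos and pos[c] > pos[p]]


def names_matching_pattern(graph):
    """Every process or dropped file name in the graph that fits NAME_RE."""
    names = set(graph) | {n for items in graph.values() for n, _ in items}
    return sorted(n for n in names if NAME_RE.match(n))


if __name__ == '__main__':
    g = drop_graph(DROP_EVENTS)
    for r in roots(g):
        print(' -> '.join(lineage(g, r)), companion_dlls(g, r))
    print(drops_before_exec(g, execution_order(EXEC_LIST)))
```

With the full 64-row tables as input the same functions give the longer generations; on this excerpt the longest visible chain is Deakjjbk.exe -> Dcdkef32.exe -> Dfcgbb32.exe, and the only dropper/child pair that also appears in the execution excerpt is Pdjjag32.exe -> Pifbjn32.exe, in the expected order.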
Program crash (1 IoC)
pid | pid_target | Process | procid_target
6152 | 5396 | WerFault.exe | 585
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 64 entries, in report order (Djlfma32.exe appears twice): Jfcabd32.exe, Khgkpl32.exe, Kigndekn.exe, Pfebnmcj.exe, Oajndh32.exe, Hjohmbpd.exe, Ehjqgjmp.exe, Ingkdeak.exe, Hjaeba32.exe, Iclbpj32.exe, Jfjolf32.exe, Nlefhcnc.exe, Ohncbdbd.exe, Oimmjffj.exe, Ckbpqe32.exe, Eakhdj32.exe, Ldgnklmi.exe, Bgoime32.exe, Fofbhgde.exe, Fdnjkh32.exe, Eafkhn32.exe, Fihfnp32.exe, Gnfkba32.exe, Eeiheo32.exe, Bhmaeg32.exe, Jnofgg32.exe, Kbmome32.exe, Kijkje32.exe, Ioeclg32.exe, Epnhpglg.exe, Kmfpmc32.exe, Kadica32.exe, Aebmjo32.exe, Djlfma32.exe, Pfbfhm32.exe, Cehhdkjf.exe, Gkgoff32.exe, Cfmhdpnc.exe, Lgkkmm32.exe, Eeojcmfi.exe, Pdjjag32.exe, Mblbnj32.exe, Nmfbpk32.exe, Npbklabl.exe, Eegkpo32.exe, Gpjkeoha.exe, Hokhbj32.exe, Djlfma32.exe, Eimcjl32.exe, Cgcnghpl.exe, Dlljaj32.exe, Gqlhkofn.exe, Ieofkp32.exe, Qmhahkdj.exe, Jcnoejch.exe, Alqnah32.exe, Dcllbhdn.exe, Nfgjml32.exe, Jdcpkp32.exe, Kcginj32.exe, Kilgoe32.exe, Klmqapci.exe, Kkpqlm32.exe, Oiafee32.exe
Modifies registry class (64 IoCs)
Every entry is under the InProcServer32 key of CLSID {79FEACFF-FFCE-815E-A900-316290B5B738}, the CLSID that the "Adds autorun key" signature above registers in ShellServiceObjectDelayLoad. The default value names the in-process server DLL that Explorer.exe will load, and it is re-pointed repeatedly at different dropped DLLs in C:\Windows\SysWow64; for example Fodebh32.exe creates C:\Windows\SysWOW64\Hpfnbh32.dll (see "Drops file in System32 directory") and then sets the default value to that path here.
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | 20 processes, in report order: Bmnnkl32.exe, Jdhifooi.exe, Jpmmfp32.exe, Jjpdmi32.exe, Jbhebfck.exe, Kgkonj32.exe, Npdhaq32.exe, Ddaemh32.exe, Gcmamj32.exe, Ibipmiek.exe, Jagpdd32.exe, Eifmimch.exe, Kidjdpie.exe, Joidhh32.exe, Bdcifi32.exe, Pdppqbkn.exe, Jmdgipkk.exe, Nmfbpk32.exe, Qemldifo.exe, Cinafkkd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | 22 processes, in report order: Mloiec32.exe, Bqeqqk32.exe, Dnpciaef.exe, Fpohakbp.exe, Faonom32.exe, Pafdjmkq.exe, Dlifadkk.exe, Jmdgipkk.exe, Ggagmjbq.exe, Fleifl32.exe, Pnchhllf.exe, Kidjdpie.exe, Gcjmmdbf.exe, Ldgnklmi.exe, Oeaqig32.exe, Cdmepgce.exe, Fihfnp32.exe, Hddmjk32.exe, Acnlgajg.exe, Fodebh32.exe, Aeoijidl.exe, Dfhdnn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogmkng32.dll" | Aclpaali.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gacdld32.dll" | Fcqjfeja.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbgklp32.dll" | Eblelb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnebcm32.dll" | Fpbnjjkm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aekabb32.dll" | Iakino32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpklelgo.dll" | Hofngkga.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgngaoal.dll" | Jcnoejch.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaqbpk32.dll" | Jimdcqom.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfcllk32.dll" | Hfjbmb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccmkid32.dll" | Jcqlkjae.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhbggodl.dll" | Dpeiligo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpfnbh32.dll" | Fodebh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbbngc32.dll" | Iamfdo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcaibd32.dll" | Cnmfdb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kalhln32.dll" | Pnchhllf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igbnok32.dll" | Dgnjqe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kigeamik.dll" | Kmegjdad.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jqnodo32.dll" | Kdkelolf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmjgpkif.dll" | Cmhjdiap.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpopbabj.dll" | Haqnea32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdbampij.dll" | Eeojcmfi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljpfmo32.dll" | Imaapa32.exe
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 2444 wrote to memory of 1964 2444 7675e7bfb81de84ca4a841bcb4e44cb9fb7b90191f39c1311338e91ac4893029.exe 31
PID 2444 wrote to memory of 1964 2444 7675e7bfb81de84ca4a841bcb4e44cb9fb7b90191f39c1311338e91ac4893029.exe 31
PID 2444 wrote to memory of 1964 2444 7675e7bfb81de84ca4a841bcb4e44cb9fb7b90191f39c1311338e91ac4893029.exe 31
PID 2444 wrote to memory of 1964 2444 7675e7bfb81de84ca4a841bcb4e44cb9fb7b90191f39c1311338e91ac4893029.exe 31
PID 1964 wrote to memory of 2260 1964 Ngealejo.exe 32
PID 1964 wrote to memory of 2260 1964 Ngealejo.exe 32
PID 1964 wrote to memory of 2260 1964 Ngealejo.exe 32
PID 1964 wrote to memory of 2260 1964 Ngealejo.exe 32
PID 2260 wrote to memory of 2680 2260 Nplimbka.exe 33
PID 2260 wrote to memory of 2680 2260 Nplimbka.exe 33
PID 2260 wrote to memory of 2680 2260 Nplimbka.exe 33
PID 2260 wrote to memory of 2680 2260 Nplimbka.exe 33
PID 2680 wrote to memory of 2704 2680 Nlefhcnc.exe 34
PID 2680 wrote to memory of 2704 2680 Nlefhcnc.exe 34
PID 2680 wrote to memory of 2704 2680 Nlefhcnc.exe 34
PID 2680 wrote to memory of 2704 2680 Nlefhcnc.exe 34
PID 2704 wrote to memory of 2820 2704 Nmfbpk32.exe 35
PID 2704 wrote to memory of 2820 2704 Nmfbpk32.exe 35
PID 2704 wrote to memory of 2820 2704 Nmfbpk32.exe 35
PID 2704 wrote to memory of 2820 2704 Nmfbpk32.exe 35
PID 2820 wrote to memory of 2596 2820 Opglafab.exe 36
PID 2820 wrote to memory of 2596 2820 Opglafab.exe 36
PID 2820 wrote to memory of 2596 2820 Opglafab.exe 36
PID 2820 wrote to memory of 2596 2820 Opglafab.exe 36
PID 2596 wrote to memory of 2624 2596 Ohncbdbd.exe 37
PID 2596 wrote to memory of 2624 2596 Ohncbdbd.exe 37
PID 2596 wrote to memory of 2624 2596 Ohncbdbd.exe 37
PID 2596 wrote to memory of 2624 2596 Ohncbdbd.exe 37
PID 2624 wrote to memory of 2016 2624 Offmipej.exe 38
PID 2624 wrote to memory of 2016 2624 Offmipej.exe 38
PID 2624 wrote to memory of 2016 2624 Offmipej.exe 38
PID 2624 wrote to memory of 2016 2624 Offmipej.exe 38
PID 2016 wrote to memory of 1932 2016 Oeindm32.exe 39
PID 2016 wrote to memory of 1932 2016 Oeindm32.exe 39
PID 2016 wrote to memory of 1932 2016 Oeindm32.exe 39
PID 2016 wrote to memory of 1932 2016 Oeindm32.exe 39
PID 1932 wrote to memory of 1140 1932 Plgolf32.exe 40
PID 1932 wrote to memory of 1140 1932 Plgolf32.exe 40
PID 1932 wrote to memory of 1140 1932 Plgolf32.exe 40
PID 1932 wrote to memory of 1140 1932 Plgolf32.exe 40
PID 1140 wrote to memory of 2892 1140 Pofkha32.exe 41
PID 1140 wrote to memory of 2892 1140 Pofkha32.exe 41
PID 1140 wrote to memory of 2892 1140 Pofkha32.exe 41
PID 1140 wrote to memory of 2892 1140 Pofkha32.exe 41
PID 2892 wrote to memory of 1612 2892 Pafdjmkq.exe 42
PID 2892 wrote to memory of 1612 2892 Pafdjmkq.exe 42
PID 2892 wrote to memory of 1612 2892 Pafdjmkq.exe 42
PID 2892 wrote to memory of 1612 2892 Pafdjmkq.exe 42
PID 1612 wrote to memory of 2056 1612 Phcilf32.exe 43
PID 1612 wrote to memory of 2056 1612 Phcilf32.exe 43
PID 1612 wrote to memory of 2056 1612 Phcilf32.exe 43
PID 1612 wrote to memory of 2056 1612 Phcilf32.exe 43
PID 2056 wrote to memory of 620 2056 Pdjjag32.exe 44
PID 2056 wrote to memory of 620 2056 Pdjjag32.exe 44
PID 2056 wrote to memory of 620 2056 Pdjjag32.exe 44
PID 2056 wrote to memory of 620 2056 Pdjjag32.exe 44
PID 620 wrote to memory of 2532 620 Pifbjn32.exe 45
PID 620 wrote to memory of 2532 620 Pifbjn32.exe 45
PID 620 wrote to memory of 2532 620 Pifbjn32.exe 45
PID 620 wrote to memory of 2532 620 Pifbjn32.exe 45
PID 2532 wrote to memory of 1624 2532 Alihaioe.exe 46
PID 2532 wrote to memory of 1624 2532 Alihaioe.exe 46
PID 2532 wrote to memory of 1624 2532 Alihaioe.exe 46
PID 2532 wrote to memory of 1624 2532 Alihaioe.exe 46
Processes
(each entry: tree depth, image path, command line, triggered signatures, PID; each process is the child of the one above it)

1. C:\Users\Admin\AppData\Local\Temp\7675e7bfb81de84ca4a841bcb4e44cb9fb7b90191f39c1311338e91ac4893029.exe
command line: "C:\Users\Admin\AppData\Local\Temp\7675e7bfb81de84ca4a841bcb4e44cb9fb7b90191f39c1311338e91ac4893029.exe"
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2444

2. C:\Windows\SysWOW64\Ngealejo.exe
command line: C:\Windows\system32\Ngealejo.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1964

3. C:\Windows\SysWOW64\Nplimbka.exe
command line: C:\Windows\system32\Nplimbka.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2260

4. C:\Windows\SysWOW64\Nlefhcnc.exe
command line: C:\Windows\system32\Nlefhcnc.exe
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2680

5. C:\Windows\SysWOW64\Nmfbpk32.exe
command line: C:\Windows\system32\Nmfbpk32.exe
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2704

6. C:\Windows\SysWOW64\Opglafab.exe
command line: C:\Windows\system32\Opglafab.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2820

7. C:\Windows\SysWOW64\Ohncbdbd.exe
command line: C:\Windows\system32\Ohncbdbd.exe
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2596

8. C:\Windows\SysWOW64\Offmipej.exe
command line: C:\Windows\system32\Offmipej.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2624

9. C:\Windows\SysWOW64\Oeindm32.exe
command line: C:\Windows\system32\Oeindm32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2016

10. C:\Windows\SysWOW64\Plgolf32.exe
command line: C:\Windows\system32\Plgolf32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1932

11. C:\Windows\SysWOW64\Pofkha32.exe
command line: C:\Windows\system32\Pofkha32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1140

12. C:\Windows\SysWOW64\Pafdjmkq.exe
command line: C:\Windows\system32\Pafdjmkq.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2892

13. C:\Windows\SysWOW64\Phcilf32.exe
command line: C:\Windows\system32\Phcilf32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1612

14. C:\Windows\SysWOW64\Pdjjag32.exe
command line: C:\Windows\system32\Pdjjag32.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2056

15. C:\Windows\SysWOW64\Pifbjn32.exe
command line: C:\Windows\system32\Pifbjn32.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:620

16. C:\Windows\SysWOW64\Alihaioe.exe
command line: C:\Windows\system32\Alihaioe.exe
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2532

17. C:\Windows\SysWOW64\Aohdmdoh.exe
command line: C:\Windows\system32\Aohdmdoh.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1624

18. C:\Windows\SysWOW64\Aebmjo32.exe
command line: C:\Windows\system32\Aebmjo32.exe
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2032

19. C:\Windows\SysWOW64\Allefimb.exe
command line: C:\Windows\system32\Allefimb.exe
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1152

20. C:\Windows\SysWOW64\Achjibcl.exe
command line: C:\Windows\system32\Achjibcl.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1508

21. C:\Windows\SysWOW64\Aakjdo32.exe
command line: C:\Windows\system32\Aakjdo32.exe
- Executes dropped EXE
- Loads dropped DLL
PID:316

22. C:\Windows\SysWOW64\Afffenbp.exe
command line: C:\Windows\system32\Afffenbp.exe
- Executes dropped EXE
- Loads dropped DLL
PID:1296

23. C:\Windows\SysWOW64\Alqnah32.exe
command line: C:\Windows\system32\Alqnah32.exe
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1052

24. C:\Windows\SysWOW64\Anbkipok.exe
command line: C:\Windows\system32\Anbkipok.exe
- Executes dropped EXE
- Loads dropped DLL
PID:1968

25. C:\Windows\SysWOW64\Aficjnpm.exe
command line: C:\Windows\system32\Aficjnpm.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2504

26. C:\Windows\SysWOW64\Andgop32.exe
command line: C:\Windows\system32\Andgop32.exe
- Executes dropped EXE
- Loads dropped DLL
PID:2064

27. C:\Windows\SysWOW64\Adnpkjde.exe
command line: C:\Windows\system32\Adnpkjde.exe
- Executes dropped EXE
- Loads dropped DLL
PID:1020

28. C:\Windows\SysWOW64\Bhjlli32.exe
command line: C:\Windows\system32\Bhjlli32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2432

29. C:\Windows\SysWOW64\Bkhhhd32.exe
command line: C:\Windows\system32\Bkhhhd32.exe
- Executes dropped EXE
- Loads dropped DLL
PID:3016

30. C:\Windows\SysWOW64\Bjkhdacm.exe
command line: C:\Windows\system32\Bjkhdacm.exe
- Executes dropped EXE
- Loads dropped DLL
PID:2980

31. C:\Windows\SysWOW64\Bqeqqk32.exe
command line: C:\Windows\system32\Bqeqqk32.exe
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2652

32. C:\Windows\SysWOW64\Bgoime32.exe
command line: C:\Windows\system32\Bgoime32.exe
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2580

33. C:\Windows\SysWOW64\Bjmeiq32.exe
command line: C:\Windows\system32\Bjmeiq32.exe
- Executes dropped EXE
PID:2536

34. C:\Windows\SysWOW64\Bdcifi32.exe
command line: C:\Windows\system32\Bdcifi32.exe
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2320

35. C:\Windows\SysWOW64\Bceibfgj.exe
command line: C:\Windows\system32\Bceibfgj.exe
- Executes dropped EXE
PID:1456

36. C:\Windows\SysWOW64\Bnknoogp.exe
command line: C:\Windows\system32\Bnknoogp.exe
- Executes dropped EXE
PID:836

37. C:\Windows\SysWOW64\Bmnnkl32.exe
command line: C:\Windows\system32\Bmnnkl32.exe
- Executes dropped EXE
- Modifies registry class
PID:764

38. C:\Windows\SysWOW64\Boljgg32.exe
command line: C:\Windows\system32\Boljgg32.exe
- Executes dropped EXE
PID:2852

39. C:\Windows\SysWOW64\Bmpkqklh.exe
command line: C:\Windows\system32\Bmpkqklh.exe
- Executes dropped EXE
PID:832

40. C:\Windows\SysWOW64\Bcjcme32.exe
command line: C:\Windows\system32\Bcjcme32.exe
- Executes dropped EXE
PID:2404

41. C:\Windows\SysWOW64\Bfioia32.exe
command line: C:\Windows\system32\Bfioia32.exe
- Executes dropped EXE
PID:1556

42. C:\Windows\SysWOW64\Ccmpce32.exe
command line: C:\Windows\system32\Ccmpce32.exe
- Executes dropped EXE
- Drops file in System32 directory
PID:544

43. C:\Windows\SysWOW64\Cfkloq32.exe
command line: C:\Windows\system32\Cfkloq32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2868

44. C:\Windows\SysWOW64\Cenljmgq.exe
command line: C:\Windows\system32\Cenljmgq.exe
- Executes dropped EXE
PID:1676

45. C:\Windows\SysWOW64\Cnfqccna.exe
command line: C:\Windows\system32\Cnfqccna.exe
- Executes dropped EXE
- Drops file in System32 directory
PID:2476

46. C:\Windows\SysWOW64\Cfmhdpnc.exe
command line: C:\Windows\system32\Cfmhdpnc.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1584

47. C:\Windows\SysWOW64\Cileqlmg.exe
command line: C:\Windows\system32\Cileqlmg.exe
- Executes dropped EXE
- Drops file in System32 directory
PID:2024

48. C:\Windows\SysWOW64\Ckjamgmk.exe
command line: C:\Windows\system32\Ckjamgmk.exe
- Executes dropped EXE
PID:2336

49. C:\Windows\SysWOW64\Cnimiblo.exe
command line: C:\Windows\system32\Cnimiblo.exe
- Executes dropped EXE
- Drops file in System32 directory
PID:2396

50. C:\Windows\SysWOW64\Cagienkb.exe
command line: C:\Windows\system32\Cagienkb.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2828

51. C:\Windows\SysWOW64\Cinafkkd.exe
command line: C:\Windows\system32\Cinafkkd.exe
- Executes dropped EXE
- Modifies registry class
PID:2548

52. C:\Windows\SysWOW64\Cnkjnb32.exe
command line: C:\Windows\system32\Cnkjnb32.exe
- Executes dropped EXE
PID:2552

53. C:\Windows\SysWOW64\Cgcnghpl.exe
command line: C:\Windows\system32\Cgcnghpl.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2776

54. C:\Windows\SysWOW64\Cjakccop.exe
command line: C:\Windows\system32\Cjakccop.exe
- Executes dropped EXE
PID:1420

55. C:\Windows\SysWOW64\Cnmfdb32.exe
command line: C:\Windows\system32\Cnmfdb32.exe
- Executes dropped EXE
- Modifies registry class
PID:2796

56. C:\Windows\SysWOW64\Cmpgpond.exe
command line: C:\Windows\system32\Cmpgpond.exe
- Executes dropped EXE
PID:2956

57. C:\Windows\SysWOW64\Cegoqlof.exe
command line: C:\Windows\system32\Cegoqlof.exe
- Executes dropped EXE
PID:1628

58. C:\Windows\SysWOW64\Ccjoli32.exe
command line: C:\Windows\system32\Ccjoli32.exe
- Executes dropped EXE
PID:3020

59. C:\Windows\SysWOW64\Cgfkmgnj.exe
command line: C:\Windows\system32\Cgfkmgnj.exe
- Executes dropped EXE
PID:2860

60. C:\Windows\SysWOW64\Dnpciaef.exe
command line: C:\Windows\system32\Dnpciaef.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1684

61. C:\Windows\SysWOW64\Danpemej.exe
command line: C:\Windows\system32\Danpemej.exe
- Executes dropped EXE
PID:1600

62. C:\Windows\SysWOW64\Dcllbhdn.exe
command line: C:\Windows\system32\Dcllbhdn.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1408

63. C:\Windows\SysWOW64\Djfdob32.exe
command line: C:\Windows\system32\Djfdob32.exe
- Executes dropped EXE
PID:1704

64. C:\Windows\SysWOW64\Daplkmbg.exe
command line: C:\Windows\system32\Daplkmbg.exe
- Executes dropped EXE
- Drops file in System32 directory
PID:1620

65. C:\Windows\SysWOW64\Dpcmgi32.exe
command line: C:\Windows\system32\Dpcmgi32.exe
- Executes dropped EXE
PID:1536

66. C:\Windows\SysWOW64\Dpeiligo.exe
command line: C:\Windows\system32\Dpeiligo.exe
- Modifies registry class
PID:1864

67. C:\Windows\SysWOW64\Ddaemh32.exe
command line: C:\Windows\system32\Ddaemh32.exe
- Modifies registry class
PID:2656

68. C:\Windows\SysWOW64\Dfpaic32.exe
command line: C:\Windows\system32\Dfpaic32.exe
PID:2676

69. C:\Windows\SysWOW64\Debadpeg.exe
command line: C:\Windows\system32\Debadpeg.exe
PID:1048

70. C:\Windows\SysWOW64\Dinneo32.exe
command line: C:\Windows\system32\Dinneo32.exe
PID:2140

71. C:\Windows\SysWOW64\Dlljaj32.exe
command line: C:\Windows\system32\Dlljaj32.exe
- System Location Discovery: System Language Discovery
PID:596

72. C:\Windows\SysWOW64\Dphfbiem.exe
command line: C:\Windows\system32\Dphfbiem.exe
PID:1412

73. C:\Windows\SysWOW64\Dphfbiem.exe
command line: C:\Windows\system32\Dphfbiem.exe
PID:2236

74. C:\Windows\SysWOW64\Dlofgj32.exe
command line: C:\Windows\system32\Dlofgj32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2472

75. C:\Windows\SysWOW64\Domccejd.exe
command line: C:\Windows\system32\Domccejd.exe
PID:2932

76. C:\Windows\SysWOW64\Eakooqih.exe
command line: C:\Windows\system32\Eakooqih.exe
PID:1368

77. C:\Windows\SysWOW64\Eegkpo32.exe
command line: C:\Windows\system32\Eegkpo32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2220

78. C:\Windows\SysWOW64\Eibgpnjk.exe
command line: C:\Windows\system32\Eibgpnjk.exe
PID:3028

79. C:\Windows\SysWOW64\Elacliin.exe
command line: C:\Windows\system32\Elacliin.exe
PID:2792

80. C:\Windows\SysWOW64\Ekdchf32.exe
command line: C:\Windows\system32\Ekdchf32.exe
PID:3008

81. C:\Windows\SysWOW64\Ebklic32.exe
command line: C:\Windows\system32\Ebklic32.exe
PID:2512

82. C:\Windows\SysWOW64\Eeiheo32.exe
command line: C:\Windows\system32\Eeiheo32.exe
- System Location Discovery: System Language Discovery
PID:2412

83. C:\Windows\SysWOW64\Ehhdaj32.exe
command line: C:\Windows\system32\Ehhdaj32.exe
PID:2884

84. C:\Windows\SysWOW64\Elcpbigl.exe
command line: C:\Windows\system32\Elcpbigl.exe
PID:640

85. C:\Windows\SysWOW64\Ekfpmf32.exe
command line: C:\Windows\system32\Ekfpmf32.exe
PID:1728

86. C:\Windows\SysWOW64\Eeldkonl.exe
command line: C:\Windows\system32\Eeldkonl.exe
PID:2832

87. C:\Windows\SysWOW64\Ehjqgjmp.exe
command line: C:\Windows\system32\Ehjqgjmp.exe
- System Location Discovery: System Language Discovery
PID:2560

88. C:\Windows\SysWOW64\Ekhmcelc.exe
command line: C:\Windows\system32\Ekhmcelc.exe
PID:2896

89. C:\Windows\SysWOW64\Eodicd32.exe
command line: C:\Windows\system32\Eodicd32.exe
PID:2640

90. C:\Windows\SysWOW64\Edaalk32.exe
command line: C:\Windows\system32\Edaalk32.exe
PID:2400

91. C:\Windows\SysWOW64\Ekkjheja.exe
command line: C:\Windows\system32\Ekkjheja.exe
PID:2484

92. C:\Windows\SysWOW64\Edcnakpa.exe
command line: C:\Windows\system32\Edcnakpa.exe
PID:2264

93. C:\Windows\SysWOW64\Ecfnmh32.exe
command line: C:\Windows\system32\Ecfnmh32.exe
- Adds autorun key to be loaded by Explorer.exe on startup
PID:344

94. C:\Windows\SysWOW64\Fchkbg32.exe
command line: C:\Windows\system32\Fchkbg32.exe
PID:2496

95. C:\Windows\SysWOW64\Feggob32.exe
command line: C:\Windows\system32\Feggob32.exe
PID:2408

96. C:\Windows\SysWOW64\Fibcoalf.exe
command line: C:\Windows\system32\Fibcoalf.exe
PID:2736

97. C:\Windows\SysWOW64\Flapkmlj.exe
command line: C:\Windows\system32\Flapkmlj.exe
PID:2060

98. C:\Windows\SysWOW64\Foolgh32.exe
command line: C:\Windows\system32\Foolgh32.exe
PID:2952

99. C:\Windows\SysWOW64\Fckhhgcf.exe
command line: C:\Windows\system32\Fckhhgcf.exe
PID:2308

100. C:\Windows\SysWOW64\Fgfdie32.exe
command line: C:\Windows\system32\Fgfdie32.exe
PID:2160

101. C:\Windows\SysWOW64\Fiepea32.exe
command line: C:\Windows\system32\Fiepea32.exe
- Drops file in System32 directory
PID:1500

102. C:\Windows\SysWOW64\Flclam32.exe
command line: C:\Windows\system32\Flclam32.exe
PID:904

103. C:\Windows\SysWOW64\Fpohakbp.exe
command line: C:\Windows\system32\Fpohakbp.exe
- Drops file in System32 directory
- Modifies registry class
PID:2244

104. C:\Windows\SysWOW64\Felajbpg.exe
command line: C:\Windows\system32\Felajbpg.exe
PID:1944

105. C:\Windows\SysWOW64\Fhjmfnok.exe
command line: C:\Windows\system32\Fhjmfnok.exe
PID:1372

106. C:\Windows\SysWOW64\Fleifl32.exe
command line: C:\Windows\system32\Fleifl32.exe
- Modifies registry class
PID:840

107. C:\Windows\SysWOW64\Fodebh32.exe
command line: C:\Windows\system32\Fodebh32.exe
- Drops file in System32 directory
- Modifies registry class
PID:2784

108. C:\Windows\SysWOW64\Fcpacf32.exe
command line: C:\Windows\system32\Fcpacf32.exe
PID:2156

109. C:\Windows\SysWOW64\Fennoa32.exe
command line: C:\Windows\system32\Fennoa32.exe
PID:336

110. C:\Windows\SysWOW64\Fhljkm32.exe
command line: C:\Windows\system32\Fhljkm32.exe
PID:2196

111. C:\Windows\SysWOW64\Fkkfgi32.exe
command line: C:\Windows\system32\Fkkfgi32.exe
PID:2544

112. C:\Windows\SysWOW64\Fofbhgde.exe
command line: C:\Windows\system32\Fofbhgde.exe
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1108

113. C:\Windows\SysWOW64\Fadndbci.exe
command line: C:\Windows\system32\Fadndbci.exe
- Adds autorun key to be loaded by Explorer.exe on startup
PID:708

114. C:\Windows\SysWOW64\Gdcjpncm.exe
command line: C:\Windows\system32\Gdcjpncm.exe
PID:1888

115. C:\Windows\SysWOW64\Ggagmjbq.exe
command line: C:\Windows\system32\Ggagmjbq.exe
- Modifies registry class
PID:752

116. C:\Windows\SysWOW64\Gpjkeoha.exe
command line: C:\Windows\system32\Gpjkeoha.exe
- System Location Discovery: System Language Discovery
PID:2076

117. C:\Windows\SysWOW64\Ghacfmic.exe
command line: C:\Windows\system32\Ghacfmic.exe
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1636

118. C:\Windows\SysWOW64\Gkoobhhg.exe
command line: C:\Windows\system32\Gkoobhhg.exe
PID:1680

119. C:\Windows\SysWOW64\Gnnlocgk.exe
command line: C:\Windows\system32\Gnnlocgk.exe
- Drops file in System32 directory
PID:1188

120. C:\Windows\SysWOW64\Gqlhkofn.exe
command line: C:\Windows\system32\Gqlhkofn.exe
- System Location Discovery: System Language Discovery
PID:1604

121. C:\Windows\SysWOW64\Ggfpgi32.exe
command line: C:\Windows\system32\Ggfpgi32.exe
PID:1416

122. C:\Windows\SysWOW64\Gnphdceh.exe
command line: C:\Windows\system32\Gnphdceh.exe
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2208