Analysis
-
max time kernel
118s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
07-12-2024 20:39
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
24a37f9265b86782992cfbea93bbaf2bf1db75e87f728bbb11fd23548e6237e1.exe
Resource
win7-20240903-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral2
Sample
24a37f9265b86782992cfbea93bbaf2bf1db75e87f728bbb11fd23548e6237e1.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
24a37f9265b86782992cfbea93bbaf2bf1db75e87f728bbb11fd23548e6237e1.exe
-
Size
92KB
-
MD5
ae79d102850a6e45d0d0f70137fc46f6
-
SHA1
a354a38fb6e445a2dae7e94e2210ab15d2533e86
-
SHA256
24a37f9265b86782992cfbea93bbaf2bf1db75e87f728bbb11fd23548e6237e1
-
SHA512
d2788d90faf96f805edce1731ffc899c238ae5344390a8024f10a008674c89f3f2f63e5f9901934528594c49dae3a00977d5e3d08cccf6da8a1e89dfc6dad5a4
-
SSDEEP
1536:oHUnR2F0sO7WdKaaJ+p4Zr5l1s+4FFjXq+66DFUABABOVLefE3:gUnkRiiKazcl1f4FFj6+JB8M3
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://master-x.com/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://crutop.ru/index.php
http://kaspersky.ru/index.php
http://color-bank.ru/index.php
http://adult-empire.com/index.php
http://virus-list.com/index.php
http://trojan.ru/index.php
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://fethard.biz/index.htm
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://kaspersky.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iliebpfc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkeecogo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apkgpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bqolji32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Faonom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jfcabd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qpamoa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jojkco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajmijmnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Imodkadq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qmhahkdj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bedhgj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlohmonb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Onamle32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbqmhnbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bniajoic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ggkibhjf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njgpij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojeobm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cmkfji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dnefhpma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfkjgm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bflbigdb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnaiol32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npjlhcmd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jelfdc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Joggci32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qobdgo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgeelf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkilka32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjlheehe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aobpfb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Folhgbid.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qfkelkkd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adleoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebknblho.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eelgcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Apilcoho.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecploipa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ipjdameg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icfbkded.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bpboinpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gfhgpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aognbnkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fkilka32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkelpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Obokcqhk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndcapd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hgeelf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcciqi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bikjmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bomlppdb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnbpqb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epnkip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mjkgjl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eldbkbop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjjpag32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Einebddd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eeldkonl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lgngbmjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mphiqbon.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obgnhkkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojglhm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ieponofk.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2476 Baojapfj.exe 2440 Bflbigdb.exe 2128 Cfnoogbo.exe 2884 Cpfdhl32.exe 2772 Cjlheehe.exe 2968 Cbgmigeq.exe 2212 Ciaefa32.exe 2000 Cpkmcldj.exe 3048 Cehfkb32.exe 1324 Chfbgn32.exe 1248 Dejbqb32.exe 2516 Dhiomn32.exe 316 Dobgihgp.exe 1404 Dhkkbmnp.exe 2896 Dacpkc32.exe 2932 Dhmhhmlm.exe 2920 Dafmqb32.exe 780 Dgbeiiqe.exe 2812 Dpkibo32.exe 1624 Dgeaoinb.exe 1720 Epmfgo32.exe 828 Eldglp32.exe 1784 Egikjh32.exe 352 Ecploipa.exe 2064 Eaeipfei.exe 2376 Eknmhk32.exe 1908 Eecafd32.exe 2344 Fajbke32.exe 2668 Fhdjgoha.exe 2776 Fpoolael.exe 2860 Fgigil32.exe 2584 Fcphnm32.exe 2560 Fjjpjgjj.exe 2392 Fgnadkic.exe 3052 Gceailog.exe 1824 Gmmfaa32.exe 2460 Golbnm32.exe 1676 Gfejjgli.exe 296 Gfhgpg32.exe 2620 Goplilpf.exe 3044 Gjjmijme.exe 1588 Gepafc32.exe 1852 Hebnlb32.exe 320 Hfcjdkpg.exe 872 Hmmbqegc.exe 584 Hpkompgg.exe 880 Hfegij32.exe 2036 Hidcef32.exe 1584 Hpnkbpdd.exe 1808 Hblgnkdh.exe 1516 Hifpke32.exe 2760 Hfjpdjjo.exe 2876 Hihlqeib.exe 2564 Hlgimqhf.exe 2588 Hbaaik32.exe 2592 Iikifegp.exe 1048 Iliebpfc.exe 1840 Iafnjg32.exe 1232 Illbhp32.exe 1792 Ibejdjln.exe 2908 Idgglb32.exe 916 Inlkik32.exe 2184 Iefcfe32.exe 848 Ifgpnmom.exe -
Loads dropped DLL 64 IoCs
pid Process 2092 24a37f9265b86782992cfbea93bbaf2bf1db75e87f728bbb11fd23548e6237e1.exe 2092 24a37f9265b86782992cfbea93bbaf2bf1db75e87f728bbb11fd23548e6237e1.exe 2476 Baojapfj.exe 2476 Baojapfj.exe 2440 Bflbigdb.exe 2440 Bflbigdb.exe 2128 Cfnoogbo.exe 2128 Cfnoogbo.exe 2884 Cpfdhl32.exe 2884 Cpfdhl32.exe 2772 Cjlheehe.exe 2772 Cjlheehe.exe 2968 Cbgmigeq.exe 2968 Cbgmigeq.exe 2212 Ciaefa32.exe 2212 Ciaefa32.exe 2000 Cpkmcldj.exe 2000 Cpkmcldj.exe 3048 Cehfkb32.exe 3048 Cehfkb32.exe 1324 Chfbgn32.exe 1324 Chfbgn32.exe 1248 Dejbqb32.exe 1248 Dejbqb32.exe 2516 Dhiomn32.exe 2516 Dhiomn32.exe 316 Dobgihgp.exe 316 Dobgihgp.exe 1404 Dhkkbmnp.exe 1404 Dhkkbmnp.exe 2896 Dacpkc32.exe 2896 Dacpkc32.exe 2932 Dhmhhmlm.exe 2932 Dhmhhmlm.exe 2920 Dafmqb32.exe 2920 Dafmqb32.exe 780 Dgbeiiqe.exe 780 Dgbeiiqe.exe 2812 Dpkibo32.exe 2812 Dpkibo32.exe 1624 Dgeaoinb.exe 1624 Dgeaoinb.exe 1720 Epmfgo32.exe 1720 Epmfgo32.exe 828 Eldglp32.exe 828 Eldglp32.exe 1784 Egikjh32.exe 1784 Egikjh32.exe 352 Ecploipa.exe 352 Ecploipa.exe 2064 Eaeipfei.exe 2064 Eaeipfei.exe 2376 Eknmhk32.exe 2376 Eknmhk32.exe 1908 Eecafd32.exe 1908 Eecafd32.exe 2344 Fajbke32.exe 2344 Fajbke32.exe 2668 Fhdjgoha.exe 2668 Fhdjgoha.exe 2776 Fpoolael.exe 2776 Fpoolael.exe 2860 Fgigil32.exe 2860 Fgigil32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Nhpfdaml.exe Nbfnggeo.exe File opened for modification C:\Windows\SysWOW64\Cfnoogbo.exe Bflbigdb.exe File created C:\Windows\SysWOW64\Nfjmnpei.dll Imodkadq.exe File opened for modification C:\Windows\SysWOW64\Iaimipjl.exe Iogpag32.exe File created C:\Windows\SysWOW64\Hjgehgnh.exe Hkdemk32.exe File opened for modification C:\Windows\SysWOW64\Igmepdbc.exe Idohdhbo.exe File opened for modification C:\Windows\SysWOW64\Qgmpibam.exe Qpbglhjq.exe File created C:\Windows\SysWOW64\Ldgnklmi.exe Llpfjomf.exe File opened for modification C:\Windows\SysWOW64\Pdhpdq32.exe Pmnghfhi.exe File created C:\Windows\SysWOW64\Ckfkpqnm.dll Mmjomogn.exe File opened for modification C:\Windows\SysWOW64\Baojapfj.exe 24a37f9265b86782992cfbea93bbaf2bf1db75e87f728bbb11fd23548e6237e1.exe File opened for modification C:\Windows\SysWOW64\Plgolf32.exe Obokcqhk.exe File created C:\Windows\SysWOW64\Jgmaog32.exe Jfjhbo32.exe File created C:\Windows\SysWOW64\Lmpcca32.exe Lgfjggll.exe File opened for modification C:\Windows\SysWOW64\Jjnjqb32.exe Jeaahk32.exe File opened for modification C:\Windows\SysWOW64\Lbgkfbbj.exe Klmbjh32.exe File created C:\Windows\SysWOW64\Hlmdnf32.dll Dobgihgp.exe File created C:\Windows\SysWOW64\Oqlecd32.dll Plgolf32.exe File created C:\Windows\SysWOW64\Jlhkgm32.exe Jenbjc32.exe File created C:\Windows\SysWOW64\Ophppo32.dll Boeoek32.exe File created C:\Windows\SysWOW64\Dhmhhmlm.exe Dacpkc32.exe File opened for modification C:\Windows\SysWOW64\Ncmglp32.exe Nmcopebh.exe File created C:\Windows\SysWOW64\Finlmjmi.dll Cidddj32.exe File created C:\Windows\SysWOW64\Mbqkiind.exe Mobomnoq.exe File opened for modification C:\Windows\SysWOW64\Hmmdin32.exe Hklhae32.exe File created C:\Windows\SysWOW64\Adleoc32.exe Aoomflpd.exe File created C:\Windows\SysWOW64\Ndmomfda.dll Ejioln32.exe File opened for modification C:\Windows\SysWOW64\Goddjc32.exe Gncgbkki.exe File created C:\Windows\SysWOW64\Aoqbnfda.dll Dkgldm32.exe File created C:\Windows\SysWOW64\Hlgimqhf.exe Hihlqeib.exe File opened for modification C:\Windows\SysWOW64\Napbjjom.exe Nlcibc32.exe File created C:\Windows\SysWOW64\Eihjolae.exe Edlafebn.exe File opened for modification C:\Windows\SysWOW64\Ombddbah.exe Oekmceaf.exe File created C:\Windows\SysWOW64\Nclgkc32.dll Penihe32.exe File created C:\Windows\SysWOW64\Dmcnpjhd.dll Gdhfdffl.exe File created C:\Windows\SysWOW64\Dhlmpmai.dll Kbpefc32.exe File created C:\Windows\SysWOW64\Kbpbmkan.exe Kpafapbk.exe File created C:\Windows\SysWOW64\Obkglbmf.dll Mlafkb32.exe File created C:\Windows\SysWOW64\Iinhdmma.exe Inhdgdmk.exe File created C:\Windows\SysWOW64\Palpneop.exe Pmpdmfff.exe File created C:\Windows\SysWOW64\Djafaf32.exe Cffjagko.exe File opened for modification C:\Windows\SysWOW64\Efjpkj32.exe Eclcon32.exe File created C:\Windows\SysWOW64\Inlkik32.exe Idgglb32.exe File opened for modification C:\Windows\SysWOW64\Kbpbmkan.exe Kpafapbk.exe File opened for modification C:\Windows\SysWOW64\Efedga32.exe Dcghkf32.exe File created C:\Windows\SysWOW64\Dfcgbb32.exe Deakjjbk.exe File created C:\Windows\SysWOW64\Kndkfpje.dll Iinhdmma.exe File opened for modification C:\Windows\SysWOW64\Kfaalh32.exe Kpgionie.exe File created C:\Windows\SysWOW64\Pdecoa32.exe Pbdfgilj.exe File opened for modification C:\Windows\SysWOW64\Gibbgmfe.exe Gpjmnh32.exe File opened for modification C:\Windows\SysWOW64\Nknimnap.exe Ndcapd32.exe File created C:\Windows\SysWOW64\Nklcci32.dll Bnlgbnbp.exe File opened for modification C:\Windows\SysWOW64\Cidddj32.exe Cbjlhpkb.exe File created C:\Windows\SysWOW64\Iecbnqcj.dll Eknpadcn.exe File opened for modification C:\Windows\SysWOW64\Hqnjek32.exe Hifbdnbi.exe File created C:\Windows\SysWOW64\Dllmckbg.dll Hifbdnbi.exe File opened for modification C:\Windows\SysWOW64\Lghgmg32.exe Loaokjjg.exe File opened for modification C:\Windows\SysWOW64\Hjlemlnk.exe Hcblqb32.exe File created C:\Windows\SysWOW64\Oaoplfhc.dll Bniajoic.exe File opened for modification C:\Windows\SysWOW64\Ijphofem.exe Ibipmiek.exe File created C:\Windows\SysWOW64\Ppfafcpb.exe Piliii32.exe File opened for modification C:\Windows\SysWOW64\Meljbqna.exe Mkgeehnl.exe File opened for modification C:\Windows\SysWOW64\Efhcej32.exe Epnkip32.exe File opened for modification C:\Windows\SysWOW64\Kpafapbk.exe Kigndekn.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 2796 3036 WerFault.exe 861 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Danpemej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjaeba32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnbpqb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjjpag32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldmopa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnleiipc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngjlpmnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcciqi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhbciaki.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmqihg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcblqb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gepafc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pepcelel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fakdcnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pghfnc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhdmph32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aompambg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgcbhd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngdjaofc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbigmn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgeelf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlelda32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkeecogo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcjhmcok.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apedah32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opodknco.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Caokmd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldgnklmi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aohgfm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igmepdbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgigil32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mimpkcdn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hqnjek32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pohhna32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jenbjc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnefhpma.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qblfkgqb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifgpnmom.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbqmhnbo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jikeeh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgjjad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kocpbfei.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldkdckff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dacpkc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eecafd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anbkipok.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emoldlmc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmipdo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbfjkj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oococb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibipmiek.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmqmod32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbeedh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bogjaamh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eihjolae.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnpobefe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcodqkbi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjdkjpkb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hinbppna.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljnqdhga.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhiphb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnicbh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmidlmcd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djmiejji.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fhljkm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nppofado.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Phfoee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pmhgba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cjoilfek.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dlljaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nggggoda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ehpcehcj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qboikm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpbffcca.dll" Bhkghqpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mciabmlo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kndkfpje.dll" Iinhdmma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djaelqba.dll" Plhaeofp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dbbklnpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eciljg32.dll" Jjnjqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkbhkj32.dll" Bknmok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcacil32.dll" Cjhckg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ipjdameg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ljnqdhga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojacgdmh.dll" Glnhjjml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afokkb32.dll" Aokckm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckhfpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mffdnf32.dll" Jfjhbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcacjhob.dll" Lhfefgkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gncgbkki.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nhmbdl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Flnlkgjq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcfnin32.dll" Hpkompgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oeeikk32.dll" Mklcadfn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mqjefamk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahfalc32.dll" Qlfdac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aobpfb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Afeaei32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gfhgpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phmogdkh.dll" Bdobdc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fdapcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nfjildbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgcgbb32.dll" Jcciqi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hcojam32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jibnop32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kocpbfei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llolnffe.dll" Bnicbh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aifjgdkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hilcfe32.dll" Dmepkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ajmijmnn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Imogcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhgnoe32.dll" Nhmbdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gphfihaj.dll" Illbhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Makpje32.dll" Jbpfnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mcodqkbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaaqjc32.dll" Obkcajde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bedamd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dofhhgce.dll" Lklgbadb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bplijcle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obffbh32.dll" Kfidqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oodjjign.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Onamle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oibmpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Icfbkded.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gjdldd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hohkmj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jkbaci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mbqkiind.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bkpglbaj.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2092 wrote to memory of 2476 2092 24a37f9265b86782992cfbea93bbaf2bf1db75e87f728bbb11fd23548e6237e1.exe 30 PID 2092 wrote to memory of 2476 2092 24a37f9265b86782992cfbea93bbaf2bf1db75e87f728bbb11fd23548e6237e1.exe 30 PID 2092 wrote to memory of 2476 2092 24a37f9265b86782992cfbea93bbaf2bf1db75e87f728bbb11fd23548e6237e1.exe 30 PID 2092 wrote to memory of 2476 2092 24a37f9265b86782992cfbea93bbaf2bf1db75e87f728bbb11fd23548e6237e1.exe 30 PID 2476 wrote to memory of 2440 2476 Baojapfj.exe 31 PID 2476 wrote to memory of 2440 2476 Baojapfj.exe 31 PID 2476 wrote to memory of 2440 2476 Baojapfj.exe 31 PID 2476 wrote to memory of 2440 2476 Baojapfj.exe 31 PID 2440 wrote to memory of 2128 2440 Bflbigdb.exe 32 PID 2440 wrote to memory of 2128 2440 Bflbigdb.exe 32 PID 2440 wrote to memory of 2128 2440 Bflbigdb.exe 32 PID 2440 wrote to memory of 2128 2440 Bflbigdb.exe 32 PID 2128 wrote to memory of 2884 2128 Cfnoogbo.exe 33 PID 2128 wrote to memory of 2884 2128 Cfnoogbo.exe 33 PID 2128 wrote to memory of 2884 2128 Cfnoogbo.exe 33 PID 2128 wrote to memory of 2884 2128 Cfnoogbo.exe 33 PID 2884 wrote to memory of 2772 2884 Cpfdhl32.exe 34 PID 2884 wrote to memory of 2772 2884 Cpfdhl32.exe 34 PID 2884 wrote to memory of 2772 2884 Cpfdhl32.exe 34 PID 2884 wrote to memory of 2772 2884 Cpfdhl32.exe 34 PID 2772 wrote to memory of 2968 2772 Cjlheehe.exe 35 PID 2772 wrote to memory of 2968 2772 Cjlheehe.exe 35 PID 2772 wrote to memory of 2968 2772 Cjlheehe.exe 35 PID 2772 wrote to memory of 2968 2772 Cjlheehe.exe 35 PID 2968 wrote to memory of 2212 2968 Cbgmigeq.exe 36 PID 2968 wrote to memory of 2212 2968 Cbgmigeq.exe 36 PID 2968 wrote to memory of 2212 2968 Cbgmigeq.exe 36 PID 2968 wrote to memory of 2212 2968 Cbgmigeq.exe 36 PID 2212 wrote to memory of 2000 2212 Ciaefa32.exe 37 PID 2212 wrote to memory of 2000 2212 Ciaefa32.exe 37 PID 2212 wrote to memory of 2000 2212 Ciaefa32.exe 37 PID 2212 wrote to memory of 2000 2212 Ciaefa32.exe 37 PID 2000 wrote to memory of 3048 2000 Cpkmcldj.exe 38 PID 2000 wrote to memory of 3048 2000 Cpkmcldj.exe 38 PID 2000 wrote to memory of 3048 2000 Cpkmcldj.exe 38 PID 2000 wrote to memory of 3048 2000 Cpkmcldj.exe 38 PID 3048 wrote to memory of 1324 3048 Cehfkb32.exe 39 PID 3048 wrote to memory of 1324 3048 Cehfkb32.exe 39 PID 3048 wrote to memory of 1324 3048 Cehfkb32.exe 39 PID 3048 wrote to memory of 1324 3048 Cehfkb32.exe 39 PID 1324 wrote to memory of 1248 1324 Chfbgn32.exe 40 PID 1324 wrote to memory of 1248 1324 Chfbgn32.exe 40 PID 1324 wrote to memory of 1248 1324 Chfbgn32.exe 40 PID 1324 wrote to memory of 1248 1324 Chfbgn32.exe 40 PID 1248 wrote to memory of 2516 1248 Dejbqb32.exe 41 PID 1248 wrote to memory of 2516 1248 Dejbqb32.exe 41 PID 1248 wrote to memory of 2516 1248 Dejbqb32.exe 41 PID 1248 wrote to memory of 2516 1248 Dejbqb32.exe 41 PID 2516 wrote to memory of 316 2516 Dhiomn32.exe 42 PID 2516 wrote to memory of 316 2516 Dhiomn32.exe 42 PID 2516 wrote to memory of 316 2516 Dhiomn32.exe 42 PID 2516 wrote to memory of 316 2516 Dhiomn32.exe 42 PID 316 wrote to memory of 1404 316 Dobgihgp.exe 43 PID 316 wrote to memory of 1404 316 Dobgihgp.exe 43 PID 316 wrote to memory of 1404 316 Dobgihgp.exe 43 PID 316 wrote to memory of 1404 316 Dobgihgp.exe 43 PID 1404 wrote to memory of 2896 1404 Dhkkbmnp.exe 44 PID 1404 wrote to memory of 2896 1404 Dhkkbmnp.exe 44 PID 1404 wrote to memory of 2896 1404 Dhkkbmnp.exe 44 PID 1404 wrote to memory of 2896 1404 Dhkkbmnp.exe 44 PID 2896 wrote to memory of 2932 2896 Dacpkc32.exe 45 PID 2896 wrote to memory of 2932 2896 Dacpkc32.exe 45 PID 2896 wrote to memory of 2932 2896 Dacpkc32.exe 45 PID 2896 wrote to memory of 2932 2896 Dacpkc32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\24a37f9265b86782992cfbea93bbaf2bf1db75e87f728bbb11fd23548e6237e1.exe"C:\Users\Admin\AppData\Local\Temp\24a37f9265b86782992cfbea93bbaf2bf1db75e87f728bbb11fd23548e6237e1.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2092 -
C:\Windows\SysWOW64\Baojapfj.exeC:\Windows\system32\Baojapfj.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2476 -
C:\Windows\SysWOW64\Bflbigdb.exeC:\Windows\system32\Bflbigdb.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2440 -
C:\Windows\SysWOW64\Cfnoogbo.exeC:\Windows\system32\Cfnoogbo.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2128 -
C:\Windows\SysWOW64\Cpfdhl32.exeC:\Windows\system32\Cpfdhl32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2884 -
C:\Windows\SysWOW64\Cjlheehe.exeC:\Windows\system32\Cjlheehe.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2772 -
C:\Windows\SysWOW64\Cbgmigeq.exeC:\Windows\system32\Cbgmigeq.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2968 -
C:\Windows\SysWOW64\Ciaefa32.exeC:\Windows\system32\Ciaefa32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2212 -
C:\Windows\SysWOW64\Cpkmcldj.exeC:\Windows\system32\Cpkmcldj.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2000 -
C:\Windows\SysWOW64\Cehfkb32.exeC:\Windows\system32\Cehfkb32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3048 -
C:\Windows\SysWOW64\Chfbgn32.exeC:\Windows\system32\Chfbgn32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1324 -
C:\Windows\SysWOW64\Dejbqb32.exeC:\Windows\system32\Dejbqb32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1248 -
C:\Windows\SysWOW64\Dhiomn32.exeC:\Windows\system32\Dhiomn32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2516 -
C:\Windows\SysWOW64\Dobgihgp.exeC:\Windows\system32\Dobgihgp.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:316 -
C:\Windows\SysWOW64\Dhkkbmnp.exeC:\Windows\system32\Dhkkbmnp.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1404 -
C:\Windows\SysWOW64\Dacpkc32.exeC:\Windows\system32\Dacpkc32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2896 -
C:\Windows\SysWOW64\Dhmhhmlm.exeC:\Windows\system32\Dhmhhmlm.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2932 -
C:\Windows\SysWOW64\Dafmqb32.exeC:\Windows\system32\Dafmqb32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2920 -
C:\Windows\SysWOW64\Dgbeiiqe.exeC:\Windows\system32\Dgbeiiqe.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:780 -
C:\Windows\SysWOW64\Dpkibo32.exeC:\Windows\system32\Dpkibo32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2812 -
C:\Windows\SysWOW64\Dgeaoinb.exeC:\Windows\system32\Dgeaoinb.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1624 -
C:\Windows\SysWOW64\Epmfgo32.exeC:\Windows\system32\Epmfgo32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1720 -
C:\Windows\SysWOW64\Eldglp32.exeC:\Windows\system32\Eldglp32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:828 -
C:\Windows\SysWOW64\Egikjh32.exeC:\Windows\system32\Egikjh32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1784 -
C:\Windows\SysWOW64\Ecploipa.exeC:\Windows\system32\Ecploipa.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:352 -
C:\Windows\SysWOW64\Eaeipfei.exeC:\Windows\system32\Eaeipfei.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2064 -
C:\Windows\SysWOW64\Eknmhk32.exeC:\Windows\system32\Eknmhk32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2376 -
C:\Windows\SysWOW64\Eecafd32.exeC:\Windows\system32\Eecafd32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1908 -
C:\Windows\SysWOW64\Fajbke32.exeC:\Windows\system32\Fajbke32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2344 -
C:\Windows\SysWOW64\Fhdjgoha.exeC:\Windows\system32\Fhdjgoha.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2668 -
C:\Windows\SysWOW64\Fpoolael.exeC:\Windows\system32\Fpoolael.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2776 -
C:\Windows\SysWOW64\Fgigil32.exeC:\Windows\system32\Fgigil32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2860 -
C:\Windows\SysWOW64\Fcphnm32.exeC:\Windows\system32\Fcphnm32.exe33⤵
- Executes dropped EXE
PID:2584 -
C:\Windows\SysWOW64\Fjjpjgjj.exeC:\Windows\system32\Fjjpjgjj.exe34⤵
- Executes dropped EXE
PID:2560 -
C:\Windows\SysWOW64\Fgnadkic.exeC:\Windows\system32\Fgnadkic.exe35⤵
- Executes dropped EXE
PID:2392 -
C:\Windows\SysWOW64\Gceailog.exeC:\Windows\system32\Gceailog.exe36⤵
- Executes dropped EXE
PID:3052 -
C:\Windows\SysWOW64\Gmmfaa32.exeC:\Windows\system32\Gmmfaa32.exe37⤵
- Executes dropped EXE
PID:1824 -
C:\Windows\SysWOW64\Golbnm32.exeC:\Windows\system32\Golbnm32.exe38⤵
- Executes dropped EXE
PID:2460 -
C:\Windows\SysWOW64\Gfejjgli.exeC:\Windows\system32\Gfejjgli.exe39⤵
- Executes dropped EXE
PID:1676 -
C:\Windows\SysWOW64\Gfhgpg32.exeC:\Windows\system32\Gfhgpg32.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:296 -
C:\Windows\SysWOW64\Goplilpf.exeC:\Windows\system32\Goplilpf.exe41⤵
- Executes dropped EXE
PID:2620 -
C:\Windows\SysWOW64\Gjjmijme.exeC:\Windows\system32\Gjjmijme.exe42⤵
- Executes dropped EXE
PID:3044 -
C:\Windows\SysWOW64\Gepafc32.exeC:\Windows\system32\Gepafc32.exe43⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1588 -
C:\Windows\SysWOW64\Hebnlb32.exeC:\Windows\system32\Hebnlb32.exe44⤵
- Executes dropped EXE
PID:1852 -
C:\Windows\SysWOW64\Hfcjdkpg.exeC:\Windows\system32\Hfcjdkpg.exe45⤵
- Executes dropped EXE
PID:320 -
C:\Windows\SysWOW64\Hmmbqegc.exeC:\Windows\system32\Hmmbqegc.exe46⤵
- Executes dropped EXE
PID:872 -
C:\Windows\SysWOW64\Hpkompgg.exeC:\Windows\system32\Hpkompgg.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:584 -
C:\Windows\SysWOW64\Hfegij32.exeC:\Windows\system32\Hfegij32.exe48⤵
- Executes dropped EXE
PID:880 -
C:\Windows\SysWOW64\Hidcef32.exeC:\Windows\system32\Hidcef32.exe49⤵
- Executes dropped EXE
PID:2036 -
C:\Windows\SysWOW64\Hpnkbpdd.exeC:\Windows\system32\Hpnkbpdd.exe50⤵
- Executes dropped EXE
PID:1584 -
C:\Windows\SysWOW64\Hblgnkdh.exeC:\Windows\system32\Hblgnkdh.exe51⤵
- Executes dropped EXE
PID:1808 -
C:\Windows\SysWOW64\Hifpke32.exeC:\Windows\system32\Hifpke32.exe52⤵
- Executes dropped EXE
PID:1516 -
C:\Windows\SysWOW64\Hfjpdjjo.exeC:\Windows\system32\Hfjpdjjo.exe53⤵
- Executes dropped EXE
PID:2760 -
C:\Windows\SysWOW64\Hihlqeib.exeC:\Windows\system32\Hihlqeib.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2876 -
C:\Windows\SysWOW64\Hlgimqhf.exeC:\Windows\system32\Hlgimqhf.exe55⤵
- Executes dropped EXE
PID:2564 -
C:\Windows\SysWOW64\Hbaaik32.exeC:\Windows\system32\Hbaaik32.exe56⤵
- Executes dropped EXE
PID:2588 -
C:\Windows\SysWOW64\Iikifegp.exeC:\Windows\system32\Iikifegp.exe57⤵
- Executes dropped EXE
PID:2592 -
C:\Windows\SysWOW64\Iliebpfc.exeC:\Windows\system32\Iliebpfc.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1048 -
C:\Windows\SysWOW64\Iafnjg32.exeC:\Windows\system32\Iafnjg32.exe59⤵
- Executes dropped EXE
PID:1840 -
C:\Windows\SysWOW64\Illbhp32.exeC:\Windows\system32\Illbhp32.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:1232 -
C:\Windows\SysWOW64\Ibejdjln.exeC:\Windows\system32\Ibejdjln.exe61⤵
- Executes dropped EXE
PID:1792 -
C:\Windows\SysWOW64\Idgglb32.exeC:\Windows\system32\Idgglb32.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2908 -
C:\Windows\SysWOW64\Inlkik32.exeC:\Windows\system32\Inlkik32.exe63⤵
- Executes dropped EXE
PID:916 -
C:\Windows\SysWOW64\Iefcfe32.exeC:\Windows\system32\Iefcfe32.exe64⤵
- Executes dropped EXE
PID:2184 -
C:\Windows\SysWOW64\Ifgpnmom.exeC:\Windows\system32\Ifgpnmom.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:848 -
C:\Windows\SysWOW64\Iamdkfnc.exeC:\Windows\system32\Iamdkfnc.exe66⤵PID:1696
-
C:\Windows\SysWOW64\Ifjlcmmj.exeC:\Windows\system32\Ifjlcmmj.exe67⤵PID:2240
-
C:\Windows\SysWOW64\Jpbalb32.exeC:\Windows\system32\Jpbalb32.exe68⤵PID:1728
-
C:\Windows\SysWOW64\Jbqmhnbo.exeC:\Windows\system32\Jbqmhnbo.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2640 -
C:\Windows\SysWOW64\Jikeeh32.exeC:\Windows\system32\Jikeeh32.exe70⤵
- System Location Discovery: System Language Discovery
PID:2356 -
C:\Windows\SysWOW64\Jliaac32.exeC:\Windows\system32\Jliaac32.exe71⤵PID:2684
-
C:\Windows\SysWOW64\Jfofol32.exeC:\Windows\system32\Jfofol32.exe72⤵PID:2368
-
C:\Windows\SysWOW64\Jojkco32.exeC:\Windows\system32\Jojkco32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1092 -
C:\Windows\SysWOW64\Jpigma32.exeC:\Windows\system32\Jpigma32.exe74⤵PID:836
-
C:\Windows\SysWOW64\Jialfgcc.exeC:\Windows\system32\Jialfgcc.exe75⤵PID:1072
-
C:\Windows\SysWOW64\Kkeecogo.exeC:\Windows\system32\Kkeecogo.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1680 -
C:\Windows\SysWOW64\Kekiphge.exeC:\Windows\system32\Kekiphge.exe77⤵PID:1408
-
C:\Windows\SysWOW64\Kdpfadlm.exeC:\Windows\system32\Kdpfadlm.exe78⤵PID:2232
-
C:\Windows\SysWOW64\Knhjjj32.exeC:\Windows\system32\Knhjjj32.exe79⤵PID:2912
-
C:\Windows\SysWOW64\Kcecbq32.exeC:\Windows\system32\Kcecbq32.exe80⤵PID:1748
-
C:\Windows\SysWOW64\Lonpma32.exeC:\Windows\system32\Lonpma32.exe81⤵PID:532
-
C:\Windows\SysWOW64\Lfhhjklc.exeC:\Windows\system32\Lfhhjklc.exe82⤵PID:2972
-
C:\Windows\SysWOW64\Lhfefgkg.exeC:\Windows\system32\Lhfefgkg.exe83⤵
- Modifies registry class
PID:2072 -
C:\Windows\SysWOW64\Lclicpkm.exeC:\Windows\system32\Lclicpkm.exe84⤵PID:3028
-
C:\Windows\SysWOW64\Ljfapjbi.exeC:\Windows\system32\Ljfapjbi.exe85⤵PID:2744
-
C:\Windows\SysWOW64\Lkgngb32.exeC:\Windows\system32\Lkgngb32.exe86⤵PID:2676
-
C:\Windows\SysWOW64\Lbafdlod.exeC:\Windows\system32\Lbafdlod.exe87⤵PID:3068
-
C:\Windows\SysWOW64\Lkjjma32.exeC:\Windows\system32\Lkjjma32.exe88⤵PID:2236
-
C:\Windows\SysWOW64\Lfoojj32.exeC:\Windows\system32\Lfoojj32.exe89⤵PID:2300
-
C:\Windows\SysWOW64\Lhnkffeo.exeC:\Windows\system32\Lhnkffeo.exe90⤵PID:764
-
C:\Windows\SysWOW64\Lklgbadb.exeC:\Windows\system32\Lklgbadb.exe91⤵
- Modifies registry class
PID:1740 -
C:\Windows\SysWOW64\Lqipkhbj.exeC:\Windows\system32\Lqipkhbj.exe92⤵PID:2112
-
C:\Windows\SysWOW64\Lhpglecl.exeC:\Windows\system32\Lhpglecl.exe93⤵PID:2148
-
C:\Windows\SysWOW64\Mbhlek32.exeC:\Windows\system32\Mbhlek32.exe94⤵PID:1548
-
C:\Windows\SysWOW64\Mcjhmcok.exeC:\Windows\system32\Mcjhmcok.exe95⤵
- System Location Discovery: System Language Discovery
PID:1768 -
C:\Windows\SysWOW64\Mqnifg32.exeC:\Windows\system32\Mqnifg32.exe96⤵PID:1712
-
C:\Windows\SysWOW64\Mdiefffn.exeC:\Windows\system32\Mdiefffn.exe97⤵PID:2008
-
C:\Windows\SysWOW64\Mnaiol32.exeC:\Windows\system32\Mnaiol32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2780 -
C:\Windows\SysWOW64\Mqpflg32.exeC:\Windows\system32\Mqpflg32.exe99⤵PID:3020
-
C:\Windows\SysWOW64\Mfmndn32.exeC:\Windows\system32\Mfmndn32.exe100⤵PID:2596
-
C:\Windows\SysWOW64\Mikjpiim.exeC:\Windows\system32\Mikjpiim.exe101⤵PID:2632
-
C:\Windows\SysWOW64\Mcqombic.exeC:\Windows\system32\Mcqombic.exe102⤵PID:1972
-
C:\Windows\SysWOW64\Mjkgjl32.exeC:\Windows\system32\Mjkgjl32.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1760 -
C:\Windows\SysWOW64\Mklcadfn.exeC:\Windows\system32\Mklcadfn.exe104⤵
- Modifies registry class
PID:2820 -
C:\Windows\SysWOW64\Mcckcbgp.exeC:\Windows\system32\Mcckcbgp.exe105⤵PID:1484
-
C:\Windows\SysWOW64\Nipdkieg.exeC:\Windows\system32\Nipdkieg.exe106⤵PID:468
-
C:\Windows\SysWOW64\Npjlhcmd.exeC:\Windows\system32\Npjlhcmd.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2144 -
C:\Windows\SysWOW64\Ngealejo.exeC:\Windows\system32\Ngealejo.exe108⤵PID:2040
-
C:\Windows\SysWOW64\Nbjeinje.exeC:\Windows\system32\Nbjeinje.exe109⤵PID:2808
-
C:\Windows\SysWOW64\Nlcibc32.exeC:\Windows\system32\Nlcibc32.exe110⤵
- Drops file in System32 directory
PID:2580 -
C:\Windows\SysWOW64\Napbjjom.exeC:\Windows\system32\Napbjjom.exe111⤵PID:2216
-
C:\Windows\SysWOW64\Njhfcp32.exeC:\Windows\system32\Njhfcp32.exe112⤵PID:1456
-
C:\Windows\SysWOW64\Nmfbpk32.exeC:\Windows\system32\Nmfbpk32.exe113⤵PID:1716
-
C:\Windows\SysWOW64\Nhlgmd32.exeC:\Windows\system32\Nhlgmd32.exe114⤵PID:2248
-
C:\Windows\SysWOW64\Omioekbo.exeC:\Windows\system32\Omioekbo.exe115⤵PID:1736
-
C:\Windows\SysWOW64\Omklkkpl.exeC:\Windows\system32\Omklkkpl.exe116⤵PID:1492
-
C:\Windows\SysWOW64\Opihgfop.exeC:\Windows\system32\Opihgfop.exe117⤵PID:1612
-
C:\Windows\SysWOW64\Obhdcanc.exeC:\Windows\system32\Obhdcanc.exe118⤵PID:2700
-
C:\Windows\SysWOW64\Oibmpl32.exeC:\Windows\system32\Oibmpl32.exe119⤵
- Modifies registry class
PID:2292 -
C:\Windows\SysWOW64\Odgamdef.exeC:\Windows\system32\Odgamdef.exe120⤵PID:1964
-
C:\Windows\SysWOW64\Ompefj32.exeC:\Windows\system32\Ompefj32.exe121⤵PID:1956
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-