Analysis
-
max time kernel
119s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
08-12-2024 00:14
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
a8805b08d42c40a4c44b76064b168341c771d19bcf04c95a3be0ab361e01cbcaN.exe
Resource
win7-20240903-en
windows7-x64
10 signatures
120 seconds
Behavioral task
behavioral2
Sample
a8805b08d42c40a4c44b76064b168341c771d19bcf04c95a3be0ab361e01cbcaN.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
120 seconds
General
-
Target
a8805b08d42c40a4c44b76064b168341c771d19bcf04c95a3be0ab361e01cbcaN.exe
-
Size
370KB
-
MD5
dd05ce7406403a0836f4a63a4855ad70
-
SHA1
faf18effc8512b8689c9cf896fae89d5aa4041ab
-
SHA256
a8805b08d42c40a4c44b76064b168341c771d19bcf04c95a3be0ab361e01cbca
-
SHA512
2557f31664ce20453cc53fa832b397d5017256d8e39892dc6709e5d38d0c6790de3c9faba1893db9d4916a838f8a7643a73b5649e8d1a1f13e62238ff838e776
-
SSDEEP
6144:3tc6QvBHtMYpNyGpNDU9fwRE5H2dpNonHd/twMLc2Ao2pEYTBFqZNjE1rhJg3htT:3+6uBHoqUfCyHJWx67fLx67E
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Llbqfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dcnqanhd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhdocl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogqaehak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pcnejk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Depbfhpe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkifdd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkdihhag.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcljmdmj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdqlajbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dlfgcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hgpjhn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hfcjdkpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kkjnnn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qnghel32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnhgim32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Liklhmom.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okojkf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Poeipifl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Idcacc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lqncaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oonldcih.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eaheeecg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfmndn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jcpkpe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlbgikia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qhmcmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ciohqa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clojhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Clojhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjmpbopd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Blchcpko.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfbbjpgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mjcaimgg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knhhaaki.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cedpbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eccpoo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qhmcmk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpfdhl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffaaoh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkbcbn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cljodo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmdnbecj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jolghndm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Joihjfnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pclhdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Elnqmd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onfoin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hldjnhce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Khcomhbi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Popeif32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhbnbpjc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ooabmbbe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgaaah32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omioekbo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egokonjc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Epgphcqd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hloiib32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jenpajfb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljghjpfe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ippdgc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nameek32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnfddp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilkpogmm.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2736 Bmclhi32.exe 2916 Bdmddc32.exe 2308 Bobhal32.exe 2656 Cinfhigl.exe 264 Cphndc32.exe 1588 Cpkkjc32.exe 2204 Cgdcgm32.exe 2344 Dcnqanhd.exe 1512 Dkiefp32.exe 2412 Dnjngk32.exe 2956 Dgbcpq32.exe 1184 Dlahng32.exe 2464 Eckpkamb.exe 1496 Eqamje32.exe 1064 Elhnof32.exe 1480 Ekpheb32.exe 1740 Fbjpblip.exe 1776 Fnqqgm32.exe 2380 Fncmmmma.exe 2104 Fmhjni32.exe 2000 Ffqofohj.exe 2100 Fiokbjgn.exe 1736 Ffcllo32.exe 2560 Gehhmkko.exe 2488 Gmoqnhla.exe 2752 Gldmoepi.exe 2184 Gnbjlpom.exe 2596 Gnefapmj.exe 2176 Geoonjeg.exe 2492 Hfbhkb32.exe 2232 Hnjplo32.exe 2480 Hpkldg32.exe 2932 Hmomml32.exe 2860 Hldjnhce.exe 1644 Hdkape32.exe 1940 Hpbbdfik.exe 1624 Hflkaq32.exe 1660 Ihmgiiff.exe 3008 Ieagbm32.exe 1964 Ilkpogmm.exe 1784 Ibehla32.exe 1128 Ikpmpc32.exe 1976 Iajemnia.exe 1688 Iefamlak.exe 1632 Ihdmihpn.exe 2040 Ikbifcpb.exe 560 Inafbooe.exe 2404 Idknoi32.exe 376 Ikefkcmo.exe 2908 Ipbocjlg.exe 1568 Jcpkpe32.exe 2920 Jjjclobg.exe 3064 Jdpgjhbm.exe 1728 Jgncfcaa.exe 2272 Jjmpbopd.exe 2512 Jlklnjoh.exe 2880 Joihjfnl.exe 2924 Jfcqgpfi.exe 1076 Jhamckel.exe 1340 Jhdihkcj.exe 2196 Jonbee32.exe 468 Jblnaq32.exe 3020 Jdkjnl32.exe 2168 Jlbboiip.exe -
Loads dropped DLL 64 IoCs
pid Process 2844 a8805b08d42c40a4c44b76064b168341c771d19bcf04c95a3be0ab361e01cbcaN.exe 2844 a8805b08d42c40a4c44b76064b168341c771d19bcf04c95a3be0ab361e01cbcaN.exe 2736 Bmclhi32.exe 2736 Bmclhi32.exe 2916 Bdmddc32.exe 2916 Bdmddc32.exe 2308 Bobhal32.exe 2308 Bobhal32.exe 2656 Cinfhigl.exe 2656 Cinfhigl.exe 264 Cphndc32.exe 264 Cphndc32.exe 1588 Cpkkjc32.exe 1588 Cpkkjc32.exe 2204 Cgdcgm32.exe 2204 Cgdcgm32.exe 2344 Dcnqanhd.exe 2344 Dcnqanhd.exe 1512 Dkiefp32.exe 1512 Dkiefp32.exe 2412 Dnjngk32.exe 2412 Dnjngk32.exe 2956 Dgbcpq32.exe 2956 Dgbcpq32.exe 1184 Dlahng32.exe 1184 Dlahng32.exe 2464 Eckpkamb.exe 2464 Eckpkamb.exe 1496 Eqamje32.exe 1496 Eqamje32.exe 1064 Elhnof32.exe 1064 Elhnof32.exe 1480 Ekpheb32.exe 1480 Ekpheb32.exe 1740 Fbjpblip.exe 1740 Fbjpblip.exe 1776 Fnqqgm32.exe 1776 Fnqqgm32.exe 2380 Fncmmmma.exe 2380 Fncmmmma.exe 2104 Fmhjni32.exe 2104 Fmhjni32.exe 2000 Ffqofohj.exe 2000 Ffqofohj.exe 2100 Fiokbjgn.exe 2100 Fiokbjgn.exe 1736 Ffcllo32.exe 1736 Ffcllo32.exe 2560 Gehhmkko.exe 2560 Gehhmkko.exe 2488 Gmoqnhla.exe 2488 Gmoqnhla.exe 2752 Gldmoepi.exe 2752 Gldmoepi.exe 2184 Gnbjlpom.exe 2184 Gnbjlpom.exe 2596 Gnefapmj.exe 2596 Gnefapmj.exe 2176 Geoonjeg.exe 2176 Geoonjeg.exe 2492 Hfbhkb32.exe 2492 Hfbhkb32.exe 2232 Hnjplo32.exe 2232 Hnjplo32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Afhgaocl.dll Fjhcegll.exe File created C:\Windows\SysWOW64\Fcbecl32.exe Fqdiga32.exe File opened for modification C:\Windows\SysWOW64\Bmbgfkje.exe Bbmcibjp.exe File opened for modification C:\Windows\SysWOW64\Ijklknbn.exe Ihmpobck.exe File opened for modification C:\Windows\SysWOW64\Nmejllia.exe Nijnln32.exe File created C:\Windows\SysWOW64\Pgegok32.exe Pdgkco32.exe File created C:\Windows\SysWOW64\Pknedeoi.dll Dhiomn32.exe File created C:\Windows\SysWOW64\Lflhon32.dll Omklkkpl.exe File created C:\Windows\SysWOW64\Efeckm32.dll Cchbgi32.exe File created C:\Windows\SysWOW64\Nqnpei32.dll Iplnnd32.exe File created C:\Windows\SysWOW64\Npjlhcmd.exe Nmkplgnq.exe File created C:\Windows\SysWOW64\Oiljam32.exe Nbbbdcgi.exe File created C:\Windows\SysWOW64\Jclnhnji.dll Bjbeofpp.exe File opened for modification C:\Windows\SysWOW64\Gcjbna32.exe Gqlebf32.exe File created C:\Windows\SysWOW64\Hnkion32.exe Hmjlhfof.exe File created C:\Windows\SysWOW64\Lpdonf32.dll Khkbbc32.exe File created C:\Windows\SysWOW64\Lklgbadb.exe Lgqkbb32.exe File created C:\Windows\SysWOW64\Dekolhln.dll Eckpkamb.exe File opened for modification C:\Windows\SysWOW64\Inafbooe.exe Ikbifcpb.exe File created C:\Windows\SysWOW64\Ioiepeog.dll Mlhnifmq.exe File opened for modification C:\Windows\SysWOW64\Meicnm32.exe Mmakmp32.exe File created C:\Windows\SysWOW64\Ianinp32.dll Pdihiook.exe File created C:\Windows\SysWOW64\Iihiphln.exe Ihglhp32.exe File created C:\Windows\SysWOW64\Jfkgbapp.dll Onfoin32.exe File created C:\Windows\SysWOW64\Adlcfjgh.exe Anbkipok.exe File created C:\Windows\SysWOW64\Gbnbjo32.dll Bjbndpmd.exe File opened for modification C:\Windows\SysWOW64\Pomhcg32.exe Ppkhhjei.exe File opened for modification C:\Windows\SysWOW64\Ggicgopd.exe Gfhgpg32.exe File opened for modification C:\Windows\SysWOW64\Mlhnifmq.exe Mijamjnm.exe File opened for modification C:\Windows\SysWOW64\Njbdea32.exe Nfghdcfj.exe File created C:\Windows\SysWOW64\Pphkbj32.exe Pincfpoo.exe File opened for modification C:\Windows\SysWOW64\Popeif32.exe Pkdihhag.exe File opened for modification C:\Windows\SysWOW64\Anjlebjc.exe Agpcihcf.exe File created C:\Windows\SysWOW64\Hjlioj32.exe Gcbabpcf.exe File created C:\Windows\SysWOW64\Gnbjlpom.exe Gldmoepi.exe File created C:\Windows\SysWOW64\Ddlfji32.dll Jdcmbgkj.exe File opened for modification C:\Windows\SysWOW64\Nbhhdnlh.exe Npjlhcmd.exe File opened for modification C:\Windows\SysWOW64\Oemegc32.exe Ocohkh32.exe File created C:\Windows\SysWOW64\Eeiead32.dll Lngnfnji.exe File opened for modification C:\Windows\SysWOW64\Qhmcmk32.exe Qackpado.exe File opened for modification C:\Windows\SysWOW64\Bjebdfnn.exe Bkbaii32.exe File created C:\Windows\SysWOW64\Pqgono32.dll Dogpdg32.exe File opened for modification C:\Windows\SysWOW64\Lmdkcl32.exe Ljfogake.exe File created C:\Windows\SysWOW64\Mlkail32.exe Mmhamoho.exe File created C:\Windows\SysWOW64\Pbjdnlob.dll Iihiphln.exe File created C:\Windows\SysWOW64\Knkgpi32.exe Kjokokha.exe File opened for modification C:\Windows\SysWOW64\Dkiefp32.exe Dcnqanhd.exe File created C:\Windows\SysWOW64\Accpqnab.dll Necogkbo.exe File created C:\Windows\SysWOW64\Daipqhdg.exe Dpgcip32.exe File opened for modification C:\Windows\SysWOW64\Bbjmpcab.exe Bjbeofpp.exe File opened for modification C:\Windows\SysWOW64\Cgdcgm32.exe Cpkkjc32.exe File created C:\Windows\SysWOW64\Nemnfnhd.dll Jjmpbopd.exe File created C:\Windows\SysWOW64\Goknhdma.dll Cfeepelg.exe File opened for modification C:\Windows\SysWOW64\Qndigd32.exe Qfmafg32.exe File created C:\Windows\SysWOW64\Olmcchlg.exe Oagoep32.exe File created C:\Windows\SysWOW64\Acqnnndl.exe Aennba32.exe File opened for modification C:\Windows\SysWOW64\Kaompi32.exe Koaqcn32.exe File opened for modification C:\Windows\SysWOW64\Khkbbc32.exe Knfndjdp.exe File created C:\Windows\SysWOW64\Femijbfb.dll Mcjhmcok.exe File opened for modification C:\Windows\SysWOW64\Bbgqjdce.exe Bnldjekl.exe File created C:\Windows\SysWOW64\Cbgmigeq.exe Ccdmnj32.exe File opened for modification C:\Windows\SysWOW64\Clojhf32.exe Cchbgi32.exe File created C:\Windows\SysWOW64\Ddbdee32.dll Mlkail32.exe File created C:\Windows\SysWOW64\Mjkgjl32.exe Mfokinhf.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 8120 8044 WerFault.exe 810 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elhnof32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdpldi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Noogpfjh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aidphq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lneaqn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hflkaq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilkpogmm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cepfgdnj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elnqmd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gqlebf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Helgmg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enlidg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kaompi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kklikejc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cojhejbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Daipqhdg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcjeon32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anlhkbhq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbbgod32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dogpdg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oippjl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omnipjni.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aggiigmn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdmhbplb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gqahqd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcbabpcf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkgahoel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdkjnl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klehgh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Daofpchf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjjpjgjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpphhp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bccmmf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dllhhaep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iegjqk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfnoogbo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knkgpi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Loqmba32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgegok32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfccei32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgoopkgh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpgcip32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcjbna32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pahogc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cafgle32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmbmeifk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bffbdadk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddliip32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifampo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chfbgn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihniaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipeaco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Meffhnal.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocohkh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgmeid32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eaheeecg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnheohcl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nefdpjkl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlklnjoh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmfdhojb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhgkil32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdihiook.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lldmleam.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pepcelel.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmoogf32.dll" Najpll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iidobe32.dll" Pepcelel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcabof32.dll" Inafbooe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Acqnnndl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Biolanld.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jjjclobg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nfidjbdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jodhdp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kcopdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljecmgch.dll" Aojojl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckolek32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bjbeofpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpnidcen.dll" Cbgmigeq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Paknelgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bdmddc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdcpnn32.dll" Mjekfd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bfdenafn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jdkjnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Odgodl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffbafegj.dll" Aqmamm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kblikadd.dll" Phcilf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbndia32.dll" Dnjngk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Behilopf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qobbofgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjmagfog.dll" Qaqnkafa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aijbfo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lfhhjklc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bccjdnbi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nlfmbibo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dmmmfc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ghajacmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jpogbgmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Khlili32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkofeknc.dll" Mejlalji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ahebaiac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Calcpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Daehjl32.dll" Bplhnoej.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fcjeon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Chfbgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Padeldeo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gqlebf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jkhldafl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ddblgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfocegkg.dll" Eejopecj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pcnejk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gcjbna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ddliip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cejmcm32.dll" Bbbgod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kkgahoel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpdidmdg.dll" Nameek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ohnaik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Danmmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Olkfmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kojpahgg.dll" Okdmjdol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dofhhgce.dll" Lklgbadb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gldmoepi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Libmpn32.dll" Iigpli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kkoncdcp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jlkngc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bqgmfkhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cheido32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqbbglbj.dll" Kcopdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bflbhgjm.dll" Ceeieced.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cfhkhd32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2844 wrote to memory of 2736 2844 a8805b08d42c40a4c44b76064b168341c771d19bcf04c95a3be0ab361e01cbcaN.exe 30 PID 2844 wrote to memory of 2736 2844 a8805b08d42c40a4c44b76064b168341c771d19bcf04c95a3be0ab361e01cbcaN.exe 30 PID 2844 wrote to memory of 2736 2844 a8805b08d42c40a4c44b76064b168341c771d19bcf04c95a3be0ab361e01cbcaN.exe 30 PID 2844 wrote to memory of 2736 2844 a8805b08d42c40a4c44b76064b168341c771d19bcf04c95a3be0ab361e01cbcaN.exe 30 PID 2736 wrote to memory of 2916 2736 Bmclhi32.exe 31 PID 2736 wrote to memory of 2916 2736 Bmclhi32.exe 31 PID 2736 wrote to memory of 2916 2736 Bmclhi32.exe 31 PID 2736 wrote to memory of 2916 2736 Bmclhi32.exe 31 PID 2916 wrote to memory of 2308 2916 Bdmddc32.exe 32 PID 2916 wrote to memory of 2308 2916 Bdmddc32.exe 32 PID 2916 wrote to memory of 2308 2916 Bdmddc32.exe 32 PID 2916 wrote to memory of 2308 2916 Bdmddc32.exe 32 PID 2308 wrote to memory of 2656 2308 Bobhal32.exe 33 PID 2308 wrote to memory of 2656 2308 Bobhal32.exe 33 PID 2308 wrote to memory of 2656 2308 Bobhal32.exe 33 PID 2308 wrote to memory of 2656 2308 Bobhal32.exe 33 PID 2656 wrote to memory of 264 2656 Cinfhigl.exe 34 PID 2656 wrote to memory of 264 2656 Cinfhigl.exe 34 PID 2656 wrote to memory of 264 2656 Cinfhigl.exe 34 PID 2656 wrote to memory of 264 2656 Cinfhigl.exe 34 PID 264 wrote to memory of 1588 264 Cphndc32.exe 35 PID 264 wrote to memory of 1588 264 Cphndc32.exe 35 PID 264 wrote to memory of 1588 264 Cphndc32.exe 35 PID 264 wrote to memory of 1588 264 Cphndc32.exe 35 PID 1588 wrote to memory of 2204 1588 Cpkkjc32.exe 36 PID 1588 wrote to memory of 2204 1588 Cpkkjc32.exe 36 PID 1588 wrote to memory of 2204 1588 Cpkkjc32.exe 36 PID 1588 wrote to memory of 2204 1588 Cpkkjc32.exe 36 PID 2204 wrote to memory of 2344 2204 Cgdcgm32.exe 37 PID 2204 wrote to memory of 2344 2204 Cgdcgm32.exe 37 PID 2204 wrote to memory of 2344 2204 Cgdcgm32.exe 37 PID 2204 wrote to memory of 2344 2204 Cgdcgm32.exe 37 PID 2344 wrote to memory of 1512 2344 Dcnqanhd.exe 38 PID 2344 wrote to memory of 1512 2344 Dcnqanhd.exe 38 PID 2344 wrote to memory of 1512 2344 Dcnqanhd.exe 38 PID 2344 wrote to memory of 1512 2344 Dcnqanhd.exe 38 PID 1512 wrote to memory of 2412 1512 Dkiefp32.exe 39 PID 1512 wrote to memory of 2412 1512 Dkiefp32.exe 39 PID 1512 wrote to memory of 2412 1512 Dkiefp32.exe 39 PID 1512 wrote to memory of 2412 1512 Dkiefp32.exe 39 PID 2412 wrote to memory of 2956 2412 Dnjngk32.exe 40 PID 2412 wrote to memory of 2956 2412 Dnjngk32.exe 40 PID 2412 wrote to memory of 2956 2412 Dnjngk32.exe 40 PID 2412 wrote to memory of 2956 2412 Dnjngk32.exe 40 PID 2956 wrote to memory of 1184 2956 Dgbcpq32.exe 41 PID 2956 wrote to memory of 1184 2956 Dgbcpq32.exe 41 PID 2956 wrote to memory of 1184 2956 Dgbcpq32.exe 41 PID 2956 wrote to memory of 1184 2956 Dgbcpq32.exe 41 PID 1184 wrote to memory of 2464 1184 Dlahng32.exe 42 PID 1184 wrote to memory of 2464 1184 Dlahng32.exe 42 PID 1184 wrote to memory of 2464 1184 Dlahng32.exe 42 PID 1184 wrote to memory of 2464 1184 Dlahng32.exe 42 PID 2464 wrote to memory of 1496 2464 Eckpkamb.exe 43 PID 2464 wrote to memory of 1496 2464 Eckpkamb.exe 43 PID 2464 wrote to memory of 1496 2464 Eckpkamb.exe 43 PID 2464 wrote to memory of 1496 2464 Eckpkamb.exe 43 PID 1496 wrote to memory of 1064 1496 Eqamje32.exe 44 PID 1496 wrote to memory of 1064 1496 Eqamje32.exe 44 PID 1496 wrote to memory of 1064 1496 Eqamje32.exe 44 PID 1496 wrote to memory of 1064 1496 Eqamje32.exe 44 PID 1064 wrote to memory of 1480 1064 Elhnof32.exe 45 PID 1064 wrote to memory of 1480 1064 Elhnof32.exe 45 PID 1064 wrote to memory of 1480 1064 Elhnof32.exe 45 PID 1064 wrote to memory of 1480 1064 Elhnof32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\a8805b08d42c40a4c44b76064b168341c771d19bcf04c95a3be0ab361e01cbcaN.exe"C:\Users\Admin\AppData\Local\Temp\a8805b08d42c40a4c44b76064b168341c771d19bcf04c95a3be0ab361e01cbcaN.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2844 -
C:\Windows\SysWOW64\Bmclhi32.exeC:\Windows\system32\Bmclhi32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Windows\SysWOW64\Bdmddc32.exeC:\Windows\system32\Bdmddc32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2916 -
C:\Windows\SysWOW64\Bobhal32.exeC:\Windows\system32\Bobhal32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2308 -
C:\Windows\SysWOW64\Cinfhigl.exeC:\Windows\system32\Cinfhigl.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2656 -
C:\Windows\SysWOW64\Cphndc32.exeC:\Windows\system32\Cphndc32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:264 -
C:\Windows\SysWOW64\Cpkkjc32.exeC:\Windows\system32\Cpkkjc32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1588 -
C:\Windows\SysWOW64\Cgdcgm32.exeC:\Windows\system32\Cgdcgm32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2204 -
C:\Windows\SysWOW64\Dcnqanhd.exeC:\Windows\system32\Dcnqanhd.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2344 -
C:\Windows\SysWOW64\Dkiefp32.exeC:\Windows\system32\Dkiefp32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1512 -
C:\Windows\SysWOW64\Dnjngk32.exeC:\Windows\system32\Dnjngk32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2412 -
C:\Windows\SysWOW64\Dgbcpq32.exeC:\Windows\system32\Dgbcpq32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2956 -
C:\Windows\SysWOW64\Dlahng32.exeC:\Windows\system32\Dlahng32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1184 -
C:\Windows\SysWOW64\Eckpkamb.exeC:\Windows\system32\Eckpkamb.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2464 -
C:\Windows\SysWOW64\Eqamje32.exeC:\Windows\system32\Eqamje32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1496 -
C:\Windows\SysWOW64\Elhnof32.exeC:\Windows\system32\Elhnof32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1064 -
C:\Windows\SysWOW64\Ekpheb32.exeC:\Windows\system32\Ekpheb32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1480 -
C:\Windows\SysWOW64\Fbjpblip.exeC:\Windows\system32\Fbjpblip.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1740 -
C:\Windows\SysWOW64\Fnqqgm32.exeC:\Windows\system32\Fnqqgm32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1776 -
C:\Windows\SysWOW64\Fncmmmma.exeC:\Windows\system32\Fncmmmma.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2380 -
C:\Windows\SysWOW64\Fmhjni32.exeC:\Windows\system32\Fmhjni32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2104 -
C:\Windows\SysWOW64\Ffqofohj.exeC:\Windows\system32\Ffqofohj.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2000 -
C:\Windows\SysWOW64\Fiokbjgn.exeC:\Windows\system32\Fiokbjgn.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2100 -
C:\Windows\SysWOW64\Ffcllo32.exeC:\Windows\system32\Ffcllo32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1736 -
C:\Windows\SysWOW64\Gehhmkko.exeC:\Windows\system32\Gehhmkko.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2560 -
C:\Windows\SysWOW64\Gmoqnhla.exeC:\Windows\system32\Gmoqnhla.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2488 -
C:\Windows\SysWOW64\Gldmoepi.exeC:\Windows\system32\Gldmoepi.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2752 -
C:\Windows\SysWOW64\Gnbjlpom.exeC:\Windows\system32\Gnbjlpom.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2184 -
C:\Windows\SysWOW64\Gnefapmj.exeC:\Windows\system32\Gnefapmj.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2596 -
C:\Windows\SysWOW64\Geoonjeg.exeC:\Windows\system32\Geoonjeg.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2176 -
C:\Windows\SysWOW64\Hfbhkb32.exeC:\Windows\system32\Hfbhkb32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2492 -
C:\Windows\SysWOW64\Hnjplo32.exeC:\Windows\system32\Hnjplo32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2232 -
C:\Windows\SysWOW64\Hpkldg32.exeC:\Windows\system32\Hpkldg32.exe33⤵
- Executes dropped EXE
PID:2480 -
C:\Windows\SysWOW64\Hmomml32.exeC:\Windows\system32\Hmomml32.exe34⤵
- Executes dropped EXE
PID:2932 -
C:\Windows\SysWOW64\Hldjnhce.exeC:\Windows\system32\Hldjnhce.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2860 -
C:\Windows\SysWOW64\Hdkape32.exeC:\Windows\system32\Hdkape32.exe36⤵
- Executes dropped EXE
PID:1644 -
C:\Windows\SysWOW64\Hpbbdfik.exeC:\Windows\system32\Hpbbdfik.exe37⤵
- Executes dropped EXE
PID:1940 -
C:\Windows\SysWOW64\Hflkaq32.exeC:\Windows\system32\Hflkaq32.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1624 -
C:\Windows\SysWOW64\Ihmgiiff.exeC:\Windows\system32\Ihmgiiff.exe39⤵
- Executes dropped EXE
PID:1660 -
C:\Windows\SysWOW64\Ieagbm32.exeC:\Windows\system32\Ieagbm32.exe40⤵
- Executes dropped EXE
PID:3008 -
C:\Windows\SysWOW64\Ilkpogmm.exeC:\Windows\system32\Ilkpogmm.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1964 -
C:\Windows\SysWOW64\Ibehla32.exeC:\Windows\system32\Ibehla32.exe42⤵
- Executes dropped EXE
PID:1784 -
C:\Windows\SysWOW64\Ikpmpc32.exeC:\Windows\system32\Ikpmpc32.exe43⤵
- Executes dropped EXE
PID:1128 -
C:\Windows\SysWOW64\Iajemnia.exeC:\Windows\system32\Iajemnia.exe44⤵
- Executes dropped EXE
PID:1976 -
C:\Windows\SysWOW64\Iefamlak.exeC:\Windows\system32\Iefamlak.exe45⤵
- Executes dropped EXE
PID:1688 -
C:\Windows\SysWOW64\Ihdmihpn.exeC:\Windows\system32\Ihdmihpn.exe46⤵
- Executes dropped EXE
PID:1632 -
C:\Windows\SysWOW64\Ikbifcpb.exeC:\Windows\system32\Ikbifcpb.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2040 -
C:\Windows\SysWOW64\Inafbooe.exeC:\Windows\system32\Inafbooe.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:560 -
C:\Windows\SysWOW64\Idknoi32.exeC:\Windows\system32\Idknoi32.exe49⤵
- Executes dropped EXE
PID:2404 -
C:\Windows\SysWOW64\Ikefkcmo.exeC:\Windows\system32\Ikefkcmo.exe50⤵
- Executes dropped EXE
PID:376 -
C:\Windows\SysWOW64\Ipbocjlg.exeC:\Windows\system32\Ipbocjlg.exe51⤵
- Executes dropped EXE
PID:2908 -
C:\Windows\SysWOW64\Jcpkpe32.exeC:\Windows\system32\Jcpkpe32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1568 -
C:\Windows\SysWOW64\Jjjclobg.exeC:\Windows\system32\Jjjclobg.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:2920 -
C:\Windows\SysWOW64\Jdpgjhbm.exeC:\Windows\system32\Jdpgjhbm.exe54⤵
- Executes dropped EXE
PID:3064 -
C:\Windows\SysWOW64\Jgncfcaa.exeC:\Windows\system32\Jgncfcaa.exe55⤵
- Executes dropped EXE
PID:1728 -
C:\Windows\SysWOW64\Jjmpbopd.exeC:\Windows\system32\Jjmpbopd.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2272 -
C:\Windows\SysWOW64\Jlklnjoh.exeC:\Windows\system32\Jlklnjoh.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2512 -
C:\Windows\SysWOW64\Joihjfnl.exeC:\Windows\system32\Joihjfnl.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2880 -
C:\Windows\SysWOW64\Jfcqgpfi.exeC:\Windows\system32\Jfcqgpfi.exe59⤵
- Executes dropped EXE
PID:2924 -
C:\Windows\SysWOW64\Jhamckel.exeC:\Windows\system32\Jhamckel.exe60⤵
- Executes dropped EXE
PID:1076 -
C:\Windows\SysWOW64\Jhdihkcj.exeC:\Windows\system32\Jhdihkcj.exe61⤵
- Executes dropped EXE
PID:1340 -
C:\Windows\SysWOW64\Jonbee32.exeC:\Windows\system32\Jonbee32.exe62⤵
- Executes dropped EXE
PID:2196 -
C:\Windows\SysWOW64\Jblnaq32.exeC:\Windows\system32\Jblnaq32.exe63⤵
- Executes dropped EXE
PID:468 -
C:\Windows\SysWOW64\Jdkjnl32.exeC:\Windows\system32\Jdkjnl32.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3020 -
C:\Windows\SysWOW64\Jlbboiip.exeC:\Windows\system32\Jlbboiip.exe65⤵
- Executes dropped EXE
PID:2168 -
C:\Windows\SysWOW64\Kncofa32.exeC:\Windows\system32\Kncofa32.exe66⤵PID:2336
-
C:\Windows\SysWOW64\Kfjggo32.exeC:\Windows\system32\Kfjggo32.exe67⤵PID:1908
-
C:\Windows\SysWOW64\Kkgopf32.exeC:\Windows\system32\Kkgopf32.exe68⤵PID:2688
-
C:\Windows\SysWOW64\Kqdhhm32.exeC:\Windows\system32\Kqdhhm32.exe69⤵PID:1564
-
C:\Windows\SysWOW64\Kgnpeg32.exeC:\Windows\system32\Kgnpeg32.exe70⤵PID:2748
-
C:\Windows\SysWOW64\Knhhaaki.exeC:\Windows\system32\Knhhaaki.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2648 -
C:\Windows\SysWOW64\Kceqjhiq.exeC:\Windows\system32\Kceqjhiq.exe72⤵PID:3060
-
C:\Windows\SysWOW64\Kklikejc.exeC:\Windows\system32\Kklikejc.exe73⤵
- System Location Discovery: System Language Discovery
PID:2460 -
C:\Windows\SysWOW64\Kqiaclhj.exeC:\Windows\system32\Kqiaclhj.exe74⤵PID:2624
-
C:\Windows\SysWOW64\Kcgmoggn.exeC:\Windows\system32\Kcgmoggn.exe75⤵PID:1592
-
C:\Windows\SysWOW64\Kfeikcfa.exeC:\Windows\system32\Kfeikcfa.exe76⤵PID:1824
-
C:\Windows\SysWOW64\Knmamp32.exeC:\Windows\system32\Knmamp32.exe77⤵PID:2820
-
C:\Windows\SysWOW64\Konndhmb.exeC:\Windows\system32\Konndhmb.exe78⤵PID:2060
-
C:\Windows\SysWOW64\Kgefefnd.exeC:\Windows\system32\Kgefefnd.exe79⤵PID:2316
-
C:\Windows\SysWOW64\Lifbmn32.exeC:\Windows\system32\Lifbmn32.exe80⤵PID:1912
-
C:\Windows\SysWOW64\Lopkjhko.exeC:\Windows\system32\Lopkjhko.exe81⤵PID:2468
-
C:\Windows\SysWOW64\Lbogfcjc.exeC:\Windows\system32\Lbogfcjc.exe82⤵PID:1840
-
C:\Windows\SysWOW64\Ljfogake.exeC:\Windows\system32\Ljfogake.exe83⤵
- Drops file in System32 directory
PID:1948 -
C:\Windows\SysWOW64\Lmdkcl32.exeC:\Windows\system32\Lmdkcl32.exe84⤵PID:1712
-
C:\Windows\SysWOW64\Lobgoh32.exeC:\Windows\system32\Lobgoh32.exe85⤵PID:2552
-
C:\Windows\SysWOW64\Lflplbpi.exeC:\Windows\system32\Lflplbpi.exe86⤵PID:2396
-
C:\Windows\SysWOW64\Liklhmom.exeC:\Windows\system32\Liklhmom.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2708 -
C:\Windows\SysWOW64\Lnhdqdnd.exeC:\Windows\system32\Lnhdqdnd.exe88⤵PID:2640
-
C:\Windows\SysWOW64\Leammn32.exeC:\Windows\system32\Leammn32.exe89⤵PID:2636
-
C:\Windows\SysWOW64\Lgpiij32.exeC:\Windows\system32\Lgpiij32.exe90⤵PID:592
-
C:\Windows\SysWOW64\Lpgajgeg.exeC:\Windows\system32\Lpgajgeg.exe91⤵PID:2132
-
C:\Windows\SysWOW64\Lgbeoibb.exeC:\Windows\system32\Lgbeoibb.exe92⤵PID:2960
-
C:\Windows\SysWOW64\Ljabkeaf.exeC:\Windows\system32\Ljabkeaf.exe93⤵PID:296
-
C:\Windows\SysWOW64\Mbhjlbbh.exeC:\Windows\system32\Mbhjlbbh.exe94⤵PID:1464
-
C:\Windows\SysWOW64\Meffhnal.exeC:\Windows\system32\Meffhnal.exe95⤵
- System Location Discovery: System Language Discovery
PID:1080 -
C:\Windows\SysWOW64\Mlpneh32.exeC:\Windows\system32\Mlpneh32.exe96⤵PID:1844
-
C:\Windows\SysWOW64\Mmakmp32.exeC:\Windows\system32\Mmakmp32.exe97⤵
- Drops file in System32 directory
PID:844 -
C:\Windows\SysWOW64\Meicnm32.exeC:\Windows\system32\Meicnm32.exe98⤵PID:1292
-
C:\Windows\SysWOW64\Mjekfd32.exeC:\Windows\system32\Mjekfd32.exe99⤵
- Modifies registry class
PID:2400 -
C:\Windows\SysWOW64\Mapccndn.exeC:\Windows\system32\Mapccndn.exe100⤵PID:1988
-
C:\Windows\SysWOW64\Mfllkece.exeC:\Windows\system32\Mfllkece.exe101⤵PID:1620
-
C:\Windows\SysWOW64\Mmfdhojb.exeC:\Windows\system32\Mmfdhojb.exe102⤵
- System Location Discovery: System Language Discovery
PID:2984 -
C:\Windows\SysWOW64\Mdpldi32.exeC:\Windows\system32\Mdpldi32.exe103⤵
- System Location Discovery: System Language Discovery
PID:2580 -
C:\Windows\SysWOW64\Mfoiqe32.exeC:\Windows\system32\Mfoiqe32.exe104⤵PID:3068
-
C:\Windows\SysWOW64\Mmhamoho.exeC:\Windows\system32\Mmhamoho.exe105⤵
- Drops file in System32 directory
PID:2680 -
C:\Windows\SysWOW64\Mlkail32.exeC:\Windows\system32\Mlkail32.exe106⤵
- Drops file in System32 directory
PID:320 -
C:\Windows\SysWOW64\Mbeiefff.exeC:\Windows\system32\Mbeiefff.exe107⤵PID:2420
-
C:\Windows\SysWOW64\Medeaaej.exeC:\Windows\system32\Medeaaej.exe108⤵PID:2340
-
C:\Windows\SysWOW64\Nlnnnk32.exeC:\Windows\system32\Nlnnnk32.exe109⤵PID:2948
-
C:\Windows\SysWOW64\Noljjglk.exeC:\Windows\system32\Noljjglk.exe110⤵PID:2180
-
C:\Windows\SysWOW64\Nefbga32.exeC:\Windows\system32\Nefbga32.exe111⤵PID:2928
-
C:\Windows\SysWOW64\Nhdocl32.exeC:\Windows\system32\Nhdocl32.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:624 -
C:\Windows\SysWOW64\Noogpfjh.exeC:\Windows\system32\Noogpfjh.exe113⤵
- System Location Discovery: System Language Discovery
PID:1468 -
C:\Windows\SysWOW64\Nbjcqe32.exeC:\Windows\system32\Nbjcqe32.exe114⤵PID:268
-
C:\Windows\SysWOW64\Nhgkil32.exeC:\Windows\system32\Nhgkil32.exe115⤵
- System Location Discovery: System Language Discovery
PID:840 -
C:\Windows\SysWOW64\Nlbgikia.exeC:\Windows\system32\Nlbgikia.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1440 -
C:\Windows\SysWOW64\Nblpfepo.exeC:\Windows\system32\Nblpfepo.exe117⤵PID:1744
-
C:\Windows\SysWOW64\Neklbppb.exeC:\Windows\system32\Neklbppb.exe118⤵PID:1560
-
C:\Windows\SysWOW64\Nledoj32.exeC:\Windows\system32\Nledoj32.exe119⤵PID:2812
-
C:\Windows\SysWOW64\Nocpkf32.exeC:\Windows\system32\Nocpkf32.exe120⤵PID:2136
-
C:\Windows\SysWOW64\Nemhhpmp.exeC:\Windows\system32\Nemhhpmp.exe121⤵PID:1852
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-