Analysis
max time kernel: 91s
max time network: 93s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 22-12-2024 12:29

Static task: static1

Behavioral task: behavioral1
  Sample: ce7928577de2a9731fbae8131746dd935a2440e70f9b320e49d34d942fc75e80N.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: ce7928577de2a9731fbae8131746dd935a2440e70f9b320e49d34d942fc75e80N.exe
  Resource: win10v2004-20241007-en
General
Target: ce7928577de2a9731fbae8131746dd935a2440e70f9b320e49d34d942fc75e80N.exe
Size: 890KB
MD5: 9b8a65bf2d34c0d25f9f94521f53ca80
SHA1: 46d64c1d27a8ba42a1d1043d1c6ad44174879beb
SHA256: ce7928577de2a9731fbae8131746dd935a2440e70f9b320e49d34d942fc75e80
SHA512: 33ca3c2ae853ef4c16cc1e9619d5a2cede5b0b0af3f7547febbb3ab6b2b7db4117ccbc1eb19ec95581076d76b7c885b9e4fe49679af07c55f15ca8c382c01f90
SSDEEP: 6144:1/6btox7PQ///NR5fKr2n0MO3LPlkUCmVs5bPQ///NR5frdQt383PQ///NR5fKrd:1/hs/Ng1/Nmr/Ng1/Nblt01PBNkEi
Malware Config
Extracted: berbew
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Berbew family
Executes dropped EXE (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)
pid   pid_target  Process       procid_target
5312  13432       WerFault.exe  785
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 1 IoC)
Adversaries may check for Internet connectivity on compromised systems.
pid   Process
7548  Acping32.exe
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ce7928577de2a9731fbae8131746dd935a2440e70f9b320e49d34d942fc75e80N.exe"C:\Users\Admin\AppData\Local\Temp\ce7928577de2a9731fbae8131746dd935a2440e70f9b320e49d34d942fc75e80N.exe"1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3884 -
C:\Windows\SysWOW64\Ldeohh32.exeC:\Windows\system32\Ldeohh32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3348 -
C:\Windows\SysWOW64\Lfckdcoe.exeC:\Windows\system32\Lfckdcoe.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3536 -
C:\Windows\SysWOW64\Llbpbjlj.exeC:\Windows\system32\Llbpbjlj.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3396 -
C:\Windows\SysWOW64\Llemgj32.exeC:\Windows\system32\Llemgj32.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:972 -
C:\Windows\SysWOW64\Mpcenhpn.exeC:\Windows\system32\Mpcenhpn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4944 -
C:\Windows\SysWOW64\Mcabjcoa.exeC:\Windows\system32\Mcabjcoa.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:892 -
C:\Windows\SysWOW64\Mgokpbeh.exeC:\Windows\system32\Mgokpbeh.exe8⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3544 -
C:\Windows\SysWOW64\Mgageace.exeC:\Windows\system32\Mgageace.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4828 -
C:\Windows\SysWOW64\Megdfnhm.exeC:\Windows\system32\Megdfnhm.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4716 -
C:\Windows\SysWOW64\Mplhdghc.exeC:\Windows\system32\Mplhdghc.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4444 -
C:\Windows\SysWOW64\Ngfqqa32.exeC:\Windows\system32\Ngfqqa32.exe12⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4676 -
C:\Windows\SysWOW64\Nidmml32.exeC:\Windows\system32\Nidmml32.exe13⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4884 -
C:\Windows\SysWOW64\Nlciih32.exeC:\Windows\system32\Nlciih32.exe14⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1284 -
C:\Windows\SysWOW64\Npoeif32.exeC:\Windows\system32\Npoeif32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:876 -
C:\Windows\SysWOW64\Ncmaeb32.exeC:\Windows\system32\Ncmaeb32.exe16⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4200 -
C:\Windows\SysWOW64\Nghmfqmm.exeC:\Windows\system32\Nghmfqmm.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4972 -
C:\Windows\SysWOW64\Njgjbllq.exeC:\Windows\system32\Njgjbllq.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3316 -
C:\Windows\SysWOW64\Nnbebk32.exeC:\Windows\system32\Nnbebk32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2800 -
C:\Windows\SysWOW64\Npabof32.exeC:\Windows\system32\Npabof32.exe20⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2136 -
C:\Windows\SysWOW64\Ndlnoelf.exeC:\Windows\system32\Ndlnoelf.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2612 -
C:\Windows\SysWOW64\Ngkjlpkj.exeC:\Windows\system32\Ngkjlpkj.exe22⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4888 -
C:\Windows\SysWOW64\Nenjgm32.exeC:\Windows\system32\Nenjgm32.exe23⤵
- Executes dropped EXE
PID:3116 -
C:\Windows\SysWOW64\Njifhljn.exeC:\Windows\system32\Njifhljn.exe24⤵
- Executes dropped EXE
PID:2320 -
C:\Windows\SysWOW64\Nlhbdgia.exeC:\Windows\system32\Nlhbdgia.exe25⤵
- Executes dropped EXE
PID:4892 -
C:\Windows\SysWOW64\Npcodf32.exeC:\Windows\system32\Npcodf32.exe26⤵
- Executes dropped EXE
PID:4608 -
C:\Windows\SysWOW64\Ncakqaqo.exeC:\Windows\system32\Ncakqaqo.exe27⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3640 -
C:\Windows\SysWOW64\Ngmgap32.exeC:\Windows\system32\Ngmgap32.exe28⤵
- Executes dropped EXE
PID:1168 -
C:\Windows\SysWOW64\Njlcmk32.exeC:\Windows\system32\Njlcmk32.exe29⤵
- Executes dropped EXE
- Modifies registry class
PID:4124 -
C:\Windows\SysWOW64\Nngonjqd.exeC:\Windows\system32\Nngonjqd.exe30⤵
- Executes dropped EXE
PID:4680 -
C:\Windows\SysWOW64\Npekjeph.exeC:\Windows\system32\Npekjeph.exe31⤵
- Executes dropped EXE
PID:1920 -
C:\Windows\SysWOW64\Ndagjd32.exeC:\Windows\system32\Ndagjd32.exe32⤵
- Executes dropped EXE
- Modifies registry class
PID:1772 -
C:\Windows\SysWOW64\Ngpcgp32.exeC:\Windows\system32\Ngpcgp32.exe33⤵
- Executes dropped EXE
PID:2240 -
C:\Windows\SysWOW64\Nfbdblnp.exeC:\Windows\system32\Nfbdblnp.exe34⤵
- Executes dropped EXE
PID:472 -
C:\Windows\SysWOW64\Njnpck32.exeC:\Windows\system32\Njnpck32.exe35⤵
- Executes dropped EXE
PID:1456 -
C:\Windows\SysWOW64\Nlllof32.exeC:\Windows\system32\Nlllof32.exe36⤵
- Executes dropped EXE
PID:1156 -
C:\Windows\SysWOW64\Odcdpd32.exeC:\Windows\system32\Odcdpd32.exe37⤵
- Executes dropped EXE
PID:2076 -
C:\Windows\SysWOW64\Ogbploeb.exeC:\Windows\system32\Ogbploeb.exe38⤵
- Executes dropped EXE
PID:3200 -
C:\Windows\SysWOW64\Ojplhkdf.exeC:\Windows\system32\Ojplhkdf.exe39⤵
- Executes dropped EXE
PID:4836 -
C:\Windows\SysWOW64\Oloidfcj.exeC:\Windows\system32\Oloidfcj.exe40⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4472 -
C:\Windows\SysWOW64\Odfqecdl.exeC:\Windows\system32\Odfqecdl.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:4316 -
C:\Windows\SysWOW64\Ogdmaocp.exeC:\Windows\system32\Ogdmaocp.exe42⤵
- Executes dropped EXE
PID:1484 -
C:\Windows\SysWOW64\Ojbinjbc.exeC:\Windows\system32\Ojbinjbc.exe43⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1616 -
C:\Windows\SysWOW64\Olaejfag.exeC:\Windows\system32\Olaejfag.exe44⤵
- Executes dropped EXE
PID:3364 -
C:\Windows\SysWOW64\Opmakd32.exeC:\Windows\system32\Opmakd32.exe45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:976 -
C:\Windows\SysWOW64\Ockngp32.exeC:\Windows\system32\Ockngp32.exe46⤵
- Executes dropped EXE
PID:2540 -
C:\Windows\SysWOW64\Ofijckhg.exeC:\Windows\system32\Ofijckhg.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2364 -
C:\Windows\SysWOW64\Onqbdihj.exeC:\Windows\system32\Onqbdihj.exe48⤵
- Executes dropped EXE
PID:4484 -
C:\Windows\SysWOW64\Oqonpdgn.exeC:\Windows\system32\Oqonpdgn.exe49⤵
- Executes dropped EXE
PID:4708 -
C:\Windows\SysWOW64\Ocmjlpfa.exeC:\Windows\system32\Ocmjlpfa.exe50⤵
- Executes dropped EXE
PID:3020 -
C:\Windows\SysWOW64\Ogifmn32.exeC:\Windows\system32\Ogifmn32.exe51⤵
- Executes dropped EXE
PID:1468 -
C:\Windows\SysWOW64\Ojgbij32.exeC:\Windows\system32\Ojgbij32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4104 -
C:\Windows\SysWOW64\Olfoee32.exeC:\Windows\system32\Olfoee32.exe53⤵
- Executes dropped EXE
PID:3312 -
C:\Windows\SysWOW64\Ocpgbodo.exeC:\Windows\system32\Ocpgbodo.exe54⤵
- Executes dropped EXE
PID:2720 -
C:\Windows\SysWOW64\Ofncnkcb.exeC:\Windows\system32\Ofncnkcb.exe55⤵
- Executes dropped EXE
PID:3240 -
C:\Windows\SysWOW64\Onekoh32.exeC:\Windows\system32\Onekoh32.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:1472 -
C:\Windows\SysWOW64\Pqcgkc32.exeC:\Windows\system32\Pqcgkc32.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1872 -
C:\Windows\SysWOW64\Pdoclbla.exeC:\Windows\system32\Pdoclbla.exe58⤵
- Executes dropped EXE
PID:3548 -
C:\Windows\SysWOW64\Pgnphnke.exeC:\Windows\system32\Pgnphnke.exe59⤵
- Executes dropped EXE
PID:4904 -
C:\Windows\SysWOW64\Pjlldiji.exeC:\Windows\system32\Pjlldiji.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2300 -
C:\Windows\SysWOW64\Pmjhpdil.exeC:\Windows\system32\Pmjhpdil.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:5056 -
C:\Windows\SysWOW64\Pqfdac32.exeC:\Windows\system32\Pqfdac32.exe62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4572 -
C:\Windows\SysWOW64\Pgplnmib.exeC:\Windows\system32\Pgplnmib.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2212 -
C:\Windows\SysWOW64\Pfcmij32.exeC:\Windows\system32\Pfcmij32.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:2384 -
C:\Windows\SysWOW64\Pnjejgpo.exeC:\Windows\system32\Pnjejgpo.exe65⤵
- Executes dropped EXE
PID:3456 -
C:\Windows\SysWOW64\Pqhafcoc.exeC:\Windows\system32\Pqhafcoc.exe66⤵PID:4456
-
C:\Windows\SysWOW64\Pcgmbnnf.exeC:\Windows\system32\Pcgmbnnf.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:3676 -
C:\Windows\SysWOW64\Pcijhnld.exeC:\Windows\system32\Pcijhnld.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3324 -
C:\Windows\SysWOW64\Pgdfim32.exeC:\Windows\system32\Pgdfim32.exe69⤵PID:2772
-
C:\Windows\SysWOW64\Pjcbeh32.exeC:\Windows\system32\Pjcbeh32.exe70⤵
- System Location Discovery: System Language Discovery
PID:4760 -
C:\Windows\SysWOW64\Pmanaccd.exeC:\Windows\system32\Pmanaccd.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:3052 -
C:\Windows\SysWOW64\Pdhfbacf.exeC:\Windows\system32\Pdhfbacf.exe72⤵PID:4960
-
C:\Windows\SysWOW64\Pckfnn32.exeC:\Windows\system32\Pckfnn32.exe73⤵
- Drops file in System32 directory
PID:116 -
C:\Windows\SysWOW64\Pfjcji32.exeC:\Windows\system32\Pfjcji32.exe74⤵PID:1544
-
C:\Windows\SysWOW64\Pnakkf32.exeC:\Windows\system32\Pnakkf32.exe75⤵PID:1620
-
C:\Windows\SysWOW64\Qmdkfcaa.exeC:\Windows\system32\Qmdkfcaa.exe76⤵PID:2724
-
C:\Windows\SysWOW64\Qdkcgqad.exeC:\Windows\system32\Qdkcgqad.exe77⤵PID:2636
-
C:\Windows\SysWOW64\Qgiodlqh.exeC:\Windows\system32\Qgiodlqh.exe78⤵PID:4816
-
C:\Windows\SysWOW64\Qjhlpgpk.exeC:\Windows\system32\Qjhlpgpk.exe79⤵PID:2960
-
C:\Windows\SysWOW64\Qncgqf32.exeC:\Windows\system32\Qncgqf32.exe80⤵PID:3056
-
C:\Windows\SysWOW64\Qqadmagh.exeC:\Windows\system32\Qqadmagh.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5128 -
C:\Windows\SysWOW64\Qcppimfl.exeC:\Windows\system32\Qcppimfl.exe82⤵PID:5168
-
C:\Windows\SysWOW64\Qfolehep.exeC:\Windows\system32\Qfolehep.exe83⤵PID:5208
-
C:\Windows\SysWOW64\Anedfffb.exeC:\Windows\system32\Anedfffb.exe84⤵PID:5252
-
C:\Windows\SysWOW64\Aqdqbaee.exeC:\Windows\system32\Aqdqbaee.exe85⤵
- Drops file in System32 directory
PID:5296 -
C:\Windows\SysWOW64\Adplbp32.exeC:\Windows\system32\Adplbp32.exe86⤵PID:5336
-
C:\Windows\SysWOW64\Agniok32.exeC:\Windows\system32\Agniok32.exe87⤵PID:5384
-
C:\Windows\SysWOW64\Ajlekg32.exeC:\Windows\system32\Ajlekg32.exe88⤵PID:5428
-
C:\Windows\SysWOW64\Amkagb32.exeC:\Windows\system32\Amkagb32.exe89⤵
- Modifies registry class
PID:5472 -
C:\Windows\SysWOW64\Aebihpkl.exeC:\Windows\system32\Aebihpkl.exe90⤵
- Drops file in System32 directory
PID:5516 -
C:\Windows\SysWOW64\Agpedkjp.exeC:\Windows\system32\Agpedkjp.exe91⤵
- Drops file in System32 directory
PID:5560 -
C:\Windows\SysWOW64\Afcfph32.exeC:\Windows\system32\Afcfph32.exe92⤵
- Drops file in System32 directory
PID:5604 -
C:\Windows\SysWOW64\Ammnmbig.exeC:\Windows\system32\Ammnmbig.exe93⤵PID:5648
-
C:\Windows\SysWOW64\Aqijmq32.exeC:\Windows\system32\Aqijmq32.exe94⤵PID:5688
-
C:\Windows\SysWOW64\Agbbjkhm.exeC:\Windows\system32\Agbbjkhm.exe95⤵PID:5732
-
C:\Windows\SysWOW64\Afebeg32.exeC:\Windows\system32\Afebeg32.exe96⤵PID:5772
-
C:\Windows\SysWOW64\Anmjfe32.exeC:\Windows\system32\Anmjfe32.exe97⤵
- Drops file in System32 directory
PID:5812 -
C:\Windows\SysWOW64\Aakfcp32.exeC:\Windows\system32\Aakfcp32.exe98⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5852 -
C:\Windows\SysWOW64\Acicol32.exeC:\Windows\system32\Acicol32.exe99⤵
- System Location Discovery: System Language Discovery
PID:5892 -
C:\Windows\SysWOW64\Ageopj32.exeC:\Windows\system32\Ageopj32.exe100⤵PID:5932
-
C:\Windows\SysWOW64\Ajcklf32.exeC:\Windows\system32\Ajcklf32.exe101⤵PID:5972
-
C:\Windows\SysWOW64\Ambgha32.exeC:\Windows\system32\Ambgha32.exe102⤵PID:6012
-
C:\Windows\SysWOW64\Aeioio32.exeC:\Windows\system32\Aeioio32.exe103⤵PID:6052
-
C:\Windows\SysWOW64\Aclpdklo.exeC:\Windows\system32\Aclpdklo.exe104⤵PID:6092
-
C:\Windows\SysWOW64\Afjlqgkb.exeC:\Windows\system32\Afjlqgkb.exe105⤵
- System Location Discovery: System Language Discovery
PID:6132 -
C:\Windows\SysWOW64\Bjfhae32.exeC:\Windows\system32\Bjfhae32.exe106⤵PID:940
-
C:\Windows\SysWOW64\Bmddma32.exeC:\Windows\system32\Bmddma32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3272 -
C:\Windows\SysWOW64\Beklnn32.exeC:\Windows\system32\Beklnn32.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2716 -
C:\Windows\SysWOW64\Bcnljkjl.exeC:\Windows\system32\Bcnljkjl.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:4788 -
C:\Windows\SysWOW64\Bfmhff32.exeC:\Windows\system32\Bfmhff32.exe110⤵PID:3524
-
C:\Windows\SysWOW64\Bncqgd32.exeC:\Windows\system32\Bncqgd32.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3292 -
C:\Windows\SysWOW64\Bmfqcqql.exeC:\Windows\system32\Bmfqcqql.exe112⤵PID:4732
-
C:\Windows\SysWOW64\Benidnao.exeC:\Windows\system32\Benidnao.exe113⤵PID:4728
-
C:\Windows\SysWOW64\Bglepipb.exeC:\Windows\system32\Bglepipb.exe114⤵PID:5164
-
C:\Windows\SysWOW64\Bfoelf32.exeC:\Windows\system32\Bfoelf32.exe115⤵PID:5240
-
C:\Windows\SysWOW64\Bnfmmc32.exeC:\Windows\system32\Bnfmmc32.exe116⤵PID:5320
-
C:\Windows\SysWOW64\Badiio32.exeC:\Windows\system32\Badiio32.exe117⤵PID:5380
-
C:\Windows\SysWOW64\Bccfej32.exeC:\Windows\system32\Bccfej32.exe118⤵PID:5460
-
C:\Windows\SysWOW64\Bfabaf32.exeC:\Windows\system32\Bfabaf32.exe119⤵PID:5524
-
C:\Windows\SysWOW64\Bjmnbd32.exeC:\Windows\system32\Bjmnbd32.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:5576 -
C:\Windows\SysWOW64\Bmkjnp32.exeC:\Windows\system32\Bmkjnp32.exe121⤵
- Drops file in System32 directory
PID:5644 -
C:\Windows\SysWOW64\Bebbom32.exeC:\Windows\system32\Bebbom32.exe122⤵PID:5700