Analysis

max time kernel: 46s
max time network: 18s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 22-12-2024 14:03

Static task: static1

Behavioral task: behavioral1
Sample: e80ef984442345465fec005ffd8e1f0fa1e69b03b6034132b84b891dc8b2d3ebN.exe
Resource: win7-20241010-en

Behavioral task: behavioral2
Sample: e80ef984442345465fec005ffd8e1f0fa1e69b03b6034132b84b891dc8b2d3ebN.exe
Resource: win10v2004-20241007-en

General

Target: e80ef984442345465fec005ffd8e1f0fa1e69b03b6034132b84b891dc8b2d3ebN.exe
Size: 42KB
MD5: 934132810c2f8777378d02d4f30c3080
SHA1: cf7a4c9c496fd75bb11207b6212e6ed54207b2cd
SHA256: e80ef984442345465fec005ffd8e1f0fa1e69b03b6034132b84b891dc8b2d3eb
SHA512: 779e2723dd950b105d8af78196e20ad4386b2a3a775a9b7a5615f85ecae5cbca4f32f7d7b9458e7302acf95ba497ab1c45ffe69b9b0cbd196b4606a77bee7700
SSDEEP: 768:uU/p3EgkOfAhFo5IGQS8XfQnbvOClVNsZuK+65dMhrrhmf5p0s5HX/2/1H5h:uU/4soWQTInTOCl/wJMCfFk7

Malware Config

Extracted: berbew
http://tat-neftbank.ru/kkq.php
http://tat-neftbank.ru/wcmd.htm

Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)

description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Adifpk32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jenbjc32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pjleclph.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Addfkeid.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bllcnega.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ebialmjb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nedhjj32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dhhhbg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lhfpdi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Eebibf32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Coacbfii.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cbdiia32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bcpimq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hnjbeh32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Elkofg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ohdfqbio.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ohfcfb32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pmehdh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hmpaom32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fdqnkoep.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Njnokdaq.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Koibpd32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lhfpdi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bjdkjpkb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dlgjldnm.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bcjcme32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jkbaci32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mhcfjnhm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Occjjnap.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mgbcfdmo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Eqkjmcmq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mmicfh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Emoldlmc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kfodfh32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ofaolcmh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pfebnmcj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fodebh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Eaeipfei.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hbofmcij.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cdqkifmb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ehkcpc32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fgdgcfmb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Adaiee32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cmhjdiap.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Koaclfgl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ejioln32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lophacfl.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gqahqd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ddkgbc32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ggdcbi32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jggoqimd.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lghgmg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pljlbf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dlgjldnm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Plbkfdba.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ddaemh32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Klfjpa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cjjpag32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Eqkjmcmq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bmpkqklh.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pcpbik32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jcnoejch.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Qkfocaki.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Qpbglhjq.exe
Berbew family
Executes dropped EXE (64 IoCs)

pid | Process
1636 | Ddfebnoo.exe
2976 | Dicnkdnf.exe
2396 | Emagacdm.exe
2756 | Eelkeeah.exe
2248 | Ecploipa.exe
2948 | Eaeipfei.exe
2968 | Enlidg32.exe
1664 | Fdiogq32.exe
2408 | Famope32.exe
556 | Flfpabkp.exe
1116 | Fcphnm32.exe
2000 | Fcbecl32.exe
2960 | Ghajacmo.exe
2432 | Gqahqd32.exe
1476 | Gneijien.exe
2132 | Hkiicmdh.exe
2548 | Hebnlb32.exe
2484 | Hnjbeh32.exe
2140 | Hfegij32.exe
1556 | Hldlga32.exe
2236 | Hfjpdjjo.exe
1620 | Hlgimqhf.exe
1824 | Ipeaco32.exe
1852 | Ihpfgalh.exe
1300 | Ibejdjln.exe
832 | Ihbcmaje.exe
1972 | Idicbbpi.exe
2124 | Ihglhp32.exe
2520 | Jmdepg32.exe
2916 | Jmhnkfpa.exe
2076 | Jajcdjca.exe
1276 | Jkchmo32.exe
2700 | Jehlkhig.exe
2992 | Kaajei32.exe
2636 | Kkjnnn32.exe
924 | Kcecbq32.exe
2080 | Kpicle32.exe
3044 | Kjahej32.exe
2852 | Llbqfe32.exe
3028 | Lhpglecl.exe
936 | Mgedmb32.exe
2184 | Mdiefffn.exe
960 | Mobfgdcl.exe
3012 | Mfmndn32.exe
268 | Mfokinhf.exe
2288 | Mmicfh32.exe
2300 | Mcckcbgp.exe
1740 | Nedhjj32.exe
2348 | Nlnpgd32.exe
1328 | Nbhhdnlh.exe
2028 | Nefdpjkl.exe
2900 | Nlqmmd32.exe
2776 | Nnoiio32.exe
2680 | Nidmfh32.exe
2704 | Njfjnpgp.exe
2724 | Nbmaon32.exe
2568 | Nlefhcnc.exe
2720 | Nmfbpk32.exe
2312 | Ndqkleln.exe
3052 | Njjcip32.exe
772 | Odchbe32.exe
2172 | Ojmpooah.exe
684 | Odedge32.exe
1680 | Ojomdoof.exe
Loads dropped DLL (64 IoCs; each process is recorded twice in the report)

pid | Process
1832 | e80ef984442345465fec005ffd8e1f0fa1e69b03b6034132b84b891dc8b2d3ebN.exe
1832 | e80ef984442345465fec005ffd8e1f0fa1e69b03b6034132b84b891dc8b2d3ebN.exe
1636 | Ddfebnoo.exe
1636 | Ddfebnoo.exe
2976 | Dicnkdnf.exe
2976 | Dicnkdnf.exe
2396 | Emagacdm.exe
2396 | Emagacdm.exe
2756 | Eelkeeah.exe
2756 | Eelkeeah.exe
2248 | Ecploipa.exe
2248 | Ecploipa.exe
2948 | Eaeipfei.exe
2948 | Eaeipfei.exe
2968 | Enlidg32.exe
2968 | Enlidg32.exe
1664 | Fdiogq32.exe
1664 | Fdiogq32.exe
2408 | Famope32.exe
2408 | Famope32.exe
556 | Flfpabkp.exe
556 | Flfpabkp.exe
1116 | Fcphnm32.exe
1116 | Fcphnm32.exe
2000 | Fcbecl32.exe
2000 | Fcbecl32.exe
2960 | Ghajacmo.exe
2960 | Ghajacmo.exe
2432 | Gqahqd32.exe
2432 | Gqahqd32.exe
1476 | Gneijien.exe
1476 | Gneijien.exe
2132 | Hkiicmdh.exe
2132 | Hkiicmdh.exe
2548 | Hebnlb32.exe
2548 | Hebnlb32.exe
2484 | Hnjbeh32.exe
2484 | Hnjbeh32.exe
2140 | Hfegij32.exe
2140 | Hfegij32.exe
1556 | Hldlga32.exe
1556 | Hldlga32.exe
2236 | Hfjpdjjo.exe
2236 | Hfjpdjjo.exe
1620 | Hlgimqhf.exe
1620 | Hlgimqhf.exe
1824 | Ipeaco32.exe
1824 | Ipeaco32.exe
1852 | Ihpfgalh.exe
1852 | Ihpfgalh.exe
1300 | Ibejdjln.exe
1300 | Ibejdjln.exe
832 | Ihbcmaje.exe
832 | Ihbcmaje.exe
1972 | Idicbbpi.exe
1972 | Idicbbpi.exe
2124 | Ihglhp32.exe
2124 | Ihglhp32.exe
2520 | Jmdepg32.exe
2520 | Jmdepg32.exe
2916 | Jmhnkfpa.exe
2916 | Jmhnkfpa.exe
2076 | Jajcdjca.exe
2076 | Jajcdjca.exe
Drops file in System32 directory (64 IoCs)

description | ioc | Process
File created | C:\Windows\SysWOW64\Oaogognm.exe | Onqkclni.exe
File created | C:\Windows\SysWOW64\Hgqlafap.exe | Hadcipbi.exe
File created | C:\Windows\SysWOW64\Jcnoejch.exe | Jggoqimd.exe
File created | C:\Windows\SysWOW64\Jimdcqom.exe | Jmfcop32.exe
File opened for modification | C:\Windows\SysWOW64\Mcaafk32.exe | Mjilmejf.exe
File created | C:\Windows\SysWOW64\Nhmbdl32.exe | Macjgadf.exe
File created | C:\Windows\SysWOW64\Bbmcpemo.dll | Macjgadf.exe
File created | C:\Windows\SysWOW64\Aahfdihn.exe | Addfkeid.exe
File created | C:\Windows\SysWOW64\Mcaafk32.exe | Mjilmejf.exe
File opened for modification | C:\Windows\SysWOW64\Immjnj32.exe | Igpaec32.exe
File created | C:\Windows\SysWOW64\Eiabmg32.dll | Emdhhdqb.exe
File created | C:\Windows\SysWOW64\Mmicfh32.exe | Mfokinhf.exe
File opened for modification | C:\Windows\SysWOW64\Hbidne32.exe | Hdecea32.exe
File created | C:\Windows\SysWOW64\Kajpmc32.dll | Jlhkgm32.exe
File opened for modification | C:\Windows\SysWOW64\Elkofg32.exe | Eafkhn32.exe
File created | C:\Windows\SysWOW64\Oielnd32.exe | Ochcem32.exe
File created | C:\Windows\SysWOW64\Bgfdgq32.dll | Iokfjf32.exe
File created | C:\Windows\SysWOW64\Ofoebc32.dll | Cgjgol32.exe
File created | C:\Windows\SysWOW64\Imjhqh32.dll | Gfnjne32.exe
File created | C:\Windows\SysWOW64\Cidddj32.exe | Ckpckece.exe
File created | C:\Windows\SysWOW64\Fbegbacp.exe | Elkofg32.exe
File created | C:\Windows\SysWOW64\Lofifi32.exe | Lhlqjone.exe
File created | C:\Windows\SysWOW64\Hmcqik32.dll | Aahimb32.exe
File created | C:\Windows\SysWOW64\Dkjgfien.dll | Iejkhlip.exe
File created | C:\Windows\SysWOW64\Fdcfhj32.dll | Ecploipa.exe
File created | C:\Windows\SysWOW64\Mfmndn32.exe | Mobfgdcl.exe
File opened for modification | C:\Windows\SysWOW64\Lljpjchg.exe | Ldokfakl.exe
File opened for modification | C:\Windows\SysWOW64\Addfkeid.exe | Aognbnkm.exe
File created | C:\Windows\SysWOW64\Hkobdolo.dll | Aompambg.exe
File created | C:\Windows\SysWOW64\Geloanjg.exe | Glckihcg.exe
File created | C:\Windows\SysWOW64\Fjkhdlkp.dll | Geloanjg.exe
File opened for modification | C:\Windows\SysWOW64\Jjlmkb32.exe | Jeoeclek.exe
File created | C:\Windows\SysWOW64\Enoinika.dll | Dfkclf32.exe
File created | C:\Windows\SysWOW64\Nedmma32.dll | Ageompfe.exe
File opened for modification | C:\Windows\SysWOW64\Hldlga32.exe | Hfegij32.exe
File created | C:\Windows\SysWOW64\Ihglhp32.exe | Idicbbpi.exe
File created | C:\Windows\SysWOW64\Pofkha32.exe | Piicpk32.exe
File opened for modification | C:\Windows\SysWOW64\Acfmcc32.exe | Allefimb.exe
File created | C:\Windows\SysWOW64\Gfnafi32.dll | Akfkbd32.exe
File created | C:\Windows\SysWOW64\Lbmnig32.dll | Bcjcme32.exe
File created | C:\Windows\SysWOW64\Coacbfii.exe | Bjdkjpkb.exe
File created | C:\Windows\SysWOW64\Nbkgbg32.exe | Ndggib32.exe
File opened for modification | C:\Windows\SysWOW64\Ejklan32.exe | Ejioln32.exe
File opened for modification | C:\Windows\SysWOW64\Jaeehmko.exe | Jjlmkb32.exe
File created | C:\Windows\SysWOW64\Cdngip32.exe | Cgjgol32.exe
File created | C:\Windows\SysWOW64\Mhgacc32.dll | Gdfiofhn.exe
File opened for modification | C:\Windows\SysWOW64\Ghajacmo.exe | Fcbecl32.exe
File created | C:\Windows\SysWOW64\Gfkmie32.exe | Gcmamj32.exe
File created | C:\Windows\SysWOW64\Kdkelolf.exe | Jkbaci32.exe
File created | C:\Windows\SysWOW64\Fniamd32.dll | Mhcmedli.exe
File created | C:\Windows\SysWOW64\Odifibfn.dll | Fkefbcmf.exe
File opened for modification | C:\Windows\SysWOW64\Cqleifna.exe | Cgdqpq32.exe
File opened for modification | C:\Windows\SysWOW64\Floeof32.exe | Ejklan32.exe
File created | C:\Windows\SysWOW64\Endjeihi.dll | Cpdhna32.exe
File created | C:\Windows\SysWOW64\Clnehado.exe | Cfcmlg32.exe
File opened for modification | C:\Windows\SysWOW64\Cfhkhd32.exe | Cegoqlof.exe
File opened for modification | C:\Windows\SysWOW64\Eakooqih.exe | Dpjbgh32.exe
File created | C:\Windows\SysWOW64\Lnjldf32.exe | Lcdhgn32.exe
File created | C:\Windows\SysWOW64\Pifbjn32.exe | Pcljmdmj.exe
File created | C:\Windows\SysWOW64\Achjibcl.exe | Ahbekjcf.exe
File opened for modification | C:\Windows\SysWOW64\Adaiee32.exe | Qmhahkdj.exe
File created | C:\Windows\SysWOW64\Ejcmmp32.exe | Emoldlmc.exe
File created | C:\Windows\SysWOW64\Aaaqjc32.dll | Ochcem32.exe
File created | C:\Windows\SysWOW64\Hgcdeo32.dll | Dcohghbk.exe
Program crash (1 IoC)

pid | pid_target | Process | procid_target
5312 | 2860 | WerFault.exe | 557
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | each of the 64 processes listed below
Emagacdm.exe
Igceej32.exe
Mojbaham.exe
Njhilimb.exe
Jjlmkb32.exe
Olkifaen.exe
Ibfmmb32.exe
Mcodqkbi.exe
Diidjpbe.exe
Koaclfgl.exe
Qkielpdf.exe
Bcpimq32.exe
Qiiahgjh.exe
Jihdnk32.exe
Kpicle32.exe
Bqijljfd.exe
Lnjldf32.exe
Fbegbacp.exe
Mcaafk32.exe
Iokfjf32.exe
Odedge32.exe
Alihaioe.exe
Dokfme32.exe
Hohkmj32.exe
Kdphjm32.exe
Akdafn32.exe
Ebockkal.exe
Njfjnpgp.exe
Klfjpa32.exe
Lkdjglfo.exe
Cgogealf.exe
Floeof32.exe
Icbipe32.exe
Bfdenafn.exe
Jimdcqom.exe
Ddkgbc32.exe
Cegoqlof.exe
Dmbcen32.exe
Dqfabdaf.exe
Bllcnega.exe
Jaeehmko.exe
Lpaehl32.exe
Adiaommc.exe
Ohiffh32.exe
Ladebd32.exe
Adleoc32.exe
Dgfmep32.exe
Leegbnan.exe
Cojeomee.exe
Mokilo32.exe
Cdqkifmb.exe
Befnbd32.exe
Nlefhcnc.exe
Koipglep.exe
Oighcd32.exe
Bapfhg32.exe
Clefdcog.exe
Omnipjni.exe
Apppkekc.exe
Dfkclf32.exe
Allefimb.exe
Hmjoqo32.exe
Hbidne32.exe
Iacjjacb.exe
Modifies registry class (64 IoCs)

description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Eaeipfei.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bdfooh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bgghac32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgngaoal.dll" | Jggoqimd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pfkimhhi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hopbda32.dll" | Oococb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fniamd32.dll" | Mhcmedli.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ageompfe.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Lhlqjone.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Paiaplin.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dpjbgh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cjhabndo.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Figocipe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acnkmfoc.dll" | Cfaqfh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Omnipjni.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfakep32.dll" | Cgnnab32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gmeeepjp.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ijlaloaf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Igpaec32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kppldhla.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgldklaj.dll" | Ncipjieo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccgfbken.dll" | Ejdfqogm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Imogcj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlboaceh.dll" | Odchbe32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Diidjpbe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ifbphh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llbncmgg.dll" | Kdmban32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bolcma32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Imggplgm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pneanl32.dll" | Qiiahgjh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cgogealf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Abmgjo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiablm32.dll" | Bmpkqklh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bcjcme32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mphaobfe.dll" | Onqkclni.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hqnjek32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkldcapk.dll" | Ebialmjb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogcgmi32.dll" | Lijiaabk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ohiffh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nehhoand.dll" | Ohdfqbio.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kdphjm32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ldgnklmi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bcpimq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Igceej32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mebnic32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpdonf32.dll" | Kaajei32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mobfgdcl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Qcachc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhogdg32.dll" | Cinafkkd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jhjbqo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imfopc32.dll" | Pdjljpnc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Iejkhlip.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jecnnk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcfoeb32.dll" | Ppfafcpb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cocajj32.dll" | Ehnfpifm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hqiqjlga.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npbdcgjh.dll" | Nidmfh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pljlbf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gglpmlbm.dll" | Hfpfdeon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfmcog32.dll" | Iejiodbl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Iejiodbl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejnbekph.dll" | Ddkgbc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jenbjc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jkbaci32.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
Each entry gives the image path, the command line recorded by the sandbox, the process's level in the spawn chain (each process launches the next), its PID, and the behaviours attributed to it.

C:\Users\Admin\AppData\Local\Temp\e80ef984442345465fec005ffd8e1f0fa1e69b03b6034132b84b891dc8b2d3ebN.exe (command line: "C:\Users\Admin\AppData\Local\Temp\e80ef984442345465fec005ffd8e1f0fa1e69b03b6034132b84b891dc8b2d3ebN.exe"; level 1; PID 1832)
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Ddfebnoo.exe (command line: C:\Windows\system32\Ddfebnoo.exe; level 2; PID 1636)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Dicnkdnf.exe (command line: C:\Windows\system32\Dicnkdnf.exe; level 3; PID 2976)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Emagacdm.exe (command line: C:\Windows\system32\Emagacdm.exe; level 4; PID 2396)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Eelkeeah.exe (command line: C:\Windows\system32\Eelkeeah.exe; level 5; PID 2756)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Ecploipa.exe (command line: C:\Windows\system32\Ecploipa.exe; level 6; PID 2248)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Eaeipfei.exe (command line: C:\Windows\system32\Eaeipfei.exe; level 7; PID 2948)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Enlidg32.exe (command line: C:\Windows\system32\Enlidg32.exe; level 8; PID 2968)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Fdiogq32.exe (command line: C:\Windows\system32\Fdiogq32.exe; level 9; PID 1664)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Famope32.exe (command line: C:\Windows\system32\Famope32.exe; level 10; PID 2408)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Flfpabkp.exe (command line: C:\Windows\system32\Flfpabkp.exe; level 11; PID 556)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Fcphnm32.exe (command line: C:\Windows\system32\Fcphnm32.exe; level 12; PID 1116)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Fcbecl32.exe (command line: C:\Windows\system32\Fcbecl32.exe; level 13; PID 2000)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Ghajacmo.exe (command line: C:\Windows\system32\Ghajacmo.exe; level 14; PID 2960)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Gqahqd32.exe (command line: C:\Windows\system32\Gqahqd32.exe; level 15; PID 2432)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Gneijien.exe (command line: C:\Windows\system32\Gneijien.exe; level 16; PID 1476)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

C:\Windows\SysWOW64\Hkiicmdh.exe (command line: C:\Windows\system32\Hkiicmdh.exe; level 17; PID 2132)
- Executes dropped EXE
- Loads dropped DLL

C:\Windows\SysWOW64\Hebnlb32.exe (command line: C:\Windows\system32\Hebnlb32.exe; level 18; PID 2548)
- Executes dropped EXE
- Loads dropped DLL

C:\Windows\SysWOW64\Hnjbeh32.exe (command line: C:\Windows\system32\Hnjbeh32.exe; level 19; PID 2484)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL

C:\Windows\SysWOW64\Hfegij32.exe (command line: C:\Windows\system32\Hfegij32.exe; level 20; PID 2140)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory

C:\Windows\SysWOW64\Hldlga32.exe (command line: C:\Windows\system32\Hldlga32.exe; level 21; PID 1556)
- Executes dropped EXE
- Loads dropped DLL

C:\Windows\SysWOW64\Hfjpdjjo.exe (command line: C:\Windows\system32\Hfjpdjjo.exe; level 22; PID 2236)
- Executes dropped EXE
- Loads dropped DLL

C:\Windows\SysWOW64\Hlgimqhf.exe (command line: C:\Windows\system32\Hlgimqhf.exe; level 23; PID 1620)
- Executes dropped EXE
- Loads dropped DLL

C:\Windows\SysWOW64\Ipeaco32.exe (command line: C:\Windows\system32\Ipeaco32.exe; level 24; PID 1824)
- Executes dropped EXE
- Loads dropped DLL

C:\Windows\SysWOW64\Ihpfgalh.exe (command line: C:\Windows\system32\Ihpfgalh.exe; level 25; PID 1852)
- Executes dropped EXE
- Loads dropped DLL

C:\Windows\SysWOW64\Ibejdjln.exe (command line: C:\Windows\system32\Ibejdjln.exe; level 26; PID 1300)
- Executes dropped EXE
- Loads dropped DLL

C:\Windows\SysWOW64\Ihbcmaje.exe (command line: C:\Windows\system32\Ihbcmaje.exe; level 27; PID 832)
- Executes dropped EXE
- Loads dropped DLL

C:\Windows\SysWOW64\Idicbbpi.exe (command line: C:\Windows\system32\Idicbbpi.exe; level 28; PID 1972)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory

C:\Windows\SysWOW64\Ihglhp32.exe (command line: C:\Windows\system32\Ihglhp32.exe; level 29; PID 2124)
- Executes dropped EXE
- Loads dropped DLL

C:\Windows\SysWOW64\Jmdepg32.exe (command line: C:\Windows\system32\Jmdepg32.exe; level 30; PID 2520)
- Executes dropped EXE
- Loads dropped DLL

C:\Windows\SysWOW64\Jmhnkfpa.exe (command line: C:\Windows\system32\Jmhnkfpa.exe; level 31; PID 2916)
- Executes dropped EXE
- Loads dropped DLL

C:\Windows\SysWOW64\Jajcdjca.exe (command line: C:\Windows\system32\Jajcdjca.exe; level 32; PID 2076)
- Executes dropped EXE
- Loads dropped DLL

C:\Windows\SysWOW64\Jkchmo32.exe (command line: C:\Windows\system32\Jkchmo32.exe; level 33; PID 1276)
- Executes dropped EXE

C:\Windows\SysWOW64\Jehlkhig.exe (command line: C:\Windows\system32\Jehlkhig.exe; level 34; PID 2700)
- Executes dropped EXE

C:\Windows\SysWOW64\Kaajei32.exe (command line: C:\Windows\system32\Kaajei32.exe; level 35; PID 2992)
- Executes dropped EXE
- Modifies registry class

C:\Windows\SysWOW64\Kkjnnn32.exe (command line: C:\Windows\system32\Kkjnnn32.exe; level 36; PID 2636)
- Executes dropped EXE

C:\Windows\SysWOW64\Kcecbq32.exe (command line: C:\Windows\system32\Kcecbq32.exe; level 37; PID 924)
- Executes dropped EXE

C:\Windows\SysWOW64\Kpicle32.exe (command line: C:\Windows\system32\Kpicle32.exe; level 38; PID 2080)
- Executes dropped EXE
- System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\Kjahej32.exe (command line: C:\Windows\system32\Kjahej32.exe; level 39; PID 3044)
- Executes dropped EXE

C:\Windows\SysWOW64\Llbqfe32.exe (command line: C:\Windows\system32\Llbqfe32.exe; level 40; PID 2852)
- Executes dropped EXE

C:\Windows\SysWOW64\Lhpglecl.exe (command line: C:\Windows\system32\Lhpglecl.exe; level 41; PID 3028)
- Executes dropped EXE

C:\Windows\SysWOW64\Mgedmb32.exe (command line: C:\Windows\system32\Mgedmb32.exe; level 42; PID 936)
- Executes dropped EXE

C:\Windows\SysWOW64\Mdiefffn.exe (command line: C:\Windows\system32\Mdiefffn.exe; level 43; PID 2184)
- Executes dropped EXE

C:\Windows\SysWOW64\Mobfgdcl.exe (command line: C:\Windows\system32\Mobfgdcl.exe; level 44; PID 960)
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class

C:\Windows\SysWOW64\Mfmndn32.exe (command line: C:\Windows\system32\Mfmndn32.exe; level 45; PID 3012)
- Executes dropped EXE

C:\Windows\SysWOW64\Mfokinhf.exe (command line: C:\Windows\system32\Mfokinhf.exe; level 46; PID 268)
- Executes dropped EXE
- Drops file in System32 directory

C:\Windows\SysWOW64\Mmicfh32.exe (command line: C:\Windows\system32\Mmicfh32.exe; level 47; PID 2288)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE

C:\Windows\SysWOW64\Mcckcbgp.exe (command line: C:\Windows\system32\Mcckcbgp.exe; level 48; PID 2300)
- Executes dropped EXE

C:\Windows\SysWOW64\Nedhjj32.exe (command line: C:\Windows\system32\Nedhjj32.exe; level 49; PID 1740)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE

C:\Windows\SysWOW64\Nlnpgd32.exe (command line: C:\Windows\system32\Nlnpgd32.exe; level 50; PID 2348)
- Executes dropped EXE

C:\Windows\SysWOW64\Nbhhdnlh.exe (command line: C:\Windows\system32\Nbhhdnlh.exe; level 51; PID 1328)
- Executes dropped EXE

C:\Windows\SysWOW64\Nefdpjkl.exe (command line: C:\Windows\system32\Nefdpjkl.exe; level 52; PID 2028)
- Executes dropped EXE

C:\Windows\SysWOW64\Nlqmmd32.exe (command line: C:\Windows\system32\Nlqmmd32.exe; level 53; PID 2900)
- Executes dropped EXE

C:\Windows\SysWOW64\Nnoiio32.exe (command line: C:\Windows\system32\Nnoiio32.exe; level 54; PID 2776)
- Executes dropped EXE

C:\Windows\SysWOW64\Nidmfh32.exe (command line: C:\Windows\system32\Nidmfh32.exe; level 55; PID 2680)
- Executes dropped EXE
- Modifies registry class

C:\Windows\SysWOW64\Njfjnpgp.exe (command line: C:\Windows\system32\Njfjnpgp.exe; level 56; PID 2704)
- Executes dropped EXE
- System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\Nbmaon32.exe (command line: C:\Windows\system32\Nbmaon32.exe; level 57; PID 2724)
- Executes dropped EXE

C:\Windows\SysWOW64\Nlefhcnc.exe (command line: C:\Windows\system32\Nlefhcnc.exe; level 58; PID 2568)
- Executes dropped EXE
- System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\Nmfbpk32.exe (command line: C:\Windows\system32\Nmfbpk32.exe; level 59; PID 2720)
- Executes dropped EXE

C:\Windows\SysWOW64\Ndqkleln.exe (command line: C:\Windows\system32\Ndqkleln.exe; level 60; PID 2312)
- Executes dropped EXE

C:\Windows\SysWOW64\Njjcip32.exe (command line: C:\Windows\system32\Njjcip32.exe; level 61; PID 3052)
- Executes dropped EXE

C:\Windows\SysWOW64\Odchbe32.exe (command line: C:\Windows\system32\Odchbe32.exe; level 62; PID 772)
- Executes dropped EXE
- Modifies registry class

C:\Windows\SysWOW64\Ojmpooah.exe (command line: C:\Windows\system32\Ojmpooah.exe; level 63; PID 2172)
- Executes dropped EXE

C:\Windows\SysWOW64\Odedge32.exe (command line: C:\Windows\system32\Odedge32.exe; level 64; PID 684)
- Executes dropped EXE
- System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\Ojomdoof.exe (command line: C:\Windows\system32\Ojomdoof.exe; level 65; PID 1680)
- Executes dropped EXE

C:\Windows\SysWOW64\Omnipjni.exe (command line: C:\Windows\system32\Omnipjni.exe; level 66; PID 648)
- System Location Discovery: System Language Discovery
- Modifies registry class

C:\Windows\SysWOW64\Oplelf32.exe (command line: C:\Windows\system32\Oplelf32.exe; level 67; PID 276)

C:\Windows\SysWOW64\Objaha32.exe (command line: C:\Windows\system32\Objaha32.exe; level 68; PID 2064)

C:\Windows\SysWOW64\Oidiekdn.exe (command line: C:\Windows\system32\Oidiekdn.exe; level 69; PID 1800)

C:\Windows\SysWOW64\Olbfagca.exe (command line: C:\Windows\system32\Olbfagca.exe; level 70; PID 2836)

C:\Windows\SysWOW64\Obmnna32.exe (command line: C:\Windows\system32\Obmnna32.exe; level 71; PID 1192)

C:\Windows\SysWOW64\Oekjjl32.exe (command line: C:\Windows\system32\Oekjjl32.exe; level 72; PID 2924)

C:\Windows\SysWOW64\Ohiffh32.exe (command line: C:\Windows\system32\Ohiffh32.exe; level 73; PID 2740)
- System Location Discovery: System Language Discovery
- Modifies registry class

C:\Windows\SysWOW64\Oococb32.exe (command line: C:\Windows\system32\Oococb32.exe; level 74; PID 2648)
- Modifies registry class

C:\Windows\SysWOW64\Piicpk32.exe (command line: C:\Windows\system32\Piicpk32.exe; level 75; PID 2096)
- Drops file in System32 directory

C:\Windows\SysWOW64\Pofkha32.exe (command line: C:\Windows\system32\Pofkha32.exe; level 76; PID 2892)

C:\Windows\SysWOW64\Padhdm32.exe (command line: C:\Windows\system32\Padhdm32.exe; level 77; PID 1040)

C:\Windows\SysWOW64\Phnpagdp.exe (command line: C:\Windows\system32\Phnpagdp.exe; level 78; PID 2864)

C:\Windows\SysWOW64\Pljlbf32.exe (command line: C:\Windows\system32\Pljlbf32.exe; level 79; PID 2224)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class

C:\Windows\SysWOW64\Pdeqfhjd.exe (command line: C:\Windows\system32\Pdeqfhjd.exe; level 80; PID 3008)

C:\Windows\SysWOW64\Pgcmbcih.exe (command line: C:\Windows\system32\Pgcmbcih.exe; level 81; PID 800)

C:\Windows\SysWOW64\Paiaplin.exe (command line: C:\Windows\system32\Paiaplin.exe; level 82; PID 1756)
- Modifies registry class

C:\Windows\SysWOW64\Pplaki32.exe (command line: C:\Windows\system32\Pplaki32.exe; level 83; PID 888)

C:\Windows\SysWOW64\Pcljmdmj.exe (command line: C:\Windows\system32\Pcljmdmj.exe; level 84; PID 676)
- Drops file in System32 directory

C:\Windows\SysWOW64\Pifbjn32.exe (command line: C:\Windows\system32\Pifbjn32.exe; level 85; PID 2304)

C:\Windows\SysWOW64\Qkfocaki.exe (command line: C:\Windows\system32\Qkfocaki.exe; level 86; PID 1568)
- Adds autorun key to be loaded by Explorer.exe on startup

C:\Windows\SysWOW64\Qpbglhjq.exe (command line: C:\Windows\system32\Qpbglhjq.exe; level 87; PID 1976)
- Adds autorun key to be loaded by Explorer.exe on startup

C:\Windows\SysWOW64\Qcachc32.exe (command line: C:\Windows\system32\Qcachc32.exe; level 88; PID 2532)
- Modifies registry class

C:\Windows\SysWOW64\Qeppdo32.exe (command line: C:\Windows\system32\Qeppdo32.exe; level 89; PID 2808)

C:\Windows\SysWOW64\Alihaioe.exe (command line: C:\Windows\system32\Alihaioe.exe; level 90; PID 2844)
- System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\Aebmjo32.exe (command line: C:\Windows\system32\Aebmjo32.exe; level 91; PID 2652)

C:\Windows\SysWOW64\Allefimb.exe (command line: C:\Windows\system32\Allefimb.exe; level 92; PID 564)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\Acfmcc32.exe (command line: C:\Windows\system32\Acfmcc32.exe; level 93; PID 2888)

C:\Windows\SysWOW64\Ajpepm32.exe (command line: C:\Windows\system32\Ajpepm32.exe; level 94; PID 1940)

C:\Windows\SysWOW64\Ahbekjcf.exe (command line: C:\Windows\system32\Ahbekjcf.exe; level 95; PID 1004)
- Drops file in System32 directory

C:\Windows\SysWOW64\Achjibcl.exe (command line: C:\Windows\system32\Achjibcl.exe; level 96; PID 1748)

C:\Windows\SysWOW64\Adifpk32.exe (command line: C:\Windows\system32\Adifpk32.exe; level 97; PID 2488)
- Adds autorun key to be loaded by Explorer.exe on startup

C:\Windows\SysWOW64\Akcomepg.exe (command line: C:\Windows\system32\Akcomepg.exe; level 98; PID 2576)

C:\Windows\SysWOW64\Abmgjo32.exe (command line: C:\Windows\system32\Abmgjo32.exe; level 99; PID 1540)
- Modifies registry class

C:\Windows\SysWOW64\Akfkbd32.exe (command line: C:\Windows\system32\Akfkbd32.exe; level 100; PID 2136)
- Drops file in System32 directory

C:\Windows\SysWOW64\Abpcooea.exe (command line: C:\Windows\system32\Abpcooea.exe; level 101; PID 2920)

C:\Windows\SysWOW64\Bhjlli32.exe (command line: C:\Windows\system32\Bhjlli32.exe; level 102; PID 2016)

C:\Windows\SysWOW64\Bnfddp32.exe (command line: C:\Windows\system32\Bnfddp32.exe; level 103; PID 1804)

C:\Windows\SysWOW64\Bjmeiq32.exe (command line: C:\Windows\system32\Bjmeiq32.exe; level 104; PID 932)

C:\Windows\SysWOW64\Bfdenafn.exe (command line: C:\Windows\system32\Bfdenafn.exe; level 105; PID 1964)
- System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\Bqijljfd.exe (command line: C:\Windows\system32\Bqijljfd.exe; level 106; PID 2860)
- System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\Bffbdadk.exe (command line: C:\Windows\system32\Bffbdadk.exe; level 107; PID 3048)

C:\Windows\SysWOW64\Bmpkqklh.exe (command line: C:\Windows\system32\Bmpkqklh.exe; level 108; PID 1888)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class

C:\Windows\SysWOW64\Bcjcme32.exe (command line: C:\Windows\system32\Bcjcme32.exe; level 109; PID 1760)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class

C:\Windows\SysWOW64\Bjdkjpkb.exe (command line: C:\Windows\system32\Bjdkjpkb.exe; level 110; PID 2272)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory

C:\Windows\SysWOW64\Coacbfii.exe (command line: C:\Windows\system32\Coacbfii.exe; level 111; PID 1576)
- Adds autorun key to be loaded by Explorer.exe on startup

C:\Windows\SysWOW64\Ciihklpj.exe (command line: C:\Windows\system32\Ciihklpj.exe; level 112; PID 2796)

C:\Windows\SysWOW64\Cocphf32.exe (command line: C:\Windows\system32\Cocphf32.exe; level 113; PID 2804)

C:\Windows\SysWOW64\Cepipm32.exe (command line: C:\Windows\system32\Cepipm32.exe; level 114; PID 1960)

C:\Windows\SysWOW64\Ckjamgmk.exe (command line: C:\Windows\system32\Ckjamgmk.exe; level 115; PID 2040)

C:\Windows\SysWOW64\Cbdiia32.exe (command line: C:\Windows\system32\Cbdiia32.exe; level 116; PID 2384)
- Adds autorun key to be loaded by Explorer.exe on startup

C:\Windows\SysWOW64\Cinafkkd.exe (command line: C:\Windows\system32\Cinafkkd.exe; level 117; PID 3016)
- Modifies registry class

C:\Windows\SysWOW64\Ckmnbg32.exe (command line: C:\Windows\system32\Ckmnbg32.exe; level 118; PID 2544)

C:\Windows\SysWOW64\Cbffoabe.exe (command line: C:\Windows\system32\Cbffoabe.exe; level 119; PID 544)

C:\Windows\SysWOW64\Cchbgi32.exe (command line: C:\Windows\system32\Cchbgi32.exe; level 120; PID 2280)

C:\Windows\SysWOW64\Calcpm32.exe (command line: C:\Windows\system32\Calcpm32.exe; level 121; PID 2228)

C:\Windows\SysWOW64\Cegoqlof.exe (command line: C:\Windows\system32\Cegoqlof.exe; level 122; PID 2908)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery