Analysis
-
max time kernel
120s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
24-12-2024 21:33
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
406f867aff76e8ea8a0d7c98e4fcf24a8046ee17963fab99b1f770b99a0f634f.exe
Resource
win7-20241010-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral2
Sample
406f867aff76e8ea8a0d7c98e4fcf24a8046ee17963fab99b1f770b99a0f634f.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
406f867aff76e8ea8a0d7c98e4fcf24a8046ee17963fab99b1f770b99a0f634f.exe
-
Size
439KB
-
MD5
ab7bf8250c80df51930128cf59ed8d54
-
SHA1
32ffbd29a663c791ccf715fc330c53fc6ec72e58
-
SHA256
406f867aff76e8ea8a0d7c98e4fcf24a8046ee17963fab99b1f770b99a0f634f
-
SHA512
cc702e300ef22df14ab8c9f38b3fe1d134bd149c5a7ac15e4aa6c1addac8e71890e34b6c9bb5468868fc8d6a360b8257052d26f3202026c090dd29cd38fad4c6
-
SSDEEP
12288:RvEPeKm2OPeKm22Vtp90NtmVtp90NtXONtE:RepEkpEYE
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjggnp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aliejq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbmdpg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pefoci32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohfgeo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Megkgpaq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cokqfhpa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Podbgo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eojpqpih.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofmiea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhngbm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdhgegfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gajlcp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kldofi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Coidpiac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ehaaei32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qpocno32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iikneggd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gqajfmpb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikhlaaif.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hacabgig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gckmgi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ollljo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cclkcdpl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okmceiii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qgqlig32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhnahl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pefoci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bcanlcgi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fpqjeiji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ehfkphnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pjkpckob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fjpipkgi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Haggkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Angmdoho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Paoedc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kgelahmn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbbfmqdm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nlfmoidh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbpncn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eehqme32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gjahfkfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Odhhdk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdhdcnng.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mbfndggh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eegidknj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Imaglc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjlpjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Abnpjnem.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anjjjn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cncmei32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipbgci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jkhhpeka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kniaap32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhlndj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gfcjqkbp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qpocno32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbdghi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ohmllf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hhnnpolk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcgqoech.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnpbinoe.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 1740 Ocihgo32.exe 276 Podbgo32.exe 2780 Pgacaaij.exe 2756 Amebjgai.exe 2848 Aeccdila.exe 2664 Agdlfd32.exe 1376 Bmhkojab.exe 1616 Bbimbpld.exe 3000 Claake32.exe 564 Caccnllf.exe 1096 Dkbnhq32.exe 1020 Dpaceg32.exe 1948 Dmecokhm.exe 1756 Dgnhhq32.exe 2156 Ehaaei32.exe 2084 Eeeanm32.exe 384 Ehfkphnd.exe 2524 Edmkei32.exe 2364 Epdljjjm.exe 2040 Fdaephpc.exe 936 Fgbnbcmd.exe 2072 Fcingdbh.exe 1704 Ffjghppi.exe 580 Gqhadmhc.exe 2276 Gfggbcdg.exe 2544 Gjephakn.exe 2592 Hliieioi.exe 2356 Hlkekilg.exe 2464 Hpinagbm.exe 2920 Hiabjm32.exe 2628 Ilblkh32.exe 2668 Ijghmd32.exe 1348 Imhanp32.exe 1696 Ilmool32.exe 984 Jongag32.exe 1152 Jaopcbga.exe 1724 Jhkeelml.exe 1748 Jhnbklji.exe 1980 Kknklg32.exe 2332 Kgelahmn.exe 2000 Kldaon32.exe 2808 Klfndn32.exe 288 Kogffida.exe 2472 Lojclibo.exe 2348 Lhddjngm.exe 2192 Lcneklck.exe 1212 Mnffnd32.exe 876 Mipgnbnn.exe 2144 Mcghajkq.exe 2776 Mekanbol.exe 3012 Nlgfqldf.exe 2992 Nnhobgag.exe 2232 Ndgdpn32.exe 2720 Nblaajbd.exe 940 Oemjbe32.exe 1692 Ohncdp32.exe 2584 Ollljo32.exe 1444 Oedqcdim.exe 2500 Okailkhd.exe 2088 Oakaheoa.exe 608 Pkcfak32.exe 2312 Pamnnemo.exe 1768 Pceqfl32.exe 1340 Qchmll32.exe -
Loads dropped DLL 64 IoCs
pid Process 2236 406f867aff76e8ea8a0d7c98e4fcf24a8046ee17963fab99b1f770b99a0f634f.exe 2236 406f867aff76e8ea8a0d7c98e4fcf24a8046ee17963fab99b1f770b99a0f634f.exe 1740 Ocihgo32.exe 1740 Ocihgo32.exe 276 Podbgo32.exe 276 Podbgo32.exe 2780 Pgacaaij.exe 2780 Pgacaaij.exe 2756 Amebjgai.exe 2756 Amebjgai.exe 2848 Aeccdila.exe 2848 Aeccdila.exe 2664 Agdlfd32.exe 2664 Agdlfd32.exe 1376 Bmhkojab.exe 1376 Bmhkojab.exe 1616 Bbimbpld.exe 1616 Bbimbpld.exe 3000 Claake32.exe 3000 Claake32.exe 564 Caccnllf.exe 564 Caccnllf.exe 1096 Dkbnhq32.exe 1096 Dkbnhq32.exe 1020 Dpaceg32.exe 1020 Dpaceg32.exe 1948 Dmecokhm.exe 1948 Dmecokhm.exe 1756 Dgnhhq32.exe 1756 Dgnhhq32.exe 2156 Ehaaei32.exe 2156 Ehaaei32.exe 2084 Eeeanm32.exe 2084 Eeeanm32.exe 384 Ehfkphnd.exe 384 Ehfkphnd.exe 2524 Edmkei32.exe 2524 Edmkei32.exe 2364 Epdljjjm.exe 2364 Epdljjjm.exe 2040 Fdaephpc.exe 2040 Fdaephpc.exe 936 Fgbnbcmd.exe 936 Fgbnbcmd.exe 2072 Fcingdbh.exe 2072 Fcingdbh.exe 1704 Ffjghppi.exe 1704 Ffjghppi.exe 580 Gqhadmhc.exe 580 Gqhadmhc.exe 2276 Gfggbcdg.exe 2276 Gfggbcdg.exe 2544 Gjephakn.exe 2544 Gjephakn.exe 2592 Hliieioi.exe 2592 Hliieioi.exe 2356 Hlkekilg.exe 2356 Hlkekilg.exe 2464 Hpinagbm.exe 2464 Hpinagbm.exe 2920 Hiabjm32.exe 2920 Hiabjm32.exe 2628 Ilblkh32.exe 2628 Ilblkh32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Cggffocg.exe Process not Found File opened for modification C:\Windows\SysWOW64\Jcekdg32.exe Process not Found File created C:\Windows\SysWOW64\Dcppmg32.exe Dcnchg32.exe File opened for modification C:\Windows\SysWOW64\Pnebgcqb.exe Pconjjql.exe File created C:\Windows\SysWOW64\Cokqfhpa.exe Cdflhppk.exe File created C:\Windows\SysWOW64\Eacnpoqi.exe Epdafl32.exe File created C:\Windows\SysWOW64\Ghmkhobf.dll Aohbaq32.exe File created C:\Windows\SysWOW64\Jlddbgai.exe Jnadfk32.exe File opened for modification C:\Windows\SysWOW64\Pjngfjha.exe Ongfai32.exe File opened for modification C:\Windows\SysWOW64\Agdlfd32.exe Aeccdila.exe File created C:\Windows\SysWOW64\Bmhkojab.exe Agdlfd32.exe File created C:\Windows\SysWOW64\Ofbikf32.exe Onehadbj.exe File created C:\Windows\SysWOW64\Gddfepbh.dll Jlegic32.exe File created C:\Windows\SysWOW64\Igeggkoq.exe Hkngbj32.exe File created C:\Windows\SysWOW64\Jopfgaod.dll Lmjdia32.exe File created C:\Windows\SysWOW64\Cehaip32.dll Dlmcaijm.exe File created C:\Windows\SysWOW64\Ecidbfbb.exe Eiapjq32.exe File created C:\Windows\SysWOW64\Nbegonmd.exe Ncpjnahm.exe File created C:\Windows\SysWOW64\Cnhhia32.exe Ckgogfmg.exe File opened for modification C:\Windows\SysWOW64\Dcnchg32.exe Djfooa32.exe File created C:\Windows\SysWOW64\Geckno32.exe Geqnho32.exe File created C:\Windows\SysWOW64\Opeeam32.dll Ifngiqlg.exe File opened for modification C:\Windows\SysWOW64\Facjobce.exe Fcnmne32.exe File opened for modification C:\Windows\SysWOW64\Bmhkojab.exe Agdlfd32.exe File created C:\Windows\SysWOW64\Klliop32.dll Eekpknlf.exe File created C:\Windows\SysWOW64\Bdpjjaiq.exe Bmfamg32.exe File created C:\Windows\SysWOW64\Ifbinipg.dll Cojlfckj.exe File opened for modification C:\Windows\SysWOW64\Dgnhhq32.exe Dmecokhm.exe File created C:\Windows\SysWOW64\Paemac32.exe Peolmb32.exe File created C:\Windows\SysWOW64\Blonkf32.dll Edmnnakm.exe File created C:\Windows\SysWOW64\Adnegldo.exe Qdlialfb.exe File created C:\Windows\SysWOW64\Fcgocdok.dll Nlfdjphd.exe File created C:\Windows\SysWOW64\Aocgll32.exe Qlbnja32.exe File created C:\Windows\SysWOW64\Obddhc32.dll Gjgmhaim.exe File created C:\Windows\SysWOW64\Egonba32.dll Iejkel32.exe File created C:\Windows\SysWOW64\Mgomoboc.exe Mglpjc32.exe File created C:\Windows\SysWOW64\Meecojqp.dll Fpjlpclc.exe File created C:\Windows\SysWOW64\Phibbk32.exe Poqniegj.exe File created C:\Windows\SysWOW64\Pkdknq32.exe Pdjcaf32.exe File created C:\Windows\SysWOW64\Apbkag32.dll Gbhpidak.exe File opened for modification C:\Windows\SysWOW64\Medggj32.exe Mhpgnfpn.exe File opened for modification C:\Windows\SysWOW64\Idepdhia.exe Ijmkkc32.exe File created C:\Windows\SysWOW64\Fhdlbd32.exe Fgqcel32.exe File created C:\Windows\SysWOW64\Nhcdgfop.dll Pbaide32.exe File created C:\Windows\SysWOW64\Bjpjnd32.dll Gpfpmonn.exe File created C:\Windows\SysWOW64\Fdkkjm32.dll Kkmhej32.exe File created C:\Windows\SysWOW64\Hdnclg32.dll Ndadld32.exe File created C:\Windows\SysWOW64\Hbkpfa32.exe Hajdniep.exe File created C:\Windows\SysWOW64\Dcaghm32.exe Dlfbck32.exe File created C:\Windows\SysWOW64\Iqpiepcn.exe Ihedan32.exe File created C:\Windows\SysWOW64\Fcnfibmg.dll Pconjjql.exe File created C:\Windows\SysWOW64\Bdpaan32.dll Coacdg32.exe File created C:\Windows\SysWOW64\Adfoppcf.dll Bmhkojab.exe File created C:\Windows\SysWOW64\Bqilfp32.exe Bhngbm32.exe File created C:\Windows\SysWOW64\Djfooa32.exe Dfhficcn.exe File created C:\Windows\SysWOW64\Ikkoagjo.exe Ihmcelkk.exe File created C:\Windows\SysWOW64\Mdbido32.dll Phfaknce.exe File opened for modification C:\Windows\SysWOW64\Bjcgdojn.exe Bcfbbe32.exe File created C:\Windows\SysWOW64\Ckmfbf32.exe Ccfoah32.exe File created C:\Windows\SysWOW64\Pgihlk32.dll Jplinckj.exe File created C:\Windows\SysWOW64\Opqjjalh.dll Obdjjb32.exe File created C:\Windows\SysWOW64\Nolilcpb.dll Cmbiap32.exe File created C:\Windows\SysWOW64\Hpiaec32.dll Pmbfoh32.exe File created C:\Windows\SysWOW64\Jknlfg32.exe Ikkoagjo.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 2684 2764 Process not Found 1117 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbaebh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdpjjaiq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kniaap32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mocogc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbgnil32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmfkbeoc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijhmnf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnhjbjam.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gomhkb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhedachg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdflepqo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhkiae32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnljkf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iihkea32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olfnpnfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohncdp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Moecghdl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nahemf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ieoiai32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdaephpc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmjdia32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhqmogam.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jaopcbga.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bqilfp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkmhej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgmmnj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Koafcppm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgjkhi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oinbglkm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qpocno32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjahfkfg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kiifjd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gflcplhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfmlif32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Folknlae.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mloigc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehfkphnd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bojogp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ecidbfbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imaglc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Leilnllb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndnncf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mipgnbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcfjik32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iopqoi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibdcnm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boppmf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlmcaijm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdhdcnng.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Degage32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndadld32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fidmniqa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggppdpif.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Keodflee.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcppmg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jodkkj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qfbcae32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgfckbfa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahbcda32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnflif32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aohbaq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgbfin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmlokdgp.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cncmei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aeijelle.dll" Emfbgg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gepeep32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nkhkbmco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nkmdmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gckmgi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bkcmba32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Epdljjjm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gflcplhh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ieoiai32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fdnabo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pamnnemo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mhlcnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hbepplkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbqkgihm.dll" Lgqmhk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gckfmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nnhobgag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gpfpmonn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lmpdoffo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhchnllb.dll" Pghklq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ajcpgi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gmlokdgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mghjcq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gmgenh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhihnldi.dll" Coidpiac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhcgnj32.dll" Pdpcgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iopqoi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aibfik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iaipmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbidbf32.dll" Eahkag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aiegpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncepanci.dll" Njcmeqkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgnncm32.dll" Cihqdoaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljgneg32.dll" Nopqlj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hliieioi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aadlgk32.dll" Kciifc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gemfghek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgihlk32.dll" Jplinckj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nndkdn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Llpbeaak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chfkjibh.dll" Jdjioh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pnjpdphd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qaipao32.dll" Aiegpg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oncpmf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dgkkdnkb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iicoai32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Admlfida.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gahcbbhl.dll" Jgjkhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oakaheoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcinmkpj.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jclpib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mbdhinmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pkboiamh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cmeffp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pjkpckob.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fgmaphdg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gpfpmonn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onbedbmj.dll" Lmlofhmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Khfcgbge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aqimoc32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2236 wrote to memory of 1740 2236 406f867aff76e8ea8a0d7c98e4fcf24a8046ee17963fab99b1f770b99a0f634f.exe 29 PID 2236 wrote to memory of 1740 2236 406f867aff76e8ea8a0d7c98e4fcf24a8046ee17963fab99b1f770b99a0f634f.exe 29 PID 2236 wrote to memory of 1740 2236 406f867aff76e8ea8a0d7c98e4fcf24a8046ee17963fab99b1f770b99a0f634f.exe 29 PID 2236 wrote to memory of 1740 2236 406f867aff76e8ea8a0d7c98e4fcf24a8046ee17963fab99b1f770b99a0f634f.exe 29 PID 1740 wrote to memory of 276 1740 Ocihgo32.exe 30 PID 1740 wrote to memory of 276 1740 Ocihgo32.exe 30 PID 1740 wrote to memory of 276 1740 Ocihgo32.exe 30 PID 1740 wrote to memory of 276 1740 Ocihgo32.exe 30 PID 276 wrote to memory of 2780 276 Podbgo32.exe 31 PID 276 wrote to memory of 2780 276 Podbgo32.exe 31 PID 276 wrote to memory of 2780 276 Podbgo32.exe 31 PID 276 wrote to memory of 2780 276 Podbgo32.exe 31 PID 2780 wrote to memory of 2756 2780 Pgacaaij.exe 32 PID 2780 wrote to memory of 2756 2780 Pgacaaij.exe 32 PID 2780 wrote to memory of 2756 2780 Pgacaaij.exe 32 PID 2780 wrote to memory of 2756 2780 Pgacaaij.exe 32 PID 2756 wrote to memory of 2848 2756 Amebjgai.exe 33 PID 2756 wrote to memory of 2848 2756 Amebjgai.exe 33 PID 2756 wrote to memory of 2848 2756 Amebjgai.exe 33 PID 2756 wrote to memory of 2848 2756 Amebjgai.exe 33 PID 2848 wrote to memory of 2664 2848 Aeccdila.exe 34 PID 2848 wrote to memory of 2664 2848 Aeccdila.exe 34 PID 2848 wrote to memory of 2664 2848 Aeccdila.exe 34 PID 2848 wrote to memory of 2664 2848 Aeccdila.exe 34 PID 2664 wrote to memory of 1376 2664 Agdlfd32.exe 35 PID 2664 wrote to memory of 1376 2664 Agdlfd32.exe 35 PID 2664 wrote to memory of 1376 2664 Agdlfd32.exe 35 PID 2664 wrote to memory of 1376 2664 Agdlfd32.exe 35 PID 1376 wrote to memory of 1616 1376 Bmhkojab.exe 36 PID 1376 wrote to memory of 1616 1376 Bmhkojab.exe 36 PID 1376 wrote to memory of 1616 1376 Bmhkojab.exe 36 PID 1376 wrote to memory of 1616 1376 Bmhkojab.exe 36 PID 1616 wrote to memory of 3000 1616 Bbimbpld.exe 37 PID 1616 wrote to memory of 3000 1616 Bbimbpld.exe 37 PID 1616 wrote to memory of 3000 1616 Bbimbpld.exe 37 PID 1616 wrote to memory of 3000 1616 Bbimbpld.exe 37 PID 3000 wrote to memory of 564 3000 Claake32.exe 38 PID 3000 wrote to memory of 564 3000 Claake32.exe 38 PID 3000 wrote to memory of 564 3000 Claake32.exe 38 PID 3000 wrote to memory of 564 3000 Claake32.exe 38 PID 564 wrote to memory of 1096 564 Caccnllf.exe 39 PID 564 wrote to memory of 1096 564 Caccnllf.exe 39 PID 564 wrote to memory of 1096 564 Caccnllf.exe 39 PID 564 wrote to memory of 1096 564 Caccnllf.exe 39 PID 1096 wrote to memory of 1020 1096 Dkbnhq32.exe 40 PID 1096 wrote to memory of 1020 1096 Dkbnhq32.exe 40 PID 1096 wrote to memory of 1020 1096 Dkbnhq32.exe 40 PID 1096 wrote to memory of 1020 1096 Dkbnhq32.exe 40 PID 1020 wrote to memory of 1948 1020 Dpaceg32.exe 41 PID 1020 wrote to memory of 1948 1020 Dpaceg32.exe 41 PID 1020 wrote to memory of 1948 1020 Dpaceg32.exe 41 PID 1020 wrote to memory of 1948 1020 Dpaceg32.exe 41 PID 1948 wrote to memory of 1756 1948 Dmecokhm.exe 42 PID 1948 wrote to memory of 1756 1948 Dmecokhm.exe 42 PID 1948 wrote to memory of 1756 1948 Dmecokhm.exe 42 PID 1948 wrote to memory of 1756 1948 Dmecokhm.exe 42 PID 1756 wrote to memory of 2156 1756 Dgnhhq32.exe 43 PID 1756 wrote to memory of 2156 1756 Dgnhhq32.exe 43 PID 1756 wrote to memory of 2156 1756 Dgnhhq32.exe 43 PID 1756 wrote to memory of 2156 1756 Dgnhhq32.exe 43 PID 2156 wrote to memory of 2084 2156 Ehaaei32.exe 44 PID 2156 wrote to memory of 2084 2156 Ehaaei32.exe 44 PID 2156 wrote to memory of 2084 2156 Ehaaei32.exe 44 PID 2156 wrote to memory of 2084 2156 Ehaaei32.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\406f867aff76e8ea8a0d7c98e4fcf24a8046ee17963fab99b1f770b99a0f634f.exe"C:\Users\Admin\AppData\Local\Temp\406f867aff76e8ea8a0d7c98e4fcf24a8046ee17963fab99b1f770b99a0f634f.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2236 -
C:\Windows\SysWOW64\Ocihgo32.exeC:\Windows\system32\Ocihgo32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1740 -
C:\Windows\SysWOW64\Podbgo32.exeC:\Windows\system32\Podbgo32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:276 -
C:\Windows\SysWOW64\Pgacaaij.exeC:\Windows\system32\Pgacaaij.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2780 -
C:\Windows\SysWOW64\Amebjgai.exeC:\Windows\system32\Amebjgai.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2756 -
C:\Windows\SysWOW64\Aeccdila.exeC:\Windows\system32\Aeccdila.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2848 -
C:\Windows\SysWOW64\Agdlfd32.exeC:\Windows\system32\Agdlfd32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Windows\SysWOW64\Bmhkojab.exeC:\Windows\system32\Bmhkojab.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1376 -
C:\Windows\SysWOW64\Bbimbpld.exeC:\Windows\system32\Bbimbpld.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1616 -
C:\Windows\SysWOW64\Claake32.exeC:\Windows\system32\Claake32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3000 -
C:\Windows\SysWOW64\Caccnllf.exeC:\Windows\system32\Caccnllf.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:564 -
C:\Windows\SysWOW64\Dkbnhq32.exeC:\Windows\system32\Dkbnhq32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1096 -
C:\Windows\SysWOW64\Dpaceg32.exeC:\Windows\system32\Dpaceg32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1020 -
C:\Windows\SysWOW64\Dmecokhm.exeC:\Windows\system32\Dmecokhm.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1948 -
C:\Windows\SysWOW64\Dgnhhq32.exeC:\Windows\system32\Dgnhhq32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1756 -
C:\Windows\SysWOW64\Ehaaei32.exeC:\Windows\system32\Ehaaei32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2156 -
C:\Windows\SysWOW64\Eeeanm32.exeC:\Windows\system32\Eeeanm32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2084 -
C:\Windows\SysWOW64\Ehfkphnd.exeC:\Windows\system32\Ehfkphnd.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:384 -
C:\Windows\SysWOW64\Edmkei32.exeC:\Windows\system32\Edmkei32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2524 -
C:\Windows\SysWOW64\Epdljjjm.exeC:\Windows\system32\Epdljjjm.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2364 -
C:\Windows\SysWOW64\Fdaephpc.exeC:\Windows\system32\Fdaephpc.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2040 -
C:\Windows\SysWOW64\Fgbnbcmd.exeC:\Windows\system32\Fgbnbcmd.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:936 -
C:\Windows\SysWOW64\Fcingdbh.exeC:\Windows\system32\Fcingdbh.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2072 -
C:\Windows\SysWOW64\Ffjghppi.exeC:\Windows\system32\Ffjghppi.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1704 -
C:\Windows\SysWOW64\Gqhadmhc.exeC:\Windows\system32\Gqhadmhc.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:580 -
C:\Windows\SysWOW64\Gfggbcdg.exeC:\Windows\system32\Gfggbcdg.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2276 -
C:\Windows\SysWOW64\Gjephakn.exeC:\Windows\system32\Gjephakn.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2544 -
C:\Windows\SysWOW64\Hliieioi.exeC:\Windows\system32\Hliieioi.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2592 -
C:\Windows\SysWOW64\Hlkekilg.exeC:\Windows\system32\Hlkekilg.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2356 -
C:\Windows\SysWOW64\Hpinagbm.exeC:\Windows\system32\Hpinagbm.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2464 -
C:\Windows\SysWOW64\Hiabjm32.exeC:\Windows\system32\Hiabjm32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2920 -
C:\Windows\SysWOW64\Ilblkh32.exeC:\Windows\system32\Ilblkh32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2628 -
C:\Windows\SysWOW64\Ijghmd32.exeC:\Windows\system32\Ijghmd32.exe33⤵
- Executes dropped EXE
PID:2668 -
C:\Windows\SysWOW64\Imhanp32.exeC:\Windows\system32\Imhanp32.exe34⤵
- Executes dropped EXE
PID:1348 -
C:\Windows\SysWOW64\Ilmool32.exeC:\Windows\system32\Ilmool32.exe35⤵
- Executes dropped EXE
PID:1696 -
C:\Windows\SysWOW64\Jongag32.exeC:\Windows\system32\Jongag32.exe36⤵
- Executes dropped EXE
PID:984 -
C:\Windows\SysWOW64\Jaopcbga.exeC:\Windows\system32\Jaopcbga.exe37⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1152 -
C:\Windows\SysWOW64\Jhkeelml.exeC:\Windows\system32\Jhkeelml.exe38⤵
- Executes dropped EXE
PID:1724 -
C:\Windows\SysWOW64\Jhnbklji.exeC:\Windows\system32\Jhnbklji.exe39⤵
- Executes dropped EXE
PID:1748 -
C:\Windows\SysWOW64\Kknklg32.exeC:\Windows\system32\Kknklg32.exe40⤵
- Executes dropped EXE
PID:1980 -
C:\Windows\SysWOW64\Kgelahmn.exeC:\Windows\system32\Kgelahmn.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2332 -
C:\Windows\SysWOW64\Kldaon32.exeC:\Windows\system32\Kldaon32.exe42⤵
- Executes dropped EXE
PID:2000 -
C:\Windows\SysWOW64\Klfndn32.exeC:\Windows\system32\Klfndn32.exe43⤵
- Executes dropped EXE
PID:2808 -
C:\Windows\SysWOW64\Kogffida.exeC:\Windows\system32\Kogffida.exe44⤵
- Executes dropped EXE
PID:288 -
C:\Windows\SysWOW64\Lojclibo.exeC:\Windows\system32\Lojclibo.exe45⤵
- Executes dropped EXE
PID:2472 -
C:\Windows\SysWOW64\Lhddjngm.exeC:\Windows\system32\Lhddjngm.exe46⤵
- Executes dropped EXE
PID:2348 -
C:\Windows\SysWOW64\Lcneklck.exeC:\Windows\system32\Lcneklck.exe47⤵
- Executes dropped EXE
PID:2192 -
C:\Windows\SysWOW64\Mnffnd32.exeC:\Windows\system32\Mnffnd32.exe48⤵
- Executes dropped EXE
PID:1212 -
C:\Windows\SysWOW64\Mipgnbnn.exeC:\Windows\system32\Mipgnbnn.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:876 -
C:\Windows\SysWOW64\Mcghajkq.exeC:\Windows\system32\Mcghajkq.exe50⤵
- Executes dropped EXE
PID:2144 -
C:\Windows\SysWOW64\Mekanbol.exeC:\Windows\system32\Mekanbol.exe51⤵
- Executes dropped EXE
PID:2776 -
C:\Windows\SysWOW64\Nlgfqldf.exeC:\Windows\system32\Nlgfqldf.exe52⤵
- Executes dropped EXE
PID:3012 -
C:\Windows\SysWOW64\Nnhobgag.exeC:\Windows\system32\Nnhobgag.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:2992 -
C:\Windows\SysWOW64\Ndgdpn32.exeC:\Windows\system32\Ndgdpn32.exe54⤵
- Executes dropped EXE
PID:2232 -
C:\Windows\SysWOW64\Nblaajbd.exeC:\Windows\system32\Nblaajbd.exe55⤵
- Executes dropped EXE
PID:2720 -
C:\Windows\SysWOW64\Oemjbe32.exeC:\Windows\system32\Oemjbe32.exe56⤵
- Executes dropped EXE
PID:940 -
C:\Windows\SysWOW64\Ohncdp32.exeC:\Windows\system32\Ohncdp32.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1692 -
C:\Windows\SysWOW64\Ollljo32.exeC:\Windows\system32\Ollljo32.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2584 -
C:\Windows\SysWOW64\Oedqcdim.exeC:\Windows\system32\Oedqcdim.exe59⤵
- Executes dropped EXE
PID:1444 -
C:\Windows\SysWOW64\Okailkhd.exeC:\Windows\system32\Okailkhd.exe60⤵
- Executes dropped EXE
PID:2500 -
C:\Windows\SysWOW64\Oakaheoa.exeC:\Windows\system32\Oakaheoa.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:2088 -
C:\Windows\SysWOW64\Pkcfak32.exeC:\Windows\system32\Pkcfak32.exe62⤵
- Executes dropped EXE
PID:608 -
C:\Windows\SysWOW64\Pamnnemo.exeC:\Windows\system32\Pamnnemo.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:2312 -
C:\Windows\SysWOW64\Pceqfl32.exeC:\Windows\system32\Pceqfl32.exe64⤵
- Executes dropped EXE
PID:1768 -
C:\Windows\SysWOW64\Qchmll32.exeC:\Windows\system32\Qchmll32.exe65⤵
- Executes dropped EXE
PID:1340 -
C:\Windows\SysWOW64\Qkcbpn32.exeC:\Windows\system32\Qkcbpn32.exe66⤵PID:1960
-
C:\Windows\SysWOW64\Qlbnja32.exeC:\Windows\system32\Qlbnja32.exe67⤵
- Drops file in System32 directory
PID:2256 -
C:\Windows\SysWOW64\Aocgll32.exeC:\Windows\system32\Aocgll32.exe68⤵PID:1812
-
C:\Windows\SysWOW64\Agolpnjl.exeC:\Windows\system32\Agolpnjl.exe69⤵PID:2820
-
C:\Windows\SysWOW64\Aqgqid32.exeC:\Windows\system32\Aqgqid32.exe70⤵PID:2884
-
C:\Windows\SysWOW64\Aqimoc32.exeC:\Windows\system32\Aqimoc32.exe71⤵
- Modifies registry class
PID:3052 -
C:\Windows\SysWOW64\Acjfpokk.exeC:\Windows\system32\Acjfpokk.exe72⤵PID:648
-
C:\Windows\SysWOW64\Bbapgknp.exeC:\Windows\system32\Bbapgknp.exe73⤵PID:2788
-
C:\Windows\SysWOW64\Bgqeea32.exeC:\Windows\system32\Bgqeea32.exe74⤵PID:3008
-
C:\Windows\SysWOW64\Cnogmk32.exeC:\Windows\system32\Cnogmk32.exe75⤵PID:2704
-
C:\Windows\SysWOW64\Ccloea32.exeC:\Windows\system32\Ccloea32.exe76⤵PID:2292
-
C:\Windows\SysWOW64\Cfmhfm32.exeC:\Windows\system32\Cfmhfm32.exe77⤵PID:308
-
C:\Windows\SysWOW64\Cabldeik.exeC:\Windows\system32\Cabldeik.exe78⤵PID:2980
-
C:\Windows\SysWOW64\Cllmdcej.exeC:\Windows\system32\Cllmdcej.exe79⤵PID:2928
-
C:\Windows\SysWOW64\Cipnng32.exeC:\Windows\system32\Cipnng32.exe80⤵PID:1988
-
C:\Windows\SysWOW64\Dhekodik.exeC:\Windows\system32\Dhekodik.exe81⤵PID:2112
-
C:\Windows\SysWOW64\Danohi32.exeC:\Windows\system32\Danohi32.exe82⤵PID:1792
-
C:\Windows\SysWOW64\Dabicikf.exeC:\Windows\system32\Dabicikf.exe83⤵PID:1992
-
C:\Windows\SysWOW64\Dhlapc32.exeC:\Windows\system32\Dhlapc32.exe84⤵PID:2120
-
C:\Windows\SysWOW64\Emkfmioh.exeC:\Windows\system32\Emkfmioh.exe85⤵PID:1624
-
C:\Windows\SysWOW64\Egfglocf.exeC:\Windows\system32\Egfglocf.exe86⤵PID:1612
-
C:\Windows\SysWOW64\Eoalpaaa.exeC:\Windows\system32\Eoalpaaa.exe87⤵PID:1632
-
C:\Windows\SysWOW64\Eigpmjqg.exeC:\Windows\system32\Eigpmjqg.exe88⤵PID:2488
-
C:\Windows\SysWOW64\Ehlmnfeo.exeC:\Windows\system32\Ehlmnfeo.exe89⤵PID:888
-
C:\Windows\SysWOW64\Fdcncg32.exeC:\Windows\system32\Fdcncg32.exe90⤵PID:2228
-
C:\Windows\SysWOW64\Fhqfie32.exeC:\Windows\system32\Fhqfie32.exe91⤵PID:2712
-
C:\Windows\SysWOW64\Fnnobl32.exeC:\Windows\system32\Fnnobl32.exe92⤵PID:1636
-
C:\Windows\SysWOW64\Fgfckbfa.exeC:\Windows\system32\Fgfckbfa.exe93⤵
- System Location Discovery: System Language Discovery
PID:924 -
C:\Windows\SysWOW64\Fqnhcgma.exeC:\Windows\system32\Fqnhcgma.exe94⤵PID:1040
-
C:\Windows\SysWOW64\Fcoaebjc.exeC:\Windows\system32\Fcoaebjc.exe95⤵PID:2096
-
C:\Windows\SysWOW64\Gmgenh32.exeC:\Windows\system32\Gmgenh32.exe96⤵
- Modifies registry class
PID:2764 -
C:\Windows\SysWOW64\Gmjbchnq.exeC:\Windows\system32\Gmjbchnq.exe97⤵PID:624
-
C:\Windows\SysWOW64\Gbfklolh.exeC:\Windows\system32\Gbfklolh.exe98⤵PID:2352
-
C:\Windows\SysWOW64\Gfdcbmbn.exeC:\Windows\system32\Gfdcbmbn.exe99⤵PID:1728
-
C:\Windows\SysWOW64\Gomhkb32.exeC:\Windows\system32\Gomhkb32.exe100⤵
- System Location Discovery: System Language Discovery
PID:2700 -
C:\Windows\SysWOW64\Gghloe32.exeC:\Windows\system32\Gghloe32.exe101⤵PID:2172
-
C:\Windows\SysWOW64\Hbnqln32.exeC:\Windows\system32\Hbnqln32.exe102⤵PID:1968
-
C:\Windows\SysWOW64\Hgjieedg.exeC:\Windows\system32\Hgjieedg.exe103⤵PID:2380
-
C:\Windows\SysWOW64\Hgmfjdbe.exeC:\Windows\system32\Hgmfjdbe.exe104⤵PID:3016
-
C:\Windows\SysWOW64\Hfbckagm.exeC:\Windows\system32\Hfbckagm.exe105⤵PID:2512
-
C:\Windows\SysWOW64\Hmlkhk32.exeC:\Windows\system32\Hmlkhk32.exe106⤵PID:2076
-
C:\Windows\SysWOW64\Hajdniep.exeC:\Windows\system32\Hajdniep.exe107⤵
- Drops file in System32 directory
PID:1472 -
C:\Windows\SysWOW64\Hbkpfa32.exeC:\Windows\system32\Hbkpfa32.exe108⤵PID:2532
-
C:\Windows\SysWOW64\Ilfadg32.exeC:\Windows\system32\Ilfadg32.exe109⤵PID:2912
-
C:\Windows\SysWOW64\Ihlbih32.exeC:\Windows\system32\Ihlbih32.exe110⤵PID:2508
-
C:\Windows\SysWOW64\Iaegbmlq.exeC:\Windows\system32\Iaegbmlq.exe111⤵PID:836
-
C:\Windows\SysWOW64\Ijmkkc32.exeC:\Windows\system32\Ijmkkc32.exe112⤵
- Drops file in System32 directory
PID:2840 -
C:\Windows\SysWOW64\Idepdhia.exeC:\Windows\system32\Idepdhia.exe113⤵PID:2892
-
C:\Windows\SysWOW64\Iaipmm32.exeC:\Windows\system32\Iaipmm32.exe114⤵
- Modifies registry class
PID:2836 -
C:\Windows\SysWOW64\Jdjioh32.exeC:\Windows\system32\Jdjioh32.exe115⤵
- Modifies registry class
PID:2032 -
C:\Windows\SysWOW64\Janihlcf.exeC:\Windows\system32\Janihlcf.exe116⤵PID:2984
-
C:\Windows\SysWOW64\Jpcfih32.exeC:\Windows\system32\Jpcfih32.exe117⤵PID:2816
-
C:\Windows\SysWOW64\Jmggcmgg.exeC:\Windows\system32\Jmggcmgg.exe118⤵PID:2728
-
C:\Windows\SysWOW64\Kaillp32.exeC:\Windows\system32\Kaillp32.exe119⤵PID:860
-
C:\Windows\SysWOW64\Kciifc32.exeC:\Windows\system32\Kciifc32.exe120⤵
- Modifies registry class
PID:2900 -
C:\Windows\SysWOW64\Lfedlb32.exeC:\Windows\system32\Lfedlb32.exe121⤵PID:1804
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-