Analysis
-
max time kernel
122s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
24-12-2024 23:10
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
6b62aaeeefc0a7ea3ca1a133c1cedf85fe8531e37914316b03b41af8b92ba330.exe
Resource
win7-20240903-en
windows7-x64
11 signatures
150 seconds
Behavioral task
behavioral2
Sample
6b62aaeeefc0a7ea3ca1a133c1cedf85fe8531e37914316b03b41af8b92ba330.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
6b62aaeeefc0a7ea3ca1a133c1cedf85fe8531e37914316b03b41af8b92ba330.exe
-
Size
88KB
-
MD5
f9a7a517d620a5c296f67351400f9c49
-
SHA1
fb56c46f65a7c52f671c803800c833a78e9d0560
-
SHA256
6b62aaeeefc0a7ea3ca1a133c1cedf85fe8531e37914316b03b41af8b92ba330
-
SHA512
270397d37b5c667a3add5a8d48f65467a841cd84ffe6cf25218b9967aa472a189ab6f5b5e77989fc307e1f7914cf9ef0f78bb06550cee3550e4d878f6daeb4c9
-
SSDEEP
1536:xKTbmt/bY4jRM7p/ZuwFL8QOVXtE1ukVd71rFZO7+90vT:xE4bUZNLi9EIIJ15ZO7Vr
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://tat-neftbank.ru/kkq.php
http://tat-neftbank.ru/wcmd.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iipiljgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Khghgchk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmeolj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhbold32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojomdoof.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmmeon32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qoeeolig.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpqain32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cohkpj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhoice32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohagbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhiomn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oemegc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffodjh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jampjian.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Boidnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lohccp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmdmmalf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Agjmim32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilofhffj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nlhjhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Obgkpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Piqpkpml.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjkgjl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdjjag32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlelhe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjbeofpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Apgagg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Adifpk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cgfkmgnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aoojnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cgoelh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ijklknbn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lnbdko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Okpcoe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdhkfd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlnklcej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mjfnomde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gnmifk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qcachc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pgpgjepk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qackpado.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Llgjaeoj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgqocoin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mpgobc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opnbbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gjicfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Imokehhl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cenljmgq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgoelh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eqjmncna.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adfqgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eacljf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhbnbpjc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knkgpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dahifbpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkacpihj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggfnopfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Elajgpmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Elkmmodo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcphnm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjfnomde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eqjmncna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lbicoamh.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2384 Ogekpg32.exe 2920 Oehklddp.exe 1832 Ooqpdj32.exe 2736 Oghhfg32.exe 2240 Oifdbb32.exe 2724 Ooclji32.exe 2136 Oemegc32.exe 808 Olgmcmgh.exe 2456 Poeipifl.exe 2712 Pdbahpec.exe 2972 Plijimee.exe 2864 Pafbadcm.exe 1424 Pddnnp32.exe 2096 Pkofjijm.exe 1728 Pqkobqhd.exe 3024 Pkacpihj.exe 2484 Pnopldgn.exe 1188 Pdihiook.exe 1888 Pclhdl32.exe 1356 Pjfpafmb.exe 1680 Pmdmmalf.exe 3004 Pcnejk32.exe 1740 Qgjqjjll.exe 2380 Qqbecp32.exe 976 Qoeeolig.exe 1332 Qglmpi32.exe 2620 Qmifhq32.exe 2832 Accnekon.exe 2784 Aipfmane.exe 2624 Aojojl32.exe 2644 Acekjjmk.exe 1684 Afdgfelo.exe 832 Amnocpdk.exe 2300 Aollokco.exe 2936 Aeidgbaf.exe 1496 Aidphq32.exe 2072 Aapemc32.exe 388 Agjmim32.exe 1880 Ajhiei32.exe 484 Ancefgfd.exe 2312 Acqnnndl.exe 752 Agljom32.exe 1624 Ajjfkh32.exe 1792 Bnfblgca.exe 2248 Badnhbce.exe 880 Bgnfdm32.exe 1756 Bfagpiam.exe 112 Bnhoag32.exe 2756 Bmkomchi.exe 2812 Bagkmb32.exe 2728 Bcegin32.exe 2820 Bgqcjlhp.exe 2220 Bjoofhgc.exe 2600 Bibpad32.exe 2460 Bmnlbcfg.exe 2292 Baigca32.exe 1956 Bcgdom32.exe 1932 Bffpki32.exe 3028 Bidlgdlk.exe 1040 Bmphhc32.exe 768 Bcjqdmla.exe 292 Bbmapj32.exe 1688 Bekmle32.exe 764 Bigimdjh.exe -
Loads dropped DLL 64 IoCs
pid Process 1748 6b62aaeeefc0a7ea3ca1a133c1cedf85fe8531e37914316b03b41af8b92ba330.exe 1748 6b62aaeeefc0a7ea3ca1a133c1cedf85fe8531e37914316b03b41af8b92ba330.exe 2384 Ogekpg32.exe 2384 Ogekpg32.exe 2920 Oehklddp.exe 2920 Oehklddp.exe 1832 Ooqpdj32.exe 1832 Ooqpdj32.exe 2736 Oghhfg32.exe 2736 Oghhfg32.exe 2240 Oifdbb32.exe 2240 Oifdbb32.exe 2724 Ooclji32.exe 2724 Ooclji32.exe 2136 Oemegc32.exe 2136 Oemegc32.exe 808 Olgmcmgh.exe 808 Olgmcmgh.exe 2456 Poeipifl.exe 2456 Poeipifl.exe 2712 Pdbahpec.exe 2712 Pdbahpec.exe 2972 Plijimee.exe 2972 Plijimee.exe 2864 Pafbadcm.exe 2864 Pafbadcm.exe 1424 Pddnnp32.exe 1424 Pddnnp32.exe 2096 Pkofjijm.exe 2096 Pkofjijm.exe 1728 Pqkobqhd.exe 1728 Pqkobqhd.exe 3024 Pkacpihj.exe 3024 Pkacpihj.exe 2484 Pnopldgn.exe 2484 Pnopldgn.exe 1188 Pdihiook.exe 1188 Pdihiook.exe 1888 Pclhdl32.exe 1888 Pclhdl32.exe 1356 Pjfpafmb.exe 1356 Pjfpafmb.exe 1680 Pmdmmalf.exe 1680 Pmdmmalf.exe 3004 Pcnejk32.exe 3004 Pcnejk32.exe 1740 Qgjqjjll.exe 1740 Qgjqjjll.exe 2380 Qqbecp32.exe 2380 Qqbecp32.exe 976 Qoeeolig.exe 976 Qoeeolig.exe 1332 Qglmpi32.exe 1332 Qglmpi32.exe 2620 Qmifhq32.exe 2620 Qmifhq32.exe 2832 Accnekon.exe 2832 Accnekon.exe 2784 Aipfmane.exe 2784 Aipfmane.exe 2624 Aojojl32.exe 2624 Aojojl32.exe 2644 Acekjjmk.exe 2644 Acekjjmk.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Emagacdm.exe Eiekpd32.exe File created C:\Windows\SysWOW64\Nmkplgnq.exe Nedhjj32.exe File created C:\Windows\SysWOW64\Faakdene.dll Eccpoo32.exe File created C:\Windows\SysWOW64\Ffhnoj32.dll Fbdlkj32.exe File created C:\Windows\SysWOW64\Jmiajbpa.dll Ibfaopoi.exe File created C:\Windows\SysWOW64\Mbbfep32.exe Mjkndb32.exe File created C:\Windows\SysWOW64\Egflhe32.dll Obgkpb32.exe File created C:\Windows\SysWOW64\Aaiioe32.dll Eclbcj32.exe File created C:\Windows\SysWOW64\Apgagg32.exe Allefimb.exe File created C:\Windows\SysWOW64\Jeqkmn32.dll Hdlkcdog.exe File opened for modification C:\Windows\SysWOW64\Nlfmbibo.exe Nmcmgm32.exe File created C:\Windows\SysWOW64\Codfplej.dll Jmfafgbd.exe File created C:\Windows\SysWOW64\Qqfkbadh.dll Loefnpnn.exe File created C:\Windows\SysWOW64\Klbgbj32.dll Omklkkpl.exe File opened for modification C:\Windows\SysWOW64\Kfbfkmeh.exe Kbgjkn32.exe File opened for modification C:\Windows\SysWOW64\Gqdefddb.exe Gbadjg32.exe File opened for modification C:\Windows\SysWOW64\Mqnifg32.exe Mnomjl32.exe File created C:\Windows\SysWOW64\Oifdbb32.exe Oghhfg32.exe File created C:\Windows\SysWOW64\Agjmim32.exe Aapemc32.exe File created C:\Windows\SysWOW64\Ljnnko32.exe Lfbbjpgd.exe File created C:\Windows\SysWOW64\Imcpdkff.dll Dobgihgp.exe File opened for modification C:\Windows\SysWOW64\Bagkmb32.exe Bmkomchi.exe File created C:\Windows\SysWOW64\Bkmjncbj.dll Nmqpam32.exe File created C:\Windows\SysWOW64\Liihgqil.dll Gjojef32.exe File created C:\Windows\SysWOW64\Pmmeon32.exe Pojecajj.exe File created C:\Windows\SysWOW64\Pplaki32.exe Pmmeon32.exe File created C:\Windows\SysWOW64\Bcegin32.exe Bagkmb32.exe File created C:\Windows\SysWOW64\Lgbgkabo.dll Hloiib32.exe File created C:\Windows\SysWOW64\Elooehob.dll Kfbfkmeh.exe File created C:\Windows\SysWOW64\Fcnkhmdp.exe Fpoolael.exe File opened for modification C:\Windows\SysWOW64\Fcnkhmdp.exe Fpoolael.exe File created C:\Windows\SysWOW64\Bfioia32.exe Bbmcibjp.exe File opened for modification C:\Windows\SysWOW64\Cenljmgq.exe Cbppnbhm.exe File opened for modification C:\Windows\SysWOW64\Aipfmane.exe Accnekon.exe File created C:\Windows\SysWOW64\Eabcggll.exe Enfgfh32.exe File created C:\Windows\SysWOW64\Ndpojd32.dll Lgkhdddo.exe File created C:\Windows\SysWOW64\Plmpblnb.exe Pnjofo32.exe File created C:\Windows\SysWOW64\Nlhhkjkc.dll Agbpnh32.exe File opened for modification C:\Windows\SysWOW64\Cnmfdb32.exe Cjakccop.exe File created C:\Windows\SysWOW64\Fdnolfon.exe Fcmben32.exe File created C:\Windows\SysWOW64\Hnkion32.exe Hphidanj.exe File created C:\Windows\SysWOW64\Iegjqk32.exe Ibhndp32.exe File created C:\Windows\SysWOW64\Ghjggnbo.dll Jnkakl32.exe File created C:\Windows\SysWOW64\Knbhlkkc.exe Kfkpknkq.exe File created C:\Windows\SysWOW64\Ciaefa32.exe Cfcijf32.exe File created C:\Windows\SysWOW64\Afdiondb.exe Aaimopli.exe File created C:\Windows\SysWOW64\Gpelnb32.exe Gmgpbf32.exe File opened for modification C:\Windows\SysWOW64\Kcmcoblm.exe Jpogbgmi.exe File created C:\Windows\SysWOW64\Kcdjoaee.exe Kkmand32.exe File created C:\Windows\SysWOW64\Ppcbgkka.exe Oaqbln32.exe File opened for modification C:\Windows\SysWOW64\Bckjhl32.exe Behilopf.exe File created C:\Windows\SysWOW64\Lnjeilhc.dll Lgehno32.exe File created C:\Windows\SysWOW64\Jbpdeogo.exe Jkhldafl.exe File opened for modification C:\Windows\SysWOW64\Aknlofim.exe Agbpnh32.exe File opened for modification C:\Windows\SysWOW64\Kekiphge.exe Kaompi32.exe File created C:\Windows\SysWOW64\Hicoaj32.dll Pddnnp32.exe File opened for modification C:\Windows\SysWOW64\Enbnkigh.exe Eoompl32.exe File created C:\Windows\SysWOW64\Hinqgg32.exe Hebdfind.exe File created C:\Windows\SysWOW64\Mmlkmc32.dll Ciohqa32.exe File created C:\Windows\SysWOW64\Egjbdo32.exe Edlfhc32.exe File opened for modification C:\Windows\SysWOW64\Lqhfhigj.exe Lmljgj32.exe File created C:\Windows\SysWOW64\Epojbfko.dll Aciqcifh.exe File opened for modification C:\Windows\SysWOW64\Nbjeinje.exe Nnoiio32.exe File created C:\Windows\SysWOW64\Nidmfh32.exe Neiaeiii.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\system32†Dcllbhdn.¿xe Dpapaj32.exe File opened for modification C:\Windows\system32†Dcllbhdn.¿xe Dpapaj32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 10148 10116 WerFault.exe 984 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omioekbo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pafdjmkq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elkmmodo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdiogq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihdpbq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bffbdadk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amcbankf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eeohkeoe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdeqfhjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmpdgf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkejcq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljkaeo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Neknki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qdlggg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccjoli32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bcgdom32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njjcip32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfmbek32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkaehb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdpkbf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgnadkic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iakgefqe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngealejo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eacljf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ompefj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pclhdl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cadjgf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agpcihcf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oiffkkbk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnpflj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggnmbn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijehdl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akabgebj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmgpbf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjbbpmgo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbbbdcgi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jeafjiop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjmnjkjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbjeinje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmkhjncg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abmgjo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egokonjc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgkhdddo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkephn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njfjnpgp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgfjhcge.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Neiaeiii.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfdopp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddfebnoo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gceailog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjonncab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ooicid32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpphhp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qkfocaki.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbpdeogo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aknlofim.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cblfdg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlkngc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aojojl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgnfdm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iinmfk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpegcq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhlgmd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdlkcdog.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ggkqmoma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikcljcke.dll" Fkhgip32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nbpeoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egflhe32.dll" Obgkpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bkklhjnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkjjaebl.dll" Ffodjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Omklkkpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Olpilg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nagbgl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gnkmqkbi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ppcbgkka.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qdojgmfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gepafc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Chlfnp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Amaelomh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fpoolael.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ffodjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kheoph32.dll" Nedhjj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bjpaop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bgcbhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckeolc32.dll" Oemegc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hneeilgj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Inhanl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bceibfgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjkbonmp.dll" Npmphinm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hmeolj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mfglep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qdaglmcb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cmmagpef.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Boogmgkl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hinqgg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fnflke32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ibejdjln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klbgbj32.dll" Omklkkpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lqhfhigj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhiejpim.dll" Pmpbdm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bgaebe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dknajh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lgkhdddo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dafmqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kaqnpc32.dll" Cinafkkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccofjipn.dll" Cgfkmgnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjapamid.dll" Ggfnopfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfpemp32.dll" Nlhjhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Akiobk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kjmnjkjd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oehklddp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Biaign32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Khielcfh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fhikme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mbpipp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aqmamm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Amfognic.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dacpkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfekkflj.dll" Idgglb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bqlfaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iiegdegb.dll" Mmadbjkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddlfji32.dll" Jhoice32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iliebpfc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jliaac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Loefnpnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bodgdaah.dll" Dojddmec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lcomce32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mbkpeake.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1748 wrote to memory of 2384 1748 6b62aaeeefc0a7ea3ca1a133c1cedf85fe8531e37914316b03b41af8b92ba330.exe 30 PID 1748 wrote to memory of 2384 1748 6b62aaeeefc0a7ea3ca1a133c1cedf85fe8531e37914316b03b41af8b92ba330.exe 30 PID 1748 wrote to memory of 2384 1748 6b62aaeeefc0a7ea3ca1a133c1cedf85fe8531e37914316b03b41af8b92ba330.exe 30 PID 1748 wrote to memory of 2384 1748 6b62aaeeefc0a7ea3ca1a133c1cedf85fe8531e37914316b03b41af8b92ba330.exe 30 PID 2384 wrote to memory of 2920 2384 Ogekpg32.exe 31 PID 2384 wrote to memory of 2920 2384 Ogekpg32.exe 31 PID 2384 wrote to memory of 2920 2384 Ogekpg32.exe 31 PID 2384 wrote to memory of 2920 2384 Ogekpg32.exe 31 PID 2920 wrote to memory of 1832 2920 Oehklddp.exe 32 PID 2920 wrote to memory of 1832 2920 Oehklddp.exe 32 PID 2920 wrote to memory of 1832 2920 Oehklddp.exe 32 PID 2920 wrote to memory of 1832 2920 Oehklddp.exe 32 PID 1832 wrote to memory of 2736 1832 Ooqpdj32.exe 33 PID 1832 wrote to memory of 2736 1832 Ooqpdj32.exe 33 PID 1832 wrote to memory of 2736 1832 Ooqpdj32.exe 33 PID 1832 wrote to memory of 2736 1832 Ooqpdj32.exe 33 PID 2736 wrote to memory of 2240 2736 Oghhfg32.exe 34 PID 2736 wrote to memory of 2240 2736 Oghhfg32.exe 34 PID 2736 wrote to memory of 2240 2736 Oghhfg32.exe 34 PID 2736 wrote to memory of 2240 2736 Oghhfg32.exe 34 PID 2240 wrote to memory of 2724 2240 Oifdbb32.exe 35 PID 2240 wrote to memory of 2724 2240 Oifdbb32.exe 35 PID 2240 wrote to memory of 2724 2240 Oifdbb32.exe 35 PID 2240 wrote to memory of 2724 2240 Oifdbb32.exe 35 PID 2724 wrote to memory of 2136 2724 Ooclji32.exe 36 PID 2724 wrote to memory of 2136 2724 Ooclji32.exe 36 PID 2724 wrote to memory of 2136 2724 Ooclji32.exe 36 PID 2724 wrote to memory of 2136 2724 Ooclji32.exe 36 PID 2136 wrote to memory of 808 2136 Oemegc32.exe 37 PID 2136 wrote to memory of 808 2136 Oemegc32.exe 37 PID 2136 wrote to memory of 808 2136 Oemegc32.exe 37 PID 2136 wrote to memory of 808 2136 Oemegc32.exe 37 PID 808 wrote to memory of 2456 808 Olgmcmgh.exe 38 PID 808 wrote to memory of 2456 808 Olgmcmgh.exe 38 PID 808 wrote to memory of 2456 808 Olgmcmgh.exe 38 PID 808 wrote to memory of 2456 808 Olgmcmgh.exe 38 PID 2456 wrote to memory of 2712 2456 Poeipifl.exe 39 PID 2456 wrote to memory of 2712 2456 Poeipifl.exe 39 PID 2456 wrote to memory of 2712 2456 Poeipifl.exe 39 PID 2456 wrote to memory of 2712 2456 Poeipifl.exe 39 PID 2712 wrote to memory of 2972 2712 Pdbahpec.exe 40 PID 2712 wrote to memory of 2972 2712 Pdbahpec.exe 40 PID 2712 wrote to memory of 2972 2712 Pdbahpec.exe 40 PID 2712 wrote to memory of 2972 2712 Pdbahpec.exe 40 PID 2972 wrote to memory of 2864 2972 Plijimee.exe 41 PID 2972 wrote to memory of 2864 2972 Plijimee.exe 41 PID 2972 wrote to memory of 2864 2972 Plijimee.exe 41 PID 2972 wrote to memory of 2864 2972 Plijimee.exe 41 PID 2864 wrote to memory of 1424 2864 Pafbadcm.exe 42 PID 2864 wrote to memory of 1424 2864 Pafbadcm.exe 42 PID 2864 wrote to memory of 1424 2864 Pafbadcm.exe 42 PID 2864 wrote to memory of 1424 2864 Pafbadcm.exe 42 PID 1424 wrote to memory of 2096 1424 Pddnnp32.exe 43 PID 1424 wrote to memory of 2096 1424 Pddnnp32.exe 43 PID 1424 wrote to memory of 2096 1424 Pddnnp32.exe 43 PID 1424 wrote to memory of 2096 1424 Pddnnp32.exe 43 PID 2096 wrote to memory of 1728 2096 Pkofjijm.exe 44 PID 2096 wrote to memory of 1728 2096 Pkofjijm.exe 44 PID 2096 wrote to memory of 1728 2096 Pkofjijm.exe 44 PID 2096 wrote to memory of 1728 2096 Pkofjijm.exe 44 PID 1728 wrote to memory of 3024 1728 Pqkobqhd.exe 45 PID 1728 wrote to memory of 3024 1728 Pqkobqhd.exe 45 PID 1728 wrote to memory of 3024 1728 Pqkobqhd.exe 45 PID 1728 wrote to memory of 3024 1728 Pqkobqhd.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\6b62aaeeefc0a7ea3ca1a133c1cedf85fe8531e37914316b03b41af8b92ba330.exe"C:\Users\Admin\AppData\Local\Temp\6b62aaeeefc0a7ea3ca1a133c1cedf85fe8531e37914316b03b41af8b92ba330.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1748 -
C:\Windows\SysWOW64\Ogekpg32.exeC:\Windows\system32\Ogekpg32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2384 -
C:\Windows\SysWOW64\Oehklddp.exeC:\Windows\system32\Oehklddp.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2920 -
C:\Windows\SysWOW64\Ooqpdj32.exeC:\Windows\system32\Ooqpdj32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1832 -
C:\Windows\SysWOW64\Oghhfg32.exeC:\Windows\system32\Oghhfg32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Windows\SysWOW64\Oifdbb32.exeC:\Windows\system32\Oifdbb32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2240 -
C:\Windows\SysWOW64\Ooclji32.exeC:\Windows\system32\Ooclji32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2724 -
C:\Windows\SysWOW64\Oemegc32.exeC:\Windows\system32\Oemegc32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2136 -
C:\Windows\SysWOW64\Olgmcmgh.exeC:\Windows\system32\Olgmcmgh.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:808 -
C:\Windows\SysWOW64\Poeipifl.exeC:\Windows\system32\Poeipifl.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2456 -
C:\Windows\SysWOW64\Pdbahpec.exeC:\Windows\system32\Pdbahpec.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Windows\SysWOW64\Plijimee.exeC:\Windows\system32\Plijimee.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2972 -
C:\Windows\SysWOW64\Pafbadcm.exeC:\Windows\system32\Pafbadcm.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2864 -
C:\Windows\SysWOW64\Pddnnp32.exeC:\Windows\system32\Pddnnp32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1424 -
C:\Windows\SysWOW64\Pkofjijm.exeC:\Windows\system32\Pkofjijm.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2096 -
C:\Windows\SysWOW64\Pqkobqhd.exeC:\Windows\system32\Pqkobqhd.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1728 -
C:\Windows\SysWOW64\Pkacpihj.exeC:\Windows\system32\Pkacpihj.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:3024 -
C:\Windows\SysWOW64\Pnopldgn.exeC:\Windows\system32\Pnopldgn.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2484 -
C:\Windows\SysWOW64\Pdihiook.exeC:\Windows\system32\Pdihiook.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1188 -
C:\Windows\SysWOW64\Pclhdl32.exeC:\Windows\system32\Pclhdl32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1888 -
C:\Windows\SysWOW64\Pjfpafmb.exeC:\Windows\system32\Pjfpafmb.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1356 -
C:\Windows\SysWOW64\Pmdmmalf.exeC:\Windows\system32\Pmdmmalf.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1680 -
C:\Windows\SysWOW64\Pcnejk32.exeC:\Windows\system32\Pcnejk32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3004 -
C:\Windows\SysWOW64\Qgjqjjll.exeC:\Windows\system32\Qgjqjjll.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1740 -
C:\Windows\SysWOW64\Qqbecp32.exeC:\Windows\system32\Qqbecp32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2380 -
C:\Windows\SysWOW64\Qoeeolig.exeC:\Windows\system32\Qoeeolig.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:976 -
C:\Windows\SysWOW64\Qglmpi32.exeC:\Windows\system32\Qglmpi32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1332 -
C:\Windows\SysWOW64\Qmifhq32.exeC:\Windows\system32\Qmifhq32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2620 -
C:\Windows\SysWOW64\Accnekon.exeC:\Windows\system32\Accnekon.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2832 -
C:\Windows\SysWOW64\Aipfmane.exeC:\Windows\system32\Aipfmane.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2784 -
C:\Windows\SysWOW64\Aojojl32.exeC:\Windows\system32\Aojojl32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2624 -
C:\Windows\SysWOW64\Acekjjmk.exeC:\Windows\system32\Acekjjmk.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2644 -
C:\Windows\SysWOW64\Afdgfelo.exeC:\Windows\system32\Afdgfelo.exe33⤵
- Executes dropped EXE
PID:1684 -
C:\Windows\SysWOW64\Amnocpdk.exeC:\Windows\system32\Amnocpdk.exe34⤵
- Executes dropped EXE
PID:832 -
C:\Windows\SysWOW64\Aollokco.exeC:\Windows\system32\Aollokco.exe35⤵
- Executes dropped EXE
PID:2300 -
C:\Windows\SysWOW64\Aeidgbaf.exeC:\Windows\system32\Aeidgbaf.exe36⤵
- Executes dropped EXE
PID:2936 -
C:\Windows\SysWOW64\Aidphq32.exeC:\Windows\system32\Aidphq32.exe37⤵
- Executes dropped EXE
PID:1496 -
C:\Windows\SysWOW64\Aapemc32.exeC:\Windows\system32\Aapemc32.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2072 -
C:\Windows\SysWOW64\Agjmim32.exeC:\Windows\system32\Agjmim32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:388 -
C:\Windows\SysWOW64\Ajhiei32.exeC:\Windows\system32\Ajhiei32.exe40⤵
- Executes dropped EXE
PID:1880 -
C:\Windows\SysWOW64\Ancefgfd.exeC:\Windows\system32\Ancefgfd.exe41⤵
- Executes dropped EXE
PID:484 -
C:\Windows\SysWOW64\Acqnnndl.exeC:\Windows\system32\Acqnnndl.exe42⤵
- Executes dropped EXE
PID:2312 -
C:\Windows\SysWOW64\Agljom32.exeC:\Windows\system32\Agljom32.exe43⤵
- Executes dropped EXE
PID:752 -
C:\Windows\SysWOW64\Ajjfkh32.exeC:\Windows\system32\Ajjfkh32.exe44⤵
- Executes dropped EXE
PID:1624 -
C:\Windows\SysWOW64\Bnfblgca.exeC:\Windows\system32\Bnfblgca.exe45⤵
- Executes dropped EXE
PID:1792 -
C:\Windows\SysWOW64\Badnhbce.exeC:\Windows\system32\Badnhbce.exe46⤵
- Executes dropped EXE
PID:2248 -
C:\Windows\SysWOW64\Bgnfdm32.exeC:\Windows\system32\Bgnfdm32.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:880 -
C:\Windows\SysWOW64\Bfagpiam.exeC:\Windows\system32\Bfagpiam.exe48⤵
- Executes dropped EXE
PID:1756 -
C:\Windows\SysWOW64\Bnhoag32.exeC:\Windows\system32\Bnhoag32.exe49⤵
- Executes dropped EXE
PID:112 -
C:\Windows\SysWOW64\Bmkomchi.exeC:\Windows\system32\Bmkomchi.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2756 -
C:\Windows\SysWOW64\Bagkmb32.exeC:\Windows\system32\Bagkmb32.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2812 -
C:\Windows\SysWOW64\Bcegin32.exeC:\Windows\system32\Bcegin32.exe52⤵
- Executes dropped EXE
PID:2728 -
C:\Windows\SysWOW64\Bgqcjlhp.exeC:\Windows\system32\Bgqcjlhp.exe53⤵
- Executes dropped EXE
PID:2820 -
C:\Windows\SysWOW64\Bjoofhgc.exeC:\Windows\system32\Bjoofhgc.exe54⤵
- Executes dropped EXE
PID:2220 -
C:\Windows\SysWOW64\Bibpad32.exeC:\Windows\system32\Bibpad32.exe55⤵
- Executes dropped EXE
PID:2600 -
C:\Windows\SysWOW64\Bmnlbcfg.exeC:\Windows\system32\Bmnlbcfg.exe56⤵
- Executes dropped EXE
PID:2460 -
C:\Windows\SysWOW64\Baigca32.exeC:\Windows\system32\Baigca32.exe57⤵
- Executes dropped EXE
PID:2292 -
C:\Windows\SysWOW64\Bcgdom32.exeC:\Windows\system32\Bcgdom32.exe58⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1956 -
C:\Windows\SysWOW64\Bffpki32.exeC:\Windows\system32\Bffpki32.exe59⤵
- Executes dropped EXE
PID:1932 -
C:\Windows\SysWOW64\Bidlgdlk.exeC:\Windows\system32\Bidlgdlk.exe60⤵
- Executes dropped EXE
PID:3028 -
C:\Windows\SysWOW64\Bmphhc32.exeC:\Windows\system32\Bmphhc32.exe61⤵
- Executes dropped EXE
PID:1040 -
C:\Windows\SysWOW64\Bcjqdmla.exeC:\Windows\system32\Bcjqdmla.exe62⤵
- Executes dropped EXE
PID:768 -
C:\Windows\SysWOW64\Bbmapj32.exeC:\Windows\system32\Bbmapj32.exe63⤵
- Executes dropped EXE
PID:292 -
C:\Windows\SysWOW64\Bekmle32.exeC:\Windows\system32\Bekmle32.exe64⤵
- Executes dropped EXE
PID:1688 -
C:\Windows\SysWOW64\Bigimdjh.exeC:\Windows\system32\Bigimdjh.exe65⤵
- Executes dropped EXE
PID:764 -
C:\Windows\SysWOW64\Bpqain32.exeC:\Windows\system32\Bpqain32.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2552 -
C:\Windows\SysWOW64\Bbonei32.exeC:\Windows\system32\Bbonei32.exe67⤵PID:1320
-
C:\Windows\SysWOW64\Ciifbchf.exeC:\Windows\system32\Ciifbchf.exe68⤵PID:2704
-
C:\Windows\SysWOW64\Chlfnp32.exeC:\Windows\system32\Chlfnp32.exe69⤵
- Modifies registry class
PID:2364 -
C:\Windows\SysWOW64\Cpcnonob.exeC:\Windows\system32\Cpcnonob.exe70⤵PID:2928
-
C:\Windows\SysWOW64\Cbajkiof.exeC:\Windows\system32\Cbajkiof.exe71⤵PID:2616
-
C:\Windows\SysWOW64\Cadjgf32.exeC:\Windows\system32\Cadjgf32.exe72⤵
- System Location Discovery: System Language Discovery
PID:2828 -
C:\Windows\SysWOW64\Cepfgdnj.exeC:\Windows\system32\Cepfgdnj.exe73⤵PID:2700
-
C:\Windows\SysWOW64\Chnbcpmn.exeC:\Windows\system32\Chnbcpmn.exe74⤵PID:2984
-
C:\Windows\SysWOW64\Cljodo32.exeC:\Windows\system32\Cljodo32.exe75⤵PID:1220
-
C:\Windows\SysWOW64\Cohkpj32.exeC:\Windows\system32\Cohkpj32.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1480 -
C:\Windows\SysWOW64\Cbdgqimc.exeC:\Windows\system32\Cbdgqimc.exe77⤵PID:320
-
C:\Windows\SysWOW64\Cebcmdlg.exeC:\Windows\system32\Cebcmdlg.exe78⤵PID:2016
-
C:\Windows\SysWOW64\Chqoipkk.exeC:\Windows\system32\Chqoipkk.exe79⤵PID:2480
-
C:\Windows\SysWOW64\Ckolek32.exeC:\Windows\system32\Ckolek32.exe80⤵PID:2792
-
C:\Windows\SysWOW64\Cojhejbh.exeC:\Windows\system32\Cojhejbh.exe81⤵PID:2544
-
C:\Windows\SysWOW64\Cedpbd32.exeC:\Windows\system32\Cedpbd32.exe82⤵PID:2512
-
C:\Windows\SysWOW64\Cdgpnqpo.exeC:\Windows\system32\Cdgpnqpo.exe83⤵PID:796
-
C:\Windows\SysWOW64\Cffljlpc.exeC:\Windows\system32\Cffljlpc.exe84⤵PID:1600
-
C:\Windows\SysWOW64\Ckahkk32.exeC:\Windows\system32\Ckahkk32.exe85⤵PID:3020
-
C:\Windows\SysWOW64\Cmpdgf32.exeC:\Windows\system32\Cmpdgf32.exe86⤵
- System Location Discovery: System Language Discovery
PID:2652 -
C:\Windows\SysWOW64\Cakqgeoi.exeC:\Windows\system32\Cakqgeoi.exe87⤵PID:1472
-
C:\Windows\SysWOW64\Cdjmcpnl.exeC:\Windows\system32\Cdjmcpnl.exe88⤵PID:2880
-
C:\Windows\SysWOW64\Cheido32.exeC:\Windows\system32\Cheido32.exe89⤵PID:844
-
C:\Windows\SysWOW64\Ckcepj32.exeC:\Windows\system32\Ckcepj32.exe90⤵PID:804
-
C:\Windows\SysWOW64\Cifelgmd.exeC:\Windows\system32\Cifelgmd.exe91⤵PID:528
-
C:\Windows\SysWOW64\Dpqnhadq.exeC:\Windows\system32\Dpqnhadq.exe92⤵PID:1540
-
C:\Windows\SysWOW64\Ddliip32.exeC:\Windows\system32\Ddliip32.exe93⤵PID:2576
-
C:\Windows\SysWOW64\Dgjfek32.exeC:\Windows\system32\Dgjfek32.exe94⤵PID:584
-
C:\Windows\SysWOW64\Diibag32.exeC:\Windows\system32\Diibag32.exe95⤵PID:2424
-
C:\Windows\SysWOW64\Dlgnmb32.exeC:\Windows\system32\Dlgnmb32.exe96⤵PID:2740
-
C:\Windows\SysWOW64\Ddnfop32.exeC:\Windows\system32\Ddnfop32.exe97⤵PID:2676
-
C:\Windows\SysWOW64\Depbfhpe.exeC:\Windows\system32\Depbfhpe.exe98⤵PID:2900
-
C:\Windows\SysWOW64\Dikogf32.exeC:\Windows\system32\Dikogf32.exe99⤵PID:2904
-
C:\Windows\SysWOW64\Dpegcq32.exeC:\Windows\system32\Dpegcq32.exe100⤵
- System Location Discovery: System Language Discovery
PID:2684 -
C:\Windows\SysWOW64\Dohgomgf.exeC:\Windows\system32\Dohgomgf.exe101⤵PID:1428
-
C:\Windows\SysWOW64\Dgoopkgh.exeC:\Windows\system32\Dgoopkgh.exe102⤵PID:3036
-
C:\Windows\SysWOW64\Dllhhaep.exeC:\Windows\system32\Dllhhaep.exe103⤵PID:2264
-
C:\Windows\SysWOW64\Dojddmec.exeC:\Windows\system32\Dojddmec.exe104⤵
- Modifies registry class
PID:756 -
C:\Windows\SysWOW64\Daipqhdg.exeC:\Windows\system32\Daipqhdg.exe105⤵PID:908
-
C:\Windows\SysWOW64\Diphbfdi.exeC:\Windows\system32\Diphbfdi.exe106⤵PID:2400
-
C:\Windows\SysWOW64\Dlndnacm.exeC:\Windows\system32\Dlndnacm.exe107⤵PID:3040
-
C:\Windows\SysWOW64\Dchmkkkj.exeC:\Windows\system32\Dchmkkkj.exe108⤵PID:1668
-
C:\Windows\SysWOW64\Eheecbia.exeC:\Windows\system32\Eheecbia.exe109⤵PID:1404
-
C:\Windows\SysWOW64\Eoompl32.exeC:\Windows\system32\Eoompl32.exe110⤵
- Drops file in System32 directory
PID:1100 -
C:\Windows\SysWOW64\Enbnkigh.exeC:\Windows\system32\Enbnkigh.exe111⤵PID:2868
-
C:\Windows\SysWOW64\Eamilh32.exeC:\Windows\system32\Eamilh32.exe112⤵PID:1836
-
C:\Windows\SysWOW64\Edlfhc32.exeC:\Windows\system32\Edlfhc32.exe113⤵
- Drops file in System32 directory
PID:572 -
C:\Windows\SysWOW64\Egjbdo32.exeC:\Windows\system32\Egjbdo32.exe114⤵PID:1504
-
C:\Windows\SysWOW64\Ekfndmfb.exeC:\Windows\system32\Ekfndmfb.exe115⤵PID:1576
-
C:\Windows\SysWOW64\Endjaief.exeC:\Windows\system32\Endjaief.exe116⤵PID:2584
-
C:\Windows\SysWOW64\Epbfmd32.exeC:\Windows\system32\Epbfmd32.exe117⤵PID:1148
-
C:\Windows\SysWOW64\Ehjona32.exeC:\Windows\system32\Ehjona32.exe118⤵PID:2288
-
C:\Windows\SysWOW64\Egmojnlf.exeC:\Windows\system32\Egmojnlf.exe119⤵PID:2196
-
C:\Windows\SysWOW64\Enfgfh32.exeC:\Windows\system32\Enfgfh32.exe120⤵PID:2952
-
C:\Windows\SysWOW64\Enfgfh32.exeC:\Windows\system32\Enfgfh32.exe121⤵
- Drops file in System32 directory
PID:2944
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-