Analysis
-
max time kernel
70s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
25-12-2024 15:48
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
138fc56ff601fd6fa3be1ed933799ecac49d15d579d3d4e6eacd123823dbb65fN.exe
Resource
win7-20240708-en
windows7-x64
10 signatures
120 seconds
Behavioral task
behavioral2
Sample
138fc56ff601fd6fa3be1ed933799ecac49d15d579d3d4e6eacd123823dbb65fN.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
120 seconds
General
-
Target
138fc56ff601fd6fa3be1ed933799ecac49d15d579d3d4e6eacd123823dbb65fN.exe
-
Size
64KB
-
MD5
379b22dde8575110b1ec7f6e6e4037c0
-
SHA1
236de699ebdec50a7b78831ec4e59dbc5d15e7de
-
SHA256
138fc56ff601fd6fa3be1ed933799ecac49d15d579d3d4e6eacd123823dbb65f
-
SHA512
dcfa2c4e5753228b88b36f1a799d75ebcb402f5938eba76d1f7a8084992cc1fd833b97153f7fe39b990bf9ed4b623b2fe89d9a85ac47c60fde7efbcd5f2432df
-
SSDEEP
1536:jy+3YcFHj+Ru0kcVpJyEp23BZo86B2L5OrDWBm:r5DYV3VpHcxU2Bm
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oekhacbn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lonpma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Clmdmm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Loefnpnn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljcbaamh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aihfap32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bibpad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olebgfao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cilibi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jondnnbk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghiaof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fblmglgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fajbke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pgpgjepk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkhhhd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Miehak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lhnkffeo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odchbe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbiiog32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogmhkmki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kdpcikdi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Befmfpbi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mikjpiim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lblcfnhj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mccbmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Caaggpdh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcjnfdbp.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2932 Nhllob32.exe 2584 Neplhf32.exe 2872 Nljddpfe.exe 2632 Oohqqlei.exe 3016 Okoafmkm.exe 776 Olonpp32.exe 3028 Oomjlk32.exe 2156 Oegbheiq.exe 1952 Oancnfoe.exe 2112 Ohhkjp32.exe 2884 Okfgfl32.exe 848 Ogmhkmki.exe 1980 Pjldghjm.exe 2452 Pfbelipa.exe 2416 Pqhijbog.exe 1484 Pmojocel.exe 3068 Pfgngh32.exe 976 Pfikmh32.exe 2012 Pdlkiepd.exe 2996 Pkfceo32.exe 1848 Qeohnd32.exe 1804 Qgoapp32.exe 2784 Aniimjbo.exe 2840 Aeenochi.exe 2904 Aaloddnn.exe 2776 Agfgqo32.exe 1256 Aigchgkh.exe 376 Aijpnfif.exe 1336 Alhmjbhj.exe 860 Bilmcf32.exe 2252 Bpfeppop.exe 2404 Bnielm32.exe 1644 Bfpnmj32.exe 1924 Biojif32.exe 2908 Blmfea32.exe 2140 Bajomhbl.exe 1936 Beejng32.exe 792 Biafnecn.exe 2820 Bjbcfn32.exe 668 Bbikgk32.exe 1868 Behgcf32.exe 2216 Blaopqpo.exe 1364 Boplllob.exe 1716 Bejdiffp.exe 288 Bdmddc32.exe 1200 Bkglameg.exe 2804 Bmeimhdj.exe 2824 Baadng32.exe 2168 Cpceidcn.exe 2896 Ckiigmcd.exe 2744 Cilibi32.exe 2648 Cpfaocal.exe 1640 Cbdnko32.exe 2236 Cinfhigl.exe 2800 Cmjbhh32.exe 2564 Cddjebgb.exe 2880 Cgbfamff.exe 2900 Cmlong32.exe 1984 Clooiddm.exe 2016 Ccigfn32.exe 2224 Cgdcgm32.exe 1700 Cicpch32.exe 1216 Cpmhpbkc.exe 1732 Cckdlnjg.exe -
Loads dropped DLL 64 IoCs
pid Process 1508 138fc56ff601fd6fa3be1ed933799ecac49d15d579d3d4e6eacd123823dbb65fN.exe 1508 138fc56ff601fd6fa3be1ed933799ecac49d15d579d3d4e6eacd123823dbb65fN.exe 2932 Nhllob32.exe 2932 Nhllob32.exe 2584 Neplhf32.exe 2584 Neplhf32.exe 2872 Nljddpfe.exe 2872 Nljddpfe.exe 2632 Oohqqlei.exe 2632 Oohqqlei.exe 3016 Okoafmkm.exe 3016 Okoafmkm.exe 776 Olonpp32.exe 776 Olonpp32.exe 3028 Oomjlk32.exe 3028 Oomjlk32.exe 2156 Oegbheiq.exe 2156 Oegbheiq.exe 1952 Oancnfoe.exe 1952 Oancnfoe.exe 2112 Ohhkjp32.exe 2112 Ohhkjp32.exe 2884 Okfgfl32.exe 2884 Okfgfl32.exe 848 Ogmhkmki.exe 848 Ogmhkmki.exe 1980 Pjldghjm.exe 1980 Pjldghjm.exe 2452 Pfbelipa.exe 2452 Pfbelipa.exe 2416 Pqhijbog.exe 2416 Pqhijbog.exe 1484 Pmojocel.exe 1484 Pmojocel.exe 3068 Pfgngh32.exe 3068 Pfgngh32.exe 976 Pfikmh32.exe 976 Pfikmh32.exe 2012 Pdlkiepd.exe 2012 Pdlkiepd.exe 2996 Pkfceo32.exe 2996 Pkfceo32.exe 1848 Qeohnd32.exe 1848 Qeohnd32.exe 1804 Qgoapp32.exe 1804 Qgoapp32.exe 2784 Aniimjbo.exe 2784 Aniimjbo.exe 2840 Aeenochi.exe 2840 Aeenochi.exe 2904 Aaloddnn.exe 2904 Aaloddnn.exe 2776 Agfgqo32.exe 2776 Agfgqo32.exe 1256 Aigchgkh.exe 1256 Aigchgkh.exe 376 Aijpnfif.exe 376 Aijpnfif.exe 1336 Alhmjbhj.exe 1336 Alhmjbhj.exe 860 Bilmcf32.exe 860 Bilmcf32.exe 2252 Bpfeppop.exe 2252 Bpfeppop.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Bnfblgca.exe Akhfoldn.exe File created C:\Windows\SysWOW64\Agngji32.dll Kpcqnf32.exe File created C:\Windows\SysWOW64\Lkhkagoh.dll Process not Found File created C:\Windows\SysWOW64\Iknafhjb.exe Process not Found File created C:\Windows\SysWOW64\Bgehjlpm.dll Process not Found File opened for modification C:\Windows\SysWOW64\Hiclkp32.exe Process not Found File created C:\Windows\SysWOW64\Nfigck32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Mdgkjopd.exe Process not Found File created C:\Windows\SysWOW64\Mogdonoc.dll Mfjoeeeh.exe File created C:\Windows\SysWOW64\Gcahoqhf.exe Gljpncgc.exe File created C:\Windows\SysWOW64\Lecpilip.dll Kgclio32.exe File created C:\Windows\SysWOW64\Kmdlca32.dll Odgamdef.exe File created C:\Windows\SysWOW64\Mfnokgjk.dll Egonhf32.exe File created C:\Windows\SysWOW64\Lpkjfakb.dll Process not Found File created C:\Windows\SysWOW64\Hhppho32.dll Nhllob32.exe File created C:\Windows\SysWOW64\Pbpifm32.dll Process not Found File created C:\Windows\SysWOW64\Adifpk32.exe Afffenbp.exe File created C:\Windows\SysWOW64\Flapkmlj.exe Fmnopp32.exe File opened for modification C:\Windows\SysWOW64\Eimcjl32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Dqaode32.exe Process not Found File created C:\Windows\SysWOW64\Ccqhdmbc.exe Process not Found File created C:\Windows\SysWOW64\Leqfcn32.dll Nlpkdkkd.exe File created C:\Windows\SysWOW64\Fqalaa32.exe Flfpabkp.exe File opened for modification C:\Windows\SysWOW64\Mimgeigj.exe Mbcoio32.exe File created C:\Windows\SysWOW64\Pddjlb32.exe Process not Found File created C:\Windows\SysWOW64\Nddcimag.exe Process not Found File created C:\Windows\SysWOW64\Kneino32.dll Baigca32.exe File created C:\Windows\SysWOW64\Endjaief.exe Ekfndmfb.exe File created C:\Windows\SysWOW64\Fchook32.dll Bkegah32.exe File created C:\Windows\SysWOW64\Gnphdceh.exe Process not Found File opened for modification C:\Windows\SysWOW64\Plbmom32.exe Process not Found File created C:\Windows\SysWOW64\Adagkoae.dll Pqhijbog.exe File opened for modification C:\Windows\SysWOW64\Abmdafpp.exe Akcldl32.exe File created C:\Windows\SysWOW64\Cmdcjbei.dll Fgigil32.exe File created C:\Windows\SysWOW64\Kofcbl32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Fmhjni32.exe Fjjnan32.exe File created C:\Windows\SysWOW64\Qfljkp32.exe Qnebjc32.exe File opened for modification C:\Windows\SysWOW64\Iblola32.exe Process not Found File created C:\Windows\SysWOW64\Dkdmfe32.exe Process not Found File created C:\Windows\SysWOW64\Keoabo32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Hphidanj.exe Hmjlhfof.exe File opened for modification C:\Windows\SysWOW64\Fpoolael.exe Fnacpffh.exe File created C:\Windows\SysWOW64\Ojmpooah.exe Ofadnq32.exe File created C:\Windows\SysWOW64\Enjmdhnf.dll Ofhjopbg.exe File created C:\Windows\SysWOW64\Iichjc32.exe Process not Found File created C:\Windows\SysWOW64\Cfhiplmp.exe Cpnaca32.exe File created C:\Windows\SysWOW64\Kgfkgo32.dll Fhdjgoha.exe File created C:\Windows\SysWOW64\Dhbccb32.dll Process not Found File created C:\Windows\SysWOW64\Bgldklaj.dll Process not Found File opened for modification C:\Windows\SysWOW64\Nbqjqehd.exe Process not Found File created C:\Windows\SysWOW64\Cohibp32.dll Kqknil32.exe File created C:\Windows\SysWOW64\Pjmnfk32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Eaqkcimg.exe Process not Found File opened for modification C:\Windows\SysWOW64\Njpihk32.exe Process not Found File created C:\Windows\SysWOW64\Cnejim32.exe Process not Found File created C:\Windows\SysWOW64\Kbhgal32.dll Process not Found File created C:\Windows\SysWOW64\Jhgkeald.dll Bnielm32.exe File opened for modification C:\Windows\SysWOW64\Kceqjhiq.exe Kdbpnk32.exe File created C:\Windows\SysWOW64\Jfgebjnm.exe Process not Found File created C:\Windows\SysWOW64\Dokmejcg.dll Process not Found File created C:\Windows\SysWOW64\Mdmkoepk.exe Process not Found File created C:\Windows\SysWOW64\Ndmcdl32.dll Olmcchlg.exe File opened for modification C:\Windows\SysWOW64\Cgnpjkhj.exe Process not Found File opened for modification C:\Windows\SysWOW64\Glpepj32.exe Process not Found -
Program crash 1 IoCs
pid pid_target Process procid_target 8944 7724 Process not Found 1926 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilkpogmm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpdjaecc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfgngh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkdhoc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjlioj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnjbeh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfegij32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfqpecma.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dokfme32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aniimjbo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qqbecp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eopphehb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lqmjnk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iipiljgf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhdhif32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anbkipok.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnmcfeia.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnifja32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fogibnha.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcbbjcif.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogcnkgoh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhfefgkg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocohkh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iflmjihl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekhmcelc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnhdqdnd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfcqgpfi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jabdql32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aebmjo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkbaii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhnkffeo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cebcmdlg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnipkkdl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fqalaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajmijmnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njoocijc.dll" Ijklknbn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffjaickl.dll" Ehkhaqpk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocfqdk32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cnfqccna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Glpdde32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Findhdcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahcjenki.dll" Iplnnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lidqce32.dll" Kgfoie32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Djgkii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ipeaco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Knfndjdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gjijqa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iiecgjba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dmojkc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nfahomfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhaflo32.dll" Feiddbbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnllhjif.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eolmip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Adcdbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kodhamlk.dll" Caaggpdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nlefhcnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bjallg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ieaiebmn.dll" Dkadjn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Khlili32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adkqmpip.dll" Ihdpbq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Heealhla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmpife32.dll" Kbigpn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jbcjnnpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imafcg32.dll" Alihaioe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qqbecp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cofnjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cifelgmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oadkej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bchfhfeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dahgni32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pleofj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hafock32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Diidjpbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgapag32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gafqbm32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbonaedo.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmcqik32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjnolikh.dll" Bejdiffp.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1508 wrote to memory of 2932 1508 138fc56ff601fd6fa3be1ed933799ecac49d15d579d3d4e6eacd123823dbb65fN.exe 30 PID 1508 wrote to memory of 2932 1508 138fc56ff601fd6fa3be1ed933799ecac49d15d579d3d4e6eacd123823dbb65fN.exe 30 PID 1508 wrote to memory of 2932 1508 138fc56ff601fd6fa3be1ed933799ecac49d15d579d3d4e6eacd123823dbb65fN.exe 30 PID 1508 wrote to memory of 2932 1508 138fc56ff601fd6fa3be1ed933799ecac49d15d579d3d4e6eacd123823dbb65fN.exe 30 PID 2932 wrote to memory of 2584 2932 Nhllob32.exe 31 PID 2932 wrote to memory of 2584 2932 Nhllob32.exe 31 PID 2932 wrote to memory of 2584 2932 Nhllob32.exe 31 PID 2932 wrote to memory of 2584 2932 Nhllob32.exe 31 PID 2584 wrote to memory of 2872 2584 Neplhf32.exe 32 PID 2584 wrote to memory of 2872 2584 Neplhf32.exe 32 PID 2584 wrote to memory of 2872 2584 Neplhf32.exe 32 PID 2584 wrote to memory of 2872 2584 Neplhf32.exe 32 PID 2872 wrote to memory of 2632 2872 Nljddpfe.exe 33 PID 2872 wrote to memory of 2632 2872 Nljddpfe.exe 33 PID 2872 wrote to memory of 2632 2872 Nljddpfe.exe 33 PID 2872 wrote to memory of 2632 2872 Nljddpfe.exe 33 PID 2632 wrote to memory of 3016 2632 Oohqqlei.exe 34 PID 2632 wrote to memory of 3016 2632 Oohqqlei.exe 34 PID 2632 wrote to memory of 3016 2632 Oohqqlei.exe 34 PID 2632 wrote to memory of 3016 2632 Oohqqlei.exe 34 PID 3016 wrote to memory of 776 3016 Okoafmkm.exe 35 PID 3016 wrote to memory of 776 3016 Okoafmkm.exe 35 PID 3016 wrote to memory of 776 3016 Okoafmkm.exe 35 PID 3016 wrote to memory of 776 3016 Okoafmkm.exe 35 PID 776 wrote to memory of 3028 776 Olonpp32.exe 36 PID 776 wrote to memory of 3028 776 Olonpp32.exe 36 PID 776 wrote to memory of 3028 776 Olonpp32.exe 36 PID 776 wrote to memory of 3028 776 Olonpp32.exe 36 PID 3028 wrote to memory of 2156 3028 Oomjlk32.exe 37 PID 3028 wrote to memory of 2156 3028 Oomjlk32.exe 37 PID 3028 wrote to memory of 2156 3028 Oomjlk32.exe 37 PID 3028 wrote to memory of 2156 3028 Oomjlk32.exe 37 PID 2156 wrote to memory of 1952 2156 Oegbheiq.exe 38 PID 2156 wrote to memory of 1952 2156 Oegbheiq.exe 38 PID 2156 wrote to memory of 1952 2156 Oegbheiq.exe 38 PID 2156 wrote to memory of 1952 2156 Oegbheiq.exe 38 PID 1952 wrote to memory of 2112 1952 Oancnfoe.exe 39 PID 1952 wrote to memory of 2112 1952 Oancnfoe.exe 39 PID 1952 wrote to memory of 2112 1952 Oancnfoe.exe 39 PID 1952 wrote to memory of 2112 1952 Oancnfoe.exe 39 PID 2112 wrote to memory of 2884 2112 Ohhkjp32.exe 40 PID 2112 wrote to memory of 2884 2112 Ohhkjp32.exe 40 PID 2112 wrote to memory of 2884 2112 Ohhkjp32.exe 40 PID 2112 wrote to memory of 2884 2112 Ohhkjp32.exe 40 PID 2884 wrote to memory of 848 2884 Okfgfl32.exe 41 PID 2884 wrote to memory of 848 2884 Okfgfl32.exe 41 PID 2884 wrote to memory of 848 2884 Okfgfl32.exe 41 PID 2884 wrote to memory of 848 2884 Okfgfl32.exe 41 PID 848 wrote to memory of 1980 848 Ogmhkmki.exe 42 PID 848 wrote to memory of 1980 848 Ogmhkmki.exe 42 PID 848 wrote to memory of 1980 848 Ogmhkmki.exe 42 PID 848 wrote to memory of 1980 848 Ogmhkmki.exe 42 PID 1980 wrote to memory of 2452 1980 Pjldghjm.exe 43 PID 1980 wrote to memory of 2452 1980 Pjldghjm.exe 43 PID 1980 wrote to memory of 2452 1980 Pjldghjm.exe 43 PID 1980 wrote to memory of 2452 1980 Pjldghjm.exe 43 PID 2452 wrote to memory of 2416 2452 Pfbelipa.exe 44 PID 2452 wrote to memory of 2416 2452 Pfbelipa.exe 44 PID 2452 wrote to memory of 2416 2452 Pfbelipa.exe 44 PID 2452 wrote to memory of 2416 2452 Pfbelipa.exe 44 PID 2416 wrote to memory of 1484 2416 Pqhijbog.exe 45 PID 2416 wrote to memory of 1484 2416 Pqhijbog.exe 45 PID 2416 wrote to memory of 1484 2416 Pqhijbog.exe 45 PID 2416 wrote to memory of 1484 2416 Pqhijbog.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\138fc56ff601fd6fa3be1ed933799ecac49d15d579d3d4e6eacd123823dbb65fN.exe"C:\Users\Admin\AppData\Local\Temp\138fc56ff601fd6fa3be1ed933799ecac49d15d579d3d4e6eacd123823dbb65fN.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1508 -
C:\Windows\SysWOW64\Nhllob32.exeC:\Windows\system32\Nhllob32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2932 -
C:\Windows\SysWOW64\Neplhf32.exeC:\Windows\system32\Neplhf32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2584 -
C:\Windows\SysWOW64\Nljddpfe.exeC:\Windows\system32\Nljddpfe.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2872 -
C:\Windows\SysWOW64\Oohqqlei.exeC:\Windows\system32\Oohqqlei.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2632 -
C:\Windows\SysWOW64\Okoafmkm.exeC:\Windows\system32\Okoafmkm.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3016 -
C:\Windows\SysWOW64\Olonpp32.exeC:\Windows\system32\Olonpp32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:776 -
C:\Windows\SysWOW64\Oomjlk32.exeC:\Windows\system32\Oomjlk32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3028 -
C:\Windows\SysWOW64\Oegbheiq.exeC:\Windows\system32\Oegbheiq.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2156 -
C:\Windows\SysWOW64\Oancnfoe.exeC:\Windows\system32\Oancnfoe.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1952 -
C:\Windows\SysWOW64\Ohhkjp32.exeC:\Windows\system32\Ohhkjp32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2112 -
C:\Windows\SysWOW64\Okfgfl32.exeC:\Windows\system32\Okfgfl32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2884 -
C:\Windows\SysWOW64\Ogmhkmki.exeC:\Windows\system32\Ogmhkmki.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:848 -
C:\Windows\SysWOW64\Pjldghjm.exeC:\Windows\system32\Pjldghjm.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1980 -
C:\Windows\SysWOW64\Pfbelipa.exeC:\Windows\system32\Pfbelipa.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2452 -
C:\Windows\SysWOW64\Pqhijbog.exeC:\Windows\system32\Pqhijbog.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2416 -
C:\Windows\SysWOW64\Pmojocel.exeC:\Windows\system32\Pmojocel.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1484 -
C:\Windows\SysWOW64\Pfgngh32.exeC:\Windows\system32\Pfgngh32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3068 -
C:\Windows\SysWOW64\Pfikmh32.exeC:\Windows\system32\Pfikmh32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:976 -
C:\Windows\SysWOW64\Pdlkiepd.exeC:\Windows\system32\Pdlkiepd.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2012 -
C:\Windows\SysWOW64\Pkfceo32.exeC:\Windows\system32\Pkfceo32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2996 -
C:\Windows\SysWOW64\Qeohnd32.exeC:\Windows\system32\Qeohnd32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1848 -
C:\Windows\SysWOW64\Qgoapp32.exeC:\Windows\system32\Qgoapp32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1804 -
C:\Windows\SysWOW64\Aniimjbo.exeC:\Windows\system32\Aniimjbo.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2784 -
C:\Windows\SysWOW64\Aeenochi.exeC:\Windows\system32\Aeenochi.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2840 -
C:\Windows\SysWOW64\Aaloddnn.exeC:\Windows\system32\Aaloddnn.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2904 -
C:\Windows\SysWOW64\Agfgqo32.exeC:\Windows\system32\Agfgqo32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2776 -
C:\Windows\SysWOW64\Aigchgkh.exeC:\Windows\system32\Aigchgkh.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1256 -
C:\Windows\SysWOW64\Aijpnfif.exeC:\Windows\system32\Aijpnfif.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:376 -
C:\Windows\SysWOW64\Alhmjbhj.exeC:\Windows\system32\Alhmjbhj.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1336 -
C:\Windows\SysWOW64\Bilmcf32.exeC:\Windows\system32\Bilmcf32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:860 -
C:\Windows\SysWOW64\Bpfeppop.exeC:\Windows\system32\Bpfeppop.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2252 -
C:\Windows\SysWOW64\Bnielm32.exeC:\Windows\system32\Bnielm32.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2404 -
C:\Windows\SysWOW64\Bfpnmj32.exeC:\Windows\system32\Bfpnmj32.exe34⤵
- Executes dropped EXE
PID:1644 -
C:\Windows\SysWOW64\Biojif32.exeC:\Windows\system32\Biojif32.exe35⤵
- Executes dropped EXE
PID:1924 -
C:\Windows\SysWOW64\Blmfea32.exeC:\Windows\system32\Blmfea32.exe36⤵
- Executes dropped EXE
PID:2908 -
C:\Windows\SysWOW64\Bajomhbl.exeC:\Windows\system32\Bajomhbl.exe37⤵
- Executes dropped EXE
PID:2140 -
C:\Windows\SysWOW64\Beejng32.exeC:\Windows\system32\Beejng32.exe38⤵
- Executes dropped EXE
PID:1936 -
C:\Windows\SysWOW64\Biafnecn.exeC:\Windows\system32\Biafnecn.exe39⤵
- Executes dropped EXE
PID:792 -
C:\Windows\SysWOW64\Bjbcfn32.exeC:\Windows\system32\Bjbcfn32.exe40⤵
- Executes dropped EXE
PID:2820 -
C:\Windows\SysWOW64\Bbikgk32.exeC:\Windows\system32\Bbikgk32.exe41⤵
- Executes dropped EXE
PID:668 -
C:\Windows\SysWOW64\Behgcf32.exeC:\Windows\system32\Behgcf32.exe42⤵
- Executes dropped EXE
PID:1868 -
C:\Windows\SysWOW64\Blaopqpo.exeC:\Windows\system32\Blaopqpo.exe43⤵
- Executes dropped EXE
PID:2216 -
C:\Windows\SysWOW64\Boplllob.exeC:\Windows\system32\Boplllob.exe44⤵
- Executes dropped EXE
PID:1364 -
C:\Windows\SysWOW64\Bejdiffp.exeC:\Windows\system32\Bejdiffp.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:1716 -
C:\Windows\SysWOW64\Bdmddc32.exeC:\Windows\system32\Bdmddc32.exe46⤵
- Executes dropped EXE
PID:288 -
C:\Windows\SysWOW64\Bkglameg.exeC:\Windows\system32\Bkglameg.exe47⤵
- Executes dropped EXE
PID:1200 -
C:\Windows\SysWOW64\Bmeimhdj.exeC:\Windows\system32\Bmeimhdj.exe48⤵
- Executes dropped EXE
PID:2804 -
C:\Windows\SysWOW64\Baadng32.exeC:\Windows\system32\Baadng32.exe49⤵
- Executes dropped EXE
PID:2824 -
C:\Windows\SysWOW64\Cpceidcn.exeC:\Windows\system32\Cpceidcn.exe50⤵
- Executes dropped EXE
PID:2168 -
C:\Windows\SysWOW64\Ckiigmcd.exeC:\Windows\system32\Ckiigmcd.exe51⤵
- Executes dropped EXE
PID:2896 -
C:\Windows\SysWOW64\Cilibi32.exeC:\Windows\system32\Cilibi32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2744 -
C:\Windows\SysWOW64\Cpfaocal.exeC:\Windows\system32\Cpfaocal.exe53⤵
- Executes dropped EXE
PID:2648 -
C:\Windows\SysWOW64\Cbdnko32.exeC:\Windows\system32\Cbdnko32.exe54⤵
- Executes dropped EXE
PID:1640 -
C:\Windows\SysWOW64\Cinfhigl.exeC:\Windows\system32\Cinfhigl.exe55⤵
- Executes dropped EXE
PID:2236 -
C:\Windows\SysWOW64\Cmjbhh32.exeC:\Windows\system32\Cmjbhh32.exe56⤵
- Executes dropped EXE
PID:2800 -
C:\Windows\SysWOW64\Cddjebgb.exeC:\Windows\system32\Cddjebgb.exe57⤵
- Executes dropped EXE
PID:2564 -
C:\Windows\SysWOW64\Cgbfamff.exeC:\Windows\system32\Cgbfamff.exe58⤵
- Executes dropped EXE
PID:2880 -
C:\Windows\SysWOW64\Cmlong32.exeC:\Windows\system32\Cmlong32.exe59⤵
- Executes dropped EXE
PID:2900 -
C:\Windows\SysWOW64\Clooiddm.exeC:\Windows\system32\Clooiddm.exe60⤵
- Executes dropped EXE
PID:1984 -
C:\Windows\SysWOW64\Ccigfn32.exeC:\Windows\system32\Ccigfn32.exe61⤵
- Executes dropped EXE
PID:2016 -
C:\Windows\SysWOW64\Cgdcgm32.exeC:\Windows\system32\Cgdcgm32.exe62⤵
- Executes dropped EXE
PID:2224 -
C:\Windows\SysWOW64\Cicpch32.exeC:\Windows\system32\Cicpch32.exe63⤵
- Executes dropped EXE
PID:1700 -
C:\Windows\SysWOW64\Cpmhpbkc.exeC:\Windows\system32\Cpmhpbkc.exe64⤵
- Executes dropped EXE
PID:1216 -
C:\Windows\SysWOW64\Cckdlnjg.exeC:\Windows\system32\Cckdlnjg.exe65⤵
- Executes dropped EXE
PID:1732 -
C:\Windows\SysWOW64\Cejphiik.exeC:\Windows\system32\Cejphiik.exe66⤵PID:2024
-
C:\Windows\SysWOW64\Dldhdc32.exeC:\Windows\system32\Dldhdc32.exe67⤵PID:2364
-
C:\Windows\SysWOW64\Dkgippgb.exeC:\Windows\system32\Dkgippgb.exe68⤵PID:2660
-
C:\Windows\SysWOW64\Daqamj32.exeC:\Windows\system32\Daqamj32.exe69⤵PID:868
-
C:\Windows\SysWOW64\Ddomif32.exeC:\Windows\system32\Ddomif32.exe70⤵PID:2504
-
C:\Windows\SysWOW64\Dlfejcoe.exeC:\Windows\system32\Dlfejcoe.exe71⤵PID:2728
-
C:\Windows\SysWOW64\Dodafoni.exeC:\Windows\system32\Dodafoni.exe72⤵PID:2712
-
C:\Windows\SysWOW64\Deojci32.exeC:\Windows\system32\Deojci32.exe73⤵PID:2576
-
C:\Windows\SysWOW64\Dhmfod32.exeC:\Windows\system32\Dhmfod32.exe74⤵PID:3012
-
C:\Windows\SysWOW64\Dognlnlf.exeC:\Windows\system32\Dognlnlf.exe75⤵PID:588
-
C:\Windows\SysWOW64\Dnjngk32.exeC:\Windows\system32\Dnjngk32.exe76⤵PID:2260
-
C:\Windows\SysWOW64\Daejhjkj.exeC:\Windows\system32\Daejhjkj.exe77⤵PID:764
-
C:\Windows\SysWOW64\Dhobddbf.exeC:\Windows\system32\Dhobddbf.exe78⤵PID:1368
-
C:\Windows\SysWOW64\Djqoll32.exeC:\Windows\system32\Djqoll32.exe79⤵PID:1380
-
C:\Windows\SysWOW64\Dahgni32.exeC:\Windows\system32\Dahgni32.exe80⤵
- Modifies registry class
PID:2304 -
C:\Windows\SysWOW64\Dciceaoe.exeC:\Windows\system32\Dciceaoe.exe81⤵PID:1680
-
C:\Windows\SysWOW64\Dgdpfp32.exeC:\Windows\system32\Dgdpfp32.exe82⤵PID:1624
-
C:\Windows\SysWOW64\Dnnhbjnk.exeC:\Windows\system32\Dnnhbjnk.exe83⤵PID:2464
-
C:\Windows\SysWOW64\Dpmdofno.exeC:\Windows\system32\Dpmdofno.exe84⤵PID:1784
-
C:\Windows\SysWOW64\Eckpkamb.exeC:\Windows\system32\Eckpkamb.exe85⤵PID:2008
-
C:\Windows\SysWOW64\Egglkp32.exeC:\Windows\system32\Egglkp32.exe86⤵PID:2040
-
C:\Windows\SysWOW64\Enqdhj32.exeC:\Windows\system32\Enqdhj32.exe87⤵PID:744
-
C:\Windows\SysWOW64\Epoqde32.exeC:\Windows\system32\Epoqde32.exe88⤵PID:2700
-
C:\Windows\SysWOW64\Egiiapci.exeC:\Windows\system32\Egiiapci.exe89⤵PID:2604
-
C:\Windows\SysWOW64\Ejgemkbm.exeC:\Windows\system32\Ejgemkbm.exe90⤵PID:3008
-
C:\Windows\SysWOW64\Elfaifaq.exeC:\Windows\system32\Elfaifaq.exe91⤵PID:2056
-
C:\Windows\SysWOW64\Eodnebpd.exeC:\Windows\system32\Eodnebpd.exe92⤵PID:2336
-
C:\Windows\SysWOW64\Efnfbl32.exeC:\Windows\system32\Efnfbl32.exe93⤵PID:2420
-
C:\Windows\SysWOW64\Ehmbng32.exeC:\Windows\system32\Ehmbng32.exe94⤵PID:1040
-
C:\Windows\SysWOW64\Eogjka32.exeC:\Windows\system32\Eogjka32.exe95⤵PID:1760
-
C:\Windows\SysWOW64\Ecbfkpfk.exeC:\Windows\system32\Ecbfkpfk.exe96⤵PID:2888
-
C:\Windows\SysWOW64\Ebefgm32.exeC:\Windows\system32\Ebefgm32.exe97⤵PID:2944
-
C:\Windows\SysWOW64\Emkkdf32.exeC:\Windows\system32\Emkkdf32.exe98⤵PID:2412
-
C:\Windows\SysWOW64\Emkkdf32.exeC:\Windows\system32\Emkkdf32.exe99⤵PID:2368
-
C:\Windows\SysWOW64\Eknkpbdf.exeC:\Windows\system32\Eknkpbdf.exe100⤵PID:1016
-
C:\Windows\SysWOW64\Edfpih32.exeC:\Windows\system32\Edfpih32.exe101⤵PID:2520
-
C:\Windows\SysWOW64\Egdlec32.exeC:\Windows\system32\Egdlec32.exe102⤵PID:2976
-
C:\Windows\SysWOW64\Fnndan32.exeC:\Windows\system32\Fnndan32.exe103⤵PID:2736
-
C:\Windows\SysWOW64\Fqmpni32.exeC:\Windows\system32\Fqmpni32.exe104⤵PID:2912
-
C:\Windows\SysWOW64\Fdhlnhhc.exeC:\Windows\system32\Fdhlnhhc.exe105⤵PID:2748
-
C:\Windows\SysWOW64\Fkbdkb32.exeC:\Windows\system32\Fkbdkb32.exe106⤵PID:1652
-
C:\Windows\SysWOW64\Fblmglgm.exeC:\Windows\system32\Fblmglgm.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2204 -
C:\Windows\SysWOW64\Fqomci32.exeC:\Windows\system32\Fqomci32.exe108⤵PID:2892
-
C:\Windows\SysWOW64\Fgiepced.exeC:\Windows\system32\Fgiepced.exe109⤵PID:1744
-
C:\Windows\SysWOW64\Fmfnhj32.exeC:\Windows\system32\Fmfnhj32.exe110⤵PID:2344
-
C:\Windows\SysWOW64\Femeig32.exeC:\Windows\system32\Femeig32.exe111⤵PID:768
-
C:\Windows\SysWOW64\Fgkbeb32.exeC:\Windows\system32\Fgkbeb32.exe112⤵PID:1872
-
C:\Windows\SysWOW64\Fjjnan32.exeC:\Windows\system32\Fjjnan32.exe113⤵
- Drops file in System32 directory
PID:1140 -
C:\Windows\SysWOW64\Fmhjni32.exeC:\Windows\system32\Fmhjni32.exe114⤵PID:1808
-
C:\Windows\SysWOW64\Fcbbjcif.exeC:\Windows\system32\Fcbbjcif.exe115⤵
- System Location Discovery: System Language Discovery
PID:2076 -
C:\Windows\SysWOW64\Ffqofohj.exeC:\Windows\system32\Ffqofohj.exe116⤵PID:2588
-
C:\Windows\SysWOW64\Fpicodoj.exeC:\Windows\system32\Fpicodoj.exe117⤵PID:2640
-
C:\Windows\SysWOW64\Fcdopc32.exeC:\Windows\system32\Fcdopc32.exe118⤵PID:1320
-
C:\Windows\SysWOW64\Giahhj32.exeC:\Windows\system32\Giahhj32.exe119⤵PID:2180
-
C:\Windows\SysWOW64\Glpdde32.exeC:\Windows\system32\Glpdde32.exe120⤵
- Modifies registry class
PID:1768 -
C:\Windows\SysWOW64\Gcglec32.exeC:\Windows\system32\Gcglec32.exe121⤵PID:2220
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-