Analysis
-
max time kernel
89s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
25-12-2024 16:43
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
152576b47aaaf10a82be29576d508a3d6a4ac396e611b36f7e2ea65cb9e9def7.exe
Resource
win7-20241010-en
windows7-x64
10 signatures
120 seconds
Behavioral task
behavioral2
Sample
152576b47aaaf10a82be29576d508a3d6a4ac396e611b36f7e2ea65cb9e9def7.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
120 seconds
General
-
Target
152576b47aaaf10a82be29576d508a3d6a4ac396e611b36f7e2ea65cb9e9def7.exe
-
Size
63KB
-
MD5
ef7a8381f2e3897966206dea989301a6
-
SHA1
b22c2a973b08e8e8c2bc50b0ca53d304e83a85d5
-
SHA256
152576b47aaaf10a82be29576d508a3d6a4ac396e611b36f7e2ea65cb9e9def7
-
SHA512
ff354f5cc3689dc6baefb409eac020689ec7b69282db7ce33b2577830ffe64434c1ca5b12f70f2390feec3569a9be90f03c4e76d0f56ac01f8dc0e6fdfeb4166
-
SSDEEP
1536:s1uD0cAW/IBCeEWu1UOCfK25SQbIRpH1juIZok:s1uRAW/IBCrWud4K+S6IRpH1juIZok
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbepplkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oeobfgak.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfioaaah.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eonhbg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hqbnnj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpbokj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blkgdmbp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egdnjlcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Klkjbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dejqenmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pgpjpnhk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oigokj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpfcohfk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbdkdffm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnecjgch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Npgppdpc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipkhpk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmeknakn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egepce32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fgbpmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebhani32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ldangbhd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckpdej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hacabgig.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhjnmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aecdpmbm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qcgkeonp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hiffbl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akfdcckn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gnkkeg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilneef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eddeia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lfgaaa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjeffc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jidngh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lamkllea.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oeobfgak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ffaeneno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djcpqidc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bohoogbk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnaihhgf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qloiqcbn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Elnonp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ngcebnen.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibnppn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kocodbpk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbhkdgbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ccdnipal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jdpmij32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnejqmie.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhifmcfa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iefeaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iefeaj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdoaackf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjlekm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kkkgnmqb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alfdcp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egljjmkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Knhoig32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gapbbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mbbkabdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbihpbpl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pqcncnpe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qnagbc32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2460 Daplmimi.exe 2868 Dkhpfo32.exe 3028 Dmgmbj32.exe 2620 Eipjmk32.exe 2736 Edhkpcdb.exe 2768 Eghdanac.exe 1576 Eabeal32.exe 1580 Fadagl32.exe 2496 Fdekigip.exe 2320 Fdggofgn.exe 2224 Fqqdigko.exe 2208 Gfmmanif.exe 2128 Gqendf32.exe 2332 Gjnbmlmj.exe 1944 Gomhkb32.exe 2616 Gdjpcj32.exe 2204 Higiih32.exe 2528 Hqbnnj32.exe 1556 Hjkbfpah.exe 928 Hgobpd32.exe 1848 Hiblmldn.exe 1936 Hchpjddc.exe 2592 Imcaijia.exe 1588 Iijbnkne.exe 1724 Ipcjje32.exe 2216 Ibdclp32.exe 3012 Jhchjgoh.exe 2972 Jfiekc32.exe 2744 Jbpfpd32.exe 2880 Jepoao32.exe 2788 Jpfcohfk.exe 1188 Kciifc32.exe 872 Kdlbckee.exe 1748 Kneflplf.exe 1252 Kjlgaa32.exe 2280 Lfgaaa32.exe 1248 Lflklaoc.exe 632 Mbbkabdh.exe 468 Mgaqohql.exe 2076 Mqjehngm.exe 2364 Mgdmeh32.exe 772 Mjeffc32.exe 996 Npdkdjhp.exe 2540 Nbbhpegc.exe 796 Nilpmo32.exe 1040 Npfhjifm.exe 1048 Necqbp32.exe 2392 Nmjicn32.exe 1716 Nbgakd32.exe 2660 Neemgp32.exe 2968 Nnnbqeib.exe 2724 Nlabjj32.exe 2912 Nbljfdoh.exe 2756 Oldooi32.exe 2552 Ohkpdj32.exe 2696 Oacdmpan.exe 828 Oiniaboi.exe 2920 Obgmjh32.exe 1868 Olobcm32.exe 1084 Ofefqf32.exe 2144 Ppmkilbp.exe 2060 Phhonn32.exe 580 Pelpgb32.exe 1872 Pbppqf32.exe -
Loads dropped DLL 64 IoCs
pid Process 2904 152576b47aaaf10a82be29576d508a3d6a4ac396e611b36f7e2ea65cb9e9def7.exe 2904 152576b47aaaf10a82be29576d508a3d6a4ac396e611b36f7e2ea65cb9e9def7.exe 2460 Daplmimi.exe 2460 Daplmimi.exe 2868 Dkhpfo32.exe 2868 Dkhpfo32.exe 3028 Dmgmbj32.exe 3028 Dmgmbj32.exe 2620 Eipjmk32.exe 2620 Eipjmk32.exe 2736 Edhkpcdb.exe 2736 Edhkpcdb.exe 2768 Eghdanac.exe 2768 Eghdanac.exe 1576 Eabeal32.exe 1576 Eabeal32.exe 1580 Fadagl32.exe 1580 Fadagl32.exe 2496 Fdekigip.exe 2496 Fdekigip.exe 2320 Fdggofgn.exe 2320 Fdggofgn.exe 2224 Fqqdigko.exe 2224 Fqqdigko.exe 2208 Gfmmanif.exe 2208 Gfmmanif.exe 2128 Gqendf32.exe 2128 Gqendf32.exe 2332 Gjnbmlmj.exe 2332 Gjnbmlmj.exe 1944 Gomhkb32.exe 1944 Gomhkb32.exe 2616 Gdjpcj32.exe 2616 Gdjpcj32.exe 2204 Higiih32.exe 2204 Higiih32.exe 2528 Hqbnnj32.exe 2528 Hqbnnj32.exe 1556 Hjkbfpah.exe 1556 Hjkbfpah.exe 928 Hgobpd32.exe 928 Hgobpd32.exe 1848 Hiblmldn.exe 1848 Hiblmldn.exe 1936 Hchpjddc.exe 1936 Hchpjddc.exe 2592 Imcaijia.exe 2592 Imcaijia.exe 1588 Iijbnkne.exe 1588 Iijbnkne.exe 1724 Ipcjje32.exe 1724 Ipcjje32.exe 2216 Ibdclp32.exe 2216 Ibdclp32.exe 3012 Jhchjgoh.exe 3012 Jhchjgoh.exe 2972 Jfiekc32.exe 2972 Jfiekc32.exe 2744 Jbpfpd32.exe 2744 Jbpfpd32.exe 2880 Jepoao32.exe 2880 Jepoao32.exe 2788 Jpfcohfk.exe 2788 Jpfcohfk.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Hfdbji32.exe Hjnaehgj.exe File created C:\Windows\SysWOW64\Geedqq32.dll Ojlmgg32.exe File opened for modification C:\Windows\SysWOW64\Eqninhmc.exe Ejcaanfg.exe File created C:\Windows\SysWOW64\Ckdpinhf.exe Ccileljk.exe File created C:\Windows\SysWOW64\Flfgiimk.dll Eeijpdbd.exe File created C:\Windows\SysWOW64\Mfejocnp.dll Kqijck32.exe File created C:\Windows\SysWOW64\Dipfpa32.dll Ndekok32.exe File created C:\Windows\SysWOW64\Ogiqffhl.exe Opohil32.exe File created C:\Windows\SysWOW64\Denollgl.dll Ceclmc32.exe File opened for modification C:\Windows\SysWOW64\Dkhpfo32.exe Daplmimi.exe File created C:\Windows\SysWOW64\Egkfbg32.dll Gkfkoi32.exe File created C:\Windows\SysWOW64\Lmjbphod.exe Ldangbhd.exe File opened for modification C:\Windows\SysWOW64\Hghhngjb.exe Ggekhhle.exe File created C:\Windows\SysWOW64\Gpgcne32.dll Lekeak32.exe File created C:\Windows\SysWOW64\Fohacl32.exe Fcaankpf.exe File opened for modification C:\Windows\SysWOW64\Bomcgfjh.exe Bjqjoolp.exe File created C:\Windows\SysWOW64\Egepce32.exe Eonhbg32.exe File created C:\Windows\SysWOW64\Lflklaoc.exe Lfgaaa32.exe File opened for modification C:\Windows\SysWOW64\Gepeep32.exe Glgqlkdl.exe File opened for modification C:\Windows\SysWOW64\Iaknmm32.exe Ilneef32.exe File opened for modification C:\Windows\SysWOW64\Hljljflh.exe Hepdml32.exe File created C:\Windows\SysWOW64\Aahoageo.dll Mcmnbbja.exe File created C:\Windows\SysWOW64\Eidcdc32.dll Fnjkdcii.exe File created C:\Windows\SysWOW64\Okdahbmm.exe Oblmom32.exe File created C:\Windows\SysWOW64\Njhhid32.dll Gkgdbh32.exe File created C:\Windows\SysWOW64\Ffogha32.dll Fdhlphff.exe File created C:\Windows\SysWOW64\Mddidnqa.exe Mmjqhd32.exe File created C:\Windows\SysWOW64\Elpgjjhd.dll Dkmmdg32.exe File created C:\Windows\SysWOW64\Pfgkdg32.dll Omqnfiip.exe File created C:\Windows\SysWOW64\Ikmjnnah.exe Iaheqe32.exe File created C:\Windows\SysWOW64\Ighchh32.dll Bgndnd32.exe File opened for modification C:\Windows\SysWOW64\Ggekhhle.exe Gpkckneh.exe File created C:\Windows\SysWOW64\Kmbjko32.dll Dhhhphmc.exe File created C:\Windows\SysWOW64\Jfdmbl32.dll Hchpjddc.exe File opened for modification C:\Windows\SysWOW64\Cfmceomm.exe Cldolj32.exe File created C:\Windows\SysWOW64\Mlfpml32.dll Lnipilbb.exe File opened for modification C:\Windows\SysWOW64\Pgkjji32.exe Pcmadj32.exe File opened for modification C:\Windows\SysWOW64\Amjkgbhe.exe Agmbolin.exe File opened for modification C:\Windows\SysWOW64\Babpgo32.exe Bfmlif32.exe File created C:\Windows\SysWOW64\Nbljfdoh.exe Nlabjj32.exe File created C:\Windows\SysWOW64\Iglkoaad.exe Iabcbg32.exe File created C:\Windows\SysWOW64\Egbkjc32.dll Bmdehgcf.exe File created C:\Windows\SysWOW64\Pdcjhkpn.dll Pdhdcnng.exe File opened for modification C:\Windows\SysWOW64\Diljpn32.exe Clhifj32.exe File created C:\Windows\SysWOW64\Bmhjjiab.dll Gomhkb32.exe File created C:\Windows\SysWOW64\Jfbeip32.dll Ipcjje32.exe File created C:\Windows\SysWOW64\Mgogqmha.dll Fclmem32.exe File created C:\Windows\SysWOW64\Ijcmipjh.exe Ipkhpk32.exe File created C:\Windows\SysWOW64\Ogadkajl.exe Onipbl32.exe File created C:\Windows\SysWOW64\Dlnnak32.dll Cdejpg32.exe File opened for modification C:\Windows\SysWOW64\Jcknqicd.exe Jgdmkhnp.exe File opened for modification C:\Windows\SysWOW64\Khmamhek.exe Jpbmhf32.exe File opened for modification C:\Windows\SysWOW64\Apjpglfn.exe Ajpgkb32.exe File created C:\Windows\SysWOW64\Hpipeaaf.dll Dnfkefad.exe File opened for modification C:\Windows\SysWOW64\Fbbcdh32.exe Eabgjeef.exe File created C:\Windows\SysWOW64\Nbjpjm32.exe Ndfppije.exe File created C:\Windows\SysWOW64\Mnbbpkjg.exe Mcmnbbja.exe File created C:\Windows\SysWOW64\Mlgabfoe.dll Akfdcckn.exe File created C:\Windows\SysWOW64\Cbickmoq.dll Enokidgl.exe File opened for modification C:\Windows\SysWOW64\Lkcehkeh.exe Legmpdga.exe File created C:\Windows\SysWOW64\Eifeam32.dll Bmfamg32.exe File opened for modification C:\Windows\SysWOW64\Nbnajcig.exe Nmaialjp.exe File created C:\Windows\SysWOW64\Lnejqmie.exe Kqaigijk.exe File created C:\Windows\SysWOW64\Lkfbmj32.exe Lhgeao32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4296 2996 WerFault.exe 1015 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Neemgp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbihmcqp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgklcaqi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inaliedk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgnkkjgd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekcpdi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgojdj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njfbno32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjqjoolp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfclic32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjdqbbkp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijcmipjh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckbakiee.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ieoiai32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Clcghk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cocpjf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkimgflg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnnbqeib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccdnipal.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjhfkqdm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbfalpab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjmeaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odiagj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifloeo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehopnk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkcehkeh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdiciboh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kqijck32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlljiklc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmifla32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cngfqi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhobldaf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cldolj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfpndkel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcnqin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aanonj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phhhchlp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebhani32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbpendha.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnhnnc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgjfbllj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcfmkcdn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boppmf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnejqmie.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alqplmlb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejkampao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpiqel32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eligoe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdhdcnng.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipcjje32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjlgaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Almjcobe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpccnp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmcfeh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ediggoma.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfohoe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckdpinhf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcgppana.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgmfph32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgnnicpe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnnpdaeb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iiaddb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Poplqm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgkjji32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nqjmec32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kjmeaa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Boggkicf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pemhba32.dll" Gjjoob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcgdnd32.dll" Jhchjgoh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klliop32.dll" Ecnpgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kceijg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kdhlmhgj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eiapjq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmaojjod.dll" Cmmcae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okjenb32.dll" Kldofi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ihhjjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbqgnl32.dll" Jknlfg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hafdbmjp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gknhlj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnpkkdjl.dll" Bjlnaghp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qmjogi32.dll" Qloiqcbn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nheabh32.dll" Ckeekp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aggbif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cefbfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hiohob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oacdmpan.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jccjln32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mbdepe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pjiffd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dekaiofi.dll" Ijokcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Emeejpjc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Almjcobe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mmojcceo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pdjcaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aqfiqjgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jepoao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhniof32.dll" Gkiooocb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jebojh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hopibdfd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jgdmkhnp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ecnpgj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bffgbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcogfg32.dll" Kjmeaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcaqggik.dll" Genmab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbeflgfa.dll" Gjkeii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gcpfbhof.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fhifmcfa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ogpkhb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fdhlphff.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bmfamg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ejcaanfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dkmmdg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cgjjdijo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Knhoig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mgdpnqfn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Djoinbpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geammipo.dll" Nnidchqp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pdhdcnng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecpohp32.dll" Pgmfph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppaimb32.dll" Poldnf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ibdclp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gnjhaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdhpbkob.dll" Hkfgnldd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gkgdbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmbjko32.dll" Dhhhphmc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gbpegdik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dmgmbj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ppmkilbp.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2904 wrote to memory of 2460 2904 152576b47aaaf10a82be29576d508a3d6a4ac396e611b36f7e2ea65cb9e9def7.exe 29 PID 2904 wrote to memory of 2460 2904 152576b47aaaf10a82be29576d508a3d6a4ac396e611b36f7e2ea65cb9e9def7.exe 29 PID 2904 wrote to memory of 2460 2904 152576b47aaaf10a82be29576d508a3d6a4ac396e611b36f7e2ea65cb9e9def7.exe 29 PID 2904 wrote to memory of 2460 2904 152576b47aaaf10a82be29576d508a3d6a4ac396e611b36f7e2ea65cb9e9def7.exe 29 PID 2460 wrote to memory of 2868 2460 Daplmimi.exe 30 PID 2460 wrote to memory of 2868 2460 Daplmimi.exe 30 PID 2460 wrote to memory of 2868 2460 Daplmimi.exe 30 PID 2460 wrote to memory of 2868 2460 Daplmimi.exe 30 PID 2868 wrote to memory of 3028 2868 Dkhpfo32.exe 31 PID 2868 wrote to memory of 3028 2868 Dkhpfo32.exe 31 PID 2868 wrote to memory of 3028 2868 Dkhpfo32.exe 31 PID 2868 wrote to memory of 3028 2868 Dkhpfo32.exe 31 PID 3028 wrote to memory of 2620 3028 Dmgmbj32.exe 32 PID 3028 wrote to memory of 2620 3028 Dmgmbj32.exe 32 PID 3028 wrote to memory of 2620 3028 Dmgmbj32.exe 32 PID 3028 wrote to memory of 2620 3028 Dmgmbj32.exe 32 PID 2620 wrote to memory of 2736 2620 Eipjmk32.exe 33 PID 2620 wrote to memory of 2736 2620 Eipjmk32.exe 33 PID 2620 wrote to memory of 2736 2620 Eipjmk32.exe 33 PID 2620 wrote to memory of 2736 2620 Eipjmk32.exe 33 PID 2736 wrote to memory of 2768 2736 Edhkpcdb.exe 34 PID 2736 wrote to memory of 2768 2736 Edhkpcdb.exe 34 PID 2736 wrote to memory of 2768 2736 Edhkpcdb.exe 34 PID 2736 wrote to memory of 2768 2736 Edhkpcdb.exe 34 PID 2768 wrote to memory of 1576 2768 Eghdanac.exe 35 PID 2768 wrote to memory of 1576 2768 Eghdanac.exe 35 PID 2768 wrote to memory of 1576 2768 Eghdanac.exe 35 PID 2768 wrote to memory of 1576 2768 Eghdanac.exe 35 PID 1576 wrote to memory of 1580 1576 Eabeal32.exe 36 PID 1576 wrote to memory of 1580 1576 Eabeal32.exe 36 PID 1576 wrote to memory of 1580 1576 Eabeal32.exe 36 PID 1576 wrote to memory of 1580 1576 Eabeal32.exe 36 PID 1580 wrote to memory of 2496 1580 Fadagl32.exe 37 PID 1580 wrote to memory of 2496 1580 Fadagl32.exe 37 PID 1580 wrote to memory of 2496 1580 Fadagl32.exe 37 PID 1580 wrote to memory of 2496 1580 Fadagl32.exe 37 PID 2496 wrote to memory of 2320 2496 Fdekigip.exe 38 PID 2496 wrote to memory of 2320 2496 Fdekigip.exe 38 PID 2496 wrote to memory of 2320 2496 Fdekigip.exe 38 PID 2496 wrote to memory of 2320 2496 Fdekigip.exe 38 PID 2320 wrote to memory of 2224 2320 Fdggofgn.exe 39 PID 2320 wrote to memory of 2224 2320 Fdggofgn.exe 39 PID 2320 wrote to memory of 2224 2320 Fdggofgn.exe 39 PID 2320 wrote to memory of 2224 2320 Fdggofgn.exe 39 PID 2224 wrote to memory of 2208 2224 Fqqdigko.exe 40 PID 2224 wrote to memory of 2208 2224 Fqqdigko.exe 40 PID 2224 wrote to memory of 2208 2224 Fqqdigko.exe 40 PID 2224 wrote to memory of 2208 2224 Fqqdigko.exe 40 PID 2208 wrote to memory of 2128 2208 Gfmmanif.exe 41 PID 2208 wrote to memory of 2128 2208 Gfmmanif.exe 41 PID 2208 wrote to memory of 2128 2208 Gfmmanif.exe 41 PID 2208 wrote to memory of 2128 2208 Gfmmanif.exe 41 PID 2128 wrote to memory of 2332 2128 Gqendf32.exe 42 PID 2128 wrote to memory of 2332 2128 Gqendf32.exe 42 PID 2128 wrote to memory of 2332 2128 Gqendf32.exe 42 PID 2128 wrote to memory of 2332 2128 Gqendf32.exe 42 PID 2332 wrote to memory of 1944 2332 Gjnbmlmj.exe 43 PID 2332 wrote to memory of 1944 2332 Gjnbmlmj.exe 43 PID 2332 wrote to memory of 1944 2332 Gjnbmlmj.exe 43 PID 2332 wrote to memory of 1944 2332 Gjnbmlmj.exe 43 PID 1944 wrote to memory of 2616 1944 Gomhkb32.exe 44 PID 1944 wrote to memory of 2616 1944 Gomhkb32.exe 44 PID 1944 wrote to memory of 2616 1944 Gomhkb32.exe 44 PID 1944 wrote to memory of 2616 1944 Gomhkb32.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\152576b47aaaf10a82be29576d508a3d6a4ac396e611b36f7e2ea65cb9e9def7.exe"C:\Users\Admin\AppData\Local\Temp\152576b47aaaf10a82be29576d508a3d6a4ac396e611b36f7e2ea65cb9e9def7.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2904 -
C:\Windows\SysWOW64\Daplmimi.exeC:\Windows\system32\Daplmimi.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2460 -
C:\Windows\SysWOW64\Dkhpfo32.exeC:\Windows\system32\Dkhpfo32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2868 -
C:\Windows\SysWOW64\Dmgmbj32.exeC:\Windows\system32\Dmgmbj32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3028 -
C:\Windows\SysWOW64\Eipjmk32.exeC:\Windows\system32\Eipjmk32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2620 -
C:\Windows\SysWOW64\Edhkpcdb.exeC:\Windows\system32\Edhkpcdb.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Windows\SysWOW64\Eghdanac.exeC:\Windows\system32\Eghdanac.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2768 -
C:\Windows\SysWOW64\Eabeal32.exeC:\Windows\system32\Eabeal32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1576 -
C:\Windows\SysWOW64\Fadagl32.exeC:\Windows\system32\Fadagl32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1580 -
C:\Windows\SysWOW64\Fdekigip.exeC:\Windows\system32\Fdekigip.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2496 -
C:\Windows\SysWOW64\Fdggofgn.exeC:\Windows\system32\Fdggofgn.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2320 -
C:\Windows\SysWOW64\Fqqdigko.exeC:\Windows\system32\Fqqdigko.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2224 -
C:\Windows\SysWOW64\Gfmmanif.exeC:\Windows\system32\Gfmmanif.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2208 -
C:\Windows\SysWOW64\Gqendf32.exeC:\Windows\system32\Gqendf32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2128 -
C:\Windows\SysWOW64\Gjnbmlmj.exeC:\Windows\system32\Gjnbmlmj.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2332 -
C:\Windows\SysWOW64\Gomhkb32.exeC:\Windows\system32\Gomhkb32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1944 -
C:\Windows\SysWOW64\Gdjpcj32.exeC:\Windows\system32\Gdjpcj32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2616 -
C:\Windows\SysWOW64\Higiih32.exeC:\Windows\system32\Higiih32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2204 -
C:\Windows\SysWOW64\Hqbnnj32.exeC:\Windows\system32\Hqbnnj32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2528 -
C:\Windows\SysWOW64\Hjkbfpah.exeC:\Windows\system32\Hjkbfpah.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1556 -
C:\Windows\SysWOW64\Hgobpd32.exeC:\Windows\system32\Hgobpd32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:928 -
C:\Windows\SysWOW64\Hiblmldn.exeC:\Windows\system32\Hiblmldn.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1848 -
C:\Windows\SysWOW64\Hchpjddc.exeC:\Windows\system32\Hchpjddc.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1936 -
C:\Windows\SysWOW64\Imcaijia.exeC:\Windows\system32\Imcaijia.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2592 -
C:\Windows\SysWOW64\Iijbnkne.exeC:\Windows\system32\Iijbnkne.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1588 -
C:\Windows\SysWOW64\Ipcjje32.exeC:\Windows\system32\Ipcjje32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1724 -
C:\Windows\SysWOW64\Ibdclp32.exeC:\Windows\system32\Ibdclp32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2216 -
C:\Windows\SysWOW64\Jhchjgoh.exeC:\Windows\system32\Jhchjgoh.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:3012 -
C:\Windows\SysWOW64\Jfiekc32.exeC:\Windows\system32\Jfiekc32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2972 -
C:\Windows\SysWOW64\Jbpfpd32.exeC:\Windows\system32\Jbpfpd32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2744 -
C:\Windows\SysWOW64\Jepoao32.exeC:\Windows\system32\Jepoao32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2880 -
C:\Windows\SysWOW64\Jpfcohfk.exeC:\Windows\system32\Jpfcohfk.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2788 -
C:\Windows\SysWOW64\Kciifc32.exeC:\Windows\system32\Kciifc32.exe33⤵
- Executes dropped EXE
PID:1188 -
C:\Windows\SysWOW64\Kdlbckee.exeC:\Windows\system32\Kdlbckee.exe34⤵
- Executes dropped EXE
PID:872 -
C:\Windows\SysWOW64\Kneflplf.exeC:\Windows\system32\Kneflplf.exe35⤵
- Executes dropped EXE
PID:1748 -
C:\Windows\SysWOW64\Kjlgaa32.exeC:\Windows\system32\Kjlgaa32.exe36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1252 -
C:\Windows\SysWOW64\Lfgaaa32.exeC:\Windows\system32\Lfgaaa32.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2280 -
C:\Windows\SysWOW64\Lflklaoc.exeC:\Windows\system32\Lflklaoc.exe38⤵
- Executes dropped EXE
PID:1248 -
C:\Windows\SysWOW64\Mbbkabdh.exeC:\Windows\system32\Mbbkabdh.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:632 -
C:\Windows\SysWOW64\Mgaqohql.exeC:\Windows\system32\Mgaqohql.exe40⤵
- Executes dropped EXE
PID:468 -
C:\Windows\SysWOW64\Mqjehngm.exeC:\Windows\system32\Mqjehngm.exe41⤵
- Executes dropped EXE
PID:2076 -
C:\Windows\SysWOW64\Mgdmeh32.exeC:\Windows\system32\Mgdmeh32.exe42⤵
- Executes dropped EXE
PID:2364 -
C:\Windows\SysWOW64\Mjeffc32.exeC:\Windows\system32\Mjeffc32.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:772 -
C:\Windows\SysWOW64\Npdkdjhp.exeC:\Windows\system32\Npdkdjhp.exe44⤵
- Executes dropped EXE
PID:996 -
C:\Windows\SysWOW64\Nbbhpegc.exeC:\Windows\system32\Nbbhpegc.exe45⤵
- Executes dropped EXE
PID:2540 -
C:\Windows\SysWOW64\Nilpmo32.exeC:\Windows\system32\Nilpmo32.exe46⤵
- Executes dropped EXE
PID:796 -
C:\Windows\SysWOW64\Npfhjifm.exeC:\Windows\system32\Npfhjifm.exe47⤵
- Executes dropped EXE
PID:1040 -
C:\Windows\SysWOW64\Necqbp32.exeC:\Windows\system32\Necqbp32.exe48⤵
- Executes dropped EXE
PID:1048 -
C:\Windows\SysWOW64\Nmjicn32.exeC:\Windows\system32\Nmjicn32.exe49⤵
- Executes dropped EXE
PID:2392 -
C:\Windows\SysWOW64\Nbgakd32.exeC:\Windows\system32\Nbgakd32.exe50⤵
- Executes dropped EXE
PID:1716 -
C:\Windows\SysWOW64\Neemgp32.exeC:\Windows\system32\Neemgp32.exe51⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2660 -
C:\Windows\SysWOW64\Nnnbqeib.exeC:\Windows\system32\Nnnbqeib.exe52⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2968 -
C:\Windows\SysWOW64\Nlabjj32.exeC:\Windows\system32\Nlabjj32.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2724 -
C:\Windows\SysWOW64\Nbljfdoh.exeC:\Windows\system32\Nbljfdoh.exe54⤵
- Executes dropped EXE
PID:2912 -
C:\Windows\SysWOW64\Oldooi32.exeC:\Windows\system32\Oldooi32.exe55⤵
- Executes dropped EXE
PID:2756 -
C:\Windows\SysWOW64\Ohkpdj32.exeC:\Windows\system32\Ohkpdj32.exe56⤵
- Executes dropped EXE
PID:2552 -
C:\Windows\SysWOW64\Oacdmpan.exeC:\Windows\system32\Oacdmpan.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:2696 -
C:\Windows\SysWOW64\Oiniaboi.exeC:\Windows\system32\Oiniaboi.exe58⤵
- Executes dropped EXE
PID:828 -
C:\Windows\SysWOW64\Obgmjh32.exeC:\Windows\system32\Obgmjh32.exe59⤵
- Executes dropped EXE
PID:2920 -
C:\Windows\SysWOW64\Olobcm32.exeC:\Windows\system32\Olobcm32.exe60⤵
- Executes dropped EXE
PID:1868 -
C:\Windows\SysWOW64\Ofefqf32.exeC:\Windows\system32\Ofefqf32.exe61⤵
- Executes dropped EXE
PID:1084 -
C:\Windows\SysWOW64\Ppmkilbp.exeC:\Windows\system32\Ppmkilbp.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:2144 -
C:\Windows\SysWOW64\Phhonn32.exeC:\Windows\system32\Phhonn32.exe63⤵
- Executes dropped EXE
PID:2060 -
C:\Windows\SysWOW64\Pelpgb32.exeC:\Windows\system32\Pelpgb32.exe64⤵
- Executes dropped EXE
PID:580 -
C:\Windows\SysWOW64\Pbppqf32.exeC:\Windows\system32\Pbppqf32.exe65⤵
- Executes dropped EXE
PID:1872 -
C:\Windows\SysWOW64\Phmiimlf.exeC:\Windows\system32\Phmiimlf.exe66⤵PID:2016
-
C:\Windows\SysWOW64\Pmjaadjm.exeC:\Windows\system32\Pmjaadjm.exe67⤵PID:748
-
C:\Windows\SysWOW64\Phoeomjc.exeC:\Windows\system32\Phoeomjc.exe68⤵PID:2648
-
C:\Windows\SysWOW64\Pmlngdhk.exeC:\Windows\system32\Pmlngdhk.exe69⤵PID:1676
-
C:\Windows\SysWOW64\Pdffcn32.exeC:\Windows\system32\Pdffcn32.exe70⤵PID:2376
-
C:\Windows\SysWOW64\Qkpnph32.exeC:\Windows\system32\Qkpnph32.exe71⤵PID:2380
-
C:\Windows\SysWOW64\Qdhcinme.exeC:\Windows\system32\Qdhcinme.exe72⤵PID:1536
-
C:\Windows\SysWOW64\Qggoeilh.exeC:\Windows\system32\Qggoeilh.exe73⤵PID:2804
-
C:\Windows\SysWOW64\Qnagbc32.exeC:\Windows\system32\Qnagbc32.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3016 -
C:\Windows\SysWOW64\Alfdcp32.exeC:\Windows\system32\Alfdcp32.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2836 -
C:\Windows\SysWOW64\Aglhph32.exeC:\Windows\system32\Aglhph32.exe76⤵PID:1128
-
C:\Windows\SysWOW64\Apdminod.exeC:\Windows\system32\Apdminod.exe77⤵PID:2100
-
C:\Windows\SysWOW64\Aaeiqf32.exeC:\Windows\system32\Aaeiqf32.exe78⤵PID:2488
-
C:\Windows\SysWOW64\Ahoamplo.exeC:\Windows\system32\Ahoamplo.exe79⤵PID:2676
-
C:\Windows\SysWOW64\Acdfki32.exeC:\Windows\system32\Acdfki32.exe80⤵PID:1088
-
C:\Windows\SysWOW64\Almjcobe.exeC:\Windows\system32\Almjcobe.exe81⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2084 -
C:\Windows\SysWOW64\Aokfpjai.exeC:\Windows\system32\Aokfpjai.exe82⤵PID:2684
-
C:\Windows\SysWOW64\Adhohapp.exeC:\Windows\system32\Adhohapp.exe83⤵PID:600
-
C:\Windows\SysWOW64\Boncej32.exeC:\Windows\system32\Boncej32.exe84⤵PID:2672
-
C:\Windows\SysWOW64\Bblpae32.exeC:\Windows\system32\Bblpae32.exe85⤵PID:1664
-
C:\Windows\SysWOW64\Bhfhnofg.exeC:\Windows\system32\Bhfhnofg.exe86⤵PID:1660
-
C:\Windows\SysWOW64\Bncpffdn.exeC:\Windows\system32\Bncpffdn.exe87⤵PID:2020
-
C:\Windows\SysWOW64\Bdmhcp32.exeC:\Windows\system32\Bdmhcp32.exe88⤵PID:2068
-
C:\Windows\SysWOW64\Bjjakg32.exeC:\Windows\system32\Bjjakg32.exe89⤵PID:2864
-
C:\Windows\SysWOW64\Bdoeipjh.exeC:\Windows\system32\Bdoeipjh.exe90⤵PID:3032
-
C:\Windows\SysWOW64\Bjlnaghp.exeC:\Windows\system32\Bjlnaghp.exe91⤵
- Modifies registry class
PID:2780 -
C:\Windows\SysWOW64\Bqffna32.exeC:\Windows\system32\Bqffna32.exe92⤵PID:2564
-
C:\Windows\SysWOW64\Bcdbjl32.exeC:\Windows\system32\Bcdbjl32.exe93⤵PID:2532
-
C:\Windows\SysWOW64\Bjnjfffm.exeC:\Windows\system32\Bjnjfffm.exe94⤵PID:2944
-
C:\Windows\SysWOW64\Bbjoki32.exeC:\Windows\system32\Bbjoki32.exe95⤵PID:2472
-
C:\Windows\SysWOW64\Ccileljk.exeC:\Windows\system32\Ccileljk.exe96⤵
- Drops file in System32 directory
PID:2160 -
C:\Windows\SysWOW64\Ckdpinhf.exeC:\Windows\system32\Ckdpinhf.exe97⤵
- System Location Discovery: System Language Discovery
PID:808 -
C:\Windows\SysWOW64\Cihqbb32.exeC:\Windows\system32\Cihqbb32.exe98⤵PID:932
-
C:\Windows\SysWOW64\Cpbiolnl.exeC:\Windows\system32\Cpbiolnl.exe99⤵PID:1272
-
C:\Windows\SysWOW64\Ceoagcld.exeC:\Windows\system32\Ceoagcld.exe100⤵PID:2008
-
C:\Windows\SysWOW64\Cgmndokg.exeC:\Windows\system32\Cgmndokg.exe101⤵PID:2324
-
C:\Windows\SysWOW64\Cngfqi32.exeC:\Windows\system32\Cngfqi32.exe102⤵
- System Location Discovery: System Language Discovery
PID:2432 -
C:\Windows\SysWOW64\Ccdnipal.exeC:\Windows\system32\Ccdnipal.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2136 -
C:\Windows\SysWOW64\Cmmcae32.exeC:\Windows\system32\Cmmcae32.exe104⤵
- Modifies registry class
PID:2728 -
C:\Windows\SysWOW64\Dfegjknm.exeC:\Windows\system32\Dfegjknm.exe105⤵PID:2576
-
C:\Windows\SysWOW64\Dmopge32.exeC:\Windows\system32\Dmopge32.exe106⤵PID:1032
-
C:\Windows\SysWOW64\Dcihdo32.exeC:\Windows\system32\Dcihdo32.exe107⤵PID:2092
-
C:\Windows\SysWOW64\Djcpqidc.exeC:\Windows\system32\Djcpqidc.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:892 -
C:\Windows\SysWOW64\Elnonp32.exeC:\Windows\system32\Elnonp32.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:904 -
C:\Windows\SysWOW64\Ehdpcahk.exeC:\Windows\system32\Ehdpcahk.exe110⤵PID:604
-
C:\Windows\SysWOW64\Egljjmkp.exeC:\Windows\system32\Egljjmkp.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:964 -
C:\Windows\SysWOW64\Epdncb32.exeC:\Windows\system32\Epdncb32.exe112⤵PID:1056
-
C:\Windows\SysWOW64\Fgnfpm32.exeC:\Windows\system32\Fgnfpm32.exe113⤵PID:272
-
C:\Windows\SysWOW64\Flkohc32.exeC:\Windows\system32\Flkohc32.exe114⤵PID:1668
-
C:\Windows\SysWOW64\Fcegdnna.exeC:\Windows\system32\Fcegdnna.exe115⤵PID:2848
-
C:\Windows\SysWOW64\Fmjkbfnh.exeC:\Windows\system32\Fmjkbfnh.exe116⤵PID:2556
-
C:\Windows\SysWOW64\Fcgdjmlo.exeC:\Windows\system32\Fcgdjmlo.exe117⤵PID:2948
-
C:\Windows\SysWOW64\Fialggcl.exeC:\Windows\system32\Fialggcl.exe118⤵PID:2180
-
C:\Windows\SysWOW64\Fehmlh32.exeC:\Windows\system32\Fehmlh32.exe119⤵PID:1240
-
C:\Windows\SysWOW64\Fclmem32.exeC:\Windows\system32\Fclmem32.exe120⤵
- Drops file in System32 directory
PID:2408 -
C:\Windows\SysWOW64\Fejjah32.exeC:\Windows\system32\Fejjah32.exe121⤵PID:1148
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-