Analysis
-
max time kernel
118s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
13-01-2025 07:09
Behavioral task
behavioral1
Sample
8a3b85af2ac63e7d93271fb53e8313e9d76dfa528a35c7d76d97f27b501cde93N.exe
Resource
win7-20240729-en
windows7-x64
12 signatures
120 seconds
General
-
Target
8a3b85af2ac63e7d93271fb53e8313e9d76dfa528a35c7d76d97f27b501cde93N.exe
-
Size
93KB
-
MD5
b472c470dc7e5cabed1c840f04f40f90
-
SHA1
e4ecffd334ceb74045e72af843c2e05de81364c2
-
SHA256
8a3b85af2ac63e7d93271fb53e8313e9d76dfa528a35c7d76d97f27b501cde93
-
SHA512
dccfc2145440e9f2f8a6011e7990f46c2a944062850d7d4a1ede8c4cf0c403fe420172a46906396fa8e6fef7350ba243eb9ece9ffe762a42ef54f07a77e162dd
-
SSDEEP
1536:rvYATJjg6NJPMem6bZGiYUWfpH1DaYfMZRWuLsV+1J:rgAlhZzZFWfpHgYfc0DV+1J
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkmjjn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpcnbn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcidkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Meljbqna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Coladm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fbniohpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bfbjdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flfkoeoh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kaekljjo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpnngi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Laidgi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fiqibj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkgifd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eiilge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kglfcd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhnnnbaj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amglgn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfbjdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Icplje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qpniokan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aeokba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdinnqon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dbmkfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iqllghon.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qmepanje.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Miclhpjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mkgeehnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Omhkcnfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oknhdjko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aiknnf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efppqoil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hpcpdfhj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebcmfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmgoif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Goddjc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdjoii32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Peeabm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmkdhq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ejabqi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmddgg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gnlpeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ngjlpmnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pilbocej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mkdioh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odflmp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkbkpcpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmddgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jqnhmgmk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lnkege32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imogcj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kimjhnnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pncjad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkedjo32.exe -
Berbew family
-
Njrat family
-
Executes dropped EXE 64 IoCs
pid Process 2844 Lpnopm32.exe 3012 Loaokjjg.exe 2608 Llepen32.exe 2628 Lcohahpn.exe 1488 Lemdncoa.exe 1724 Lofifi32.exe 3028 Lcadghnk.exe 2172 Lhnmoo32.exe 584 Lnkege32.exe 2812 Mdendpbg.exe 2452 Mhqjen32.exe 1780 Mdgkjopd.exe 1020 Mkacfiga.exe 2228 Mjdcbf32.exe 3044 Mpnkopeh.exe 2872 Mkcplien.exe 2460 Mpphdpcf.exe 2780 Mdldeo32.exe 1896 Mfmqmgbm.exe 2348 Moeeelhn.exe 2032 Mgmmfjip.exe 1248 Mlieoqgg.exe 2312 Nohaklfk.exe 1152 Njmfhe32.exe 2476 Nkobpmlo.exe 2752 Nojnql32.exe 2772 Ndggib32.exe 2652 Nkaoemjm.exe 2156 Nffccejb.exe 2800 Nghpjn32.exe 2208 Noohlkpc.exe 2144 Ngjlpmnn.exe 2636 Nkehql32.exe 2892 Nqbaic32.exe 2224 Okhefl32.exe 1760 Occjjnap.exe 2440 Ofafgipc.exe 2184 Oninhgae.exe 2252 Oqgjdbpi.exe 2236 Ojpomh32.exe 1900 Omnkicen.exe 1136 Obkcajde.exe 1464 Offpbi32.exe 1764 Olchjp32.exe 2320 Opodknco.exe 396 Ofilgh32.exe 2256 Oighcd32.exe 1540 Ombddbah.exe 1532 Pndalkgf.exe 2700 Pbomli32.exe 2568 Pfkimhhi.exe 1512 Piieicgl.exe 3020 Phledp32.exe 2288 Ppcmfn32.exe 2816 Pbajbi32.exe 1256 Pepfnd32.exe 2420 Pilbocej.exe 2192 Pljnkodm.exe 2360 Pjmnfk32.exe 1960 Pbdfgilj.exe 832 Pdecoa32.exe 3060 Pllkpn32.exe 1668 Pjoklkie.exe 2340 Pmnghfhi.exe -
Loads dropped DLL 64 IoCs
pid Process 2268 8a3b85af2ac63e7d93271fb53e8313e9d76dfa528a35c7d76d97f27b501cde93N.exe 2268 8a3b85af2ac63e7d93271fb53e8313e9d76dfa528a35c7d76d97f27b501cde93N.exe 2844 Lpnopm32.exe 2844 Lpnopm32.exe 3012 Loaokjjg.exe 3012 Loaokjjg.exe 2608 Llepen32.exe 2608 Llepen32.exe 2628 Lcohahpn.exe 2628 Lcohahpn.exe 1488 Lemdncoa.exe 1488 Lemdncoa.exe 1724 Lofifi32.exe 1724 Lofifi32.exe 3028 Lcadghnk.exe 3028 Lcadghnk.exe 2172 Lhnmoo32.exe 2172 Lhnmoo32.exe 584 Lnkege32.exe 584 Lnkege32.exe 2812 Mdendpbg.exe 2812 Mdendpbg.exe 2452 Mhqjen32.exe 2452 Mhqjen32.exe 1780 Mdgkjopd.exe 1780 Mdgkjopd.exe 1020 Mkacfiga.exe 1020 Mkacfiga.exe 2228 Mjdcbf32.exe 2228 Mjdcbf32.exe 3044 Mpnkopeh.exe 3044 Mpnkopeh.exe 2872 Mkcplien.exe 2872 Mkcplien.exe 2460 Mpphdpcf.exe 2460 Mpphdpcf.exe 2780 Mdldeo32.exe 2780 Mdldeo32.exe 1896 Mfmqmgbm.exe 1896 Mfmqmgbm.exe 2348 Moeeelhn.exe 2348 Moeeelhn.exe 2032 Mgmmfjip.exe 2032 Mgmmfjip.exe 1248 Mlieoqgg.exe 1248 Mlieoqgg.exe 2312 Nohaklfk.exe 2312 Nohaklfk.exe 1152 Njmfhe32.exe 1152 Njmfhe32.exe 2476 Nkobpmlo.exe 2476 Nkobpmlo.exe 2752 Nojnql32.exe 2752 Nojnql32.exe 2772 Ndggib32.exe 2772 Ndggib32.exe 2652 Nkaoemjm.exe 2652 Nkaoemjm.exe 2156 Nffccejb.exe 2156 Nffccejb.exe 2800 Nghpjn32.exe 2800 Nghpjn32.exe 2208 Noohlkpc.exe 2208 Noohlkpc.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Lijiaabk.exe Lkgifd32.exe File opened for modification C:\Windows\SysWOW64\Lhlbbg32.exe Lenffl32.exe File created C:\Windows\SysWOW64\Egqcce32.dll Lhlbbg32.exe File opened for modification C:\Windows\SysWOW64\Qfkgdd32.exe Qcmkhi32.exe File created C:\Windows\SysWOW64\Bdfjnkne.exe Blobmm32.exe File created C:\Windows\SysWOW64\Lofifi32.exe Lemdncoa.exe File created C:\Windows\SysWOW64\Lnkege32.exe Lhnmoo32.exe File opened for modification C:\Windows\SysWOW64\Hljaigmo.exe Hhoeii32.exe File opened for modification C:\Windows\SysWOW64\Mhkfnlme.exe Meljbqna.exe File created C:\Windows\SysWOW64\Pfmden32.dll Eqcjaa32.exe File opened for modification C:\Windows\SysWOW64\Abdeoe32.exe Acadchoo.exe File created C:\Windows\SysWOW64\Lmalgq32.exe Lkbpke32.exe File opened for modification C:\Windows\SysWOW64\Aldfcpjn.exe Aejnfe32.exe File opened for modification C:\Windows\SysWOW64\Ihpgce32.exe Ifbkgj32.exe File created C:\Windows\SysWOW64\Jmibmhoj.exe Jinfli32.exe File created C:\Windows\SysWOW64\Pfapgnji.dll Capdpcge.exe File created C:\Windows\SysWOW64\Ilefmc32.dll Icbipe32.exe File created C:\Windows\SysWOW64\Hcdkmafl.dll Nnodgbed.exe File created C:\Windows\SysWOW64\Fkbhkj32.dll Bceeqi32.exe File opened for modification C:\Windows\SysWOW64\Pcnfdl32.exe Oekehomj.exe File created C:\Windows\SysWOW64\Gidhbgag.exe Geilah32.exe File created C:\Windows\SysWOW64\Lhioglih.dll Icplje32.exe File created C:\Windows\SysWOW64\Mfdgjene.dll Nphghn32.exe File created C:\Windows\SysWOW64\Ooggpiek.exe Omhkcnfg.exe File created C:\Windows\SysWOW64\Hdhbci32.exe Hajfgnjc.exe File created C:\Windows\SysWOW64\Fejifdab.exe Fblljhbo.exe File created C:\Windows\SysWOW64\Njljfe32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Cbjnqh32.exe Coladm32.exe File opened for modification C:\Windows\SysWOW64\Hpfoboml.exe Process not Found File created C:\Windows\SysWOW64\Ejnbekph.dll Dboglhna.exe File created C:\Windows\SysWOW64\Enpdjfgj.exe Eomdoj32.exe File created C:\Windows\SysWOW64\Lhjdeqif.dll Process not Found File opened for modification C:\Windows\SysWOW64\Afpogk32.exe Aohgfm32.exe File opened for modification C:\Windows\SysWOW64\Jcleiclo.exe Jqnhmgmk.exe File created C:\Windows\SysWOW64\Bnipnnpb.dll Ofdeeb32.exe File created C:\Windows\SysWOW64\Hipnaoog.dll Lkbpke32.exe File opened for modification C:\Windows\SysWOW64\Nbqjqehd.exe Nobndj32.exe File opened for modification C:\Windows\SysWOW64\Kffqqm32.exe Knohpo32.exe File created C:\Windows\SysWOW64\Llepen32.exe Loaokjjg.exe File opened for modification C:\Windows\SysWOW64\Pncjad32.exe Pflbpg32.exe File opened for modification C:\Windows\SysWOW64\Mjlejl32.exe Process not Found File created C:\Windows\SysWOW64\Fhhofe32.dll Dckcnj32.exe File created C:\Windows\SysWOW64\Iifmcp32.dll Mdgkjopd.exe File created C:\Windows\SysWOW64\Ijidfpci.exe Igkhjdde.exe File created C:\Windows\SysWOW64\Bakaaepk.exe Boleejag.exe File created C:\Windows\SysWOW64\Eqkjmcmq.exe Empomd32.exe File created C:\Windows\SysWOW64\Pmnonj32.dll Cdfgmnpa.exe File opened for modification C:\Windows\SysWOW64\Dmgoif32.exe Djicmk32.exe File opened for modification C:\Windows\SysWOW64\Gbhcpmkm.exe Gpjfcali.exe File created C:\Windows\SysWOW64\Gkedjo32.exe Glbdnbpk.exe File created C:\Windows\SysWOW64\Bopffl32.dll Bhbmip32.exe File opened for modification C:\Windows\SysWOW64\Cgbfcjag.exe Cdcjgnbc.exe File created C:\Windows\SysWOW64\Mhkhgd32.exe Process not Found File created C:\Windows\SysWOW64\Ohcnpfgn.dll Gaebfdba.exe File opened for modification C:\Windows\SysWOW64\Babbng32.exe Bngfmhbj.exe File created C:\Windows\SysWOW64\Qcoljb32.dll Mpcgbhig.exe File opened for modification C:\Windows\SysWOW64\Bfbjdf32.exe Bphaglgo.exe File created C:\Windows\SysWOW64\Eikcigkl.dll Kmklak32.exe File created C:\Windows\SysWOW64\Cheleg32.dll Cmqihg32.exe File opened for modification C:\Windows\SysWOW64\Cpbkhabp.exe Caokmd32.exe File opened for modification C:\Windows\SysWOW64\Efoifiep.exe Ebcmfj32.exe File created C:\Windows\SysWOW64\Kgocef32.dll Hgoadp32.exe File created C:\Windows\SysWOW64\Nlecok32.dll Nffccejb.exe File created C:\Windows\SysWOW64\Hhchpk32.dll Pcnfdl32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 11212 2932 Process not Found 1216 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fikelhib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hocmpm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcleiclo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjbmll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpmjcg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bimphc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbmkfh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbjpem32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkopndcb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngoleb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ciepkajj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhmldfdm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dleelp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmoppefc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icoepohq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oddphp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mokkegmm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfaqfh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhklna32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhjpnj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjngoj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gieaef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Paafmp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eaqkcimg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jeoeclek.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acadchoo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckfjjqhd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmijajbd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmlobg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfbjdf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcpmijqc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkmncl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Donojm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Maanab32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdinnqon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnjalhpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fllaopcg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjbqmi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nkfkidmk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abgaeddg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlieoqgg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njnokdaq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahngomkd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbmnea32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gibbgmfe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hajfgnjc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iqapnjli.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kngekdnf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nknkeg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmkdhq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjckelfm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apclnj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qlgndbil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlpchfdi.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ofiopaap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgkqcb32.dll" Camnge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lenffl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mmpakm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nohddd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fiqechmg.dll" Ajamfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ecgjdong.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igmaaacj.dll" Pilbocej.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hdjoii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iemanlnj.dll" Jcoanb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cjbmll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aokckm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmeoijkk.dll" Nknkeg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dflpeo32.dll" Jcoanb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lakfjp32.dll" Laidgi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcedgp32.dll" Pkfghh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Abkkpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dqfabdaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jchkhe32.dll" Geilah32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jibpghbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okipkm32.dll" Glfgnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pmmqmpdm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpiacg32.dll" Ndggib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhalbm32.dll" Dfkclf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hgoadp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lmbabj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ggiofa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lhlbbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmcnpjhd.dll" Gckfpc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cncolfcl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ecjgio32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Elmkmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Moeeelhn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ojpomh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Famcbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kjhfjpdd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ailqfooi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aiqjao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lhnmoo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkjgfien.dll" Jelhmlgm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kiofnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ddjphm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cdchneko.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cqleifna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdpnaccc.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnhnhd32.dll" Nkaoemjm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Laodmoep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cembim32.dll" Okhefl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ffmipmjn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mobaef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dggekf32.dll" Aiqjao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bikjmj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Amglgn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Onipqp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifijkq32.dll" Ohmoco32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Clnehado.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mdldeo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckfjjqhd.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2268 wrote to memory of 2844 2268 8a3b85af2ac63e7d93271fb53e8313e9d76dfa528a35c7d76d97f27b501cde93N.exe 30 PID 2268 wrote to memory of 2844 2268 8a3b85af2ac63e7d93271fb53e8313e9d76dfa528a35c7d76d97f27b501cde93N.exe 30 PID 2268 wrote to memory of 2844 2268 8a3b85af2ac63e7d93271fb53e8313e9d76dfa528a35c7d76d97f27b501cde93N.exe 30 PID 2268 wrote to memory of 2844 2268 8a3b85af2ac63e7d93271fb53e8313e9d76dfa528a35c7d76d97f27b501cde93N.exe 30 PID 2844 wrote to memory of 3012 2844 Lpnopm32.exe 31 PID 2844 wrote to memory of 3012 2844 Lpnopm32.exe 31 PID 2844 wrote to memory of 3012 2844 Lpnopm32.exe 31 PID 2844 wrote to memory of 3012 2844 Lpnopm32.exe 31 PID 3012 wrote to memory of 2608 3012 Loaokjjg.exe 32 PID 3012 wrote to memory of 2608 3012 Loaokjjg.exe 32 PID 3012 wrote to memory of 2608 3012 Loaokjjg.exe 32 PID 3012 wrote to memory of 2608 3012 Loaokjjg.exe 32 PID 2608 wrote to memory of 2628 2608 Llepen32.exe 33 PID 2608 wrote to memory of 2628 2608 Llepen32.exe 33 PID 2608 wrote to memory of 2628 2608 Llepen32.exe 33 PID 2608 wrote to memory of 2628 2608 Llepen32.exe 33 PID 2628 wrote to memory of 1488 2628 Lcohahpn.exe 34 PID 2628 wrote to memory of 1488 2628 Lcohahpn.exe 34 PID 2628 wrote to memory of 1488 2628 Lcohahpn.exe 34 PID 2628 wrote to memory of 1488 2628 Lcohahpn.exe 34 PID 1488 wrote to memory of 1724 1488 Lemdncoa.exe 35 PID 1488 wrote to memory of 1724 1488 Lemdncoa.exe 35 PID 1488 wrote to memory of 1724 1488 Lemdncoa.exe 35 PID 1488 wrote to memory of 1724 1488 Lemdncoa.exe 35 PID 1724 wrote to memory of 3028 1724 Lofifi32.exe 36 PID 1724 wrote to memory of 3028 1724 Lofifi32.exe 36 PID 1724 wrote to memory of 3028 1724 Lofifi32.exe 36 PID 1724 wrote to memory of 3028 1724 Lofifi32.exe 36 PID 3028 wrote to memory of 2172 3028 Lcadghnk.exe 37 PID 3028 wrote to memory of 2172 3028 Lcadghnk.exe 37 PID 3028 wrote to memory of 2172 3028 Lcadghnk.exe 37 PID 3028 wrote to memory of 2172 3028 Lcadghnk.exe 37 PID 2172 wrote to memory of 584 2172 Lhnmoo32.exe 38 PID 2172 wrote to memory of 584 2172 Lhnmoo32.exe 38 PID 2172 wrote to memory of 584 2172 Lhnmoo32.exe 38 PID 2172 wrote to memory of 584 2172 Lhnmoo32.exe 38 PID 584 wrote to memory of 2812 584 Lnkege32.exe 39 PID 584 wrote to memory of 2812 584 Lnkege32.exe 39 PID 584 wrote to memory of 2812 584 Lnkege32.exe 39 PID 584 wrote to memory of 2812 584 Lnkege32.exe 39 PID 2812 wrote to memory of 2452 2812 Mdendpbg.exe 40 PID 2812 wrote to memory of 2452 2812 Mdendpbg.exe 40 PID 2812 wrote to memory of 2452 2812 Mdendpbg.exe 40 PID 2812 wrote to memory of 2452 2812 Mdendpbg.exe 40 PID 2452 wrote to memory of 1780 2452 Mhqjen32.exe 41 PID 2452 wrote to memory of 1780 2452 Mhqjen32.exe 41 PID 2452 wrote to memory of 1780 2452 Mhqjen32.exe 41 PID 2452 wrote to memory of 1780 2452 Mhqjen32.exe 41 PID 1780 wrote to memory of 1020 1780 Mdgkjopd.exe 42 PID 1780 wrote to memory of 1020 1780 Mdgkjopd.exe 42 PID 1780 wrote to memory of 1020 1780 Mdgkjopd.exe 42 PID 1780 wrote to memory of 1020 1780 Mdgkjopd.exe 42 PID 1020 wrote to memory of 2228 1020 Mkacfiga.exe 43 PID 1020 wrote to memory of 2228 1020 Mkacfiga.exe 43 PID 1020 wrote to memory of 2228 1020 Mkacfiga.exe 43 PID 1020 wrote to memory of 2228 1020 Mkacfiga.exe 43 PID 2228 wrote to memory of 3044 2228 Mjdcbf32.exe 44 PID 2228 wrote to memory of 3044 2228 Mjdcbf32.exe 44 PID 2228 wrote to memory of 3044 2228 Mjdcbf32.exe 44 PID 2228 wrote to memory of 3044 2228 Mjdcbf32.exe 44 PID 3044 wrote to memory of 2872 3044 Mpnkopeh.exe 45 PID 3044 wrote to memory of 2872 3044 Mpnkopeh.exe 45 PID 3044 wrote to memory of 2872 3044 Mpnkopeh.exe 45 PID 3044 wrote to memory of 2872 3044 Mpnkopeh.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\8a3b85af2ac63e7d93271fb53e8313e9d76dfa528a35c7d76d97f27b501cde93N.exe"C:\Users\Admin\AppData\Local\Temp\8a3b85af2ac63e7d93271fb53e8313e9d76dfa528a35c7d76d97f27b501cde93N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2268 -
C:\Windows\SysWOW64\Lpnopm32.exeC:\Windows\system32\Lpnopm32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2844 -
C:\Windows\SysWOW64\Loaokjjg.exeC:\Windows\system32\Loaokjjg.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3012 -
C:\Windows\SysWOW64\Llepen32.exeC:\Windows\system32\Llepen32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2608 -
C:\Windows\SysWOW64\Lcohahpn.exeC:\Windows\system32\Lcohahpn.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Windows\SysWOW64\Lemdncoa.exeC:\Windows\system32\Lemdncoa.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1488 -
C:\Windows\SysWOW64\Lofifi32.exeC:\Windows\system32\Lofifi32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1724 -
C:\Windows\SysWOW64\Lcadghnk.exeC:\Windows\system32\Lcadghnk.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3028 -
C:\Windows\SysWOW64\Lhnmoo32.exeC:\Windows\system32\Lhnmoo32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2172 -
C:\Windows\SysWOW64\Lnkege32.exeC:\Windows\system32\Lnkege32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:584 -
C:\Windows\SysWOW64\Mdendpbg.exeC:\Windows\system32\Mdendpbg.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2812 -
C:\Windows\SysWOW64\Mhqjen32.exeC:\Windows\system32\Mhqjen32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2452 -
C:\Windows\SysWOW64\Mdgkjopd.exeC:\Windows\system32\Mdgkjopd.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1780 -
C:\Windows\SysWOW64\Mkacfiga.exeC:\Windows\system32\Mkacfiga.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1020 -
C:\Windows\SysWOW64\Mjdcbf32.exeC:\Windows\system32\Mjdcbf32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2228 -
C:\Windows\SysWOW64\Mpnkopeh.exeC:\Windows\system32\Mpnkopeh.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3044 -
C:\Windows\SysWOW64\Mkcplien.exeC:\Windows\system32\Mkcplien.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2872 -
C:\Windows\SysWOW64\Mpphdpcf.exeC:\Windows\system32\Mpphdpcf.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2460 -
C:\Windows\SysWOW64\Mdldeo32.exeC:\Windows\system32\Mdldeo32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2780 -
C:\Windows\SysWOW64\Mfmqmgbm.exeC:\Windows\system32\Mfmqmgbm.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1896 -
C:\Windows\SysWOW64\Moeeelhn.exeC:\Windows\system32\Moeeelhn.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2348 -
C:\Windows\SysWOW64\Mgmmfjip.exeC:\Windows\system32\Mgmmfjip.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2032 -
C:\Windows\SysWOW64\Mlieoqgg.exeC:\Windows\system32\Mlieoqgg.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1248 -
C:\Windows\SysWOW64\Nohaklfk.exeC:\Windows\system32\Nohaklfk.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2312 -
C:\Windows\SysWOW64\Njmfhe32.exeC:\Windows\system32\Njmfhe32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1152 -
C:\Windows\SysWOW64\Nkobpmlo.exeC:\Windows\system32\Nkobpmlo.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2476 -
C:\Windows\SysWOW64\Nojnql32.exeC:\Windows\system32\Nojnql32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2752 -
C:\Windows\SysWOW64\Ndggib32.exeC:\Windows\system32\Ndggib32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2772 -
C:\Windows\SysWOW64\Nkaoemjm.exeC:\Windows\system32\Nkaoemjm.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2652 -
C:\Windows\SysWOW64\Nffccejb.exeC:\Windows\system32\Nffccejb.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2156 -
C:\Windows\SysWOW64\Nghpjn32.exeC:\Windows\system32\Nghpjn32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2800 -
C:\Windows\SysWOW64\Noohlkpc.exeC:\Windows\system32\Noohlkpc.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2208 -
C:\Windows\SysWOW64\Ngjlpmnn.exeC:\Windows\system32\Ngjlpmnn.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2144 -
C:\Windows\SysWOW64\Nkehql32.exeC:\Windows\system32\Nkehql32.exe34⤵
- Executes dropped EXE
PID:2636 -
C:\Windows\SysWOW64\Nqbaic32.exeC:\Windows\system32\Nqbaic32.exe35⤵
- Executes dropped EXE
PID:2892 -
C:\Windows\SysWOW64\Okhefl32.exeC:\Windows\system32\Okhefl32.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:2224 -
C:\Windows\SysWOW64\Occjjnap.exeC:\Windows\system32\Occjjnap.exe37⤵
- Executes dropped EXE
PID:1760 -
C:\Windows\SysWOW64\Ofafgipc.exeC:\Windows\system32\Ofafgipc.exe38⤵
- Executes dropped EXE
PID:2440 -
C:\Windows\SysWOW64\Oninhgae.exeC:\Windows\system32\Oninhgae.exe39⤵
- Executes dropped EXE
PID:2184 -
C:\Windows\SysWOW64\Oqgjdbpi.exeC:\Windows\system32\Oqgjdbpi.exe40⤵
- Executes dropped EXE
PID:2252 -
C:\Windows\SysWOW64\Ojpomh32.exeC:\Windows\system32\Ojpomh32.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:2236 -
C:\Windows\SysWOW64\Omnkicen.exeC:\Windows\system32\Omnkicen.exe42⤵
- Executes dropped EXE
PID:1900 -
C:\Windows\SysWOW64\Obkcajde.exeC:\Windows\system32\Obkcajde.exe43⤵
- Executes dropped EXE
PID:1136 -
C:\Windows\SysWOW64\Offpbi32.exeC:\Windows\system32\Offpbi32.exe44⤵
- Executes dropped EXE
PID:1464 -
C:\Windows\SysWOW64\Olchjp32.exeC:\Windows\system32\Olchjp32.exe45⤵
- Executes dropped EXE
PID:1764 -
C:\Windows\SysWOW64\Opodknco.exeC:\Windows\system32\Opodknco.exe46⤵
- Executes dropped EXE
PID:2320 -
C:\Windows\SysWOW64\Ofilgh32.exeC:\Windows\system32\Ofilgh32.exe47⤵
- Executes dropped EXE
PID:396 -
C:\Windows\SysWOW64\Oighcd32.exeC:\Windows\system32\Oighcd32.exe48⤵
- Executes dropped EXE
PID:2256 -
C:\Windows\SysWOW64\Ombddbah.exeC:\Windows\system32\Ombddbah.exe49⤵
- Executes dropped EXE
PID:1540 -
C:\Windows\SysWOW64\Oleepo32.exeC:\Windows\system32\Oleepo32.exe50⤵PID:2704
-
C:\Windows\SysWOW64\Pndalkgf.exeC:\Windows\system32\Pndalkgf.exe51⤵
- Executes dropped EXE
PID:1532 -
C:\Windows\SysWOW64\Pbomli32.exeC:\Windows\system32\Pbomli32.exe52⤵
- Executes dropped EXE
PID:2700 -
C:\Windows\SysWOW64\Pfkimhhi.exeC:\Windows\system32\Pfkimhhi.exe53⤵
- Executes dropped EXE
PID:2568 -
C:\Windows\SysWOW64\Piieicgl.exeC:\Windows\system32\Piieicgl.exe54⤵
- Executes dropped EXE
PID:1512 -
C:\Windows\SysWOW64\Phledp32.exeC:\Windows\system32\Phledp32.exe55⤵
- Executes dropped EXE
PID:3020 -
C:\Windows\SysWOW64\Ppcmfn32.exeC:\Windows\system32\Ppcmfn32.exe56⤵
- Executes dropped EXE
PID:2288 -
C:\Windows\SysWOW64\Pbajbi32.exeC:\Windows\system32\Pbajbi32.exe57⤵
- Executes dropped EXE
PID:2816 -
C:\Windows\SysWOW64\Pepfnd32.exeC:\Windows\system32\Pepfnd32.exe58⤵
- Executes dropped EXE
PID:1256 -
C:\Windows\SysWOW64\Pilbocej.exeC:\Windows\system32\Pilbocej.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2420 -
C:\Windows\SysWOW64\Pljnkodm.exeC:\Windows\system32\Pljnkodm.exe60⤵
- Executes dropped EXE
PID:2192 -
C:\Windows\SysWOW64\Pjmnfk32.exeC:\Windows\system32\Pjmnfk32.exe61⤵
- Executes dropped EXE
PID:2360 -
C:\Windows\SysWOW64\Pbdfgilj.exeC:\Windows\system32\Pbdfgilj.exe62⤵
- Executes dropped EXE
PID:1960 -
C:\Windows\SysWOW64\Pdecoa32.exeC:\Windows\system32\Pdecoa32.exe63⤵
- Executes dropped EXE
PID:832 -
C:\Windows\SysWOW64\Pllkpn32.exeC:\Windows\system32\Pllkpn32.exe64⤵
- Executes dropped EXE
PID:3060 -
C:\Windows\SysWOW64\Pjoklkie.exeC:\Windows\system32\Pjoklkie.exe65⤵
- Executes dropped EXE
PID:1668 -
C:\Windows\SysWOW64\Pmnghfhi.exeC:\Windows\system32\Pmnghfhi.exe66⤵
- Executes dropped EXE
PID:2340 -
C:\Windows\SysWOW64\Paiche32.exeC:\Windows\system32\Paiche32.exe67⤵PID:992
-
C:\Windows\SysWOW64\Peeoidik.exeC:\Windows\system32\Peeoidik.exe68⤵PID:2596
-
C:\Windows\SysWOW64\Pdhpdq32.exeC:\Windows\system32\Pdhpdq32.exe69⤵PID:2692
-
C:\Windows\SysWOW64\Pjahakgb.exeC:\Windows\system32\Pjahakgb.exe70⤵PID:2612
-
C:\Windows\SysWOW64\Palpneop.exeC:\Windows\system32\Palpneop.exe71⤵PID:852
-
C:\Windows\SysWOW64\Pdjljpnc.exeC:\Windows\system32\Pdjljpnc.exe72⤵PID:868
-
C:\Windows\SysWOW64\Phehko32.exeC:\Windows\system32\Phehko32.exe73⤵PID:2768
-
C:\Windows\SysWOW64\Qjddgj32.exeC:\Windows\system32\Qjddgj32.exe74⤵PID:856
-
C:\Windows\SysWOW64\Qigebglj.exeC:\Windows\system32\Qigebglj.exe75⤵PID:1804
-
C:\Windows\SysWOW64\Qanmcdlm.exeC:\Windows\system32\Qanmcdlm.exe76⤵PID:2356
-
C:\Windows\SysWOW64\Qpamoa32.exeC:\Windows\system32\Qpamoa32.exe77⤵PID:2016
-
C:\Windows\SysWOW64\Qjfalj32.exeC:\Windows\system32\Qjfalj32.exe78⤵PID:2428
-
C:\Windows\SysWOW64\Qiiahgjh.exeC:\Windows\system32\Qiiahgjh.exe79⤵PID:2992
-
C:\Windows\SysWOW64\Qlgndbil.exeC:\Windows\system32\Qlgndbil.exe80⤵
- System Location Discovery: System Language Discovery
PID:1688 -
C:\Windows\SysWOW64\Qpcjeaad.exeC:\Windows\system32\Qpcjeaad.exe81⤵PID:1844
-
C:\Windows\SysWOW64\Qbafalph.exeC:\Windows\system32\Qbafalph.exe82⤵PID:2688
-
C:\Windows\SysWOW64\Afmbak32.exeC:\Windows\system32\Afmbak32.exe83⤵PID:656
-
C:\Windows\SysWOW64\Aiknnf32.exeC:\Windows\system32\Aiknnf32.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1536 -
C:\Windows\SysWOW64\Aljjjb32.exeC:\Windows\system32\Aljjjb32.exe85⤵PID:1620
-
C:\Windows\SysWOW64\Aohgfm32.exeC:\Windows\system32\Aohgfm32.exe86⤵
- Drops file in System32 directory
PID:612 -
C:\Windows\SysWOW64\Afpogk32.exeC:\Windows\system32\Afpogk32.exe87⤵PID:2108
-
C:\Windows\SysWOW64\Aebobgmi.exeC:\Windows\system32\Aebobgmi.exe88⤵PID:2920
-
C:\Windows\SysWOW64\Ahqkocmm.exeC:\Windows\system32\Ahqkocmm.exe89⤵PID:1356
-
C:\Windows\SysWOW64\Aphcppmo.exeC:\Windows\system32\Aphcppmo.exe90⤵PID:592
-
C:\Windows\SysWOW64\Aokckm32.exeC:\Windows\system32\Aokckm32.exe91⤵
- Modifies registry class
PID:1964 -
C:\Windows\SysWOW64\Aaipghcn.exeC:\Windows\system32\Aaipghcn.exe92⤵PID:896
-
C:\Windows\SysWOW64\Aedlhg32.exeC:\Windows\system32\Aedlhg32.exe93⤵PID:1288
-
C:\Windows\SysWOW64\Ahchdb32.exeC:\Windows\system32\Ahchdb32.exe94⤵PID:2444
-
C:\Windows\SysWOW64\Alodeacc.exeC:\Windows\system32\Alodeacc.exe95⤵PID:1952
-
C:\Windows\SysWOW64\Aompambg.exeC:\Windows\system32\Aompambg.exe96⤵PID:2716
-
C:\Windows\SysWOW64\Aeghng32.exeC:\Windows\system32\Aeghng32.exe97⤵PID:2336
-
C:\Windows\SysWOW64\Ahedjb32.exeC:\Windows\system32\Ahedjb32.exe98⤵PID:2168
-
C:\Windows\SysWOW64\Alaqjaaa.exeC:\Windows\system32\Alaqjaaa.exe99⤵PID:1576
-
C:\Windows\SysWOW64\Aoomflpd.exeC:\Windows\system32\Aoomflpd.exe100⤵PID:2036
-
C:\Windows\SysWOW64\Anbmbi32.exeC:\Windows\system32\Anbmbi32.exe101⤵PID:2248
-
C:\Windows\SysWOW64\Aeiecfga.exeC:\Windows\system32\Aeiecfga.exe102⤵PID:1268
-
C:\Windows\SysWOW64\Agkako32.exeC:\Windows\system32\Agkako32.exe103⤵PID:1852
-
C:\Windows\SysWOW64\Akfnkmei.exeC:\Windows\system32\Akfnkmei.exe104⤵PID:1472
-
C:\Windows\SysWOW64\Aoaill32.exeC:\Windows\system32\Aoaill32.exe105⤵PID:696
-
C:\Windows\SysWOW64\Bapfhg32.exeC:\Windows\system32\Bapfhg32.exe106⤵PID:844
-
C:\Windows\SysWOW64\Bpcfcddp.exeC:\Windows\system32\Bpcfcddp.exe107⤵PID:2948
-
C:\Windows\SysWOW64\Bhjneadb.exeC:\Windows\system32\Bhjneadb.exe108⤵PID:2632
-
C:\Windows\SysWOW64\Bgmnpn32.exeC:\Windows\system32\Bgmnpn32.exe109⤵PID:1416
-
C:\Windows\SysWOW64\Bikjmj32.exeC:\Windows\system32\Bikjmj32.exe110⤵
- Modifies registry class
PID:2928 -
C:\Windows\SysWOW64\Bngfmhbj.exeC:\Windows\system32\Bngfmhbj.exe111⤵
- Drops file in System32 directory
PID:1192 -
C:\Windows\SysWOW64\Babbng32.exeC:\Windows\system32\Babbng32.exe112⤵PID:2472
-
C:\Windows\SysWOW64\Bccoeo32.exeC:\Windows\system32\Bccoeo32.exe113⤵PID:2272
-
C:\Windows\SysWOW64\Bgokfnij.exeC:\Windows\system32\Bgokfnij.exe114⤵PID:876
-
C:\Windows\SysWOW64\Bkkgfm32.exeC:\Windows\system32\Bkkgfm32.exe115⤵PID:1956
-
C:\Windows\SysWOW64\Bnicbh32.exeC:\Windows\system32\Bnicbh32.exe116⤵PID:2148
-
C:\Windows\SysWOW64\Bphooc32.exeC:\Windows\system32\Bphooc32.exe117⤵PID:2748
-
C:\Windows\SysWOW64\Bcflko32.exeC:\Windows\system32\Bcflko32.exe118⤵PID:2576
-
C:\Windows\SysWOW64\Bgahkngh.exeC:\Windows\system32\Bgahkngh.exe119⤵PID:2204
-
C:\Windows\SysWOW64\Bjpdhifk.exeC:\Windows\system32\Bjpdhifk.exe120⤵PID:2644
-
C:\Windows\SysWOW64\Bnlphh32.exeC:\Windows\system32\Bnlphh32.exe121⤵PID:2040
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-