Analysis
-
max time kernel
33s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
14-01-2025 23:51
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
481256cff2e89d68d12e2b75e17f1cdce10efc7fecaa2000bbe2f421f1c08a31.exe
Resource
win7-20241010-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral2
Sample
481256cff2e89d68d12e2b75e17f1cdce10efc7fecaa2000bbe2f421f1c08a31.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
12 signatures
150 seconds
General
-
Target
481256cff2e89d68d12e2b75e17f1cdce10efc7fecaa2000bbe2f421f1c08a31.exe
-
Size
96KB
-
MD5
687f401c23cebea3028943b2b8fd3e54
-
SHA1
3dadda8da031525380145c440da34d8feba77ca9
-
SHA256
481256cff2e89d68d12e2b75e17f1cdce10efc7fecaa2000bbe2f421f1c08a31
-
SHA512
de3fd53126452bd1f7332ea3efbbe46c693d146f6f919d7e8502f3d9fae198cedd26c5358393644d067f5f3ed52b6bdbd55941cea7b5492ead1a3843654514a8
-
SSDEEP
1536:UMdobbartPi+yWCd2bkvW2Lf7RZObZUUWaegPYAW:EbaBi++dYkv7fClUUWaeF
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmmpdp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddnhidmm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbdokceo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cgkanomj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imidgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mpeebhhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dggbgadf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mmkcoq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Haggijgb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjeffc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofefqf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edmkei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ldfldpqf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmiihjak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fqqdigko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Flphccbp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbjlnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Afhbljko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mbhlgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nehjmppo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aaogbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dibjcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjgdfg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkcfak32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qdkfic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kplfmfmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Haejcj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acbieing.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ofklpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljeabf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kaliaphd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fgcpkldh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmfkbeoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qdkfic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmholgpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dedkbb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Faonqiod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hfflfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pejcab32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkmfpabp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hpmdjf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghmohcbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jhkeelml.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bqngjcje.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmggcmgg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncbdjhnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gjcekj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olnipn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnlolhoo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jocceo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cihojiok.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekofgnna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ccileljk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ieiegf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfhmai32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnkblm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcmdpcle.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egimdmmc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mbkkepio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pnihneon.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dibjcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eoalpaaa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofbikf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imdjlida.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2252 Bphdpe32.exe 2976 Bjnhnn32.exe 2948 Bcfmfc32.exe 3020 Ciebdj32.exe 2924 Cihojiok.exe 640 Ckkhga32.exe 2724 Cmlqimph.exe 776 Dmomnlne.exe 1976 Dggbgadf.exe 1472 Dihkimag.exe 2000 Dcpoab32.exe 1708 Dhodpidl.exe 2084 Eokiabjf.exe 2088 Ekdglcmh.exe 1956 Edmkei32.exe 708 Fnhlcn32.exe 1660 Ffcahq32.exe 1656 Fmofjj32.exe 1156 Ffhkcpal.exe 612 Ffjghppi.exe 1620 Foblaefj.exe 2824 Gqfeom32.exe 2004 Gednek32.exe 1020 Gefjjk32.exe 688 Gppkkikh.exe 2460 Gjephakn.exe 2864 Hjhlnahk.exe 2960 Hmheol32.exe 2920 Hlnbqijd.exe 2876 Hhdcejph.exe 2744 Idkcjk32.exe 2580 Imfeip32.exe 3052 Ifniaeqk.exe 2240 Idbjkj32.exe 3060 Ilmool32.exe 2148 Jgeobdkc.exe 2028 Jhkeelml.exe 2288 Jhnbklji.exe 2472 Jddbpmpm.exe 2524 Kahciaog.exe 2192 Kdilkllh.exe 2064 Kjfdcc32.exe 1824 Kogffida.exe 2636 Lddoopbi.exe 1740 Ldfldpqf.exe 952 Lbjlnd32.exe 948 Ljeabf32.exe 2392 Ldnbeokn.exe 1536 Ljjjmeie.exe 1172 Mcbofk32.exe 2848 Mmkcoq32.exe 1560 Mbhlgg32.exe 2940 Mmmpdp32.exe 2780 Mcghajkq.exe 2792 Mmpmjpba.exe 876 Mnaiah32.exe 2372 Mifmoa32.exe 2840 Mlejkl32.exe 2096 Nhljpmlm.exe 1088 Nbaomf32.exe 288 Nhngem32.exe 1064 Nnhobgag.exe 1040 Nebgoa32.exe 1596 Njopgh32.exe -
Loads dropped DLL 64 IoCs
pid Process 2124 481256cff2e89d68d12e2b75e17f1cdce10efc7fecaa2000bbe2f421f1c08a31.exe 2124 481256cff2e89d68d12e2b75e17f1cdce10efc7fecaa2000bbe2f421f1c08a31.exe 2252 Bphdpe32.exe 2252 Bphdpe32.exe 2976 Bjnhnn32.exe 2976 Bjnhnn32.exe 2948 Bcfmfc32.exe 2948 Bcfmfc32.exe 3020 Ciebdj32.exe 3020 Ciebdj32.exe 2924 Cihojiok.exe 2924 Cihojiok.exe 640 Ckkhga32.exe 640 Ckkhga32.exe 2724 Cmlqimph.exe 2724 Cmlqimph.exe 776 Dmomnlne.exe 776 Dmomnlne.exe 1976 Dggbgadf.exe 1976 Dggbgadf.exe 1472 Dihkimag.exe 1472 Dihkimag.exe 2000 Dcpoab32.exe 2000 Dcpoab32.exe 1708 Dhodpidl.exe 1708 Dhodpidl.exe 2084 Eokiabjf.exe 2084 Eokiabjf.exe 2088 Ekdglcmh.exe 2088 Ekdglcmh.exe 1956 Edmkei32.exe 1956 Edmkei32.exe 708 Fnhlcn32.exe 708 Fnhlcn32.exe 1660 Ffcahq32.exe 1660 Ffcahq32.exe 1656 Fmofjj32.exe 1656 Fmofjj32.exe 1156 Ffhkcpal.exe 1156 Ffhkcpal.exe 612 Ffjghppi.exe 612 Ffjghppi.exe 1620 Foblaefj.exe 1620 Foblaefj.exe 2824 Gqfeom32.exe 2824 Gqfeom32.exe 2004 Gednek32.exe 2004 Gednek32.exe 1020 Gefjjk32.exe 1020 Gefjjk32.exe 688 Gppkkikh.exe 688 Gppkkikh.exe 2460 Gjephakn.exe 2460 Gjephakn.exe 2864 Hjhlnahk.exe 2864 Hjhlnahk.exe 2960 Hmheol32.exe 2960 Hmheol32.exe 2920 Hlnbqijd.exe 2920 Hlnbqijd.exe 2876 Hhdcejph.exe 2876 Hhdcejph.exe 2744 Idkcjk32.exe 2744 Idkcjk32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Jocceo32.exe Jekoljgo.exe File created C:\Windows\SysWOW64\Mqhhbn32.exe Mkkpjg32.exe File opened for modification C:\Windows\SysWOW64\Ccileljk.exe Cicggcke.exe File created C:\Windows\SysWOW64\Pfahiebp.dll Egimdmmc.exe File opened for modification C:\Windows\SysWOW64\Almjcobe.exe Aknnil32.exe File created C:\Windows\SysWOW64\Emceag32.exe Egimdmmc.exe File created C:\Windows\SysWOW64\Nekdie32.dll Nakeib32.exe File created C:\Windows\SysWOW64\Kneacffj.dll Ipameehe.exe File created C:\Windows\SysWOW64\Fmengo32.dll Pejcab32.exe File created C:\Windows\SysWOW64\Nnhobgag.exe Nhngem32.exe File created C:\Windows\SysWOW64\Pmlgof32.dll Bmgddcnf.exe File created C:\Windows\SysWOW64\Njobpa32.exe Nqgngk32.exe File created C:\Windows\SysWOW64\Eminngdn.dll Qdkfic32.exe File created C:\Windows\SysWOW64\Dcpkli32.dll Almjcobe.exe File opened for modification C:\Windows\SysWOW64\Lddagi32.exe Lohiob32.exe File created C:\Windows\SysWOW64\Imfeip32.exe Idkcjk32.exe File created C:\Windows\SysWOW64\Ollljo32.exe Oebdndlp.exe File opened for modification C:\Windows\SysWOW64\Acbieing.exe Acplpjpj.exe File created C:\Windows\SysWOW64\Nbqmdahf.dll Mjeffc32.exe File opened for modification C:\Windows\SysWOW64\Acplpjpj.exe Ajghgd32.exe File created C:\Windows\SysWOW64\Gohqfe32.dll Hlnbqijd.exe File opened for modification C:\Windows\SysWOW64\Njopgh32.exe Nebgoa32.exe File created C:\Windows\SysWOW64\Ebkggjeg.dll Olnipn32.exe File opened for modification C:\Windows\SysWOW64\Icjmpd32.exe Hfflfp32.exe File created C:\Windows\SysWOW64\Jehbfjia.exe Iefeaj32.exe File opened for modification C:\Windows\SysWOW64\Ofefqf32.exe Opkndldc.exe File opened for modification C:\Windows\SysWOW64\Ilmool32.exe Idbjkj32.exe File opened for modification C:\Windows\SysWOW64\Adncoc32.exe Aaogbh32.exe File created C:\Windows\SysWOW64\Hpmdjf32.exe Hfdpaqej.exe File created C:\Windows\SysWOW64\Njpcmifp.dll Adncoc32.exe File created C:\Windows\SysWOW64\Bhojoaaa.dll Iljkofkg.exe File created C:\Windows\SysWOW64\Oonopkmp.dll Khpaidpk.exe File opened for modification C:\Windows\SysWOW64\Gppkkikh.exe Gefjjk32.exe File created C:\Windows\SysWOW64\Kaehnfoi.dll Nnhobgag.exe File opened for modification C:\Windows\SysWOW64\Olnipn32.exe Oedqcdim.exe File opened for modification C:\Windows\SysWOW64\Klgpmgod.exe Kocodbpk.exe File opened for modification C:\Windows\SysWOW64\Gicpnhbb.exe Gojkecka.exe File created C:\Windows\SysWOW64\Hkhbkc32.exe Hqbnnj32.exe File created C:\Windows\SysWOW64\Iilocklc.exe Ipcjje32.exe File created C:\Windows\SysWOW64\Mpoibb32.dll Imfeip32.exe File opened for modification C:\Windows\SysWOW64\Fgqcel32.exe Fmholgpj.exe File created C:\Windows\SysWOW64\Cbekip32.dll Lcnhcdkp.exe File created C:\Windows\SysWOW64\Fjbmkg32.dll Mlejkl32.exe File created C:\Windows\SysWOW64\Conpielo.dll Aqimoc32.exe File created C:\Windows\SysWOW64\Bfphmi32.exe Bmgddcnf.exe File created C:\Windows\SysWOW64\Fofkbnkh.dll Aaogbh32.exe File created C:\Windows\SysWOW64\Iljkofkg.exe Iilocklc.exe File created C:\Windows\SysWOW64\Qbcebiqf.dll Onehadbj.exe File created C:\Windows\SysWOW64\Nekofg32.dll Klgpmgod.exe File created C:\Windows\SysWOW64\Bjnhnn32.exe Bphdpe32.exe File created C:\Windows\SysWOW64\Nnbdij32.dll Fgfckbfa.exe File created C:\Windows\SysWOW64\Kplfmfmf.exe Khpaidpk.exe File created C:\Windows\SysWOW64\Jadpkf32.dll Gojkecka.exe File opened for modification C:\Windows\SysWOW64\Gnphfppi.exe Gicpnhbb.exe File opened for modification C:\Windows\SysWOW64\Jalmcl32.exe Jffhec32.exe File created C:\Windows\SysWOW64\Faonqiod.exe Fhfihd32.exe File created C:\Windows\SysWOW64\Plokomjo.dll Ffhkcpal.exe File opened for modification C:\Windows\SysWOW64\Cpemob32.exe Cfmhfm32.exe File created C:\Windows\SysWOW64\Pbenfb32.dll Elgioe32.exe File created C:\Windows\SysWOW64\Ijphqbpo.exe Iecohl32.exe File created C:\Windows\SysWOW64\Dihmae32.exe Dpphipbk.exe File created C:\Windows\SysWOW64\Hnjdpm32.exe Hfookk32.exe File created C:\Windows\SysWOW64\Ldcenn32.dll Mbkkepio.exe File created C:\Windows\SysWOW64\Mclepefg.dll Bkghjq32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4540 4516 WerFault.exe 346 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nqdaal32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkghjq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Goodpb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oejgbonl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jekoljgo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bphdpe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bcfmfc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmiihjak.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfaaalep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fqqdigko.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jiinmnaa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbdokceo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afeold32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnihneon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aaogbh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmdcngbd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khpaidpk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aqimoc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dibjcg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pamnnemo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjpicfdb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccileljk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qpmgho32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egimdmmc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmfkbeoc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfookk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbhmfk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljeabf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Didgig32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpaoojjb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifoljn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkconepp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbqajk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgbhibio.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekdglcmh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kahciaog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbnckg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iilocklc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aggkdlod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffhkcpal.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfhmai32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fofekp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kogffida.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhfihd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lohiob32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnaiah32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Clkfjman.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcnfjpib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgobpd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ieiegf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nglmifca.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmmpdp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oebdndlp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epjbienl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kadhen32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llgllj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ollljo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajoebigm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghmohcbl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdmfdgbj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmheol32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkmfpabp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkhbkc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdpcep32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qpmgho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mbkkepio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmoiepan.dll" Hhdcejph.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mlejkl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Helmiiec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pibbke32.dll" Gefjjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Conpielo.dll" Aqimoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhejknlm.dll" Gjcekj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pnihneon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Polakmbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmhjjiab.dll" Gnphfppi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iecohl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hjfbaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcnjhd32.dll" Ilmool32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Olgboogb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fgfckbfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdibjakn.dll" Pdpcep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hgobpd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pbnckg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ffjghppi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Adncoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nojinbej.dll" Pddinn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bkgqpjch.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hbhmfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdlhbc32.dll" Jephgi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eedohjpf.dll" Hmheol32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gqendf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nmjicn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkeecd32.dll" Mpeebhhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Icjmpd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iljkofkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmifofko.dll" Lohiob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ncbdjhnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mcbofk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hilakcna.dll" Epjbienl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mpaoojjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oonopkmp.dll" Khpaidpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfqigi32.dll" Dhodpidl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mmmpdp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fnkblm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmjlnacb.dll" Hbhmfk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ofklpa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node 481256cff2e89d68d12e2b75e17f1cdce10efc7fecaa2000bbe2f421f1c08a31.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpeeon32.dll" Jiinmnaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gkgbioee.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckkhga32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pjpicfdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hmheol32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eoalpaaa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cicggcke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npgphdfm.dll" Bjnhnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lohoingl.dll" Oepghe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcmomb32.dll" Pnihneon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciidbebp.dll" Dhdddnep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dmljnfll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gnjhaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mbhlgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bccjlodh.dll" Nhbqqlfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mclepefg.dll" Bkghjq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Difplf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klfpkgea.dll" Kogffida.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ldnbeokn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oohlaj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aqljdclg.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2124 wrote to memory of 2252 2124 481256cff2e89d68d12e2b75e17f1cdce10efc7fecaa2000bbe2f421f1c08a31.exe 30 PID 2124 wrote to memory of 2252 2124 481256cff2e89d68d12e2b75e17f1cdce10efc7fecaa2000bbe2f421f1c08a31.exe 30 PID 2124 wrote to memory of 2252 2124 481256cff2e89d68d12e2b75e17f1cdce10efc7fecaa2000bbe2f421f1c08a31.exe 30 PID 2124 wrote to memory of 2252 2124 481256cff2e89d68d12e2b75e17f1cdce10efc7fecaa2000bbe2f421f1c08a31.exe 30 PID 2252 wrote to memory of 2976 2252 Bphdpe32.exe 31 PID 2252 wrote to memory of 2976 2252 Bphdpe32.exe 31 PID 2252 wrote to memory of 2976 2252 Bphdpe32.exe 31 PID 2252 wrote to memory of 2976 2252 Bphdpe32.exe 31 PID 2976 wrote to memory of 2948 2976 Bjnhnn32.exe 32 PID 2976 wrote to memory of 2948 2976 Bjnhnn32.exe 32 PID 2976 wrote to memory of 2948 2976 Bjnhnn32.exe 32 PID 2976 wrote to memory of 2948 2976 Bjnhnn32.exe 32 PID 2948 wrote to memory of 3020 2948 Bcfmfc32.exe 33 PID 2948 wrote to memory of 3020 2948 Bcfmfc32.exe 33 PID 2948 wrote to memory of 3020 2948 Bcfmfc32.exe 33 PID 2948 wrote to memory of 3020 2948 Bcfmfc32.exe 33 PID 3020 wrote to memory of 2924 3020 Ciebdj32.exe 34 PID 3020 wrote to memory of 2924 3020 Ciebdj32.exe 34 PID 3020 wrote to memory of 2924 3020 Ciebdj32.exe 34 PID 3020 wrote to memory of 2924 3020 Ciebdj32.exe 34 PID 2924 wrote to memory of 640 2924 Cihojiok.exe 35 PID 2924 wrote to memory of 640 2924 Cihojiok.exe 35 PID 2924 wrote to memory of 640 2924 Cihojiok.exe 35 PID 2924 wrote to memory of 640 2924 Cihojiok.exe 35 PID 640 wrote to memory of 2724 640 Ckkhga32.exe 36 PID 640 wrote to memory of 2724 640 Ckkhga32.exe 36 PID 640 wrote to memory of 2724 640 Ckkhga32.exe 36 PID 640 wrote to memory of 2724 640 Ckkhga32.exe 36 PID 2724 wrote to memory of 776 2724 Cmlqimph.exe 37 PID 2724 wrote to memory of 776 2724 Cmlqimph.exe 37 PID 2724 wrote to memory of 776 2724 Cmlqimph.exe 37 PID 2724 wrote to memory of 776 2724 Cmlqimph.exe 37 PID 776 wrote to memory of 1976 776 Dmomnlne.exe 38 PID 776 wrote to memory of 1976 776 Dmomnlne.exe 38 PID 776 wrote to memory of 1976 776 Dmomnlne.exe 38 PID 776 wrote to memory of 1976 776 Dmomnlne.exe 38 PID 1976 wrote to memory of 1472 1976 Dggbgadf.exe 39 PID 1976 wrote to memory of 1472 1976 Dggbgadf.exe 39 PID 1976 wrote to memory of 1472 1976 Dggbgadf.exe 39 PID 1976 wrote to memory of 1472 1976 Dggbgadf.exe 39 PID 1472 wrote to memory of 2000 1472 Dihkimag.exe 40 PID 1472 wrote to memory of 2000 1472 Dihkimag.exe 40 PID 1472 wrote to memory of 2000 1472 Dihkimag.exe 40 PID 1472 wrote to memory of 2000 1472 Dihkimag.exe 40 PID 2000 wrote to memory of 1708 2000 Dcpoab32.exe 41 PID 2000 wrote to memory of 1708 2000 Dcpoab32.exe 41 PID 2000 wrote to memory of 1708 2000 Dcpoab32.exe 41 PID 2000 wrote to memory of 1708 2000 Dcpoab32.exe 41 PID 1708 wrote to memory of 2084 1708 Dhodpidl.exe 42 PID 1708 wrote to memory of 2084 1708 Dhodpidl.exe 42 PID 1708 wrote to memory of 2084 1708 Dhodpidl.exe 42 PID 1708 wrote to memory of 2084 1708 Dhodpidl.exe 42 PID 2084 wrote to memory of 2088 2084 Eokiabjf.exe 43 PID 2084 wrote to memory of 2088 2084 Eokiabjf.exe 43 PID 2084 wrote to memory of 2088 2084 Eokiabjf.exe 43 PID 2084 wrote to memory of 2088 2084 Eokiabjf.exe 43 PID 2088 wrote to memory of 1956 2088 Ekdglcmh.exe 44 PID 2088 wrote to memory of 1956 2088 Ekdglcmh.exe 44 PID 2088 wrote to memory of 1956 2088 Ekdglcmh.exe 44 PID 2088 wrote to memory of 1956 2088 Ekdglcmh.exe 44 PID 1956 wrote to memory of 708 1956 Edmkei32.exe 45 PID 1956 wrote to memory of 708 1956 Edmkei32.exe 45 PID 1956 wrote to memory of 708 1956 Edmkei32.exe 45 PID 1956 wrote to memory of 708 1956 Edmkei32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\481256cff2e89d68d12e2b75e17f1cdce10efc7fecaa2000bbe2f421f1c08a31.exe"C:\Users\Admin\AppData\Local\Temp\481256cff2e89d68d12e2b75e17f1cdce10efc7fecaa2000bbe2f421f1c08a31.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2124 -
C:\Windows\SysWOW64\Bphdpe32.exeC:\Windows\system32\Bphdpe32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2252 -
C:\Windows\SysWOW64\Bjnhnn32.exeC:\Windows\system32\Bjnhnn32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2976 -
C:\Windows\SysWOW64\Bcfmfc32.exeC:\Windows\system32\Bcfmfc32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2948 -
C:\Windows\SysWOW64\Ciebdj32.exeC:\Windows\system32\Ciebdj32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3020 -
C:\Windows\SysWOW64\Cihojiok.exeC:\Windows\system32\Cihojiok.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2924 -
C:\Windows\SysWOW64\Ckkhga32.exeC:\Windows\system32\Ckkhga32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:640 -
C:\Windows\SysWOW64\Cmlqimph.exeC:\Windows\system32\Cmlqimph.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2724 -
C:\Windows\SysWOW64\Dmomnlne.exeC:\Windows\system32\Dmomnlne.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:776 -
C:\Windows\SysWOW64\Dggbgadf.exeC:\Windows\system32\Dggbgadf.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1976 -
C:\Windows\SysWOW64\Dihkimag.exeC:\Windows\system32\Dihkimag.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1472 -
C:\Windows\SysWOW64\Dcpoab32.exeC:\Windows\system32\Dcpoab32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2000 -
C:\Windows\SysWOW64\Dhodpidl.exeC:\Windows\system32\Dhodpidl.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1708 -
C:\Windows\SysWOW64\Eokiabjf.exeC:\Windows\system32\Eokiabjf.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2084 -
C:\Windows\SysWOW64\Ekdglcmh.exeC:\Windows\system32\Ekdglcmh.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2088 -
C:\Windows\SysWOW64\Edmkei32.exeC:\Windows\system32\Edmkei32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1956 -
C:\Windows\SysWOW64\Fnhlcn32.exeC:\Windows\system32\Fnhlcn32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:708 -
C:\Windows\SysWOW64\Ffcahq32.exeC:\Windows\system32\Ffcahq32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1660 -
C:\Windows\SysWOW64\Fmofjj32.exeC:\Windows\system32\Fmofjj32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1656 -
C:\Windows\SysWOW64\Ffhkcpal.exeC:\Windows\system32\Ffhkcpal.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1156 -
C:\Windows\SysWOW64\Ffjghppi.exeC:\Windows\system32\Ffjghppi.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:612 -
C:\Windows\SysWOW64\Foblaefj.exeC:\Windows\system32\Foblaefj.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1620 -
C:\Windows\SysWOW64\Gqfeom32.exeC:\Windows\system32\Gqfeom32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2824 -
C:\Windows\SysWOW64\Gednek32.exeC:\Windows\system32\Gednek32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2004 -
C:\Windows\SysWOW64\Gefjjk32.exeC:\Windows\system32\Gefjjk32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1020 -
C:\Windows\SysWOW64\Gppkkikh.exeC:\Windows\system32\Gppkkikh.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:688 -
C:\Windows\SysWOW64\Gjephakn.exeC:\Windows\system32\Gjephakn.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2460 -
C:\Windows\SysWOW64\Hjhlnahk.exeC:\Windows\system32\Hjhlnahk.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2864 -
C:\Windows\SysWOW64\Hmheol32.exeC:\Windows\system32\Hmheol32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2960 -
C:\Windows\SysWOW64\Hlnbqijd.exeC:\Windows\system32\Hlnbqijd.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2920 -
C:\Windows\SysWOW64\Hhdcejph.exeC:\Windows\system32\Hhdcejph.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2876 -
C:\Windows\SysWOW64\Idkcjk32.exeC:\Windows\system32\Idkcjk32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2744 -
C:\Windows\SysWOW64\Imfeip32.exeC:\Windows\system32\Imfeip32.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2580 -
C:\Windows\SysWOW64\Ifniaeqk.exeC:\Windows\system32\Ifniaeqk.exe34⤵
- Executes dropped EXE
PID:3052 -
C:\Windows\SysWOW64\Idbjkj32.exeC:\Windows\system32\Idbjkj32.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2240 -
C:\Windows\SysWOW64\Ilmool32.exeC:\Windows\system32\Ilmool32.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:3060 -
C:\Windows\SysWOW64\Jgeobdkc.exeC:\Windows\system32\Jgeobdkc.exe37⤵
- Executes dropped EXE
PID:2148 -
C:\Windows\SysWOW64\Jhkeelml.exeC:\Windows\system32\Jhkeelml.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2028 -
C:\Windows\SysWOW64\Jhnbklji.exeC:\Windows\system32\Jhnbklji.exe39⤵
- Executes dropped EXE
PID:2288 -
C:\Windows\SysWOW64\Jddbpmpm.exeC:\Windows\system32\Jddbpmpm.exe40⤵
- Executes dropped EXE
PID:2472 -
C:\Windows\SysWOW64\Kahciaog.exeC:\Windows\system32\Kahciaog.exe41⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2524 -
C:\Windows\SysWOW64\Kdilkllh.exeC:\Windows\system32\Kdilkllh.exe42⤵
- Executes dropped EXE
PID:2192 -
C:\Windows\SysWOW64\Kjfdcc32.exeC:\Windows\system32\Kjfdcc32.exe43⤵
- Executes dropped EXE
PID:2064 -
C:\Windows\SysWOW64\Kogffida.exeC:\Windows\system32\Kogffida.exe44⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1824 -
C:\Windows\SysWOW64\Lddoopbi.exeC:\Windows\system32\Lddoopbi.exe45⤵
- Executes dropped EXE
PID:2636 -
C:\Windows\SysWOW64\Ldfldpqf.exeC:\Windows\system32\Ldfldpqf.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1740 -
C:\Windows\SysWOW64\Lbjlnd32.exeC:\Windows\system32\Lbjlnd32.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:952 -
C:\Windows\SysWOW64\Ljeabf32.exeC:\Windows\system32\Ljeabf32.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:948 -
C:\Windows\SysWOW64\Ldnbeokn.exeC:\Windows\system32\Ldnbeokn.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:2392 -
C:\Windows\SysWOW64\Ljjjmeie.exeC:\Windows\system32\Ljjjmeie.exe50⤵
- Executes dropped EXE
PID:1536 -
C:\Windows\SysWOW64\Mcbofk32.exeC:\Windows\system32\Mcbofk32.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:1172 -
C:\Windows\SysWOW64\Mmkcoq32.exeC:\Windows\system32\Mmkcoq32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2848 -
C:\Windows\SysWOW64\Mbhlgg32.exeC:\Windows\system32\Mbhlgg32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1560 -
C:\Windows\SysWOW64\Mmmpdp32.exeC:\Windows\system32\Mmmpdp32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2940 -
C:\Windows\SysWOW64\Mcghajkq.exeC:\Windows\system32\Mcghajkq.exe55⤵
- Executes dropped EXE
PID:2780 -
C:\Windows\SysWOW64\Mmpmjpba.exeC:\Windows\system32\Mmpmjpba.exe56⤵
- Executes dropped EXE
PID:2792 -
C:\Windows\SysWOW64\Mnaiah32.exeC:\Windows\system32\Mnaiah32.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:876 -
C:\Windows\SysWOW64\Mifmoa32.exeC:\Windows\system32\Mifmoa32.exe58⤵
- Executes dropped EXE
PID:2372 -
C:\Windows\SysWOW64\Mlejkl32.exeC:\Windows\system32\Mlejkl32.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2840 -
C:\Windows\SysWOW64\Nhljpmlm.exeC:\Windows\system32\Nhljpmlm.exe60⤵
- Executes dropped EXE
PID:2096 -
C:\Windows\SysWOW64\Nbaomf32.exeC:\Windows\system32\Nbaomf32.exe61⤵
- Executes dropped EXE
PID:1088 -
C:\Windows\SysWOW64\Nhngem32.exeC:\Windows\system32\Nhngem32.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:288 -
C:\Windows\SysWOW64\Nnhobgag.exeC:\Windows\system32\Nnhobgag.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1064 -
C:\Windows\SysWOW64\Nebgoa32.exeC:\Windows\system32\Nebgoa32.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1040 -
C:\Windows\SysWOW64\Njopgh32.exeC:\Windows\system32\Njopgh32.exe65⤵
- Executes dropped EXE
PID:1596 -
C:\Windows\SysWOW64\Nhbqqlfe.exeC:\Windows\system32\Nhbqqlfe.exe66⤵
- Modifies registry class
PID:2660 -
C:\Windows\SysWOW64\Nakeib32.exeC:\Windows\system32\Nakeib32.exe67⤵
- Drops file in System32 directory
PID:1716 -
C:\Windows\SysWOW64\Nfhmai32.exeC:\Windows\system32\Nfhmai32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1288 -
C:\Windows\SysWOW64\Nlefjpid.exeC:\Windows\system32\Nlefjpid.exe69⤵PID:2584
-
C:\Windows\SysWOW64\Ofjjghik.exeC:\Windows\system32\Ofjjghik.exe70⤵PID:2348
-
C:\Windows\SysWOW64\Olgboogb.exeC:\Windows\system32\Olgboogb.exe71⤵
- Modifies registry class
PID:1592 -
C:\Windows\SysWOW64\Oepghe32.exeC:\Windows\system32\Oepghe32.exe72⤵
- Modifies registry class
PID:1016 -
C:\Windows\SysWOW64\Oohlaj32.exeC:\Windows\system32\Oohlaj32.exe73⤵
- Modifies registry class
PID:2928 -
C:\Windows\SysWOW64\Oebdndlp.exeC:\Windows\system32\Oebdndlp.exe74⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2504 -
C:\Windows\SysWOW64\Ollljo32.exeC:\Windows\system32\Ollljo32.exe75⤵
- System Location Discovery: System Language Discovery
PID:2428 -
C:\Windows\SysWOW64\Oedqcdim.exeC:\Windows\system32\Oedqcdim.exe76⤵
- Drops file in System32 directory
PID:2380 -
C:\Windows\SysWOW64\Olnipn32.exeC:\Windows\system32\Olnipn32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1872 -
C:\Windows\SysWOW64\Odimdqne.exeC:\Windows\system32\Odimdqne.exe78⤵PID:1704
-
C:\Windows\SysWOW64\Pkcfak32.exeC:\Windows\system32\Pkcfak32.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2080 -
C:\Windows\SysWOW64\Pamnnemo.exeC:\Windows\system32\Pamnnemo.exe80⤵
- System Location Discovery: System Language Discovery
PID:1816 -
C:\Windows\SysWOW64\Pgjfflkf.exeC:\Windows\system32\Pgjfflkf.exe81⤵PID:548
-
C:\Windows\SysWOW64\Papkcd32.exeC:\Windows\system32\Papkcd32.exe82⤵PID:872
-
C:\Windows\SysWOW64\Pdpcep32.exeC:\Windows\system32\Pdpcep32.exe83⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:932 -
C:\Windows\SysWOW64\Pnihneon.exeC:\Windows\system32\Pnihneon.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2188 -
C:\Windows\SysWOW64\Ppgdjqna.exeC:\Windows\system32\Ppgdjqna.exe85⤵PID:2684
-
C:\Windows\SysWOW64\Pjpicfdb.exeC:\Windows\system32\Pjpicfdb.exe86⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2692 -
C:\Windows\SysWOW64\Polakmbi.exeC:\Windows\system32\Polakmbi.exe87⤵
- Modifies registry class
PID:2624 -
C:\Windows\SysWOW64\Qhdfdb32.exeC:\Windows\system32\Qhdfdb32.exe88⤵PID:836
-
C:\Windows\SysWOW64\Qamjmh32.exeC:\Windows\system32\Qamjmh32.exe89⤵PID:1468
-
C:\Windows\SysWOW64\Qdkfic32.exeC:\Windows\system32\Qdkfic32.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2168 -
C:\Windows\SysWOW64\Aaogbh32.exeC:\Windows\system32\Aaogbh32.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2708 -
C:\Windows\SysWOW64\Adncoc32.exeC:\Windows\system32\Adncoc32.exe92⤵
- Drops file in System32 directory
- Modifies registry class
PID:2384 -
C:\Windows\SysWOW64\Aqgqid32.exeC:\Windows\system32\Aqgqid32.exe93⤵PID:3008
-
C:\Windows\SysWOW64\Ajoebigm.exeC:\Windows\system32\Ajoebigm.exe94⤵
- System Location Discovery: System Language Discovery
PID:2612 -
C:\Windows\SysWOW64\Aqimoc32.exeC:\Windows\system32\Aqimoc32.exe95⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2476 -
C:\Windows\SysWOW64\Ajaagi32.exeC:\Windows\system32\Ajaagi32.exe96⤵PID:1632
-
C:\Windows\SysWOW64\Aqljdclg.exeC:\Windows\system32\Aqljdclg.exe97⤵
- Modifies registry class
PID:2360 -
C:\Windows\SysWOW64\Afhbljko.exeC:\Windows\system32\Afhbljko.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2388 -
C:\Windows\SysWOW64\Bqngjcje.exeC:\Windows\system32\Bqngjcje.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1180 -
C:\Windows\SysWOW64\Bjfkbhae.exeC:\Windows\system32\Bjfkbhae.exe100⤵PID:1724
-
C:\Windows\SysWOW64\Bkghjq32.exeC:\Windows\system32\Bkghjq32.exe101⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2868 -
C:\Windows\SysWOW64\Bfmlgi32.exeC:\Windows\system32\Bfmlgi32.exe102⤵PID:2344
-
C:\Windows\SysWOW64\Bmgddcnf.exeC:\Windows\system32\Bmgddcnf.exe103⤵
- Drops file in System32 directory
PID:2356 -
C:\Windows\SysWOW64\Bfphmi32.exeC:\Windows\system32\Bfphmi32.exe104⤵PID:1576
-
C:\Windows\SysWOW64\Bklaepbn.exeC:\Windows\system32\Bklaepbn.exe105⤵PID:1640
-
C:\Windows\SysWOW64\Cmdcngbd.exeC:\Windows\system32\Cmdcngbd.exe106⤵
- System Location Discovery: System Language Discovery
PID:968 -
C:\Windows\SysWOW64\Cfmhfm32.exeC:\Windows\system32\Cfmhfm32.exe107⤵
- Drops file in System32 directory
PID:1752 -
C:\Windows\SysWOW64\Cpemob32.exeC:\Windows\system32\Cpemob32.exe108⤵PID:2228
-
C:\Windows\SysWOW64\Cinahhff.exeC:\Windows\system32\Cinahhff.exe109⤵PID:620
-
C:\Windows\SysWOW64\Cfaaalep.exeC:\Windows\system32\Cfaaalep.exe110⤵
- System Location Discovery: System Language Discovery
PID:936 -
C:\Windows\SysWOW64\Dmljnfll.exeC:\Windows\system32\Dmljnfll.exe111⤵
- Modifies registry class
PID:2332 -
C:\Windows\SysWOW64\Dpjfjalp.exeC:\Windows\system32\Dpjfjalp.exe112⤵PID:2888
-
C:\Windows\SysWOW64\Dibjcg32.exeC:\Windows\system32\Dibjcg32.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1648 -
C:\Windows\SysWOW64\Doocln32.exeC:\Windows\system32\Doocln32.exe114⤵PID:2764
-
C:\Windows\SysWOW64\Didgig32.exeC:\Windows\system32\Didgig32.exe115⤵
- System Location Discovery: System Language Discovery
PID:1624 -
C:\Windows\SysWOW64\Doapanne.exeC:\Windows\system32\Doapanne.exe116⤵PID:1940
-
C:\Windows\SysWOW64\Ddnhidmm.exeC:\Windows\system32\Ddnhidmm.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2808 -
C:\Windows\SysWOW64\Dodlfmlb.exeC:\Windows\system32\Dodlfmlb.exe118⤵PID:832
-
C:\Windows\SysWOW64\Dabicikf.exeC:\Windows\system32\Dabicikf.exe119⤵PID:2368
-
C:\Windows\SysWOW64\Dmiihjak.exeC:\Windows\system32\Dmiihjak.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2668 -
C:\Windows\SysWOW64\Ekmjanpd.exeC:\Windows\system32\Ekmjanpd.exe121⤵PID:908
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-