Analysis
-
max time kernel
39s -
max time network
20s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
16-01-2025 02:17
Behavioral task
behavioral1
Sample
e33b46790c22c121106287246535e33d238158ca937ba74c8d7a281edd680f25N.exe
Resource
win7-20241010-en
windows7-x64
12 signatures
120 seconds
General
-
Target
e33b46790c22c121106287246535e33d238158ca937ba74c8d7a281edd680f25N.exe
-
Size
337KB
-
MD5
fc5ef39c25e91f407db7fae93fa21bf0
-
SHA1
bdee3a0837a4858990eb3e656ffcb415c8aa7abd
-
SHA256
e33b46790c22c121106287246535e33d238158ca937ba74c8d7a281edd680f25
-
SHA512
0a86491b4dc233e87e79347af936c03886431e291ccb153e7749f1399ca42c1933a7715a5f298f38ef25d34eb32f43fe9d0a9e9438b10f03c572570d37599e5d
-
SSDEEP
3072:NOfu7CKG7/+MXgYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:AzRnX1+fIyG5jZkCwi8r
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljndga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nbljfdoh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nodnmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aeokdn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbolce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dplbpaim.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlmiojla.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alqplmlb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oafclh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmamliin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dcppmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qhgbibgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfkkam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Alqplmlb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cobkhe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebhjdc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eimien32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdbchd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gqmmhdka.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjfbaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hfalaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Apeflmjc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdhigo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mlfebcnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhffikob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjfbaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ieaekdkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmeiei32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmafmo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcimop32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nffcebdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qeglqpaj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebhani32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llalgdbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ccileljk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Feklja32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmighemp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkancm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbblpf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbddfe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpeebhhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Omddmkhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dopkai32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bonenbgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fepnhjdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fkdlaplh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Infjfblm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Klamohhj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggncop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ccmanjch.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gphmbolk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ijpjik32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdekigip.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jonqfq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Neemgp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkddjkej.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfjaej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mmpobi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nplkhh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmjfae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nfcoel32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckilmfke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dahobdpe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijegeg32.exe -
Berbew family
-
Njrat family
-
Executes dropped EXE 64 IoCs
pid Process 1860 Qhgbibgg.exe 2996 Adncoc32.exe 2760 Aocgll32.exe 2780 Bjfkbhae.exe 760 Bineidcj.exe 1988 Bgcbja32.exe 2408 Cfkkam32.exe 1748 Cfmhfm32.exe 2172 Dbhbfmkd.exe 3056 Dplbpaim.exe 2372 Dmgmbj32.exe 1648 Eganqo32.exe 2040 Edhkpcdb.exe 2156 Epnldd32.exe 2164 Fepnhjdh.exe 824 Fdekigip.exe 2152 Fkdlaplh.exe 1804 Fcoaebjc.exe 1508 Ghnfci32.exe 1704 Gnphfppi.exe 2628 Hkfeec32.exe 2652 Hjkbfpah.exe 1480 Hmlkhk32.exe 1924 Hiblmldn.exe 2232 Ibmmkaik.exe 1720 Imcaijia.exe 1708 Iljkofkg.exe 2960 Iaipmm32.exe 828 Jonqfq32.exe 3024 Jfkbqcam.exe 2848 Jepoao32.exe 2560 Keehmobp.exe 2220 Kciifc32.exe 1264 Klamohhj.exe 2128 Kkfjpemb.exe 2604 Kkigfdjo.exe 2084 Ljndga32.exe 2212 Lomidgkl.exe 1824 Llainlje.exe 2908 Lflklaoc.exe 2180 Lngpac32.exe 2684 Mbehgabe.exe 1560 Mbgela32.exe 1980 Mmafmo32.exe 1732 Mfijfdca.exe 1044 Mmcbbo32.exe 928 Mflgkd32.exe 944 Npdkdjhp.exe 872 Nilpmo32.exe 652 Nbddfe32.exe 2316 Nlmiojla.exe 2440 Neemgp32.exe 2720 Nhffikob.exe 2608 Nbljfdoh.exe 1352 Onbkle32.exe 2536 Ododdlcd.exe 2668 Oacdmpan.exe 3044 Ophanl32.exe 3028 Ofbikf32.exe 1920 Opkndldc.exe 2404 Plaoim32.exe 1564 Pfgcff32.exe 616 Ppogok32.exe 1304 Ppjjcogn.exe -
Loads dropped DLL 64 IoCs
pid Process 2056 e33b46790c22c121106287246535e33d238158ca937ba74c8d7a281edd680f25N.exe 2056 e33b46790c22c121106287246535e33d238158ca937ba74c8d7a281edd680f25N.exe 1860 Qhgbibgg.exe 1860 Qhgbibgg.exe 2996 Adncoc32.exe 2996 Adncoc32.exe 2760 Aocgll32.exe 2760 Aocgll32.exe 2780 Bjfkbhae.exe 2780 Bjfkbhae.exe 760 Bineidcj.exe 760 Bineidcj.exe 1988 Bgcbja32.exe 1988 Bgcbja32.exe 2408 Cfkkam32.exe 2408 Cfkkam32.exe 1748 Cfmhfm32.exe 1748 Cfmhfm32.exe 2172 Dbhbfmkd.exe 2172 Dbhbfmkd.exe 3056 Dplbpaim.exe 3056 Dplbpaim.exe 2372 Dmgmbj32.exe 2372 Dmgmbj32.exe 1648 Eganqo32.exe 1648 Eganqo32.exe 2040 Edhkpcdb.exe 2040 Edhkpcdb.exe 2156 Epnldd32.exe 2156 Epnldd32.exe 2164 Fepnhjdh.exe 2164 Fepnhjdh.exe 824 Fdekigip.exe 824 Fdekigip.exe 2152 Fkdlaplh.exe 2152 Fkdlaplh.exe 1804 Fcoaebjc.exe 1804 Fcoaebjc.exe 1508 Ghnfci32.exe 1508 Ghnfci32.exe 1704 Gnphfppi.exe 1704 Gnphfppi.exe 2628 Hkfeec32.exe 2628 Hkfeec32.exe 2652 Hjkbfpah.exe 2652 Hjkbfpah.exe 1480 Hmlkhk32.exe 1480 Hmlkhk32.exe 1924 Hiblmldn.exe 1924 Hiblmldn.exe 2232 Ibmmkaik.exe 2232 Ibmmkaik.exe 2964 Infjfblm.exe 2964 Infjfblm.exe 1708 Iljkofkg.exe 1708 Iljkofkg.exe 2960 Iaipmm32.exe 2960 Iaipmm32.exe 828 Jonqfq32.exe 828 Jonqfq32.exe 3024 Jfkbqcam.exe 3024 Jfkbqcam.exe 2848 Jepoao32.exe 2848 Jepoao32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Ljfckodo.exe Lolbjahp.exe File created C:\Windows\SysWOW64\Fdkqbd32.dll Akhndf32.exe File opened for modification C:\Windows\SysWOW64\Fcgdjmlo.exe Fiopah32.exe File created C:\Windows\SysWOW64\Qfganb32.exe Qfedhb32.exe File opened for modification C:\Windows\SysWOW64\Ffeoid32.exe Fefboabg.exe File created C:\Windows\SysWOW64\Bineidcj.exe Bjfkbhae.exe File created C:\Windows\SysWOW64\Dnhgifal.dll Dbhbfmkd.exe File created C:\Windows\SysWOW64\Hnimeg32.exe Hbblpf32.exe File created C:\Windows\SysWOW64\Ppjjcogn.exe Ppogok32.exe File opened for modification C:\Windows\SysWOW64\Fiopah32.exe Fimclh32.exe File opened for modification C:\Windows\SysWOW64\Hjfbaj32.exe Gqmmhdka.exe File opened for modification C:\Windows\SysWOW64\Mpeebhhf.exe Lcqdidim.exe File created C:\Windows\SysWOW64\Mjfabd32.dll Kfbjjjci.exe File created C:\Windows\SysWOW64\Qahlpkhh.exe Pbcooo32.exe File opened for modification C:\Windows\SysWOW64\Qahlpkhh.exe Pbcooo32.exe File opened for modification C:\Windows\SysWOW64\Ggncop32.exe Gaajfi32.exe File created C:\Windows\SysWOW64\Alqplmlb.exe Adekhkng.exe File created C:\Windows\SysWOW64\Aamekk32.exe Qfganb32.exe File created C:\Windows\SysWOW64\Pkgoccel.dll Npdkdjhp.exe File created C:\Windows\SysWOW64\Ododdlcd.exe Onbkle32.exe File created C:\Windows\SysWOW64\Mofeco32.dll Klimcf32.exe File created C:\Windows\SysWOW64\Gdmcbojl.exe Fhfbmn32.exe File opened for modification C:\Windows\SysWOW64\Bkgchckl.exe Boqbcbeh.exe File opened for modification C:\Windows\SysWOW64\Gbolce32.exe Feklja32.exe File created C:\Windows\SysWOW64\Jfdmbl32.dll Ibmmkaik.exe File opened for modification C:\Windows\SysWOW64\Omddmkhl.exe Oclpdf32.exe File created C:\Windows\SysWOW64\Pjligacm.dll Hkdkhl32.exe File created C:\Windows\SysWOW64\Npqbka32.dll Jgfghodj.exe File created C:\Windows\SysWOW64\Ihpfhhme.dll Kmeiei32.exe File created C:\Windows\SysWOW64\Dcppmg32.exe Dcnchg32.exe File opened for modification C:\Windows\SysWOW64\Fefboabg.exe Ffcbce32.exe File opened for modification C:\Windows\SysWOW64\Ppogok32.exe Pfgcff32.exe File opened for modification C:\Windows\SysWOW64\Ndbjgjqh.exe Nnhakp32.exe File opened for modification C:\Windows\SysWOW64\Oaiglnih.exe Onhnjclg.exe File created C:\Windows\SysWOW64\Bkgchckl.exe Boqbcbeh.exe File created C:\Windows\SysWOW64\Eckcak32.exe Ejcohe32.exe File opened for modification C:\Windows\SysWOW64\Joepjokm.exe Jemkai32.exe File created C:\Windows\SysWOW64\Jbldcifi.dll Hnimeg32.exe File created C:\Windows\SysWOW64\Eimien32.exe Dcppmg32.exe File created C:\Windows\SysWOW64\Mhaobd32.exe Mgbcha32.exe File created C:\Windows\SysWOW64\Onhnjclg.exe Ofmiea32.exe File created C:\Windows\SysWOW64\Ppogmake.dll Pnodjb32.exe File created C:\Windows\SysWOW64\Dmobpn32.exe Ckilmfke.exe File opened for modification C:\Windows\SysWOW64\Neemgp32.exe Nlmiojla.exe File opened for modification C:\Windows\SysWOW64\Alknnodh.exe Acbieing.exe File created C:\Windows\SysWOW64\Gkkaem32.dll Hjhofj32.exe File opened for modification C:\Windows\SysWOW64\Ccmanjch.exe Boainhic.exe File opened for modification C:\Windows\SysWOW64\Dajlhc32.exe Dahobdpe.exe File created C:\Windows\SysWOW64\Dffbcq32.dll Ejmljg32.exe File opened for modification C:\Windows\SysWOW64\Febmfcjj.exe Fbbcdh32.exe File created C:\Windows\SysWOW64\Ekaeoj32.dll Ppogok32.exe File created C:\Windows\SysWOW64\Almjcobe.exe Alknnodh.exe File opened for modification C:\Windows\SysWOW64\Qhgbibgg.exe e33b46790c22c121106287246535e33d238158ca937ba74c8d7a281edd680f25N.exe File opened for modification C:\Windows\SysWOW64\Mdkcgk32.exe Mmpobi32.exe File opened for modification C:\Windows\SysWOW64\Fhfbmn32.exe Fdhigo32.exe File created C:\Windows\SysWOW64\Leooph32.dll Ncnmhajo.exe File created C:\Windows\SysWOW64\Djibogkn.exe Dpmeij32.exe File created C:\Windows\SysWOW64\Coledgje.dll Mlfebcnd.exe File created C:\Windows\SysWOW64\Qoobod32.dll Mjeholco.exe File opened for modification C:\Windows\SysWOW64\Pmijgn32.exe Pjhaec32.exe File opened for modification C:\Windows\SysWOW64\Hjkbfpah.exe Hkfeec32.exe File created C:\Windows\SysWOW64\Faefoo32.dll Jepoao32.exe File opened for modification C:\Windows\SysWOW64\Bgcbja32.exe Bineidcj.exe File created C:\Windows\SysWOW64\Hlcdlj32.dll Gcimop32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3100 3952 WerFault.exe 315 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfkdik32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbcooo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmmgobfd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klamohhj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aenileon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfekkgla.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ankckagj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jemkai32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kopldl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eekpknlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adncoc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Keehmobp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epgoio32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndbjgjqh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjhaec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eenckc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpfpmonn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kciifc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Almjcobe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehiiop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmighemp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adekhkng.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpmeij32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eckcak32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ficilgai.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gphmbolk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lknbjlnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Meojkide.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjeholco.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfemdp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcgdjmlo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggncop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfalaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obniel32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ognobcqo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbhbfmkd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbehgabe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nffcebdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qoopie32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgbcha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aeokdn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkjpncii.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfjaej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpeebhhf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nplkhh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lngpac32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppjjcogn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Faonqiod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npngng32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgfghodj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaajfi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qpjchicb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lphnlcnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dplbpaim.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljhppo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abgeiaaf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cocbbk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdbdgh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fiopah32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boqbcbeh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acnpjj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhikhefb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofmiea32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iniidj32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dbidof32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fioajqmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oacdmpan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ceahlg32.dll" Nqbdllld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ebhani32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egebiche.dll" Pdnihiad.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fncddc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfdmbl32.dll" Ibmmkaik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egkfbg32.dll" Gphmbolk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bonenbgj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lllihf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ieaekdkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fefboabg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imahgj32.dll" Lcnqin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Faefoo32.dll" Jepoao32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Alknnodh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dhdddnep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dbhbfmkd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hkfeec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jonqfq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Akfaof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkngmm32.dll" Ccmanjch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdmdnmic.dll" Kmjfae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfimpl32.dll" Fiopah32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aamekk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kmjfae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjfoqe32.dll" Epnldd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnaomeci.dll" Iaipmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Anngkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkecpl32.dll" Aamekk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Giiinjlg.dll" Ljfckodo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ofmiea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Giemhaee.dll" Onhnjclg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nbljfdoh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpdqih32.dll" Bqambacb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lqicio32.dll" Cfemdp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jgfghodj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjhbihid.dll" Ompgqonl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lolbjahp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gdbeqmag.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eipekmjg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lomidgkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Adekhkng.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fhlhmi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fkdlaplh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cabpoe32.dll" Lflklaoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkblpcle.dll" Boifinfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ompgqonl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" e33b46790c22c121106287246535e33d238158ca937ba74c8d7a281edd680f25N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lobpmfmi.dll" Jonqfq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Faonqiod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nknplm32.dll" Lolbjahp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dnfkefad.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Giikkehc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbjkiamp.dll" Hfalaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Meojkide.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfkfnp32.dll" Dcnchg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kbjbibli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pagmmn32.dll" Phhhchlp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kihcakpa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ophanl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ankckagj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mhaobd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kkigfdjo.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2056 wrote to memory of 1860 2056 e33b46790c22c121106287246535e33d238158ca937ba74c8d7a281edd680f25N.exe 29 PID 2056 wrote to memory of 1860 2056 e33b46790c22c121106287246535e33d238158ca937ba74c8d7a281edd680f25N.exe 29 PID 2056 wrote to memory of 1860 2056 e33b46790c22c121106287246535e33d238158ca937ba74c8d7a281edd680f25N.exe 29 PID 2056 wrote to memory of 1860 2056 e33b46790c22c121106287246535e33d238158ca937ba74c8d7a281edd680f25N.exe 29 PID 1860 wrote to memory of 2996 1860 Qhgbibgg.exe 30 PID 1860 wrote to memory of 2996 1860 Qhgbibgg.exe 30 PID 1860 wrote to memory of 2996 1860 Qhgbibgg.exe 30 PID 1860 wrote to memory of 2996 1860 Qhgbibgg.exe 30 PID 2996 wrote to memory of 2760 2996 Adncoc32.exe 31 PID 2996 wrote to memory of 2760 2996 Adncoc32.exe 31 PID 2996 wrote to memory of 2760 2996 Adncoc32.exe 31 PID 2996 wrote to memory of 2760 2996 Adncoc32.exe 31 PID 2760 wrote to memory of 2780 2760 Aocgll32.exe 32 PID 2760 wrote to memory of 2780 2760 Aocgll32.exe 32 PID 2760 wrote to memory of 2780 2760 Aocgll32.exe 32 PID 2760 wrote to memory of 2780 2760 Aocgll32.exe 32 PID 2780 wrote to memory of 760 2780 Bjfkbhae.exe 33 PID 2780 wrote to memory of 760 2780 Bjfkbhae.exe 33 PID 2780 wrote to memory of 760 2780 Bjfkbhae.exe 33 PID 2780 wrote to memory of 760 2780 Bjfkbhae.exe 33 PID 760 wrote to memory of 1988 760 Bineidcj.exe 34 PID 760 wrote to memory of 1988 760 Bineidcj.exe 34 PID 760 wrote to memory of 1988 760 Bineidcj.exe 34 PID 760 wrote to memory of 1988 760 Bineidcj.exe 34 PID 1988 wrote to memory of 2408 1988 Bgcbja32.exe 35 PID 1988 wrote to memory of 2408 1988 Bgcbja32.exe 35 PID 1988 wrote to memory of 2408 1988 Bgcbja32.exe 35 PID 1988 wrote to memory of 2408 1988 Bgcbja32.exe 35 PID 2408 wrote to memory of 1748 2408 Cfkkam32.exe 36 PID 2408 wrote to memory of 1748 2408 Cfkkam32.exe 36 PID 2408 wrote to memory of 1748 2408 Cfkkam32.exe 36 PID 2408 wrote to memory of 1748 2408 Cfkkam32.exe 36 PID 1748 wrote to memory of 2172 1748 Cfmhfm32.exe 37 PID 1748 wrote to memory of 2172 1748 Cfmhfm32.exe 37 PID 1748 wrote to memory of 2172 1748 Cfmhfm32.exe 37 PID 1748 wrote to memory of 2172 1748 Cfmhfm32.exe 37 PID 2172 wrote to memory of 3056 2172 Dbhbfmkd.exe 38 PID 2172 wrote to memory of 3056 2172 Dbhbfmkd.exe 38 PID 2172 wrote to memory of 3056 2172 Dbhbfmkd.exe 38 PID 2172 wrote to memory of 3056 2172 Dbhbfmkd.exe 38 PID 3056 wrote to memory of 2372 3056 Dplbpaim.exe 39 PID 3056 wrote to memory of 2372 3056 Dplbpaim.exe 39 PID 3056 wrote to memory of 2372 3056 Dplbpaim.exe 39 PID 3056 wrote to memory of 2372 3056 Dplbpaim.exe 39 PID 2372 wrote to memory of 1648 2372 Dmgmbj32.exe 40 PID 2372 wrote to memory of 1648 2372 Dmgmbj32.exe 40 PID 2372 wrote to memory of 1648 2372 Dmgmbj32.exe 40 PID 2372 wrote to memory of 1648 2372 Dmgmbj32.exe 40 PID 1648 wrote to memory of 2040 1648 Eganqo32.exe 41 PID 1648 wrote to memory of 2040 1648 Eganqo32.exe 41 PID 1648 wrote to memory of 2040 1648 Eganqo32.exe 41 PID 1648 wrote to memory of 2040 1648 Eganqo32.exe 41 PID 2040 wrote to memory of 2156 2040 Edhkpcdb.exe 42 PID 2040 wrote to memory of 2156 2040 Edhkpcdb.exe 42 PID 2040 wrote to memory of 2156 2040 Edhkpcdb.exe 42 PID 2040 wrote to memory of 2156 2040 Edhkpcdb.exe 42 PID 2156 wrote to memory of 2164 2156 Epnldd32.exe 43 PID 2156 wrote to memory of 2164 2156 Epnldd32.exe 43 PID 2156 wrote to memory of 2164 2156 Epnldd32.exe 43 PID 2156 wrote to memory of 2164 2156 Epnldd32.exe 43 PID 2164 wrote to memory of 824 2164 Fepnhjdh.exe 44 PID 2164 wrote to memory of 824 2164 Fepnhjdh.exe 44 PID 2164 wrote to memory of 824 2164 Fepnhjdh.exe 44 PID 2164 wrote to memory of 824 2164 Fepnhjdh.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\e33b46790c22c121106287246535e33d238158ca937ba74c8d7a281edd680f25N.exe"C:\Users\Admin\AppData\Local\Temp\e33b46790c22c121106287246535e33d238158ca937ba74c8d7a281edd680f25N.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2056 -
C:\Windows\SysWOW64\Qhgbibgg.exeC:\Windows\system32\Qhgbibgg.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1860 -
C:\Windows\SysWOW64\Adncoc32.exeC:\Windows\system32\Adncoc32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2996 -
C:\Windows\SysWOW64\Aocgll32.exeC:\Windows\system32\Aocgll32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Windows\SysWOW64\Bjfkbhae.exeC:\Windows\system32\Bjfkbhae.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2780 -
C:\Windows\SysWOW64\Bineidcj.exeC:\Windows\system32\Bineidcj.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:760 -
C:\Windows\SysWOW64\Bgcbja32.exeC:\Windows\system32\Bgcbja32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1988 -
C:\Windows\SysWOW64\Cfkkam32.exeC:\Windows\system32\Cfkkam32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2408 -
C:\Windows\SysWOW64\Cfmhfm32.exeC:\Windows\system32\Cfmhfm32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1748 -
C:\Windows\SysWOW64\Dbhbfmkd.exeC:\Windows\system32\Dbhbfmkd.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2172 -
C:\Windows\SysWOW64\Dplbpaim.exeC:\Windows\system32\Dplbpaim.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3056 -
C:\Windows\SysWOW64\Dmgmbj32.exeC:\Windows\system32\Dmgmbj32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2372 -
C:\Windows\SysWOW64\Eganqo32.exeC:\Windows\system32\Eganqo32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1648 -
C:\Windows\SysWOW64\Edhkpcdb.exeC:\Windows\system32\Edhkpcdb.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2040 -
C:\Windows\SysWOW64\Epnldd32.exeC:\Windows\system32\Epnldd32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2156 -
C:\Windows\SysWOW64\Fepnhjdh.exeC:\Windows\system32\Fepnhjdh.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2164 -
C:\Windows\SysWOW64\Fdekigip.exeC:\Windows\system32\Fdekigip.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:824 -
C:\Windows\SysWOW64\Fkdlaplh.exeC:\Windows\system32\Fkdlaplh.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2152 -
C:\Windows\SysWOW64\Fcoaebjc.exeC:\Windows\system32\Fcoaebjc.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1804 -
C:\Windows\SysWOW64\Ghnfci32.exeC:\Windows\system32\Ghnfci32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1508 -
C:\Windows\SysWOW64\Gnphfppi.exeC:\Windows\system32\Gnphfppi.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1704 -
C:\Windows\SysWOW64\Hkfeec32.exeC:\Windows\system32\Hkfeec32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2628 -
C:\Windows\SysWOW64\Hjkbfpah.exeC:\Windows\system32\Hjkbfpah.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2652 -
C:\Windows\SysWOW64\Hmlkhk32.exeC:\Windows\system32\Hmlkhk32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1480 -
C:\Windows\SysWOW64\Hiblmldn.exeC:\Windows\system32\Hiblmldn.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1924 -
C:\Windows\SysWOW64\Ibmmkaik.exeC:\Windows\system32\Ibmmkaik.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2232 -
C:\Windows\SysWOW64\Imcaijia.exeC:\Windows\system32\Imcaijia.exe27⤵
- Executes dropped EXE
PID:1720 -
C:\Windows\SysWOW64\Infjfblm.exeC:\Windows\system32\Infjfblm.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
PID:2964 -
C:\Windows\SysWOW64\Iljkofkg.exeC:\Windows\system32\Iljkofkg.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1708 -
C:\Windows\SysWOW64\Iaipmm32.exeC:\Windows\system32\Iaipmm32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2960 -
C:\Windows\SysWOW64\Jonqfq32.exeC:\Windows\system32\Jonqfq32.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:828 -
C:\Windows\SysWOW64\Jfkbqcam.exeC:\Windows\system32\Jfkbqcam.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3024 -
C:\Windows\SysWOW64\Jepoao32.exeC:\Windows\system32\Jepoao32.exe33⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2848 -
C:\Windows\SysWOW64\Keehmobp.exeC:\Windows\system32\Keehmobp.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2560 -
C:\Windows\SysWOW64\Kciifc32.exeC:\Windows\system32\Kciifc32.exe35⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2220 -
C:\Windows\SysWOW64\Klamohhj.exeC:\Windows\system32\Klamohhj.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1264 -
C:\Windows\SysWOW64\Kkfjpemb.exeC:\Windows\system32\Kkfjpemb.exe37⤵
- Executes dropped EXE
PID:2128 -
C:\Windows\SysWOW64\Kkigfdjo.exeC:\Windows\system32\Kkigfdjo.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:2604 -
C:\Windows\SysWOW64\Ljndga32.exeC:\Windows\system32\Ljndga32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2084 -
C:\Windows\SysWOW64\Lomidgkl.exeC:\Windows\system32\Lomidgkl.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:2212 -
C:\Windows\SysWOW64\Llainlje.exeC:\Windows\system32\Llainlje.exe41⤵
- Executes dropped EXE
PID:1824 -
C:\Windows\SysWOW64\Lflklaoc.exeC:\Windows\system32\Lflklaoc.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:2908 -
C:\Windows\SysWOW64\Lngpac32.exeC:\Windows\system32\Lngpac32.exe43⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2180 -
C:\Windows\SysWOW64\Mbehgabe.exeC:\Windows\system32\Mbehgabe.exe44⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2684 -
C:\Windows\SysWOW64\Mbgela32.exeC:\Windows\system32\Mbgela32.exe45⤵
- Executes dropped EXE
PID:1560 -
C:\Windows\SysWOW64\Mmafmo32.exeC:\Windows\system32\Mmafmo32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1980 -
C:\Windows\SysWOW64\Mfijfdca.exeC:\Windows\system32\Mfijfdca.exe47⤵
- Executes dropped EXE
PID:1732 -
C:\Windows\SysWOW64\Mmcbbo32.exeC:\Windows\system32\Mmcbbo32.exe48⤵
- Executes dropped EXE
PID:1044 -
C:\Windows\SysWOW64\Mflgkd32.exeC:\Windows\system32\Mflgkd32.exe49⤵
- Executes dropped EXE
PID:928 -
C:\Windows\SysWOW64\Npdkdjhp.exeC:\Windows\system32\Npdkdjhp.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:944 -
C:\Windows\SysWOW64\Nilpmo32.exeC:\Windows\system32\Nilpmo32.exe51⤵
- Executes dropped EXE
PID:872 -
C:\Windows\SysWOW64\Nbddfe32.exeC:\Windows\system32\Nbddfe32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:652 -
C:\Windows\SysWOW64\Nlmiojla.exeC:\Windows\system32\Nlmiojla.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2316 -
C:\Windows\SysWOW64\Neemgp32.exeC:\Windows\system32\Neemgp32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2440 -
C:\Windows\SysWOW64\Nhffikob.exeC:\Windows\system32\Nhffikob.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2720 -
C:\Windows\SysWOW64\Nbljfdoh.exeC:\Windows\system32\Nbljfdoh.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2608 -
C:\Windows\SysWOW64\Onbkle32.exeC:\Windows\system32\Onbkle32.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1352 -
C:\Windows\SysWOW64\Ododdlcd.exeC:\Windows\system32\Ododdlcd.exe58⤵
- Executes dropped EXE
PID:2536 -
C:\Windows\SysWOW64\Oacdmpan.exeC:\Windows\system32\Oacdmpan.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:2668 -
C:\Windows\SysWOW64\Ophanl32.exeC:\Windows\system32\Ophanl32.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:3044 -
C:\Windows\SysWOW64\Ofbikf32.exeC:\Windows\system32\Ofbikf32.exe61⤵
- Executes dropped EXE
PID:3028 -
C:\Windows\SysWOW64\Opkndldc.exeC:\Windows\system32\Opkndldc.exe62⤵
- Executes dropped EXE
PID:1920 -
C:\Windows\SysWOW64\Plaoim32.exeC:\Windows\system32\Plaoim32.exe63⤵
- Executes dropped EXE
PID:2404 -
C:\Windows\SysWOW64\Pfgcff32.exeC:\Windows\system32\Pfgcff32.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1564 -
C:\Windows\SysWOW64\Ppogok32.exeC:\Windows\system32\Ppogok32.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:616 -
C:\Windows\SysWOW64\Ppjjcogn.exeC:\Windows\system32\Ppjjcogn.exe66⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1304 -
C:\Windows\SysWOW64\Qnoklc32.exeC:\Windows\system32\Qnoklc32.exe67⤵PID:592
-
C:\Windows\SysWOW64\Qggoeilh.exeC:\Windows\system32\Qggoeilh.exe68⤵PID:820
-
C:\Windows\SysWOW64\Acnpjj32.exeC:\Windows\system32\Acnpjj32.exe69⤵
- System Location Discovery: System Language Discovery
PID:2020 -
C:\Windows\SysWOW64\Aenileon.exeC:\Windows\system32\Aenileon.exe70⤵
- System Location Discovery: System Language Discovery
PID:1516 -
C:\Windows\SysWOW64\Acbieing.exeC:\Windows\system32\Acbieing.exe71⤵
- Drops file in System32 directory
PID:2488 -
C:\Windows\SysWOW64\Alknnodh.exeC:\Windows\system32\Alknnodh.exe72⤵
- Drops file in System32 directory
- Modifies registry class
PID:2992 -
C:\Windows\SysWOW64\Almjcobe.exeC:\Windows\system32\Almjcobe.exe73⤵
- System Location Discovery: System Language Discovery
PID:2748 -
C:\Windows\SysWOW64\Anngkg32.exeC:\Windows\system32\Anngkg32.exe74⤵
- Modifies registry class
PID:2920 -
C:\Windows\SysWOW64\Akbgdkgm.exeC:\Windows\system32\Akbgdkgm.exe75⤵PID:3008
-
C:\Windows\SysWOW64\Bkddjkej.exeC:\Windows\system32\Bkddjkej.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1332 -
C:\Windows\SysWOW64\Bqambacb.exeC:\Windows\system32\Bqambacb.exe77⤵
- Modifies registry class
PID:2348 -
C:\Windows\SysWOW64\Bcbedm32.exeC:\Windows\system32\Bcbedm32.exe78⤵PID:3040
-
C:\Windows\SysWOW64\Boifinfg.exeC:\Windows\system32\Boifinfg.exe79⤵
- Modifies registry class
PID:2392 -
C:\Windows\SysWOW64\Biakbc32.exeC:\Windows\system32\Biakbc32.exe80⤵PID:844
-
C:\Windows\SysWOW64\Cfekkgla.exeC:\Windows\system32\Cfekkgla.exe81⤵
- System Location Discovery: System Language Discovery
PID:1280 -
C:\Windows\SysWOW64\Ccileljk.exeC:\Windows\system32\Ccileljk.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1148 -
C:\Windows\SysWOW64\Copljmpo.exeC:\Windows\system32\Copljmpo.exe83⤵PID:400
-
C:\Windows\SysWOW64\Cpbiolnl.exeC:\Windows\system32\Cpbiolnl.exe84⤵PID:1780
-
C:\Windows\SysWOW64\Ciknhb32.exeC:\Windows\system32\Ciknhb32.exe85⤵PID:1992
-
C:\Windows\SysWOW64\Ccdnipal.exeC:\Windows\system32\Ccdnipal.exe86⤵PID:2528
-
C:\Windows\SysWOW64\Dahobdpe.exeC:\Windows\system32\Dahobdpe.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2012 -
C:\Windows\SysWOW64\Dajlhc32.exeC:\Windows\system32\Dajlhc32.exe88⤵PID:2820
-
C:\Windows\SysWOW64\Dhdddnep.exeC:\Windows\system32\Dhdddnep.exe89⤵
- Modifies registry class
PID:2912 -
C:\Windows\SysWOW64\Dfjaej32.exeC:\Windows\system32\Dfjaej32.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2792 -
C:\Windows\SysWOW64\Dmcibdad.exeC:\Windows\system32\Dmcibdad.exe91⤵PID:1724
-
C:\Windows\SysWOW64\Dpdbdo32.exeC:\Windows\system32\Dpdbdo32.exe92⤵PID:968
-
C:\Windows\SysWOW64\Epgoio32.exeC:\Windows\system32\Epgoio32.exe93⤵
- System Location Discovery: System Language Discovery
PID:2688 -
C:\Windows\SysWOW64\Ekppjmia.exeC:\Windows\system32\Ekppjmia.exe94⤵PID:2648
-
C:\Windows\SysWOW64\Ehdpcahk.exeC:\Windows\system32\Ehdpcahk.exe95⤵PID:1788
-
C:\Windows\SysWOW64\Eoqeekme.exeC:\Windows\system32\Eoqeekme.exe96⤵PID:2108
-
C:\Windows\SysWOW64\Ehiiop32.exeC:\Windows\system32\Ehiiop32.exe97⤵
- System Location Discovery: System Language Discovery
PID:1328 -
C:\Windows\SysWOW64\Fdpjcaij.exeC:\Windows\system32\Fdpjcaij.exe98⤵PID:1868
-
C:\Windows\SysWOW64\Fimclh32.exeC:\Windows\system32\Fimclh32.exe99⤵
- Drops file in System32 directory
PID:2296 -
C:\Windows\SysWOW64\Fiopah32.exeC:\Windows\system32\Fiopah32.exe100⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:908 -
C:\Windows\SysWOW64\Fcgdjmlo.exeC:\Windows\system32\Fcgdjmlo.exe101⤵
- System Location Discovery: System Language Discovery
PID:432 -
C:\Windows\SysWOW64\Fondonbc.exeC:\Windows\system32\Fondonbc.exe102⤵PID:1612
-
C:\Windows\SysWOW64\Ficilgai.exeC:\Windows\system32\Ficilgai.exe103⤵
- System Location Discovery: System Language Discovery
PID:3000 -
C:\Windows\SysWOW64\Faonqiod.exeC:\Windows\system32\Faonqiod.exe104⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2728 -
C:\Windows\SysWOW64\Gaajfi32.exeC:\Windows\system32\Gaajfi32.exe105⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2092 -
C:\Windows\SysWOW64\Ggncop32.exeC:\Windows\system32\Ggncop32.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1912 -
C:\Windows\SysWOW64\Gdbchd32.exeC:\Windows\system32\Gdbchd32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2584 -
C:\Windows\SysWOW64\Gafcahil.exeC:\Windows\system32\Gafcahil.exe108⤵PID:2044
-
C:\Windows\SysWOW64\Gjahfkfg.exeC:\Windows\system32\Gjahfkfg.exe109⤵PID:2344
-
C:\Windows\SysWOW64\Gcimop32.exeC:\Windows\system32\Gcimop32.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1528 -
C:\Windows\SysWOW64\Gqmmhdka.exeC:\Windows\system32\Gqmmhdka.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2680 -
C:\Windows\SysWOW64\Hjfbaj32.exeC:\Windows\system32\Hjfbaj32.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2024 -
C:\Windows\SysWOW64\Hjhofj32.exeC:\Windows\system32\Hjhofj32.exe113⤵
- Drops file in System32 directory
PID:2260 -
C:\Windows\SysWOW64\Hmighemp.exeC:\Windows\system32\Hmighemp.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2880 -
C:\Windows\SysWOW64\Hfalaj32.exeC:\Windows\system32\Hfalaj32.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2116 -
C:\Windows\SysWOW64\Hibebeqb.exeC:\Windows\system32\Hibebeqb.exe116⤵PID:1388
-
C:\Windows\SysWOW64\Jhikhefb.exeC:\Windows\system32\Jhikhefb.exe117⤵
- System Location Discovery: System Language Discovery
PID:1240 -
C:\Windows\SysWOW64\Jemkai32.exeC:\Windows\system32\Jemkai32.exe118⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:632 -
C:\Windows\SysWOW64\Joepjokm.exeC:\Windows\system32\Joepjokm.exe119⤵PID:888
-
C:\Windows\SysWOW64\Jhndcd32.exeC:\Windows\system32\Jhndcd32.exe120⤵PID:2076
-
C:\Windows\SysWOW64\Jmkmlk32.exeC:\Windows\system32\Jmkmlk32.exe121⤵PID:1028
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-