Analysis
-
max time kernel
52s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
02-02-2025 12:01
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
5c674d9d430d514c61ee5ce20a8e4eaad4ab250129db29eef9323e7aee67bfa8.exe
Resource
win7-20241010-en
windows7-x64
10 signatures
120 seconds
Behavioral task
behavioral2
Sample
5c674d9d430d514c61ee5ce20a8e4eaad4ab250129db29eef9323e7aee67bfa8.exe
Resource
win10v2004-20250129-en
windows10-2004-x64
12 signatures
120 seconds
General
-
Target
5c674d9d430d514c61ee5ce20a8e4eaad4ab250129db29eef9323e7aee67bfa8.exe
-
Size
96KB
-
MD5
d6c4de31490e34e2192c2da87d9f59e5
-
SHA1
81c45a4d6129021acfb57679fe69eda2161835aa
-
SHA256
5c674d9d430d514c61ee5ce20a8e4eaad4ab250129db29eef9323e7aee67bfa8
-
SHA512
471f400bed3db05236f8c277429ca9b210d02382d7222050410193ab322b046d50ec2f2bbdd296d83a1f0c2324bf3e132feea62a5f347b10523012ff8663ccce
-
SSDEEP
1536:/8dltpEPav48Bc7N2v32LCC7RZObZUUWaegPYAS:EFtcocHClUUWae/
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnkpjd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhaobd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oemfahcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkgdbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qkeofnfk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mdhnnl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldihjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iilalc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Onehadbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" 5c674d9d430d514c61ee5ce20a8e4eaad4ab250129db29eef9323e7aee67bfa8.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phmfpddb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Joenaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fhccoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kkigfdjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lpmeojbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Anhdmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gjkfglom.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfjfpkji.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jehklc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nidhfgpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dpaceg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpflqfeo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npfhjifm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbnhfhoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nokdnail.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajdego32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akhkkmdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hogddpld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Afngoand.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Liibigjq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Achikonn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfjbdn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lojhmjag.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfphmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lnobfn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fholmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gjpakdbl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oafclh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eipekmjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gjccbb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jongag32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmifiahi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpalmaad.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oqcffi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qifnjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jpalmaad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eimien32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llkgpmck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ahioobed.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbgakd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lllihf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdbkaoce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Elcbmn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpiffngk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mncfgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fkapkq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hiabjm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jifhdphd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eijffhjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ncejcg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Koelibnh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdgane32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofmiea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eioaillo.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 932 Omjbihpn.exe 2816 Oipcnieb.exe 2852 Oegdcj32.exe 2756 Piemih32.exe 2792 Phjjkefd.exe 2696 Podbgo32.exe 2228 Phmfpddb.exe 1616 Pgacaaij.exe 2964 Pkplgoop.exe 1788 Aodnfbpm.exe 1724 Akkokc32.exe 1884 Afbpnlcd.exe 1460 Abiqcm32.exe 1964 Agfikc32.exe 2332 Ajdego32.exe 2096 Bemfjgdg.exe 900 Bpfgke32.exe 608 Bphdpe32.exe 2312 Bfblmofp.exe 940 Cpmmkdkn.exe 2168 Ciebdj32.exe 936 Clfkfeno.exe 112 Caccnllf.exe 784 Cmlqimph.exe 1364 Dfdeab32.exe 2276 Diencmcj.exe 1596 Dbnblb32.exe 2544 Dpaceg32.exe 2760 Dijgnm32.exe 2908 Dpflqfeo.exe 2920 Eioaillo.exe 2976 Ekbjgd32.exe 2688 Ehfkphnd.exe 2216 Ehhgfgla.exe 1712 Epdljjjm.exe 3000 Ekipgb32.exe 1152 Ffcahq32.exe 236 Fjajno32.exe 1156 Fihcdkom.exe 1020 Godhgedg.exe 2324 Ggpmkgab.exe 560 Gqhadmhc.exe 2340 Gjqfmb32.exe 3044 Gjccbb32.exe 972 Gckgkg32.exe 2528 Hjhlnahk.exe 1588 Hpdefh32.exe 2200 Heamno32.exe 1252 Hpgakh32.exe 1640 Hfajhblm.exe 876 Hnlnmd32.exe 3016 Hiabjm32.exe 2256 Hnnkbd32.exe 1684 Hehconob.exe 2784 Inqhhc32.exe 2176 Iekpdn32.exe 2812 Ijghmd32.exe 2616 Idpmejag.exe 2948 Ijjebd32.exe 2060 Ipfnjkgk.exe 1856 Iiobcq32.exe 1940 Iddfqi32.exe 1628 Iiaoip32.exe 2316 Jongag32.exe -
Loads dropped DLL 64 IoCs
pid Process 2248 5c674d9d430d514c61ee5ce20a8e4eaad4ab250129db29eef9323e7aee67bfa8.exe 2248 5c674d9d430d514c61ee5ce20a8e4eaad4ab250129db29eef9323e7aee67bfa8.exe 932 Omjbihpn.exe 932 Omjbihpn.exe 2816 Oipcnieb.exe 2816 Oipcnieb.exe 2852 Oegdcj32.exe 2852 Oegdcj32.exe 2756 Piemih32.exe 2756 Piemih32.exe 2792 Phjjkefd.exe 2792 Phjjkefd.exe 2696 Podbgo32.exe 2696 Podbgo32.exe 2228 Phmfpddb.exe 2228 Phmfpddb.exe 1616 Pgacaaij.exe 1616 Pgacaaij.exe 2964 Pkplgoop.exe 2964 Pkplgoop.exe 1788 Aodnfbpm.exe 1788 Aodnfbpm.exe 1724 Akkokc32.exe 1724 Akkokc32.exe 1884 Afbpnlcd.exe 1884 Afbpnlcd.exe 1460 Abiqcm32.exe 1460 Abiqcm32.exe 1964 Agfikc32.exe 1964 Agfikc32.exe 2332 Ajdego32.exe 2332 Ajdego32.exe 2096 Bemfjgdg.exe 2096 Bemfjgdg.exe 900 Bpfgke32.exe 900 Bpfgke32.exe 608 Bphdpe32.exe 608 Bphdpe32.exe 2312 Bfblmofp.exe 2312 Bfblmofp.exe 940 Cpmmkdkn.exe 940 Cpmmkdkn.exe 2168 Ciebdj32.exe 2168 Ciebdj32.exe 936 Clfkfeno.exe 936 Clfkfeno.exe 112 Caccnllf.exe 112 Caccnllf.exe 784 Cmlqimph.exe 784 Cmlqimph.exe 1364 Dfdeab32.exe 1364 Dfdeab32.exe 2276 Diencmcj.exe 2276 Diencmcj.exe 1596 Dbnblb32.exe 1596 Dbnblb32.exe 2544 Dpaceg32.exe 2544 Dpaceg32.exe 2760 Dijgnm32.exe 2760 Dijgnm32.exe 2908 Dpflqfeo.exe 2908 Dpflqfeo.exe 2920 Eioaillo.exe 2920 Eioaillo.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Ngeghb32.dll Ekofgnna.exe File opened for modification C:\Windows\SysWOW64\Gicpnhbb.exe Gbigao32.exe File opened for modification C:\Windows\SysWOW64\Iaipmm32.exe Iniglajj.exe File opened for modification C:\Windows\SysWOW64\Jeidob32.exe Jchhhjjg.exe File created C:\Windows\SysWOW64\Cmimif32.exe Cbcikn32.exe File opened for modification C:\Windows\SysWOW64\Iniglajj.exe Hiblmldn.exe File opened for modification C:\Windows\SysWOW64\Iglngj32.exe Ijhmnf32.exe File opened for modification C:\Windows\SysWOW64\Cjdkllec.exe Cgeopqfp.exe File opened for modification C:\Windows\SysWOW64\Lgbdpena.exe Lkkckdhm.exe File created C:\Windows\SysWOW64\Anlbpigi.dll Ckebbgoj.exe File opened for modification C:\Windows\SysWOW64\Igeggkoq.exe Hnmcne32.exe File created C:\Windows\SysWOW64\Dbqajk32.exe Dmcibdad.exe File created C:\Windows\SysWOW64\Jkpfcnoe.exe Jnlfjjpl.exe File created C:\Windows\SysWOW64\Pfjbdn32.exe Pmamliin.exe File opened for modification C:\Windows\SysWOW64\Gklnmgic.exe Gepeep32.exe File created C:\Windows\SysWOW64\Cdcpdjga.dll Lheilofe.exe File created C:\Windows\SysWOW64\Oegdcj32.exe Oipcnieb.exe File opened for modification C:\Windows\SysWOW64\Pgjfflkf.exe Pghjqlmi.exe File opened for modification C:\Windows\SysWOW64\Cjhdgk32.exe Ccolja32.exe File created C:\Windows\SysWOW64\Cofohkgi.exe Cjifpdib.exe File opened for modification C:\Windows\SysWOW64\Pfgeoo32.exe Pmoqfi32.exe File created C:\Windows\SysWOW64\Mkpieggc.exe Mqjehngm.exe File opened for modification C:\Windows\SysWOW64\Dpmlcpdm.exe Dgbgon32.exe File created C:\Windows\SysWOW64\Ickoimie.exe Ijbjpg32.exe File created C:\Windows\SysWOW64\Cbnhfhoc.exe Almjcobe.exe File created C:\Windows\SysWOW64\Fgibijkb.exe Faljqcmk.exe File created C:\Windows\SysWOW64\Fooghg32.exe Fianpp32.exe File created C:\Windows\SysWOW64\Mllhpb32.exe Mebpchmb.exe File created C:\Windows\SysWOW64\Jddbpmpm.exe Jogjgf32.exe File created C:\Windows\SysWOW64\Mibdcakk.exe Mcekkkmc.exe File created C:\Windows\SysWOW64\Cgeopqfp.exe Cakfcfoc.exe File opened for modification C:\Windows\SysWOW64\Oldooi32.exe Nnpofe32.exe File created C:\Windows\SysWOW64\Adbmjbif.exe Anhdmh32.exe File created C:\Windows\SysWOW64\Cbhghabh.dll Gnbelong.exe File created C:\Windows\SysWOW64\Hebkoj32.dll Ciebdj32.exe File created C:\Windows\SysWOW64\Ehonebqq.exe Dadehh32.exe File opened for modification C:\Windows\SysWOW64\Epbamc32.exe Eoqeekme.exe File created C:\Windows\SysWOW64\Dmjmmehk.dll Qifnjm32.exe File opened for modification C:\Windows\SysWOW64\Flbgak32.exe Fooghg32.exe File created C:\Windows\SysWOW64\Fdakhmhh.dll Cpmmkdkn.exe File opened for modification C:\Windows\SysWOW64\Ilnqhddd.exe Iiodliep.exe File created C:\Windows\SysWOW64\Kpmbqj32.dll Ckilmfke.exe File created C:\Windows\SysWOW64\Jjjfbikh.exe Jiiikq32.exe File created C:\Windows\SysWOW64\Lhbhdnio.exe Lnmcge32.exe File opened for modification C:\Windows\SysWOW64\Kononm32.exe Knkbimbg.exe File created C:\Windows\SysWOW64\Pnjpdphd.exe Pddlggin.exe File opened for modification C:\Windows\SysWOW64\Onkjocjd.exe Ollncgjq.exe File created C:\Windows\SysWOW64\Eigbfb32.exe Eoanij32.exe File created C:\Windows\SysWOW64\Kjopnh32.exe Kebgea32.exe File opened for modification C:\Windows\SysWOW64\Gqhadmhc.exe Ggpmkgab.exe File created C:\Windows\SysWOW64\Gomhkb32.exe Gicpnhbb.exe File created C:\Windows\SysWOW64\Eqdlookk.dll Niombolm.exe File created C:\Windows\SysWOW64\Emgkqnci.dll Dcppmg32.exe File created C:\Windows\SysWOW64\Kphgke32.dll Fdjddf32.exe File created C:\Windows\SysWOW64\Hphiggmf.dll Mnqdpj32.exe File created C:\Windows\SysWOW64\Qajiek32.exe Qechqj32.exe File opened for modification C:\Windows\SysWOW64\Dcijmhdj.exe Dgbiggof.exe File opened for modification C:\Windows\SysWOW64\Hpbilmop.exe Hldpfnij.exe File created C:\Windows\SysWOW64\Epdljjjm.exe Ehhgfgla.exe File created C:\Windows\SysWOW64\Mjhlcioh.dll Dogbolep.exe File created C:\Windows\SysWOW64\Lfimpl32.dll Fmjkbfnh.exe File opened for modification C:\Windows\SysWOW64\Cjifpdib.exe Cmeffp32.exe File created C:\Windows\SysWOW64\Mmpmjpba.exe Mffdmfjd.exe File created C:\Windows\SysWOW64\Ecjkkp32.exe Ekofgnna.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 2672 3656 WerFault.exe 624 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmbnhm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nkhhie32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elcbmn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkefcc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lheilofe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knmghb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdailaib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpbilmop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Joenaf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dendcg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iglkoaad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ollncgjq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfcoel32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bqngjcje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dadehh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmcibdad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggmldj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekbjgd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gqcaoghl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhookh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abiqcm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llomhllh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbqajk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jekoljgo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Deljfqmf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcifdj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlfebcnd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmoqfi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpfcohfk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dodlfmlb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hojqjp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkjdpp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knaqcabh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmbadfdl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bemfjgdg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnopmegg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npneeocq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahioobed.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfphmi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cobkhe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djoinbpm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icnealbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hehconob.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkfcqo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdcncg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gghloe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdcfle32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckilmfke.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dijgnm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fghppa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hogddpld.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ceioieei.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acfonhgd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gheola32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpfehq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flbgak32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Podbgo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjajno32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekofgnna.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnnobl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jplinckj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejpipf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aeokdn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gklnmgic.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqfmdp32.dll" Gfgpgmql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bcobdgoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhfdkgij.dll" Dnfkefad.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ipfnjkgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jinghn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Himgihno.dll" Gjpakdbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gepeep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olgdpp32.dll" Pglclk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofmhcg32.dll" Johlpoij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mhaobd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gjkfglom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qhehmkqn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Koeeoljm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abfjga32.dll" Hnlnmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebiomefn.dll" Pddinn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pccdqloh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kegenopb.dll" Hjieapck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lkepdbkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhcdfiom.dll" Ijmfiefj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aandhbgj.dll" Kaihjbno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kaihjbno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bklicbjm.dll" Iiodliep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lhclfphg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kcllfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aiedgbnd.dll" Ddnhidmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgqjfn32.dll" Jncenh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bjfkbhae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oldooi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Njobpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ddnhidmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgeoapde.dll" Kebgea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fihcdkom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppibcink.dll" Epnldd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Limhol32.dll" Mbkkepio.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hpgakh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iiobcq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkloip32.dll" Jogjgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hqbnnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lobbpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gabdbh32.dll" Nnpofe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lindbn32.dll" Enjand32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glgpqf32.dll" Fgcgebhd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Faonqiod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfmdfe32.dll" Jdplmflg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Diklpn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mncfgh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Legcjjjm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jaamhb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mncfgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Legcjjjm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cmlqimph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpchof32.dll" Kjhahb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bipaodah.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ekjikadb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mnfhfmhc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgjojj32.dll" Oqcffi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pmamliin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iaheqe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Knodnb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nmbenc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bqngjcje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efkjha32.dll" Eijffhjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nqdaal32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bdbkaoce.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2248 wrote to memory of 932 2248 5c674d9d430d514c61ee5ce20a8e4eaad4ab250129db29eef9323e7aee67bfa8.exe 29 PID 2248 wrote to memory of 932 2248 5c674d9d430d514c61ee5ce20a8e4eaad4ab250129db29eef9323e7aee67bfa8.exe 29 PID 2248 wrote to memory of 932 2248 5c674d9d430d514c61ee5ce20a8e4eaad4ab250129db29eef9323e7aee67bfa8.exe 29 PID 2248 wrote to memory of 932 2248 5c674d9d430d514c61ee5ce20a8e4eaad4ab250129db29eef9323e7aee67bfa8.exe 29 PID 932 wrote to memory of 2816 932 Omjbihpn.exe 30 PID 932 wrote to memory of 2816 932 Omjbihpn.exe 30 PID 932 wrote to memory of 2816 932 Omjbihpn.exe 30 PID 932 wrote to memory of 2816 932 Omjbihpn.exe 30 PID 2816 wrote to memory of 2852 2816 Oipcnieb.exe 31 PID 2816 wrote to memory of 2852 2816 Oipcnieb.exe 31 PID 2816 wrote to memory of 2852 2816 Oipcnieb.exe 31 PID 2816 wrote to memory of 2852 2816 Oipcnieb.exe 31 PID 2852 wrote to memory of 2756 2852 Oegdcj32.exe 32 PID 2852 wrote to memory of 2756 2852 Oegdcj32.exe 32 PID 2852 wrote to memory of 2756 2852 Oegdcj32.exe 32 PID 2852 wrote to memory of 2756 2852 Oegdcj32.exe 32 PID 2756 wrote to memory of 2792 2756 Piemih32.exe 33 PID 2756 wrote to memory of 2792 2756 Piemih32.exe 33 PID 2756 wrote to memory of 2792 2756 Piemih32.exe 33 PID 2756 wrote to memory of 2792 2756 Piemih32.exe 33 PID 2792 wrote to memory of 2696 2792 Phjjkefd.exe 34 PID 2792 wrote to memory of 2696 2792 Phjjkefd.exe 34 PID 2792 wrote to memory of 2696 2792 Phjjkefd.exe 34 PID 2792 wrote to memory of 2696 2792 Phjjkefd.exe 34 PID 2696 wrote to memory of 2228 2696 Podbgo32.exe 35 PID 2696 wrote to memory of 2228 2696 Podbgo32.exe 35 PID 2696 wrote to memory of 2228 2696 Podbgo32.exe 35 PID 2696 wrote to memory of 2228 2696 Podbgo32.exe 35 PID 2228 wrote to memory of 1616 2228 Phmfpddb.exe 36 PID 2228 wrote to memory of 1616 2228 Phmfpddb.exe 36 PID 2228 wrote to memory of 1616 2228 Phmfpddb.exe 36 PID 2228 wrote to memory of 1616 2228 Phmfpddb.exe 36 PID 1616 wrote to memory of 2964 1616 Pgacaaij.exe 37 PID 1616 wrote to memory of 2964 1616 Pgacaaij.exe 37 PID 1616 wrote to memory of 2964 1616 Pgacaaij.exe 37 PID 1616 wrote to memory of 2964 1616 Pgacaaij.exe 37 PID 2964 wrote to memory of 1788 2964 Pkplgoop.exe 38 PID 2964 wrote to memory of 1788 2964 Pkplgoop.exe 38 PID 2964 wrote to memory of 1788 2964 Pkplgoop.exe 38 PID 2964 wrote to memory of 1788 2964 Pkplgoop.exe 38 PID 1788 wrote to memory of 1724 1788 Aodnfbpm.exe 39 PID 1788 wrote to memory of 1724 1788 Aodnfbpm.exe 39 PID 1788 wrote to memory of 1724 1788 Aodnfbpm.exe 39 PID 1788 wrote to memory of 1724 1788 Aodnfbpm.exe 39 PID 1724 wrote to memory of 1884 1724 Akkokc32.exe 40 PID 1724 wrote to memory of 1884 1724 Akkokc32.exe 40 PID 1724 wrote to memory of 1884 1724 Akkokc32.exe 40 PID 1724 wrote to memory of 1884 1724 Akkokc32.exe 40 PID 1884 wrote to memory of 1460 1884 Afbpnlcd.exe 41 PID 1884 wrote to memory of 1460 1884 Afbpnlcd.exe 41 PID 1884 wrote to memory of 1460 1884 Afbpnlcd.exe 41 PID 1884 wrote to memory of 1460 1884 Afbpnlcd.exe 41 PID 1460 wrote to memory of 1964 1460 Abiqcm32.exe 42 PID 1460 wrote to memory of 1964 1460 Abiqcm32.exe 42 PID 1460 wrote to memory of 1964 1460 Abiqcm32.exe 42 PID 1460 wrote to memory of 1964 1460 Abiqcm32.exe 42 PID 1964 wrote to memory of 2332 1964 Agfikc32.exe 43 PID 1964 wrote to memory of 2332 1964 Agfikc32.exe 43 PID 1964 wrote to memory of 2332 1964 Agfikc32.exe 43 PID 1964 wrote to memory of 2332 1964 Agfikc32.exe 43 PID 2332 wrote to memory of 2096 2332 Ajdego32.exe 44 PID 2332 wrote to memory of 2096 2332 Ajdego32.exe 44 PID 2332 wrote to memory of 2096 2332 Ajdego32.exe 44 PID 2332 wrote to memory of 2096 2332 Ajdego32.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\5c674d9d430d514c61ee5ce20a8e4eaad4ab250129db29eef9323e7aee67bfa8.exe"C:\Users\Admin\AppData\Local\Temp\5c674d9d430d514c61ee5ce20a8e4eaad4ab250129db29eef9323e7aee67bfa8.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2248 -
C:\Windows\SysWOW64\Omjbihpn.exeC:\Windows\system32\Omjbihpn.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:932 -
C:\Windows\SysWOW64\Oipcnieb.exeC:\Windows\system32\Oipcnieb.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2816 -
C:\Windows\SysWOW64\Oegdcj32.exeC:\Windows\system32\Oegdcj32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2852 -
C:\Windows\SysWOW64\Piemih32.exeC:\Windows\system32\Piemih32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2756 -
C:\Windows\SysWOW64\Phjjkefd.exeC:\Windows\system32\Phjjkefd.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2792 -
C:\Windows\SysWOW64\Podbgo32.exeC:\Windows\system32\Podbgo32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2696 -
C:\Windows\SysWOW64\Phmfpddb.exeC:\Windows\system32\Phmfpddb.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2228 -
C:\Windows\SysWOW64\Pgacaaij.exeC:\Windows\system32\Pgacaaij.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1616 -
C:\Windows\SysWOW64\Pkplgoop.exeC:\Windows\system32\Pkplgoop.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2964 -
C:\Windows\SysWOW64\Aodnfbpm.exeC:\Windows\system32\Aodnfbpm.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1788 -
C:\Windows\SysWOW64\Akkokc32.exeC:\Windows\system32\Akkokc32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1724 -
C:\Windows\SysWOW64\Afbpnlcd.exeC:\Windows\system32\Afbpnlcd.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1884 -
C:\Windows\SysWOW64\Abiqcm32.exeC:\Windows\system32\Abiqcm32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1460 -
C:\Windows\SysWOW64\Agfikc32.exeC:\Windows\system32\Agfikc32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1964 -
C:\Windows\SysWOW64\Ajdego32.exeC:\Windows\system32\Ajdego32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2332 -
C:\Windows\SysWOW64\Bemfjgdg.exeC:\Windows\system32\Bemfjgdg.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2096 -
C:\Windows\SysWOW64\Bpfgke32.exeC:\Windows\system32\Bpfgke32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:900 -
C:\Windows\SysWOW64\Bphdpe32.exeC:\Windows\system32\Bphdpe32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:608 -
C:\Windows\SysWOW64\Bfblmofp.exeC:\Windows\system32\Bfblmofp.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2312 -
C:\Windows\SysWOW64\Cpmmkdkn.exeC:\Windows\system32\Cpmmkdkn.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:940 -
C:\Windows\SysWOW64\Ciebdj32.exeC:\Windows\system32\Ciebdj32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2168 -
C:\Windows\SysWOW64\Clfkfeno.exeC:\Windows\system32\Clfkfeno.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:936 -
C:\Windows\SysWOW64\Caccnllf.exeC:\Windows\system32\Caccnllf.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:112 -
C:\Windows\SysWOW64\Cmlqimph.exeC:\Windows\system32\Cmlqimph.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:784 -
C:\Windows\SysWOW64\Dfdeab32.exeC:\Windows\system32\Dfdeab32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1364 -
C:\Windows\SysWOW64\Diencmcj.exeC:\Windows\system32\Diencmcj.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2276 -
C:\Windows\SysWOW64\Dbnblb32.exeC:\Windows\system32\Dbnblb32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1596 -
C:\Windows\SysWOW64\Dpaceg32.exeC:\Windows\system32\Dpaceg32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2544 -
C:\Windows\SysWOW64\Dijgnm32.exeC:\Windows\system32\Dijgnm32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2760 -
C:\Windows\SysWOW64\Dpflqfeo.exeC:\Windows\system32\Dpflqfeo.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2908 -
C:\Windows\SysWOW64\Eioaillo.exeC:\Windows\system32\Eioaillo.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2920 -
C:\Windows\SysWOW64\Ekbjgd32.exeC:\Windows\system32\Ekbjgd32.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2976 -
C:\Windows\SysWOW64\Ehfkphnd.exeC:\Windows\system32\Ehfkphnd.exe34⤵
- Executes dropped EXE
PID:2688 -
C:\Windows\SysWOW64\Ehhgfgla.exeC:\Windows\system32\Ehhgfgla.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2216 -
C:\Windows\SysWOW64\Epdljjjm.exeC:\Windows\system32\Epdljjjm.exe36⤵
- Executes dropped EXE
PID:1712 -
C:\Windows\SysWOW64\Ekipgb32.exeC:\Windows\system32\Ekipgb32.exe37⤵
- Executes dropped EXE
PID:3000 -
C:\Windows\SysWOW64\Ffcahq32.exeC:\Windows\system32\Ffcahq32.exe38⤵
- Executes dropped EXE
PID:1152 -
C:\Windows\SysWOW64\Fjajno32.exeC:\Windows\system32\Fjajno32.exe39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:236 -
C:\Windows\SysWOW64\Fihcdkom.exeC:\Windows\system32\Fihcdkom.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:1156 -
C:\Windows\SysWOW64\Godhgedg.exeC:\Windows\system32\Godhgedg.exe41⤵
- Executes dropped EXE
PID:1020 -
C:\Windows\SysWOW64\Ggpmkgab.exeC:\Windows\system32\Ggpmkgab.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2324 -
C:\Windows\SysWOW64\Gqhadmhc.exeC:\Windows\system32\Gqhadmhc.exe43⤵
- Executes dropped EXE
PID:560 -
C:\Windows\SysWOW64\Gjqfmb32.exeC:\Windows\system32\Gjqfmb32.exe44⤵
- Executes dropped EXE
PID:2340 -
C:\Windows\SysWOW64\Gjccbb32.exeC:\Windows\system32\Gjccbb32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3044 -
C:\Windows\SysWOW64\Gckgkg32.exeC:\Windows\system32\Gckgkg32.exe46⤵
- Executes dropped EXE
PID:972 -
C:\Windows\SysWOW64\Hjhlnahk.exeC:\Windows\system32\Hjhlnahk.exe47⤵
- Executes dropped EXE
PID:2528 -
C:\Windows\SysWOW64\Hpdefh32.exeC:\Windows\system32\Hpdefh32.exe48⤵
- Executes dropped EXE
PID:1588 -
C:\Windows\SysWOW64\Heamno32.exeC:\Windows\system32\Heamno32.exe49⤵
- Executes dropped EXE
PID:2200 -
C:\Windows\SysWOW64\Hpgakh32.exeC:\Windows\system32\Hpgakh32.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:1252 -
C:\Windows\SysWOW64\Hfajhblm.exeC:\Windows\system32\Hfajhblm.exe51⤵
- Executes dropped EXE
PID:1640 -
C:\Windows\SysWOW64\Hnlnmd32.exeC:\Windows\system32\Hnlnmd32.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:876 -
C:\Windows\SysWOW64\Hiabjm32.exeC:\Windows\system32\Hiabjm32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3016 -
C:\Windows\SysWOW64\Hnnkbd32.exeC:\Windows\system32\Hnnkbd32.exe54⤵
- Executes dropped EXE
PID:2256 -
C:\Windows\SysWOW64\Hehconob.exeC:\Windows\system32\Hehconob.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1684 -
C:\Windows\SysWOW64\Inqhhc32.exeC:\Windows\system32\Inqhhc32.exe56⤵
- Executes dropped EXE
PID:2784 -
C:\Windows\SysWOW64\Iekpdn32.exeC:\Windows\system32\Iekpdn32.exe57⤵
- Executes dropped EXE
PID:2176 -
C:\Windows\SysWOW64\Ijghmd32.exeC:\Windows\system32\Ijghmd32.exe58⤵
- Executes dropped EXE
PID:2812 -
C:\Windows\SysWOW64\Idpmejag.exeC:\Windows\system32\Idpmejag.exe59⤵
- Executes dropped EXE
PID:2616 -
C:\Windows\SysWOW64\Ijjebd32.exeC:\Windows\system32\Ijjebd32.exe60⤵
- Executes dropped EXE
PID:2948 -
C:\Windows\SysWOW64\Ipfnjkgk.exeC:\Windows\system32\Ipfnjkgk.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:2060 -
C:\Windows\SysWOW64\Iiobcq32.exeC:\Windows\system32\Iiobcq32.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:1856 -
C:\Windows\SysWOW64\Iddfqi32.exeC:\Windows\system32\Iddfqi32.exe63⤵
- Executes dropped EXE
PID:1940 -
C:\Windows\SysWOW64\Iiaoip32.exeC:\Windows\system32\Iiaoip32.exe64⤵
- Executes dropped EXE
PID:1628 -
C:\Windows\SysWOW64\Jongag32.exeC:\Windows\system32\Jongag32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2316 -
C:\Windows\SysWOW64\Jehpna32.exeC:\Windows\system32\Jehpna32.exe66⤵PID:2132
-
C:\Windows\SysWOW64\Jpndkj32.exeC:\Windows\system32\Jpndkj32.exe67⤵PID:3056
-
C:\Windows\SysWOW64\Jifhdphd.exeC:\Windows\system32\Jifhdphd.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:288 -
C:\Windows\SysWOW64\Jaamhb32.exeC:\Windows\system32\Jaamhb32.exe69⤵
- Modifies registry class
PID:2040 -
C:\Windows\SysWOW64\Joenaf32.exeC:\Windows\system32\Joenaf32.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1960 -
C:\Windows\SysWOW64\Jeofnpke.exeC:\Windows\system32\Jeofnpke.exe71⤵PID:1704
-
C:\Windows\SysWOW64\Jogjgf32.exeC:\Windows\system32\Jogjgf32.exe72⤵
- Drops file in System32 directory
- Modifies registry class
PID:2532 -
C:\Windows\SysWOW64\Jddbpmpm.exeC:\Windows\system32\Jddbpmpm.exe73⤵PID:2304
-
C:\Windows\SysWOW64\Knmghb32.exeC:\Windows\system32\Knmghb32.exe74⤵
- System Location Discovery: System Language Discovery
PID:1632 -
C:\Windows\SysWOW64\Kcipqi32.exeC:\Windows\system32\Kcipqi32.exe75⤵PID:2140
-
C:\Windows\SysWOW64\Knodnb32.exeC:\Windows\system32\Knodnb32.exe76⤵
- Modifies registry class
PID:2820 -
C:\Windows\SysWOW64\Kcllfi32.exeC:\Windows\system32\Kcllfi32.exe77⤵
- Modifies registry class
PID:1044 -
C:\Windows\SysWOW64\Knaqcabh.exeC:\Windows\system32\Knaqcabh.exe78⤵
- System Location Discovery: System Language Discovery
PID:2212 -
C:\Windows\SysWOW64\Kcnilhap.exeC:\Windows\system32\Kcnilhap.exe79⤵PID:2956
-
C:\Windows\SysWOW64\Kjhahb32.exeC:\Windows\system32\Kjhahb32.exe80⤵
- Modifies registry class
PID:2036 -
C:\Windows\SysWOW64\Koejqi32.exeC:\Windows\system32\Koejqi32.exe81⤵PID:1732
-
C:\Windows\SysWOW64\Khmnio32.exeC:\Windows\system32\Khmnio32.exe82⤵PID:2732
-
C:\Windows\SysWOW64\Kogffida.exeC:\Windows\system32\Kogffida.exe83⤵PID:1804
-
C:\Windows\SysWOW64\Lddoopbi.exeC:\Windows\system32\Lddoopbi.exe84⤵PID:2580
-
C:\Windows\SysWOW64\Llkgpmck.exeC:\Windows\system32\Llkgpmck.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3040 -
C:\Windows\SysWOW64\Lnmcge32.exeC:\Windows\system32\Lnmcge32.exe86⤵
- Drops file in System32 directory
PID:384 -
C:\Windows\SysWOW64\Lhbhdnio.exeC:\Windows\system32\Lhbhdnio.exe87⤵PID:2104
-
C:\Windows\SysWOW64\Lnopmegg.exeC:\Windows\system32\Lnopmegg.exe88⤵
- System Location Discovery: System Language Discovery
PID:1612 -
C:\Windows\SysWOW64\Ldihjo32.exeC:\Windows\system32\Ldihjo32.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1052 -
C:\Windows\SysWOW64\Ljeabf32.exeC:\Windows\system32\Ljeabf32.exe90⤵PID:2384
-
C:\Windows\SysWOW64\Lqpiopdh.exeC:\Windows\system32\Lqpiopdh.exe91⤵PID:2100
-
C:\Windows\SysWOW64\Lkemli32.exeC:\Windows\system32\Lkemli32.exe92⤵PID:2868
-
C:\Windows\SysWOW64\Lqbfdp32.exeC:\Windows\system32\Lqbfdp32.exe93⤵PID:2680
-
C:\Windows\SysWOW64\Lfonlg32.exeC:\Windows\system32\Lfonlg32.exe94⤵PID:1696
-
C:\Windows\SysWOW64\Mmifiahi.exeC:\Windows\system32\Mmifiahi.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2972 -
C:\Windows\SysWOW64\Mgnkfjho.exeC:\Windows\system32\Mgnkfjho.exe96⤵PID:1384
-
C:\Windows\SysWOW64\Mmkcoq32.exeC:\Windows\system32\Mmkcoq32.exe97⤵PID:1992
-
C:\Windows\SysWOW64\Mcekkkmc.exeC:\Windows\system32\Mcekkkmc.exe98⤵
- Drops file in System32 directory
PID:2536 -
C:\Windows\SysWOW64\Mibdcakk.exeC:\Windows\system32\Mibdcakk.exe99⤵PID:2376
-
C:\Windows\SysWOW64\Mffdmfjd.exeC:\Windows\system32\Mffdmfjd.exe100⤵
- Drops file in System32 directory
PID:2084 -
C:\Windows\SysWOW64\Mmpmjpba.exeC:\Windows\system32\Mmpmjpba.exe101⤵PID:624
-
C:\Windows\SysWOW64\Mbmebgpi.exeC:\Windows\system32\Mbmebgpi.exe102⤵PID:2440
-
C:\Windows\SysWOW64\Mlejkl32.exeC:\Windows\system32\Mlejkl32.exe103⤵PID:392
-
C:\Windows\SysWOW64\Mncfgh32.exeC:\Windows\system32\Mncfgh32.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1812 -
C:\Windows\SysWOW64\Niijdq32.exeC:\Windows\system32\Niijdq32.exe105⤵PID:1608
-
C:\Windows\SysWOW64\Nadoiccn.exeC:\Windows\system32\Nadoiccn.exe106⤵PID:2900
-
C:\Windows\SysWOW64\Nebgoa32.exeC:\Windows\system32\Nebgoa32.exe107⤵PID:3024
-
C:\Windows\SysWOW64\Njopgh32.exeC:\Windows\system32\Njopgh32.exe108⤵PID:2600
-
C:\Windows\SysWOW64\Nmmlccfp.exeC:\Windows\system32\Nmmlccfp.exe109⤵PID:2864
-
C:\Windows\SysWOW64\Nidmhd32.exeC:\Windows\system32\Nidmhd32.exe110⤵PID:2988
-
C:\Windows\SysWOW64\Npneeocq.exeC:\Windows\system32\Npneeocq.exe111⤵
- System Location Discovery: System Language Discovery
PID:924 -
C:\Windows\SysWOW64\Nmbenc32.exeC:\Windows\system32\Nmbenc32.exe112⤵
- Modifies registry class
PID:2452 -
C:\Windows\SysWOW64\Oiifcdhn.exeC:\Windows\system32\Oiifcdhn.exe113⤵PID:2684
-
C:\Windows\SysWOW64\Ofmgmhgh.exeC:\Windows\system32\Ofmgmhgh.exe114⤵PID:2516
-
C:\Windows\SysWOW64\Pghjqlmi.exeC:\Windows\system32\Pghjqlmi.exe115⤵
- Drops file in System32 directory
PID:428 -
C:\Windows\SysWOW64\Pgjfflkf.exeC:\Windows\system32\Pgjfflkf.exe116⤵PID:2480
-
C:\Windows\SysWOW64\Pglclk32.exeC:\Windows\system32\Pglclk32.exe117⤵
- Modifies registry class
PID:2716 -
C:\Windows\SysWOW64\Pnfkheap.exeC:\Windows\system32\Pnfkheap.exe118⤵PID:3036
-
C:\Windows\SysWOW64\Pccdqloh.exeC:\Windows\system32\Pccdqloh.exe119⤵
- Modifies registry class
PID:2636 -
C:\Windows\SysWOW64\Qhdfdb32.exeC:\Windows\system32\Qhdfdb32.exe120⤵PID:2980
-
C:\Windows\SysWOW64\Qcjjakip.exeC:\Windows\system32\Qcjjakip.exe121⤵PID:2436
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-