Analysis
-
max time kernel
58s -
max time network
18s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
18-02-2025 08:17
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
fb89c3f3d15d3696be7ac789c56293344dc5c7897d2ca34ea74604e42969f823.exe
Resource
win7-20241010-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral2
Sample
fb89c3f3d15d3696be7ac789c56293344dc5c7897d2ca34ea74604e42969f823.exe
Resource
win10v2004-20250217-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
fb89c3f3d15d3696be7ac789c56293344dc5c7897d2ca34ea74604e42969f823.exe
-
Size
1.1MB
-
MD5
a3536c516da9f2450ec8e2b093c1fdcd
-
SHA1
f38c3fd4c256da87bed74288f3237300559776c6
-
SHA256
fb89c3f3d15d3696be7ac789c56293344dc5c7897d2ca34ea74604e42969f823
-
SHA512
5870fb1ba0e784d6a5a26fa15c973f72ced1a05efa6f791a30d5db91bdaf3171b57d7b0ddafdc2812eb970cd31c580efd31c26f8cc14b9b9b988f9fd41a8a87d
-
SSDEEP
12288:0wXkv+m05XEvGdXEvG6IveDVqvQ6IvYvc6O:86X1dX1q5h3Z
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Necandjo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elaego32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obilip32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnaihhgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mpegka32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Najbbepc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hancef32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofqonp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjmdgmnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjalch32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkcagn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aolihc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jqonjmbn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojjqbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fgibijkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gljdlq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kehgkgha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mdajff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Abnbccia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbagdq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lfbibfmi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncbfcq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hahoodqi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eqpfchka.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nndjhi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Filnjk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hahoodqi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bohoogbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkancm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fqbbig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Geqnho32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgebfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ihefjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mkldli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mgebfi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjeholco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Okmqlp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbneekan.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbdpjgjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phmkaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjlpjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jbhkngcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cehlbihg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fefpfi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfdbji32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ommfibdg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qmoone32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdajff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhfjgh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojdlkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nndjhi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehnknfdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmipmlan.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbgakd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Alicahno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ommfibdg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egchocif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kpiihgoh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkhkbmco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ldjmkq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbncbgoh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Neohbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jchhhjjg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okmqlp32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2216 Nmeohnil.exe 2992 Npfhjifm.exe 2984 Nbgakd32.exe 3024 Apapcnaf.exe 2804 Bkddjkej.exe 1640 Cjqglf32.exe 2248 Cgmndokg.exe 2764 Dbneekan.exe 2160 Eahkag32.exe 2308 Eajhgg32.exe 2384 Fefpfi32.exe 1848 Fondonbc.exe 1588 Hhhblgim.exe 1680 Hmfkbeoc.exe 2480 Imidgh32.exe 2620 Ibhieo32.exe 896 Kpiihgoh.exe 1780 Ojdlkp32.exe 2024 Bohoogbk.exe 304 Dkolblkk.exe 320 Dlcfnk32.exe 1552 Dcojbm32.exe 1984 Ehopnk32.exe 872 Ebhani32.exe 652 Elaego32.exe 2956 Eoanij32.exe 2072 Faedpdcc.exe 828 Fbdpjgjf.exe 2740 Fgibijkb.exe 2560 Fangfcki.exe 2284 Gljdlq32.exe 1496 Gkancm32.exe 1724 Gdjblboj.exe 2600 Hancef32.exe 2372 Hfdbji32.exe 3032 Homfboco.exe 2368 Iiekkdjo.exe 2640 Icmlnmgb.exe 2180 Ibbioilj.exe 2684 Iionacad.exe 940 Jajbfeop.exe 1560 Jehklc32.exe 2324 Jjdcdjcm.exe 1752 Jmelfeqn.exe 1248 Jilmkffb.exe 432 Kmjfae32.exe 2260 Kiafff32.exe 2632 Kehgkgha.exe 1600 Kjdpcnfi.exe 2952 Kldlmqml.exe 2868 Linfpi32.exe 2880 Mdajff32.exe 2800 Mahgejhf.exe 2572 Mjcljlea.exe 2824 Mjeholco.exe 2816 Nncaejie.exe 2584 Ncpjnahm.exe 2380 Ncbfcq32.exe 1824 Nkmkgc32.exe 2404 Nhalag32.exe 2184 Nidhfgpl.exe 2152 Ogiegc32.exe 2516 Oqajqi32.exe 1508 Omhjejai.exe -
Loads dropped DLL 64 IoCs
pid Process 2268 fb89c3f3d15d3696be7ac789c56293344dc5c7897d2ca34ea74604e42969f823.exe 2268 fb89c3f3d15d3696be7ac789c56293344dc5c7897d2ca34ea74604e42969f823.exe 2216 Nmeohnil.exe 2216 Nmeohnil.exe 2992 Npfhjifm.exe 2992 Npfhjifm.exe 2984 Nbgakd32.exe 2984 Nbgakd32.exe 3024 Apapcnaf.exe 3024 Apapcnaf.exe 2804 Bkddjkej.exe 2804 Bkddjkej.exe 1640 Cjqglf32.exe 1640 Cjqglf32.exe 2248 Cgmndokg.exe 2248 Cgmndokg.exe 2764 Dbneekan.exe 2764 Dbneekan.exe 2160 Eahkag32.exe 2160 Eahkag32.exe 2308 Eajhgg32.exe 2308 Eajhgg32.exe 2384 Fefpfi32.exe 2384 Fefpfi32.exe 1848 Fondonbc.exe 1848 Fondonbc.exe 1588 Hhhblgim.exe 1588 Hhhblgim.exe 1680 Hmfkbeoc.exe 1680 Hmfkbeoc.exe 2480 Imidgh32.exe 2480 Imidgh32.exe 2620 Ibhieo32.exe 2620 Ibhieo32.exe 896 Kpiihgoh.exe 896 Kpiihgoh.exe 1780 Ojdlkp32.exe 1780 Ojdlkp32.exe 2024 Bohoogbk.exe 2024 Bohoogbk.exe 304 Dkolblkk.exe 304 Dkolblkk.exe 320 Dlcfnk32.exe 320 Dlcfnk32.exe 1552 Dcojbm32.exe 1552 Dcojbm32.exe 1984 Ehopnk32.exe 1984 Ehopnk32.exe 872 Ebhani32.exe 872 Ebhani32.exe 652 Elaego32.exe 652 Elaego32.exe 2956 Eoanij32.exe 2956 Eoanij32.exe 2072 Faedpdcc.exe 2072 Faedpdcc.exe 828 Fbdpjgjf.exe 828 Fbdpjgjf.exe 2740 Fgibijkb.exe 2740 Fgibijkb.exe 2560 Fangfcki.exe 2560 Fangfcki.exe 2284 Gljdlq32.exe 2284 Gljdlq32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Omhjejai.exe Oqajqi32.exe File opened for modification C:\Windows\SysWOW64\Bakgmgpe.exe Angafl32.exe File opened for modification C:\Windows\SysWOW64\Gmipmlan.exe Gigjch32.exe File created C:\Windows\SysWOW64\Hemggm32.exe Hmpemkkf.exe File opened for modification C:\Windows\SysWOW64\Jbhkngcd.exe Imkbeqem.exe File opened for modification C:\Windows\SysWOW64\Qfbahldf.exe Pinqoh32.exe File created C:\Windows\SysWOW64\Klmhcl32.dll Nncaejie.exe File created C:\Windows\SysWOW64\Mjoflc32.dll Pnefiq32.exe File created C:\Windows\SysWOW64\Jepjpajn.exe Jncenh32.exe File opened for modification C:\Windows\SysWOW64\Lpekln32.exe Kbajci32.exe File created C:\Windows\SysWOW64\Ifljcanj.exe Ickaaf32.exe File created C:\Windows\SysWOW64\Joagkd32.exe Jkcoee32.exe File created C:\Windows\SysWOW64\Cjmhanqn.dll Kjdpcnfi.exe File created C:\Windows\SysWOW64\Nncaejie.exe Mjeholco.exe File created C:\Windows\SysWOW64\Omhjejai.exe Oqajqi32.exe File created C:\Windows\SysWOW64\Obilip32.exe Ogpkhb32.exe File opened for modification C:\Windows\SysWOW64\Pmmppm32.exe Phmkaf32.exe File created C:\Windows\SysWOW64\Lphmdc32.dll Dqknqleg.exe File created C:\Windows\SysWOW64\Ffccjk32.dll Kigidd32.exe File opened for modification C:\Windows\SysWOW64\Okhgaqfj.exe Ogfagmck.exe File created C:\Windows\SysWOW64\Fondonbc.exe Fefpfi32.exe File opened for modification C:\Windows\SysWOW64\Fangfcki.exe Fgibijkb.exe File created C:\Windows\SysWOW64\Clogijoi.dll Oiqaed32.exe File created C:\Windows\SysWOW64\Dpicceon.exe Cemfnh32.exe File opened for modification C:\Windows\SysWOW64\Iebmaoed.exe Iapghlbe.exe File created C:\Windows\SysWOW64\Plgojd32.dll Kpiihgoh.exe File created C:\Windows\SysWOW64\Nbbfjogd.dll Kehgkgha.exe File created C:\Windows\SysWOW64\Laodbj32.dll Gdjblboj.exe File opened for modification C:\Windows\SysWOW64\Iionacad.exe Ibbioilj.exe File created C:\Windows\SysWOW64\Alicahno.exe Aflkiapg.exe File created C:\Windows\SysWOW64\Dopdgoif.dll Ofphdi32.exe File created C:\Windows\SysWOW64\Lhpcanhb.dll Dghlfe32.exe File created C:\Windows\SysWOW64\Jqmadn32.exe Jnlhbb32.exe File created C:\Windows\SysWOW64\Cjqglf32.exe Bkddjkej.exe File created C:\Windows\SysWOW64\Hndnokni.dll Dcojbm32.exe File created C:\Windows\SysWOW64\Fqbbig32.exe Eqpfchka.exe File opened for modification C:\Windows\SysWOW64\Mkldli32.exe Lbncbgoh.exe File opened for modification C:\Windows\SysWOW64\Eqpfchka.exe Edghighp.exe File opened for modification C:\Windows\SysWOW64\Mjcljlea.exe Mahgejhf.exe File created C:\Windows\SysWOW64\Hahoodqi.exe Dcppmg32.exe File created C:\Windows\SysWOW64\Fcnmploa.dll Jidppaio.exe File created C:\Windows\SysWOW64\Jncenh32.exe Jgjman32.exe File opened for modification C:\Windows\SysWOW64\Kcjqlm32.exe Kjalch32.exe File created C:\Windows\SysWOW64\Dlahmcbg.dll Dgehfodh.exe File created C:\Windows\SysWOW64\Ndbfldme.dll Nbgakd32.exe File created C:\Windows\SysWOW64\Plnbai32.dll Jajbfeop.exe File created C:\Windows\SysWOW64\Egchocif.exe Ehnknfdn.exe File created C:\Windows\SysWOW64\Fbhhlo32.exe Fjmdgmnl.exe File created C:\Windows\SysWOW64\Ihphlqal.dll Ldjmkq32.exe File created C:\Windows\SysWOW64\Nhlkkabh.exe Nkhkbmco.exe File created C:\Windows\SysWOW64\Ogfagmck.exe Nnnmoh32.exe File opened for modification C:\Windows\SysWOW64\Kbjmhd32.exe Jimodo32.exe File opened for modification C:\Windows\SysWOW64\Ommfibdg.exe Oceaql32.exe File opened for modification C:\Windows\SysWOW64\Edghighp.exe Egchocif.exe File created C:\Windows\SysWOW64\Fhlpince.dll Mjcljlea.exe File created C:\Windows\SysWOW64\Mofjof32.dll Pbnfdpge.exe File opened for modification C:\Windows\SysWOW64\Okbgkk32.exe Najbbepc.exe File created C:\Windows\SysWOW64\Cpldjajo.exe Bdbfpafn.exe File opened for modification C:\Windows\SysWOW64\Okmqlp32.exe Ofphdi32.exe File created C:\Windows\SysWOW64\Ekiaac32.exe Dghlfe32.exe File created C:\Windows\SysWOW64\Najbbepc.exe Necandjo.exe File created C:\Windows\SysWOW64\Acldpojj.exe Qmoone32.exe File created C:\Windows\SysWOW64\Dhknigfq.exe Dhiacg32.exe File created C:\Windows\SysWOW64\Hfkdpp32.dll Eqpfchka.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3556 3528 WerFault.exe 253 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inffdd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okbgkk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cemfnh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kehgkgha.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcjqlm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfdigocb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfhficcn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kigidd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdonpjbi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fqbbig32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbljmd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgmndokg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjdpcnfi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okjdfq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hngbhp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jimodo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bpbadcbj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdajff32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nncaejie.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Diklpn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Filnjk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npfhjifm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbnfdpge.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnaihhgf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbajci32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fb89c3f3d15d3696be7ac789c56293344dc5c7897d2ca34ea74604e42969f823.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpnekc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ingogcke.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpckee32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbgakd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdjblboj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogiegc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpekln32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogfagmck.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Geqnho32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbihmcqp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ickaaf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojdlkp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehopnk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgibijkb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iionacad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbdpjgjf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fangfcki.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbjmhd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikqcgj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjqglf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hahoodqi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jidppaio.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdobqgpn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebhani32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Homfboco.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jilmkffb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpicceon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eahkag32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hancef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jajbfeop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Faedpdcc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edghighp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkcoee32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbneekan.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jehklc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mahgejhf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Najbbepc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfoffmhd.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Chdjpl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gdobqgpn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Acldpojj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ofphdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fbebcp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nmeohnil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nljikmpj.dll" Jmelfeqn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kldlmqml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idafbjna.dll" Lpekln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ekiaac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fbhhlo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ogpkhb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dcppmg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ehopnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plnbai32.dll" Jajbfeop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpjchk32.dll" Kldlmqml.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ogiegc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hahoodqi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odcchl32.dll" Idihponj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dldldj32.dll" Lhclfphg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Geckno32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ifljcanj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcleaanm.dll" Jnlhbb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dgehfodh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Npfhjifm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Omhjejai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pmmppm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oiqaed32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hphljkfk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajqmqmfm.dll" Hfdbji32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nhalag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jidppaio.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nndjhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkfbibki.dll" Acldpojj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aikine32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bimkbqpd.dll" Ogiegc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idiphpjd.dll" Nlnqeeeh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nppceo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oceaql32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hpehje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cjqglf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dlcfnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kmjfae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hllgeipk.dll" Pejejkhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hahoodqi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lhclfphg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gmipmlan.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eajhgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofmhcg32.dll" Ibhieo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcebdo32.dll" Hancef32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oqajqi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Neohbe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fefpfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifddhm32.dll" Inffdd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kcjqlm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajdoni32.dll" Gffmqq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iapghlbe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jfdigocb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcagbppl.dll" Kiafff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pegaje32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Geqnho32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Elaego32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aflkiapg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilgdco32.dll" Blmikkle.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2268 wrote to memory of 2216 2268 fb89c3f3d15d3696be7ac789c56293344dc5c7897d2ca34ea74604e42969f823.exe 29 PID 2268 wrote to memory of 2216 2268 fb89c3f3d15d3696be7ac789c56293344dc5c7897d2ca34ea74604e42969f823.exe 29 PID 2268 wrote to memory of 2216 2268 fb89c3f3d15d3696be7ac789c56293344dc5c7897d2ca34ea74604e42969f823.exe 29 PID 2268 wrote to memory of 2216 2268 fb89c3f3d15d3696be7ac789c56293344dc5c7897d2ca34ea74604e42969f823.exe 29 PID 2216 wrote to memory of 2992 2216 Nmeohnil.exe 30 PID 2216 wrote to memory of 2992 2216 Nmeohnil.exe 30 PID 2216 wrote to memory of 2992 2216 Nmeohnil.exe 30 PID 2216 wrote to memory of 2992 2216 Nmeohnil.exe 30 PID 2992 wrote to memory of 2984 2992 Npfhjifm.exe 31 PID 2992 wrote to memory of 2984 2992 Npfhjifm.exe 31 PID 2992 wrote to memory of 2984 2992 Npfhjifm.exe 31 PID 2992 wrote to memory of 2984 2992 Npfhjifm.exe 31 PID 2984 wrote to memory of 3024 2984 Nbgakd32.exe 32 PID 2984 wrote to memory of 3024 2984 Nbgakd32.exe 32 PID 2984 wrote to memory of 3024 2984 Nbgakd32.exe 32 PID 2984 wrote to memory of 3024 2984 Nbgakd32.exe 32 PID 3024 wrote to memory of 2804 3024 Apapcnaf.exe 33 PID 3024 wrote to memory of 2804 3024 Apapcnaf.exe 33 PID 3024 wrote to memory of 2804 3024 Apapcnaf.exe 33 PID 3024 wrote to memory of 2804 3024 Apapcnaf.exe 33 PID 2804 wrote to memory of 1640 2804 Bkddjkej.exe 34 PID 2804 wrote to memory of 1640 2804 Bkddjkej.exe 34 PID 2804 wrote to memory of 1640 2804 Bkddjkej.exe 34 PID 2804 wrote to memory of 1640 2804 Bkddjkej.exe 34 PID 1640 wrote to memory of 2248 1640 Cjqglf32.exe 35 PID 1640 wrote to memory of 2248 1640 Cjqglf32.exe 35 PID 1640 wrote to memory of 2248 1640 Cjqglf32.exe 35 PID 1640 wrote to memory of 2248 1640 Cjqglf32.exe 35 PID 2248 wrote to memory of 2764 2248 Cgmndokg.exe 36 PID 2248 wrote to memory of 2764 2248 Cgmndokg.exe 36 PID 2248 wrote to memory of 2764 2248 Cgmndokg.exe 36 PID 2248 wrote to memory of 2764 2248 Cgmndokg.exe 36 PID 2764 wrote to memory of 2160 2764 Dbneekan.exe 37 PID 2764 wrote to memory of 2160 2764 Dbneekan.exe 37 PID 2764 wrote to memory of 2160 2764 Dbneekan.exe 37 PID 2764 wrote to memory of 2160 2764 Dbneekan.exe 37 PID 2160 wrote to memory of 2308 2160 Eahkag32.exe 38 PID 2160 wrote to memory of 2308 2160 Eahkag32.exe 38 PID 2160 wrote to memory of 2308 2160 Eahkag32.exe 38 PID 2160 wrote to memory of 2308 2160 Eahkag32.exe 38 PID 2308 wrote to memory of 2384 2308 Eajhgg32.exe 39 PID 2308 wrote to memory of 2384 2308 Eajhgg32.exe 39 PID 2308 wrote to memory of 2384 2308 Eajhgg32.exe 39 PID 2308 wrote to memory of 2384 2308 Eajhgg32.exe 39 PID 2384 wrote to memory of 1848 2384 Fefpfi32.exe 40 PID 2384 wrote to memory of 1848 2384 Fefpfi32.exe 40 PID 2384 wrote to memory of 1848 2384 Fefpfi32.exe 40 PID 2384 wrote to memory of 1848 2384 Fefpfi32.exe 40 PID 1848 wrote to memory of 1588 1848 Fondonbc.exe 41 PID 1848 wrote to memory of 1588 1848 Fondonbc.exe 41 PID 1848 wrote to memory of 1588 1848 Fondonbc.exe 41 PID 1848 wrote to memory of 1588 1848 Fondonbc.exe 41 PID 1588 wrote to memory of 1680 1588 Hhhblgim.exe 42 PID 1588 wrote to memory of 1680 1588 Hhhblgim.exe 42 PID 1588 wrote to memory of 1680 1588 Hhhblgim.exe 42 PID 1588 wrote to memory of 1680 1588 Hhhblgim.exe 42 PID 1680 wrote to memory of 2480 1680 Hmfkbeoc.exe 43 PID 1680 wrote to memory of 2480 1680 Hmfkbeoc.exe 43 PID 1680 wrote to memory of 2480 1680 Hmfkbeoc.exe 43 PID 1680 wrote to memory of 2480 1680 Hmfkbeoc.exe 43 PID 2480 wrote to memory of 2620 2480 Imidgh32.exe 44 PID 2480 wrote to memory of 2620 2480 Imidgh32.exe 44 PID 2480 wrote to memory of 2620 2480 Imidgh32.exe 44 PID 2480 wrote to memory of 2620 2480 Imidgh32.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\fb89c3f3d15d3696be7ac789c56293344dc5c7897d2ca34ea74604e42969f823.exe"C:\Users\Admin\AppData\Local\Temp\fb89c3f3d15d3696be7ac789c56293344dc5c7897d2ca34ea74604e42969f823.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2268 -
C:\Windows\SysWOW64\Nmeohnil.exeC:\Windows\system32\Nmeohnil.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2216 -
C:\Windows\SysWOW64\Npfhjifm.exeC:\Windows\system32\Npfhjifm.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2992 -
C:\Windows\SysWOW64\Nbgakd32.exeC:\Windows\system32\Nbgakd32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2984 -
C:\Windows\SysWOW64\Apapcnaf.exeC:\Windows\system32\Apapcnaf.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3024 -
C:\Windows\SysWOW64\Bkddjkej.exeC:\Windows\system32\Bkddjkej.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2804 -
C:\Windows\SysWOW64\Cjqglf32.exeC:\Windows\system32\Cjqglf32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1640 -
C:\Windows\SysWOW64\Cgmndokg.exeC:\Windows\system32\Cgmndokg.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2248 -
C:\Windows\SysWOW64\Dbneekan.exeC:\Windows\system32\Dbneekan.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2764 -
C:\Windows\SysWOW64\Eahkag32.exeC:\Windows\system32\Eahkag32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2160 -
C:\Windows\SysWOW64\Eajhgg32.exeC:\Windows\system32\Eajhgg32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2308 -
C:\Windows\SysWOW64\Fefpfi32.exeC:\Windows\system32\Fefpfi32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2384 -
C:\Windows\SysWOW64\Fondonbc.exeC:\Windows\system32\Fondonbc.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1848 -
C:\Windows\SysWOW64\Hhhblgim.exeC:\Windows\system32\Hhhblgim.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1588 -
C:\Windows\SysWOW64\Hmfkbeoc.exeC:\Windows\system32\Hmfkbeoc.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1680 -
C:\Windows\SysWOW64\Imidgh32.exeC:\Windows\system32\Imidgh32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2480 -
C:\Windows\SysWOW64\Ibhieo32.exeC:\Windows\system32\Ibhieo32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2620 -
C:\Windows\SysWOW64\Kpiihgoh.exeC:\Windows\system32\Kpiihgoh.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:896 -
C:\Windows\SysWOW64\Ojdlkp32.exeC:\Windows\system32\Ojdlkp32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1780 -
C:\Windows\SysWOW64\Bohoogbk.exeC:\Windows\system32\Bohoogbk.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2024 -
C:\Windows\SysWOW64\Dkolblkk.exeC:\Windows\system32\Dkolblkk.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:304 -
C:\Windows\SysWOW64\Dlcfnk32.exeC:\Windows\system32\Dlcfnk32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:320 -
C:\Windows\SysWOW64\Dcojbm32.exeC:\Windows\system32\Dcojbm32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1552 -
C:\Windows\SysWOW64\Ehopnk32.exeC:\Windows\system32\Ehopnk32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1984 -
C:\Windows\SysWOW64\Ebhani32.exeC:\Windows\system32\Ebhani32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:872 -
C:\Windows\SysWOW64\Elaego32.exeC:\Windows\system32\Elaego32.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:652 -
C:\Windows\SysWOW64\Eoanij32.exeC:\Windows\system32\Eoanij32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2956 -
C:\Windows\SysWOW64\Faedpdcc.exeC:\Windows\system32\Faedpdcc.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2072 -
C:\Windows\SysWOW64\Fbdpjgjf.exeC:\Windows\system32\Fbdpjgjf.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:828 -
C:\Windows\SysWOW64\Fgibijkb.exeC:\Windows\system32\Fgibijkb.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2740 -
C:\Windows\SysWOW64\Fangfcki.exeC:\Windows\system32\Fangfcki.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2560 -
C:\Windows\SysWOW64\Gljdlq32.exeC:\Windows\system32\Gljdlq32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2284 -
C:\Windows\SysWOW64\Gkancm32.exeC:\Windows\system32\Gkancm32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1496 -
C:\Windows\SysWOW64\Gdjblboj.exeC:\Windows\system32\Gdjblboj.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1724 -
C:\Windows\SysWOW64\Hancef32.exeC:\Windows\system32\Hancef32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2600 -
C:\Windows\SysWOW64\Hfdbji32.exeC:\Windows\system32\Hfdbji32.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2372 -
C:\Windows\SysWOW64\Homfboco.exeC:\Windows\system32\Homfboco.exe37⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3032 -
C:\Windows\SysWOW64\Iiekkdjo.exeC:\Windows\system32\Iiekkdjo.exe38⤵
- Executes dropped EXE
PID:2368 -
C:\Windows\SysWOW64\Icmlnmgb.exeC:\Windows\system32\Icmlnmgb.exe39⤵
- Executes dropped EXE
PID:2640 -
C:\Windows\SysWOW64\Ibbioilj.exeC:\Windows\system32\Ibbioilj.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2180 -
C:\Windows\SysWOW64\Iionacad.exeC:\Windows\system32\Iionacad.exe41⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2684 -
C:\Windows\SysWOW64\Jajbfeop.exeC:\Windows\system32\Jajbfeop.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:940 -
C:\Windows\SysWOW64\Jehklc32.exeC:\Windows\system32\Jehklc32.exe43⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1560 -
C:\Windows\SysWOW64\Jjdcdjcm.exeC:\Windows\system32\Jjdcdjcm.exe44⤵
- Executes dropped EXE
PID:2324 -
C:\Windows\SysWOW64\Jmelfeqn.exeC:\Windows\system32\Jmelfeqn.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:1752 -
C:\Windows\SysWOW64\Jilmkffb.exeC:\Windows\system32\Jilmkffb.exe46⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1248 -
C:\Windows\SysWOW64\Kmjfae32.exeC:\Windows\system32\Kmjfae32.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:432 -
C:\Windows\SysWOW64\Kiafff32.exeC:\Windows\system32\Kiafff32.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:2260 -
C:\Windows\SysWOW64\Kehgkgha.exeC:\Windows\system32\Kehgkgha.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2632 -
C:\Windows\SysWOW64\Kjdpcnfi.exeC:\Windows\system32\Kjdpcnfi.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1600 -
C:\Windows\SysWOW64\Kldlmqml.exeC:\Windows\system32\Kldlmqml.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:2952 -
C:\Windows\SysWOW64\Linfpi32.exeC:\Windows\system32\Linfpi32.exe52⤵
- Executes dropped EXE
PID:2868 -
C:\Windows\SysWOW64\Mdajff32.exeC:\Windows\system32\Mdajff32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2880 -
C:\Windows\SysWOW64\Mahgejhf.exeC:\Windows\system32\Mahgejhf.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2800 -
C:\Windows\SysWOW64\Mjcljlea.exeC:\Windows\system32\Mjcljlea.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2572 -
C:\Windows\SysWOW64\Mjeholco.exeC:\Windows\system32\Mjeholco.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2824 -
C:\Windows\SysWOW64\Nncaejie.exeC:\Windows\system32\Nncaejie.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2816 -
C:\Windows\SysWOW64\Ncpjnahm.exeC:\Windows\system32\Ncpjnahm.exe58⤵
- Executes dropped EXE
PID:2584 -
C:\Windows\SysWOW64\Ncbfcq32.exeC:\Windows\system32\Ncbfcq32.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2380 -
C:\Windows\SysWOW64\Nkmkgc32.exeC:\Windows\system32\Nkmkgc32.exe60⤵
- Executes dropped EXE
PID:1824 -
C:\Windows\SysWOW64\Nhalag32.exeC:\Windows\system32\Nhalag32.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:2404 -
C:\Windows\SysWOW64\Nidhfgpl.exeC:\Windows\system32\Nidhfgpl.exe62⤵
- Executes dropped EXE
PID:2184 -
C:\Windows\SysWOW64\Ogiegc32.exeC:\Windows\system32\Ogiegc32.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2152 -
C:\Windows\SysWOW64\Oqajqi32.exeC:\Windows\system32\Oqajqi32.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2516 -
C:\Windows\SysWOW64\Omhjejai.exeC:\Windows\system32\Omhjejai.exe65⤵
- Executes dropped EXE
- Modifies registry class
PID:1508 -
C:\Windows\SysWOW64\Ofqonp32.exeC:\Windows\system32\Ofqonp32.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2008 -
C:\Windows\SysWOW64\Ogpkhb32.exeC:\Windows\system32\Ogpkhb32.exe67⤵
- Drops file in System32 directory
- Modifies registry class
PID:1776 -
C:\Windows\SysWOW64\Obilip32.exeC:\Windows\system32\Obilip32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1808 -
C:\Windows\SysWOW64\Pejejkhl.exeC:\Windows\system32\Pejejkhl.exe69⤵
- Modifies registry class
PID:2488 -
C:\Windows\SysWOW64\Pbnfdpge.exeC:\Windows\system32\Pbnfdpge.exe70⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1608 -
C:\Windows\SysWOW64\Pnefiq32.exeC:\Windows\system32\Pnefiq32.exe71⤵
- Drops file in System32 directory
PID:2852 -
C:\Windows\SysWOW64\Phmkaf32.exeC:\Windows\system32\Phmkaf32.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2940 -
C:\Windows\SysWOW64\Pmmppm32.exeC:\Windows\system32\Pmmppm32.exe73⤵
- Modifies registry class
PID:2744 -
C:\Windows\SysWOW64\Amaiklki.exeC:\Windows\system32\Amaiklki.exe74⤵PID:2768
-
C:\Windows\SysWOW64\Abnbccia.exeC:\Windows\system32\Abnbccia.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2396 -
C:\Windows\SysWOW64\Aflkiapg.exeC:\Windows\system32\Aflkiapg.exe76⤵
- Drops file in System32 directory
- Modifies registry class
PID:2552 -
C:\Windows\SysWOW64\Alicahno.exeC:\Windows\system32\Alicahno.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3056 -
C:\Windows\SysWOW64\Aimckl32.exeC:\Windows\system32\Aimckl32.exe78⤵PID:1340
-
C:\Windows\SysWOW64\Aecdpmbm.exeC:\Windows\system32\Aecdpmbm.exe79⤵PID:2676
-
C:\Windows\SysWOW64\Aolihc32.exeC:\Windows\system32\Aolihc32.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2112 -
C:\Windows\SysWOW64\Bhfjgh32.exeC:\Windows\system32\Bhfjgh32.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1028 -
C:\Windows\SysWOW64\Baakem32.exeC:\Windows\system32\Baakem32.exe82⤵PID:400
-
C:\Windows\SysWOW64\Bjlpjp32.exeC:\Windows\system32\Bjlpjp32.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1384 -
C:\Windows\SysWOW64\Blmikkle.exeC:\Windows\system32\Blmikkle.exe84⤵
- Modifies registry class
PID:2652 -
C:\Windows\SysWOW64\Chdjpl32.exeC:\Windows\system32\Chdjpl32.exe85⤵
- Modifies registry class
PID:816 -
C:\Windows\SysWOW64\Cbagdq32.exeC:\Windows\system32\Cbagdq32.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1488 -
C:\Windows\SysWOW64\Cgnpmg32.exeC:\Windows\system32\Cgnpmg32.exe87⤵PID:2972
-
C:\Windows\SysWOW64\Cqfdem32.exeC:\Windows\system32\Cqfdem32.exe88⤵PID:1104
-
C:\Windows\SysWOW64\Dnjeoa32.exeC:\Windows\system32\Dnjeoa32.exe89⤵PID:2784
-
C:\Windows\SysWOW64\Dgbiggof.exeC:\Windows\system32\Dgbiggof.exe90⤵PID:2220
-
C:\Windows\SysWOW64\Dqknqleg.exeC:\Windows\system32\Dqknqleg.exe91⤵
- Drops file in System32 directory
PID:1240 -
C:\Windows\SysWOW64\Dfhficcn.exeC:\Windows\system32\Dfhficcn.exe92⤵
- System Location Discovery: System Language Discovery
PID:3048 -
C:\Windows\SysWOW64\Dqmkflcd.exeC:\Windows\system32\Dqmkflcd.exe93⤵PID:632
-
C:\Windows\SysWOW64\Dqpgll32.exeC:\Windows\system32\Dqpgll32.exe94⤵PID:2400
-
C:\Windows\SysWOW64\Diklpn32.exeC:\Windows\system32\Diklpn32.exe95⤵
- System Location Discovery: System Language Discovery
PID:2388 -
C:\Windows\SysWOW64\Dcppmg32.exeC:\Windows\system32\Dcppmg32.exe96⤵
- Drops file in System32 directory
- Modifies registry class
PID:1796 -
C:\Windows\SysWOW64\Hahoodqi.exeC:\Windows\system32\Hahoodqi.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2896 -
C:\Windows\SysWOW64\Ikqcgj32.exeC:\Windows\system32\Ikqcgj32.exe98⤵
- System Location Discovery: System Language Discovery
PID:2300 -
C:\Windows\SysWOW64\Idihponj.exeC:\Windows\system32\Idihponj.exe99⤵
- Modifies registry class
PID:2060 -
C:\Windows\SysWOW64\Ikembicd.exeC:\Windows\system32\Ikembicd.exe100⤵PID:2512
-
C:\Windows\SysWOW64\Inffdd32.exeC:\Windows\system32\Inffdd32.exe101⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3020 -
C:\Windows\SysWOW64\Iccnmk32.exeC:\Windows\system32\Iccnmk32.exe102⤵PID:1380
-
C:\Windows\SysWOW64\Imkbeqem.exeC:\Windows\system32\Imkbeqem.exe103⤵
- Drops file in System32 directory
PID:2904 -
C:\Windows\SysWOW64\Jbhkngcd.exeC:\Windows\system32\Jbhkngcd.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:884 -
C:\Windows\SysWOW64\Jchhhjjg.exeC:\Windows\system32\Jchhhjjg.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1332 -
C:\Windows\SysWOW64\Jidppaio.exeC:\Windows\system32\Jidppaio.exe106⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2948 -
C:\Windows\SysWOW64\Jnaihhgf.exeC:\Windows\system32\Jnaihhgf.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2104 -
C:\Windows\SysWOW64\Jgjman32.exeC:\Windows\system32\Jgjman32.exe108⤵
- Drops file in System32 directory
PID:2608 -
C:\Windows\SysWOW64\Jncenh32.exeC:\Windows\system32\Jncenh32.exe109⤵
- Drops file in System32 directory
PID:916 -
C:\Windows\SysWOW64\Jepjpajn.exeC:\Windows\system32\Jepjpajn.exe110⤵PID:948
-
C:\Windows\SysWOW64\Knkkngol.exeC:\Windows\system32\Knkkngol.exe111⤵PID:1704
-
C:\Windows\SysWOW64\Kjalch32.exeC:\Windows\system32\Kjalch32.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1284 -
C:\Windows\SysWOW64\Kcjqlm32.exeC:\Windows\system32\Kcjqlm32.exe113⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2520 -
C:\Windows\SysWOW64\Kigidd32.exeC:\Windows\system32\Kigidd32.exe114⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1692 -
C:\Windows\SysWOW64\Kbajci32.exeC:\Windows\system32\Kbajci32.exe115⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2704 -
C:\Windows\SysWOW64\Lpekln32.exeC:\Windows\system32\Lpekln32.exe116⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2336 -
C:\Windows\SysWOW64\Lhclfphg.exeC:\Windows\system32\Lhclfphg.exe117⤵
- Modifies registry class
PID:1756 -
C:\Windows\SysWOW64\Ldjmkq32.exeC:\Windows\system32\Ldjmkq32.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2144 -
C:\Windows\SysWOW64\Lgjfmlkm.exeC:\Windows\system32\Lgjfmlkm.exe119⤵PID:1804
-
C:\Windows\SysWOW64\Mpcjfa32.exeC:\Windows\system32\Mpcjfa32.exe120⤵PID:2932
-
C:\Windows\SysWOW64\Mgmbbkij.exeC:\Windows\system32\Mgmbbkij.exe121⤵PID:956
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-