Analysis
-
max time kernel
79s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
19/09/2024, 04:43
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
b935e67f7e6d7f5db381f4f1619fab8f2e48c450710c8462947e45a1e32becacN.exe
Resource
win7-20240704-en
windows7-x64
9 signatures
120 seconds
Behavioral task
behavioral2
Sample
b935e67f7e6d7f5db381f4f1619fab8f2e48c450710c8462947e45a1e32becacN.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
8 signatures
120 seconds
General
-
Target
b935e67f7e6d7f5db381f4f1619fab8f2e48c450710c8462947e45a1e32becacN.exe
-
Size
64KB
-
MD5
4b5ff5e6dc72807ad9a5cbffbc757f00
-
SHA1
b7fa8c717df29184e167f00affb40108b76393ad
-
SHA256
b935e67f7e6d7f5db381f4f1619fab8f2e48c450710c8462947e45a1e32becac
-
SHA512
3c1d6f26009529dbdabc3e2d7e7b69f3d9dd9db5ea3626374d22ce7877360f0cebeb2e5adff9579a9c230a999d7e16b24b3bc6cac198b903cb8a506bedce2553
-
SSDEEP
1536:AlOswwSzrfI/oNiZTqmGyzwAAWhSR8mCMqWgNtn:AlAw8fpcGDNWmCFWgL
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpidki32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkcekfad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dlofgj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbnmienj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hapklimq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oeindm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pbagipfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aomnhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjbndpmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hkolakkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Blinefnd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lgmeid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdmban32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Olkifaen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aacmij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oeindm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ibejdjln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ijqoilii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hcdgmimg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnpdcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Legaoehg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmkcil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hkjkle32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbgmigeq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpkmcldj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhkeohhn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldbaopdj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjilmejf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mchoid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nbhhdnlh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bmlael32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnleiipc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Goldfelp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ikjhki32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kageia32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hdlkcdog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jeafjiop.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmbgfkje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jllqplnp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljghjpfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkephn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njfjnpgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nabopjmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Afdiondb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qobbofgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajqljc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfdenafn.exe -
Executes dropped EXE 64 IoCs
pid Process 2972 Hipmmg32.exe 2076 Hhcmhdke.exe 2748 Hnmeen32.exe 2760 Hlafnbal.exe 2724 Hnpbjnpo.exe 2648 Hdlkcdog.exe 2640 Hlccdboi.exe 2300 Hapklimq.exe 488 Hhjcic32.exe 588 Hmglajcd.exe 2092 Ifoqjo32.exe 1492 Iaeegh32.exe 380 Ifampo32.exe 2308 Ipjahd32.exe 848 Ibhndp32.exe 1592 Ibkkjp32.exe 448 Ipokcdjn.exe 2024 Ioakoq32.exe 1872 Ielclkhe.exe 888 Jhjphfgi.exe 2432 Jkhldafl.exe 1644 Jbpdeogo.exe 2388 Jabdql32.exe 2428 Jhlmmfef.exe 1792 Jepmgj32.exe 1928 Jkmeoa32.exe 2280 Jnkakl32.exe 2712 Jagnlkjd.exe 2756 Jjbbpmgo.exe 2732 Jckgicnp.exe 2896 Jkbojpna.exe 2664 Jnpkflne.exe 2660 Kcmcoblm.exe 3064 Kgkleabc.exe 108 Kjihalag.exe 1092 Klhemhpk.exe 2928 Kbdmeoob.exe 2708 Kjleflod.exe 548 Kbgjkn32.exe 2416 Kllnhg32.exe 1860 Knnkpobc.exe 2112 Kfebambf.exe 1468 Kgfoie32.exe 2992 Lblcfnhj.exe 1124 Lghlndfa.exe 1624 Ljghjpfe.exe 2360 Lqqpgj32.exe 1776 Lgkhdddo.exe 1040 Lkfddc32.exe 1448 Lneaqn32.exe 3068 Lmgalkcf.exe 1580 Ldoimh32.exe 2736 Lgmeid32.exe 2996 Lfpeeqig.exe 2616 Lngnfnji.exe 1540 Lmjnak32.exe 2460 Lohjnf32.exe 1808 Lcdfnehp.exe 2792 Ljnnko32.exe 2596 Liqoflfh.exe 2316 Lmljgj32.exe 1260 Lokgcf32.exe 1056 Lbicoamh.exe 956 Mjpkqonj.exe -
Loads dropped DLL 64 IoCs
pid Process 1196 b935e67f7e6d7f5db381f4f1619fab8f2e48c450710c8462947e45a1e32becacN.exe 1196 b935e67f7e6d7f5db381f4f1619fab8f2e48c450710c8462947e45a1e32becacN.exe 2972 Hipmmg32.exe 2972 Hipmmg32.exe 2076 Hhcmhdke.exe 2076 Hhcmhdke.exe 2748 Hnmeen32.exe 2748 Hnmeen32.exe 2760 Hlafnbal.exe 2760 Hlafnbal.exe 2724 Hnpbjnpo.exe 2724 Hnpbjnpo.exe 2648 Hdlkcdog.exe 2648 Hdlkcdog.exe 2640 Hlccdboi.exe 2640 Hlccdboi.exe 2300 Hapklimq.exe 2300 Hapklimq.exe 488 Hhjcic32.exe 488 Hhjcic32.exe 588 Hmglajcd.exe 588 Hmglajcd.exe 2092 Ifoqjo32.exe 2092 Ifoqjo32.exe 1492 Iaeegh32.exe 1492 Iaeegh32.exe 380 Ifampo32.exe 380 Ifampo32.exe 2308 Ipjahd32.exe 2308 Ipjahd32.exe 848 Ibhndp32.exe 848 Ibhndp32.exe 1592 Ibkkjp32.exe 1592 Ibkkjp32.exe 448 Ipokcdjn.exe 448 Ipokcdjn.exe 2024 Ioakoq32.exe 2024 Ioakoq32.exe 1872 Ielclkhe.exe 1872 Ielclkhe.exe 888 Jhjphfgi.exe 888 Jhjphfgi.exe 2432 Jkhldafl.exe 2432 Jkhldafl.exe 1644 Jbpdeogo.exe 1644 Jbpdeogo.exe 2388 Jabdql32.exe 2388 Jabdql32.exe 2428 Jhlmmfef.exe 2428 Jhlmmfef.exe 1792 Jepmgj32.exe 1792 Jepmgj32.exe 1928 Jkmeoa32.exe 1928 Jkmeoa32.exe 2280 Jnkakl32.exe 2280 Jnkakl32.exe 2712 Jagnlkjd.exe 2712 Jagnlkjd.exe 2756 Jjbbpmgo.exe 2756 Jjbbpmgo.exe 2732 Jckgicnp.exe 2732 Jckgicnp.exe 2896 Jkbojpna.exe 2896 Jkbojpna.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Maojpk32.dll Lqqpgj32.exe File opened for modification C:\Windows\SysWOW64\Fkqlgc32.exe Flnlkgjq.exe File created C:\Windows\SysWOW64\Hddmjk32.exe Hmmdin32.exe File opened for modification C:\Windows\SysWOW64\Ijnnao32.exe Process not Found File created C:\Windows\SysWOW64\Ffcnqe32.dll Process not Found File created C:\Windows\SysWOW64\Hmglajcd.exe Hhjcic32.exe File created C:\Windows\SysWOW64\Pleofj32.exe Pnbojmmp.exe File created C:\Windows\SysWOW64\Gdnibjgk.dll Diidjpbe.exe File created C:\Windows\SysWOW64\Fijjok32.dll Hnpdcf32.exe File created C:\Windows\SysWOW64\Jfdhmk32.exe Jhahanie.exe File created C:\Windows\SysWOW64\Iocgfhhc.exe Hmdkjmip.exe File opened for modification C:\Windows\SysWOW64\Lohjnf32.exe Lmjnak32.exe File created C:\Windows\SysWOW64\Okdmjdol.exe Odjdmjgo.exe File opened for modification C:\Windows\SysWOW64\Bddbjhlp.exe Bcbfbp32.exe File created C:\Windows\SysWOW64\Boifga32.exe Bhonjg32.exe File created C:\Windows\SysWOW64\Anldhe32.dll Lljipmdl.exe File opened for modification C:\Windows\SysWOW64\Ckhpejbf.exe Process not Found File created C:\Windows\SysWOW64\Ipfbma32.dll Klhemhpk.exe File created C:\Windows\SysWOW64\Ncfoch32.exe Nagbgl32.exe File created C:\Windows\SysWOW64\Gbccnjjb.dll Gckdgjeb.exe File created C:\Windows\SysWOW64\Ckhfpp32.exe Process not Found File created C:\Windows\SysWOW64\Ejfekbaf.dll Process not Found File created C:\Windows\SysWOW64\Fgdnnl32.exe Edfbaabj.exe File created C:\Windows\SysWOW64\Qkfocaki.exe Qcogbdkg.exe File created C:\Windows\SysWOW64\Dmcjgd32.dll Process not Found File created C:\Windows\SysWOW64\Qcogbdkg.exe Qdlggg32.exe File created C:\Windows\SysWOW64\Gcmamj32.exe Glchpp32.exe File created C:\Windows\SysWOW64\Gmmabb32.dll Kindeddf.exe File opened for modification C:\Windows\SysWOW64\Ndlpdbnj.exe Process not Found File created C:\Windows\SysWOW64\Pfikokgf.dll Process not Found File created C:\Windows\SysWOW64\Cojeomee.exe Process not Found File created C:\Windows\SysWOW64\Nibqqh32.exe Nbhhdnlh.exe File created C:\Windows\SysWOW64\Obahbj32.dll Bdqlajbb.exe File created C:\Windows\SysWOW64\Felajbpg.exe Foahmh32.exe File opened for modification C:\Windows\SysWOW64\Nfigck32.exe Nckkgp32.exe File opened for modification C:\Windows\SysWOW64\Igebkiof.exe Icifjk32.exe File created C:\Windows\SysWOW64\Iciopdca.exe Process not Found File created C:\Windows\SysWOW64\Mhdpnm32.exe Process not Found File created C:\Windows\SysWOW64\Fggkcl32.exe Fhdjgoha.exe File created C:\Windows\SysWOW64\Dodohnaa.dll Process not Found File created C:\Windows\SysWOW64\Lfoojj32.exe Lnhgim32.exe File created C:\Windows\SysWOW64\Bmnnkl32.exe Bfdenafn.exe File created C:\Windows\SysWOW64\Kjpndcho.dll Kocpbfei.exe File opened for modification C:\Windows\SysWOW64\Khojcj32.exe Process not Found File created C:\Windows\SysWOW64\Njbdea32.exe Ndhlhg32.exe File created C:\Windows\SysWOW64\Cqfbjhgf.exe Cjljnn32.exe File created C:\Windows\SysWOW64\Ejdphkml.dll Process not Found File opened for modification C:\Windows\SysWOW64\Nagbgl32.exe Mnifja32.exe File created C:\Windows\SysWOW64\Jamajj32.dll Flclam32.exe File opened for modification C:\Windows\SysWOW64\Difqji32.exe Dfhdnn32.exe File opened for modification C:\Windows\SysWOW64\Gamnhq32.exe Gkcekfad.exe File created C:\Windows\SysWOW64\Aphdkpjd.dll Process not Found File created C:\Windows\SysWOW64\Qaipli32.dll Olkfmi32.exe File created C:\Windows\SysWOW64\Fgnadkic.exe Fcbecl32.exe File created C:\Windows\SysWOW64\Fjjdbf32.dll Aiaoclgl.exe File created C:\Windows\SysWOW64\Fppfih32.dll Process not Found File created C:\Windows\SysWOW64\Lophacfl.exe Process not Found File created C:\Windows\SysWOW64\Ldmffpom.dll Anneqafn.exe File created C:\Windows\SysWOW64\Lpopbabj.dll Heliepmn.exe File opened for modification C:\Windows\SysWOW64\Ibkmchbh.exe Ichmgl32.exe File created C:\Windows\SysWOW64\Ljnqdhga.exe Lgpdglhn.exe File opened for modification C:\Windows\SysWOW64\Mbqkiind.exe Mobomnoq.exe File opened for modification C:\Windows\SysWOW64\Ifpelq32.exe Process not Found File created C:\Windows\SysWOW64\Ifengpdh.exe Process not Found -
Program crash 1 IoCs
pid pid_target Process procid_target 3264 5812 Process not Found 1522 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acnjnh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opqoge32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qnghel32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbofmcij.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qngopb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emaijk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmlddeio.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qejpoi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmkcil32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Folhgbid.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icifjk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmpcca32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhdjgoha.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nallalep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bddbjhlp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hapklimq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlgimqhf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oibmpl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbnmienj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lncfcgeb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qobbofgn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opialpld.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccnifd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbgobp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eoblnd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Copjdhib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iefcfe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhfefgkg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkqqnq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpgobc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhljkm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kljdkpfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlhnifmq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmfmojcb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anogijnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfkapb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfncpcoc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnnnnh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkpfmnlb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dppigchi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncfoch32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijnbcmkk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbidne32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Leikbd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgbfnngi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oeindm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhjphfgi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmdhad32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cpfmmf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amponajh.dll" Clmdmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bocndipc.dll" Igebkiof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmkac32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gknfqppk.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ajqljc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dpkibo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gbadjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cileqlmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hqkmplen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nfdkoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhkdkaa.dll" Hfhcoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nckljk32.dll" Ijqoilii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lhnkffeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqbidn32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igooceih.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Okdmjdol.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Apgagg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbkboega.dll" Kjeglh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glehgdkn.dll" Ijibng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jaadfcpf.dll" Indnnfdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjbpqjma.dll" Ghdiokbq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dahifbpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djbfplfp.dll" Lfoojj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nbflno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmoloenf.dll" Pafdjmkq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inhcgajk.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lfpeeqig.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ecnoijbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kkjnnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pcljmdmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfnnbf32.dll" Fqalaa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gneijien.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeebeabe.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hmglajcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kgfoie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lkfddc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfhmhm32.dll" Epbpbnan.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Meabakda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnknlm32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilmbdp32.dll" Hofngkga.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Icifjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jkhldafl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kjleflod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcfmdh32.dll" Pckajebj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kccllg32.dll" Ljfapjbi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Liqoflfh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpehmcmg.dll" Jgabdlfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfefmpeo.dll" Bqijljfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njboon32.dll" Icncgf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kbhbai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ncfoch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qgmfchei.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpbffcca.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ghajacmo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nplimbka.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bmlael32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbcqjf32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pcbncfjd.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1196 wrote to memory of 2972 1196 b935e67f7e6d7f5db381f4f1619fab8f2e48c450710c8462947e45a1e32becacN.exe 30 PID 1196 wrote to memory of 2972 1196 b935e67f7e6d7f5db381f4f1619fab8f2e48c450710c8462947e45a1e32becacN.exe 30 PID 1196 wrote to memory of 2972 1196 b935e67f7e6d7f5db381f4f1619fab8f2e48c450710c8462947e45a1e32becacN.exe 30 PID 1196 wrote to memory of 2972 1196 b935e67f7e6d7f5db381f4f1619fab8f2e48c450710c8462947e45a1e32becacN.exe 30 PID 2972 wrote to memory of 2076 2972 Hipmmg32.exe 31 PID 2972 wrote to memory of 2076 2972 Hipmmg32.exe 31 PID 2972 wrote to memory of 2076 2972 Hipmmg32.exe 31 PID 2972 wrote to memory of 2076 2972 Hipmmg32.exe 31 PID 2076 wrote to memory of 2748 2076 Hhcmhdke.exe 32 PID 2076 wrote to memory of 2748 2076 Hhcmhdke.exe 32 PID 2076 wrote to memory of 2748 2076 Hhcmhdke.exe 32 PID 2076 wrote to memory of 2748 2076 Hhcmhdke.exe 32 PID 2748 wrote to memory of 2760 2748 Hnmeen32.exe 33 PID 2748 wrote to memory of 2760 2748 Hnmeen32.exe 33 PID 2748 wrote to memory of 2760 2748 Hnmeen32.exe 33 PID 2748 wrote to memory of 2760 2748 Hnmeen32.exe 33 PID 2760 wrote to memory of 2724 2760 Hlafnbal.exe 34 PID 2760 wrote to memory of 2724 2760 Hlafnbal.exe 34 PID 2760 wrote to memory of 2724 2760 Hlafnbal.exe 34 PID 2760 wrote to memory of 2724 2760 Hlafnbal.exe 34 PID 2724 wrote to memory of 2648 2724 Hnpbjnpo.exe 35 PID 2724 wrote to memory of 2648 2724 Hnpbjnpo.exe 35 PID 2724 wrote to memory of 2648 2724 Hnpbjnpo.exe 35 PID 2724 wrote to memory of 2648 2724 Hnpbjnpo.exe 35 PID 2648 wrote to memory of 2640 2648 Hdlkcdog.exe 36 PID 2648 wrote to memory of 2640 2648 Hdlkcdog.exe 36 PID 2648 wrote to memory of 2640 2648 Hdlkcdog.exe 36 PID 2648 wrote to memory of 2640 2648 Hdlkcdog.exe 36 PID 2640 wrote to memory of 2300 2640 Hlccdboi.exe 37 PID 2640 wrote to memory of 2300 2640 Hlccdboi.exe 37 PID 2640 wrote to memory of 2300 2640 Hlccdboi.exe 37 PID 2640 wrote to memory of 2300 2640 Hlccdboi.exe 37 PID 2300 wrote to memory of 488 2300 Hapklimq.exe 38 PID 2300 wrote to memory of 488 2300 Hapklimq.exe 38 PID 2300 wrote to memory of 488 2300 Hapklimq.exe 38 PID 2300 wrote to memory of 488 2300 Hapklimq.exe 38 PID 488 wrote to memory of 588 488 Hhjcic32.exe 39 PID 488 wrote to memory of 588 488 Hhjcic32.exe 39 PID 488 wrote to memory of 588 488 Hhjcic32.exe 39 PID 488 wrote to memory of 588 488 Hhjcic32.exe 39 PID 588 wrote to memory of 2092 588 Hmglajcd.exe 40 PID 588 wrote to memory of 2092 588 Hmglajcd.exe 40 PID 588 wrote to memory of 2092 588 Hmglajcd.exe 40 PID 588 wrote to memory of 2092 588 Hmglajcd.exe 40 PID 2092 wrote to memory of 1492 2092 Ifoqjo32.exe 41 PID 2092 wrote to memory of 1492 2092 Ifoqjo32.exe 41 PID 2092 wrote to memory of 1492 2092 Ifoqjo32.exe 41 PID 2092 wrote to memory of 1492 2092 Ifoqjo32.exe 41 PID 1492 wrote to memory of 380 1492 Iaeegh32.exe 42 PID 1492 wrote to memory of 380 1492 Iaeegh32.exe 42 PID 1492 wrote to memory of 380 1492 Iaeegh32.exe 42 PID 1492 wrote to memory of 380 1492 Iaeegh32.exe 42 PID 380 wrote to memory of 2308 380 Ifampo32.exe 43 PID 380 wrote to memory of 2308 380 Ifampo32.exe 43 PID 380 wrote to memory of 2308 380 Ifampo32.exe 43 PID 380 wrote to memory of 2308 380 Ifampo32.exe 43 PID 2308 wrote to memory of 848 2308 Ipjahd32.exe 44 PID 2308 wrote to memory of 848 2308 Ipjahd32.exe 44 PID 2308 wrote to memory of 848 2308 Ipjahd32.exe 44 PID 2308 wrote to memory of 848 2308 Ipjahd32.exe 44 PID 848 wrote to memory of 1592 848 Ibhndp32.exe 45 PID 848 wrote to memory of 1592 848 Ibhndp32.exe 45 PID 848 wrote to memory of 1592 848 Ibhndp32.exe 45 PID 848 wrote to memory of 1592 848 Ibhndp32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\b935e67f7e6d7f5db381f4f1619fab8f2e48c450710c8462947e45a1e32becacN.exe"C:\Users\Admin\AppData\Local\Temp\b935e67f7e6d7f5db381f4f1619fab8f2e48c450710c8462947e45a1e32becacN.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1196 -
C:\Windows\SysWOW64\Hipmmg32.exeC:\Windows\system32\Hipmmg32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2972 -
C:\Windows\SysWOW64\Hhcmhdke.exeC:\Windows\system32\Hhcmhdke.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2076 -
C:\Windows\SysWOW64\Hnmeen32.exeC:\Windows\system32\Hnmeen32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\Windows\SysWOW64\Hlafnbal.exeC:\Windows\system32\Hlafnbal.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Windows\SysWOW64\Hnpbjnpo.exeC:\Windows\system32\Hnpbjnpo.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2724 -
C:\Windows\SysWOW64\Hdlkcdog.exeC:\Windows\system32\Hdlkcdog.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2648 -
C:\Windows\SysWOW64\Hlccdboi.exeC:\Windows\system32\Hlccdboi.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2640 -
C:\Windows\SysWOW64\Hapklimq.exeC:\Windows\system32\Hapklimq.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2300 -
C:\Windows\SysWOW64\Hhjcic32.exeC:\Windows\system32\Hhjcic32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:488 -
C:\Windows\SysWOW64\Hmglajcd.exeC:\Windows\system32\Hmglajcd.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:588 -
C:\Windows\SysWOW64\Ifoqjo32.exeC:\Windows\system32\Ifoqjo32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2092 -
C:\Windows\SysWOW64\Iaeegh32.exeC:\Windows\system32\Iaeegh32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1492 -
C:\Windows\SysWOW64\Ifampo32.exeC:\Windows\system32\Ifampo32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:380 -
C:\Windows\SysWOW64\Ipjahd32.exeC:\Windows\system32\Ipjahd32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2308 -
C:\Windows\SysWOW64\Ibhndp32.exeC:\Windows\system32\Ibhndp32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:848 -
C:\Windows\SysWOW64\Ibkkjp32.exeC:\Windows\system32\Ibkkjp32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1592 -
C:\Windows\SysWOW64\Ipokcdjn.exeC:\Windows\system32\Ipokcdjn.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:448 -
C:\Windows\SysWOW64\Ioakoq32.exeC:\Windows\system32\Ioakoq32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2024 -
C:\Windows\SysWOW64\Ielclkhe.exeC:\Windows\system32\Ielclkhe.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1872 -
C:\Windows\SysWOW64\Jhjphfgi.exeC:\Windows\system32\Jhjphfgi.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:888 -
C:\Windows\SysWOW64\Jkhldafl.exeC:\Windows\system32\Jkhldafl.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2432 -
C:\Windows\SysWOW64\Jbpdeogo.exeC:\Windows\system32\Jbpdeogo.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1644 -
C:\Windows\SysWOW64\Jabdql32.exeC:\Windows\system32\Jabdql32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2388 -
C:\Windows\SysWOW64\Jhlmmfef.exeC:\Windows\system32\Jhlmmfef.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2428 -
C:\Windows\SysWOW64\Jepmgj32.exeC:\Windows\system32\Jepmgj32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1792 -
C:\Windows\SysWOW64\Jkmeoa32.exeC:\Windows\system32\Jkmeoa32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1928 -
C:\Windows\SysWOW64\Jnkakl32.exeC:\Windows\system32\Jnkakl32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2280 -
C:\Windows\SysWOW64\Jagnlkjd.exeC:\Windows\system32\Jagnlkjd.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2712 -
C:\Windows\SysWOW64\Jjbbpmgo.exeC:\Windows\system32\Jjbbpmgo.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2756 -
C:\Windows\SysWOW64\Jckgicnp.exeC:\Windows\system32\Jckgicnp.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2732 -
C:\Windows\SysWOW64\Jkbojpna.exeC:\Windows\system32\Jkbojpna.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2896 -
C:\Windows\SysWOW64\Jnpkflne.exeC:\Windows\system32\Jnpkflne.exe33⤵
- Executes dropped EXE
PID:2664 -
C:\Windows\SysWOW64\Kcmcoblm.exeC:\Windows\system32\Kcmcoblm.exe34⤵
- Executes dropped EXE
PID:2660 -
C:\Windows\SysWOW64\Kgkleabc.exeC:\Windows\system32\Kgkleabc.exe35⤵
- Executes dropped EXE
PID:3064 -
C:\Windows\SysWOW64\Kjihalag.exeC:\Windows\system32\Kjihalag.exe36⤵
- Executes dropped EXE
PID:108 -
C:\Windows\SysWOW64\Klhemhpk.exeC:\Windows\system32\Klhemhpk.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1092 -
C:\Windows\SysWOW64\Kbdmeoob.exeC:\Windows\system32\Kbdmeoob.exe38⤵
- Executes dropped EXE
PID:2928 -
C:\Windows\SysWOW64\Kjleflod.exeC:\Windows\system32\Kjleflod.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:2708 -
C:\Windows\SysWOW64\Kbgjkn32.exeC:\Windows\system32\Kbgjkn32.exe40⤵
- Executes dropped EXE
PID:548 -
C:\Windows\SysWOW64\Kllnhg32.exeC:\Windows\system32\Kllnhg32.exe41⤵
- Executes dropped EXE
PID:2416 -
C:\Windows\SysWOW64\Knnkpobc.exeC:\Windows\system32\Knnkpobc.exe42⤵
- Executes dropped EXE
PID:1860 -
C:\Windows\SysWOW64\Kfebambf.exeC:\Windows\system32\Kfebambf.exe43⤵
- Executes dropped EXE
PID:2112 -
C:\Windows\SysWOW64\Kgfoie32.exeC:\Windows\system32\Kgfoie32.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:1468 -
C:\Windows\SysWOW64\Lblcfnhj.exeC:\Windows\system32\Lblcfnhj.exe45⤵
- Executes dropped EXE
PID:2992 -
C:\Windows\SysWOW64\Lghlndfa.exeC:\Windows\system32\Lghlndfa.exe46⤵
- Executes dropped EXE
PID:1124 -
C:\Windows\SysWOW64\Ljghjpfe.exeC:\Windows\system32\Ljghjpfe.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1624 -
C:\Windows\SysWOW64\Lqqpgj32.exeC:\Windows\system32\Lqqpgj32.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2360 -
C:\Windows\SysWOW64\Lgkhdddo.exeC:\Windows\system32\Lgkhdddo.exe49⤵
- Executes dropped EXE
PID:1776 -
C:\Windows\SysWOW64\Lkfddc32.exeC:\Windows\system32\Lkfddc32.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:1040 -
C:\Windows\SysWOW64\Lneaqn32.exeC:\Windows\system32\Lneaqn32.exe51⤵
- Executes dropped EXE
PID:1448 -
C:\Windows\SysWOW64\Lmgalkcf.exeC:\Windows\system32\Lmgalkcf.exe52⤵
- Executes dropped EXE
PID:3068 -
C:\Windows\SysWOW64\Ldoimh32.exeC:\Windows\system32\Ldoimh32.exe53⤵
- Executes dropped EXE
PID:1580 -
C:\Windows\SysWOW64\Lgmeid32.exeC:\Windows\system32\Lgmeid32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2736 -
C:\Windows\SysWOW64\Lfpeeqig.exeC:\Windows\system32\Lfpeeqig.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:2996 -
C:\Windows\SysWOW64\Lngnfnji.exeC:\Windows\system32\Lngnfnji.exe56⤵
- Executes dropped EXE
PID:2616 -
C:\Windows\SysWOW64\Lmjnak32.exeC:\Windows\system32\Lmjnak32.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1540 -
C:\Windows\SysWOW64\Lohjnf32.exeC:\Windows\system32\Lohjnf32.exe58⤵
- Executes dropped EXE
PID:2460 -
C:\Windows\SysWOW64\Lcdfnehp.exeC:\Windows\system32\Lcdfnehp.exe59⤵
- Executes dropped EXE
PID:1808 -
C:\Windows\SysWOW64\Ljnnko32.exeC:\Windows\system32\Ljnnko32.exe60⤵
- Executes dropped EXE
PID:2792 -
C:\Windows\SysWOW64\Liqoflfh.exeC:\Windows\system32\Liqoflfh.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:2596 -
C:\Windows\SysWOW64\Lmljgj32.exeC:\Windows\system32\Lmljgj32.exe62⤵
- Executes dropped EXE
PID:2316 -
C:\Windows\SysWOW64\Lokgcf32.exeC:\Windows\system32\Lokgcf32.exe63⤵
- Executes dropped EXE
PID:1260 -
C:\Windows\SysWOW64\Lbicoamh.exeC:\Windows\system32\Lbicoamh.exe64⤵
- Executes dropped EXE
PID:1056 -
C:\Windows\SysWOW64\Mjpkqonj.exeC:\Windows\system32\Mjpkqonj.exe65⤵
- Executes dropped EXE
PID:956 -
C:\Windows\SysWOW64\Micklk32.exeC:\Windows\system32\Micklk32.exe66⤵PID:1268
-
C:\Windows\SysWOW64\Mmogmjmn.exeC:\Windows\system32\Mmogmjmn.exe67⤵PID:1348
-
C:\Windows\SysWOW64\Mkaghg32.exeC:\Windows\system32\Mkaghg32.exe68⤵PID:2516
-
C:\Windows\SysWOW64\Mchoid32.exeC:\Windows\system32\Mchoid32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1992 -
C:\Windows\SysWOW64\Mbkpeake.exeC:\Windows\system32\Mbkpeake.exe70⤵PID:2292
-
C:\Windows\SysWOW64\Mejlalji.exeC:\Windows\system32\Mejlalji.exe71⤵PID:1920
-
C:\Windows\SysWOW64\Mmadbjkk.exeC:\Windows\system32\Mmadbjkk.exe72⤵PID:2808
-
C:\Windows\SysWOW64\Mpopnejo.exeC:\Windows\system32\Mpopnejo.exe73⤵PID:2636
-
C:\Windows\SysWOW64\Mnbpjb32.exeC:\Windows\system32\Mnbpjb32.exe74⤵PID:2604
-
C:\Windows\SysWOW64\Mbnljqic.exeC:\Windows\system32\Mbnljqic.exe75⤵PID:3060
-
C:\Windows\SysWOW64\Melifl32.exeC:\Windows\system32\Melifl32.exe76⤵PID:2856
-
C:\Windows\SysWOW64\Mgjebg32.exeC:\Windows\system32\Mgjebg32.exe77⤵PID:2912
-
C:\Windows\SysWOW64\Mlfacfpc.exeC:\Windows\system32\Mlfacfpc.exe78⤵PID:1608
-
C:\Windows\SysWOW64\Mndmoaog.exeC:\Windows\system32\Mndmoaog.exe79⤵PID:2072
-
C:\Windows\SysWOW64\Mbpipp32.exeC:\Windows\system32\Mbpipp32.exe80⤵PID:1600
-
C:\Windows\SysWOW64\Meoell32.exeC:\Windows\system32\Meoell32.exe81⤵PID:1780
-
C:\Windows\SysWOW64\Mijamjnm.exeC:\Windows\system32\Mijamjnm.exe82⤵PID:1596
-
C:\Windows\SysWOW64\Mlhnifmq.exeC:\Windows\system32\Mlhnifmq.exe83⤵
- System Location Discovery: System Language Discovery
PID:1668 -
C:\Windows\SysWOW64\Mngjeamd.exeC:\Windows\system32\Mngjeamd.exe84⤵PID:2468
-
C:\Windows\SysWOW64\Meabakda.exeC:\Windows\system32\Meabakda.exe85⤵
- Modifies registry class
PID:1284 -
C:\Windows\SysWOW64\Mhonngce.exeC:\Windows\system32\Mhonngce.exe86⤵PID:2008
-
C:\Windows\SysWOW64\Mlkjne32.exeC:\Windows\system32\Mlkjne32.exe87⤵PID:2496
-
C:\Windows\SysWOW64\Mnifja32.exeC:\Windows\system32\Mnifja32.exe88⤵
- Drops file in System32 directory
PID:2700 -
C:\Windows\SysWOW64\Nagbgl32.exeC:\Windows\system32\Nagbgl32.exe89⤵
- Drops file in System32 directory
PID:2864 -
C:\Windows\SysWOW64\Ncfoch32.exeC:\Windows\system32\Ncfoch32.exe90⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2956 -
C:\Windows\SysWOW64\Nfdkoc32.exeC:\Windows\system32\Nfdkoc32.exe91⤵
- Modifies registry class
PID:1512 -
C:\Windows\SysWOW64\Njpgpbpf.exeC:\Windows\system32\Njpgpbpf.exe92⤵PID:1652
-
C:\Windows\SysWOW64\Ndhlhg32.exeC:\Windows\system32\Ndhlhg32.exe93⤵
- Drops file in System32 directory
PID:2440 -
C:\Windows\SysWOW64\Njbdea32.exeC:\Windows\system32\Njbdea32.exe94⤵PID:2060
-
C:\Windows\SysWOW64\Niedqnen.exeC:\Windows\system32\Niedqnen.exe95⤵PID:1796
-
C:\Windows\SysWOW64\Nallalep.exeC:\Windows\system32\Nallalep.exe96⤵
- System Location Discovery: System Language Discovery
PID:2504 -
C:\Windows\SysWOW64\Npolmh32.exeC:\Windows\system32\Npolmh32.exe97⤵PID:2104
-
C:\Windows\SysWOW64\Nfidjbdg.exeC:\Windows\system32\Nfidjbdg.exe98⤵PID:2588
-
C:\Windows\SysWOW64\Njdqka32.exeC:\Windows\system32\Njdqka32.exe99⤵PID:1740
-
C:\Windows\SysWOW64\Nmcmgm32.exeC:\Windows\system32\Nmcmgm32.exe100⤵PID:2436
-
C:\Windows\SysWOW64\Nlfmbibo.exeC:\Windows\system32\Nlfmbibo.exe101⤵PID:1584
-
C:\Windows\SysWOW64\Npaich32.exeC:\Windows\system32\Npaich32.exe102⤵PID:2380
-
C:\Windows\SysWOW64\Nbpeoc32.exeC:\Windows\system32\Nbpeoc32.exe103⤵PID:2720
-
C:\Windows\SysWOW64\Nfkapb32.exeC:\Windows\system32\Nfkapb32.exe104⤵
- System Location Discovery: System Language Discovery
PID:2672 -
C:\Windows\SysWOW64\Nijnln32.exeC:\Windows\system32\Nijnln32.exe105⤵PID:2728
-
C:\Windows\SysWOW64\Nlhjhi32.exeC:\Windows\system32\Nlhjhi32.exe106⤵PID:2676
-
C:\Windows\SysWOW64\Npdfhhhe.exeC:\Windows\system32\Npdfhhhe.exe107⤵PID:592
-
C:\Windows\SysWOW64\Noffdd32.exeC:\Windows\system32\Noffdd32.exe108⤵PID:2116
-
C:\Windows\SysWOW64\Nbbbdcgi.exeC:\Windows\system32\Nbbbdcgi.exe109⤵PID:532
-
C:\Windows\SysWOW64\Nfnneb32.exeC:\Windows\system32\Nfnneb32.exe110⤵PID:1340
-
C:\Windows\SysWOW64\Neqnqofm.exeC:\Windows\system32\Neqnqofm.exe111⤵PID:1720
-
C:\Windows\SysWOW64\Ohojmjep.exeC:\Windows\system32\Ohojmjep.exe112⤵PID:2200
-
C:\Windows\SysWOW64\Olkfmi32.exeC:\Windows\system32\Olkfmi32.exe113⤵
- Drops file in System32 directory
PID:1048 -
C:\Windows\SysWOW64\Ooicid32.exeC:\Windows\system32\Ooicid32.exe114⤵PID:2448
-
C:\Windows\SysWOW64\Obdojcef.exeC:\Windows\system32\Obdojcef.exe115⤵PID:2252
-
C:\Windows\SysWOW64\Oioggmmc.exeC:\Windows\system32\Oioggmmc.exe116⤵PID:672
-
C:\Windows\SysWOW64\Ookpodkj.exeC:\Windows\system32\Ookpodkj.exe117⤵PID:636
-
C:\Windows\SysWOW64\Oeehln32.exeC:\Windows\system32\Oeehln32.exe118⤵PID:1128
-
C:\Windows\SysWOW64\Ohcdhi32.exeC:\Windows\system32\Ohcdhi32.exe119⤵PID:1836
-
C:\Windows\SysWOW64\Okbpde32.exeC:\Windows\system32\Okbpde32.exe120⤵PID:2228
-
C:\Windows\SysWOW64\Omqlpp32.exeC:\Windows\system32\Omqlpp32.exe121⤵PID:2052
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-