Analysis
-
max time kernel
76s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
10/10/2024, 07:57
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
8a14feccc8579a9bb73e813f053feeddca2adc54bb72300d142d948320373471N.exe
Resource
win7-20240708-en
windows7-x64
9 signatures
120 seconds
Behavioral task
behavioral2
Sample
8a14feccc8579a9bb73e813f053feeddca2adc54bb72300d142d948320373471N.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
8 signatures
120 seconds
General
-
Target
8a14feccc8579a9bb73e813f053feeddca2adc54bb72300d142d948320373471N.exe
-
Size
1.7MB
-
MD5
e9b2521649c3c810f0928f133b2c9010
-
SHA1
bb7fc0479243a33a1a1ab163fc15c48983636c4b
-
SHA256
8a14feccc8579a9bb73e813f053feeddca2adc54bb72300d142d948320373471
-
SHA512
058695c84b2b06626f51c4e45910a4ce667bb2778758d37558c00c6663b829a46ce9b73a5cfa7b20fd024ce98d772fc2194e3cea704885ce8ba5b1e37498ec73
-
SSDEEP
49152:Bix7/ix7yix7/ix7Xcix7/ix7yix7/ix7:BU/UyU/UXcU/UyU/U
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbqgolpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gfnjne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfhdnn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhnmoo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bikcbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ejabqi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mbopon32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Polobd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jofdll32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kechdf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbjpil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lafahdcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Imhqbkbm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pcpbik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chjmmnnb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lqgjkbop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ccnddg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ppddpd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Deeqch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mohhea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jndhddaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qpbglhjq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdecea32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iciopdca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Einebddd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efmoib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmgcepio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmiljb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Coicfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Leikbd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmddgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lpgqlc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qqbeel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ijnkifgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fabmmejd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjalndpb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odedge32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppddpd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcgqgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kamlhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajamfh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kelmbifm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mfokinhf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hadfah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iemalkgd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Keappgmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dakpiajj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifjlcmmj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfaqfh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahpbkd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jinfli32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkqjdo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccmpce32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imlhebfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ngjlpmnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Egmabg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lghgmg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gimaah32.exe -
Executes dropped EXE 64 IoCs
pid Process 3056 Behilopf.exe 1056 Bgffhkoj.exe 2304 Bkbaii32.exe 1080 Bnqned32.exe 2660 Baojapfj.exe 2924 Dhpemm32.exe 2200 Ecnoijbd.exe 2628 Eacljf32.exe 1824 Fggkcl32.exe 1728 Fnacpffh.exe 1260 Gkpfmnlb.exe 1648 Goplilpf.exe 1916 Ggnmbn32.exe 2852 Hgpjhn32.exe 576 Hlgimqhf.exe 584 Iikifegp.exe 684 Iahkpg32.exe 2300 Ifjlcmmj.exe 2020 Jmdepg32.exe 744 Jpbalb32.exe 1632 Jliaac32.exe 760 Jfofol32.exe 2424 Jpgjgboe.exe 984 Jlnklcej.exe 2340 Jbhcim32.exe 3040 Jondnnbk.exe 2636 Klbdgb32.exe 2280 Kkgahoel.exe 2772 Kdpfadlm.exe 2060 Knhjjj32.exe 2696 Kdbbgdjj.exe 2676 Klngkfge.exe 2584 Kgclio32.exe 3008 Ljddjj32.exe 3004 Llbqfe32.exe 3012 Lpnmgdli.exe 1740 Lhiakf32.exe 1148 Lhknaf32.exe 2540 Llgjaeoj.exe 1780 Lkjjma32.exe 2136 Ldbofgme.exe 1592 Lhpglecl.exe 2000 Mjaddn32.exe 1624 Mjcaimgg.exe 1084 Mmbmeifk.exe 1560 Mdiefffn.exe 680 Mcnbhb32.exe 1172 Mpebmc32.exe 1516 Mbcoio32.exe 1652 Mfokinhf.exe 1800 Mpgobc32.exe 1712 Nfahomfd.exe 2752 Nmkplgnq.exe 2704 Nefdpjkl.exe 2828 Nlqmmd32.exe 2616 Nplimbka.exe 2392 Nlcibc32.exe 1928 Napbjjom.exe 2092 Ncnngfna.exe 1724 Ndqkleln.exe 2652 Njjcip32.exe 860 Odchbe32.exe 2152 Ojmpooah.exe 296 Odedge32.exe -
Loads dropped DLL 64 IoCs
pid Process 2316 8a14feccc8579a9bb73e813f053feeddca2adc54bb72300d142d948320373471N.exe 2316 8a14feccc8579a9bb73e813f053feeddca2adc54bb72300d142d948320373471N.exe 3056 Behilopf.exe 3056 Behilopf.exe 1056 Bgffhkoj.exe 1056 Bgffhkoj.exe 2304 Bkbaii32.exe 2304 Bkbaii32.exe 1080 Bnqned32.exe 1080 Bnqned32.exe 2660 Baojapfj.exe 2660 Baojapfj.exe 2924 Dhpemm32.exe 2924 Dhpemm32.exe 2200 Ecnoijbd.exe 2200 Ecnoijbd.exe 2628 Eacljf32.exe 2628 Eacljf32.exe 1824 Fggkcl32.exe 1824 Fggkcl32.exe 1728 Fnacpffh.exe 1728 Fnacpffh.exe 1260 Gkpfmnlb.exe 1260 Gkpfmnlb.exe 1648 Goplilpf.exe 1648 Goplilpf.exe 1916 Ggnmbn32.exe 1916 Ggnmbn32.exe 2852 Hgpjhn32.exe 2852 Hgpjhn32.exe 576 Hlgimqhf.exe 576 Hlgimqhf.exe 584 Iikifegp.exe 584 Iikifegp.exe 684 Iahkpg32.exe 684 Iahkpg32.exe 2300 Ifjlcmmj.exe 2300 Ifjlcmmj.exe 2020 Jmdepg32.exe 2020 Jmdepg32.exe 744 Jpbalb32.exe 744 Jpbalb32.exe 1632 Jliaac32.exe 1632 Jliaac32.exe 760 Jfofol32.exe 760 Jfofol32.exe 2424 Jpgjgboe.exe 2424 Jpgjgboe.exe 984 Jlnklcej.exe 984 Jlnklcej.exe 2340 Jbhcim32.exe 2340 Jbhcim32.exe 3040 Jondnnbk.exe 3040 Jondnnbk.exe 2636 Klbdgb32.exe 2636 Klbdgb32.exe 2280 Kkgahoel.exe 2280 Kkgahoel.exe 2772 Kdpfadlm.exe 2772 Kdpfadlm.exe 2060 Knhjjj32.exe 2060 Knhjjj32.exe 2696 Kdbbgdjj.exe 2696 Kdbbgdjj.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Felcbk32.exe Fhhbif32.exe File created C:\Windows\SysWOW64\Gdfiofhn.exe Gmlablaa.exe File opened for modification C:\Windows\SysWOW64\Qaqlbmbn.exe Qpaohjkk.exe File created C:\Windows\SysWOW64\Cofdbf32.dll Pcljmdmj.exe File opened for modification C:\Windows\SysWOW64\Paaddgkj.exe Ohipla32.exe File opened for modification C:\Windows\SysWOW64\Dfhdnn32.exe Ckbpqe32.exe File opened for modification C:\Windows\SysWOW64\Aeghng32.exe Aompambg.exe File created C:\Windows\SysWOW64\Fbflbd32.dll Bacefpbg.exe File created C:\Windows\SysWOW64\Kqdodila.dll Ebqngb32.exe File created C:\Windows\SysWOW64\Gdpemeck.dll Dmebcgbb.exe File created C:\Windows\SysWOW64\Mpikik32.exe Lcdjpfgh.exe File created C:\Windows\SysWOW64\Onoqfehp.exe Ogdhik32.exe File opened for modification C:\Windows\SysWOW64\Qfljmmjl.exe Process not Found File opened for modification C:\Windows\SysWOW64\Dijgnm32.exe Process not Found File created C:\Windows\SysWOW64\Oikbkegk.dll Hmlkfo32.exe File created C:\Windows\SysWOW64\Gffdobll.dll Kpieengb.exe File created C:\Windows\SysWOW64\Gjjafkpe.exe Fabmmejd.exe File created C:\Windows\SysWOW64\Malpee32.exe Process not Found File created C:\Windows\SysWOW64\Fcichb32.exe Fefcmehe.exe File opened for modification C:\Windows\SysWOW64\Jdlacfca.exe Jjfmem32.exe File created C:\Windows\SysWOW64\Ligleljk.dll Mpqjmh32.exe File created C:\Windows\SysWOW64\Ebakdbbk.dll Process not Found File created C:\Windows\SysWOW64\Chfkee32.dll Ajhddk32.exe File opened for modification C:\Windows\SysWOW64\Bnicbh32.exe Bgokfnij.exe File created C:\Windows\SysWOW64\Hkmaed32.exe Hhoeii32.exe File created C:\Windows\SysWOW64\Omhkcnfg.exe Ocpfkh32.exe File opened for modification C:\Windows\SysWOW64\Olkifaen.exe Obbdml32.exe File opened for modification C:\Windows\SysWOW64\Gefolhja.exe Glnkcc32.exe File opened for modification C:\Windows\SysWOW64\Djlbkcfn.exe Dofnnkfg.exe File created C:\Windows\SysWOW64\Cbcfbege.exe Clinfk32.exe File opened for modification C:\Windows\SysWOW64\Kajiigba.exe Kcginj32.exe File created C:\Windows\SysWOW64\Cnhnhd32.dll Nhbciaki.exe File created C:\Windows\SysWOW64\Qhbokp32.dll Fodgkp32.exe File created C:\Windows\SysWOW64\Lnlfdk32.dll Ebialmjb.exe File created C:\Windows\SysWOW64\Mllhne32.exe Mohhea32.exe File created C:\Windows\SysWOW64\Bgdfjfmi.exe Bbikig32.exe File created C:\Windows\SysWOW64\Nefdpjkl.exe Nmkplgnq.exe File created C:\Windows\SysWOW64\Ccgobkao.dll Nqbaic32.exe File created C:\Windows\SysWOW64\Pjahakgb.exe Pfflql32.exe File opened for modification C:\Windows\SysWOW64\Baneak32.exe Bjbqmi32.exe File created C:\Windows\SysWOW64\Hnbaif32.exe Hbkqdepm.exe File created C:\Windows\SysWOW64\Hjojpeec.dll Aoomflpd.exe File opened for modification C:\Windows\SysWOW64\Hhmhcigh.exe Goddjc32.exe File created C:\Windows\SysWOW64\Admgglep.exe Ajdcofop.exe File opened for modification C:\Windows\SysWOW64\Lelljepm.exe Lkcgapjl.exe File created C:\Windows\SysWOW64\Ekndacia.dll Aohdmdoh.exe File opened for modification C:\Windows\SysWOW64\Noohlkpc.exe Nhepoaif.exe File opened for modification C:\Windows\SysWOW64\Ncipjieo.exe Nlohmonb.exe File created C:\Windows\SysWOW64\Afcghbgp.exe Anhbdpje.exe File opened for modification C:\Windows\SysWOW64\Pjlgle32.exe Pbepkh32.exe File created C:\Windows\SysWOW64\Ajamfh32.exe Apkihofl.exe File created C:\Windows\SysWOW64\Gnngnk32.dll Epnkip32.exe File created C:\Windows\SysWOW64\Mohhea32.exe Lepclldc.exe File opened for modification C:\Windows\SysWOW64\Kkgahoel.exe Klbdgb32.exe File created C:\Windows\SysWOW64\Bbhccm32.exe Blkjkflb.exe File opened for modification C:\Windows\SysWOW64\Lhnmoo32.exe Ladebd32.exe File created C:\Windows\SysWOW64\Apefjqob.exe Afmbak32.exe File created C:\Windows\SysWOW64\Jkcgmf32.dll Cmaeoo32.exe File opened for modification C:\Windows\SysWOW64\Jcdmbk32.exe Johaalea.exe File opened for modification C:\Windows\SysWOW64\Mpalfabn.exe Process not Found File created C:\Windows\SysWOW64\Egihcl32.exe Eqopfbfn.exe File opened for modification C:\Windows\SysWOW64\Fldabn32.exe Fmaqgaae.exe File created C:\Windows\SysWOW64\Hhfmbq32.exe Hlpmmpam.exe File created C:\Windows\SysWOW64\Okkfmmqj.exe Process not Found -
Program crash 1 IoCs
pid pid_target Process procid_target 5400 5404 Process not Found 1131 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qkielpdf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjmlhbbg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkgldm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fllaopcg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aphjjf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hoqjqhjf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gddobpbe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgppmpjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mebnic32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejadibmh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kheofahm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abdbflnf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbbakc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogbldk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfofol32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbqkeioh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmmnkglp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndgbgefh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnapnm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Memlki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdipfi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmepkn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epeekmjk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajhddk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhmbdl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fepjea32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dofnnkfg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Felekcop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcojam32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djgfgkbo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbggpfci.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfhhflmg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebialmjb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhibakmb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Goplilpf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbhcim32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aficjnpm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhmhcigh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klngkfge.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbfkeo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Biiiempl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggnmbn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajpepm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmcopebh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omphocck.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abfoll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkhaooec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kffqqm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckmnbg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iokahhac.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aojabdlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olkifaen.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdnlpaln.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egmabg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikfbbjdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhepoaif.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bedhgj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klkfdi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccecheeb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Diqmcgca.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ccgklc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bhndnpnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nmkplgnq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cbblda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kglbad32.dll" Lonibk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bbhccm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eddmlhaq.dll" Lkjjma32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Agpeaa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iciopdca.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qifnhaho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eekcfk32.dll" Edoefl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maflig32.dll" Jbnlaqhi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ccnddg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nggkipci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mbopon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lhknaf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Paknelgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jepmdoim.dll" Oaigib32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dcmnja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcoaml32.dll" Alageg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecfgpaco.dll" Hmdkjmip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgfbnp32.dll" Gnabcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gkhaooec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojeffiih.dll" Bbikig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pchjmjfn.dll" Gdflgo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kfjfik32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Coicfd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eafkhn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kkmmlgik.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pjmnfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Egeecf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nqmqcmdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pjlgle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" 8a14feccc8579a9bb73e813f053feeddca2adc54bb72300d142d948320373471N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Odchbe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jmnqje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pofhpf32.dll" Ccgklc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hibgkjee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oeoedmpg.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nfahomfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iebldo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifcmmf32.dll" Fejfmk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hememgdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnbibolf.dll" Mdgkjopd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cbbomjnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gedhkkno.dll" Fdapcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Koiillaq.dll" Lpoaheja.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Abbhje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajenah32.dll" Lpgqlc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aaimopli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dphhka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhbokp32.dll" Fodgkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gpogiglp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fmnahilc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jmlfmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agfnig32.dll" Ckhbnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ldbofgme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnjjadh.dll" Jmlddeio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ahpbkd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccgobkao.dll" Nqbaic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fcoolj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gjdldd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gjgiidkl.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2316 wrote to memory of 3056 2316 8a14feccc8579a9bb73e813f053feeddca2adc54bb72300d142d948320373471N.exe 30 PID 2316 wrote to memory of 3056 2316 8a14feccc8579a9bb73e813f053feeddca2adc54bb72300d142d948320373471N.exe 30 PID 2316 wrote to memory of 3056 2316 8a14feccc8579a9bb73e813f053feeddca2adc54bb72300d142d948320373471N.exe 30 PID 2316 wrote to memory of 3056 2316 8a14feccc8579a9bb73e813f053feeddca2adc54bb72300d142d948320373471N.exe 30 PID 3056 wrote to memory of 1056 3056 Behilopf.exe 31 PID 3056 wrote to memory of 1056 3056 Behilopf.exe 31 PID 3056 wrote to memory of 1056 3056 Behilopf.exe 31 PID 3056 wrote to memory of 1056 3056 Behilopf.exe 31 PID 1056 wrote to memory of 2304 1056 Bgffhkoj.exe 32 PID 1056 wrote to memory of 2304 1056 Bgffhkoj.exe 32 PID 1056 wrote to memory of 2304 1056 Bgffhkoj.exe 32 PID 1056 wrote to memory of 2304 1056 Bgffhkoj.exe 32 PID 2304 wrote to memory of 1080 2304 Bkbaii32.exe 33 PID 2304 wrote to memory of 1080 2304 Bkbaii32.exe 33 PID 2304 wrote to memory of 1080 2304 Bkbaii32.exe 33 PID 2304 wrote to memory of 1080 2304 Bkbaii32.exe 33 PID 1080 wrote to memory of 2660 1080 Bnqned32.exe 34 PID 1080 wrote to memory of 2660 1080 Bnqned32.exe 34 PID 1080 wrote to memory of 2660 1080 Bnqned32.exe 34 PID 1080 wrote to memory of 2660 1080 Bnqned32.exe 34 PID 2660 wrote to memory of 2924 2660 Baojapfj.exe 35 PID 2660 wrote to memory of 2924 2660 Baojapfj.exe 35 PID 2660 wrote to memory of 2924 2660 Baojapfj.exe 35 PID 2660 wrote to memory of 2924 2660 Baojapfj.exe 35 PID 2924 wrote to memory of 2200 2924 Dhpemm32.exe 36 PID 2924 wrote to memory of 2200 2924 Dhpemm32.exe 36 PID 2924 wrote to memory of 2200 2924 Dhpemm32.exe 36 PID 2924 wrote to memory of 2200 2924 Dhpemm32.exe 36 PID 2200 wrote to memory of 2628 2200 Ecnoijbd.exe 37 PID 2200 wrote to memory of 2628 2200 Ecnoijbd.exe 37 PID 2200 wrote to memory of 2628 2200 Ecnoijbd.exe 37 PID 2200 wrote to memory of 2628 2200 Ecnoijbd.exe 37 PID 2628 wrote to memory of 1824 2628 Eacljf32.exe 38 PID 2628 wrote to memory of 1824 2628 Eacljf32.exe 38 PID 2628 wrote to memory of 1824 2628 Eacljf32.exe 38 PID 2628 wrote to memory of 1824 2628 Eacljf32.exe 38 PID 1824 wrote to memory of 1728 1824 Fggkcl32.exe 39 PID 1824 wrote to memory of 1728 1824 Fggkcl32.exe 39 PID 1824 wrote to memory of 1728 1824 Fggkcl32.exe 39 PID 1824 wrote to memory of 1728 1824 Fggkcl32.exe 39 PID 1728 wrote to memory of 1260 1728 Fnacpffh.exe 40 PID 1728 wrote to memory of 1260 1728 Fnacpffh.exe 40 PID 1728 wrote to memory of 1260 1728 Fnacpffh.exe 40 PID 1728 wrote to memory of 1260 1728 Fnacpffh.exe 40 PID 1260 wrote to memory of 1648 1260 Gkpfmnlb.exe 41 PID 1260 wrote to memory of 1648 1260 Gkpfmnlb.exe 41 PID 1260 wrote to memory of 1648 1260 Gkpfmnlb.exe 41 PID 1260 wrote to memory of 1648 1260 Gkpfmnlb.exe 41 PID 1648 wrote to memory of 1916 1648 Goplilpf.exe 42 PID 1648 wrote to memory of 1916 1648 Goplilpf.exe 42 PID 1648 wrote to memory of 1916 1648 Goplilpf.exe 42 PID 1648 wrote to memory of 1916 1648 Goplilpf.exe 42 PID 1916 wrote to memory of 2852 1916 Ggnmbn32.exe 43 PID 1916 wrote to memory of 2852 1916 Ggnmbn32.exe 43 PID 1916 wrote to memory of 2852 1916 Ggnmbn32.exe 43 PID 1916 wrote to memory of 2852 1916 Ggnmbn32.exe 43 PID 2852 wrote to memory of 576 2852 Hgpjhn32.exe 45 PID 2852 wrote to memory of 576 2852 Hgpjhn32.exe 45 PID 2852 wrote to memory of 576 2852 Hgpjhn32.exe 45 PID 2852 wrote to memory of 576 2852 Hgpjhn32.exe 45 PID 576 wrote to memory of 584 576 Hlgimqhf.exe 46 PID 576 wrote to memory of 584 576 Hlgimqhf.exe 46 PID 576 wrote to memory of 584 576 Hlgimqhf.exe 46 PID 576 wrote to memory of 584 576 Hlgimqhf.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\8a14feccc8579a9bb73e813f053feeddca2adc54bb72300d142d948320373471N.exe"C:\Users\Admin\AppData\Local\Temp\8a14feccc8579a9bb73e813f053feeddca2adc54bb72300d142d948320373471N.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2316 -
C:\Windows\SysWOW64\Behilopf.exeC:\Windows\system32\Behilopf.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3056 -
C:\Windows\SysWOW64\Bgffhkoj.exeC:\Windows\system32\Bgffhkoj.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1056 -
C:\Windows\SysWOW64\Bkbaii32.exeC:\Windows\system32\Bkbaii32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2304 -
C:\Windows\SysWOW64\Bnqned32.exeC:\Windows\system32\Bnqned32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1080 -
C:\Windows\SysWOW64\Baojapfj.exeC:\Windows\system32\Baojapfj.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2660 -
C:\Windows\SysWOW64\Dhpemm32.exeC:\Windows\system32\Dhpemm32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2924 -
C:\Windows\SysWOW64\Ecnoijbd.exeC:\Windows\system32\Ecnoijbd.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2200 -
C:\Windows\SysWOW64\Eacljf32.exeC:\Windows\system32\Eacljf32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Windows\SysWOW64\Fggkcl32.exeC:\Windows\system32\Fggkcl32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1824 -
C:\Windows\SysWOW64\Fnacpffh.exeC:\Windows\system32\Fnacpffh.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1728 -
C:\Windows\SysWOW64\Gkpfmnlb.exeC:\Windows\system32\Gkpfmnlb.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1260 -
C:\Windows\SysWOW64\Goplilpf.exeC:\Windows\system32\Goplilpf.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1648 -
C:\Windows\SysWOW64\Ggnmbn32.exeC:\Windows\system32\Ggnmbn32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1916 -
C:\Windows\SysWOW64\Hgpjhn32.exeC:\Windows\system32\Hgpjhn32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2852 -
C:\Windows\SysWOW64\Hlgimqhf.exeC:\Windows\system32\Hlgimqhf.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:576 -
C:\Windows\SysWOW64\Iikifegp.exeC:\Windows\system32\Iikifegp.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:584 -
C:\Windows\SysWOW64\Iahkpg32.exeC:\Windows\system32\Iahkpg32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:684 -
C:\Windows\SysWOW64\Ifjlcmmj.exeC:\Windows\system32\Ifjlcmmj.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2300 -
C:\Windows\SysWOW64\Jmdepg32.exeC:\Windows\system32\Jmdepg32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2020 -
C:\Windows\SysWOW64\Jpbalb32.exeC:\Windows\system32\Jpbalb32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:744 -
C:\Windows\SysWOW64\Jliaac32.exeC:\Windows\system32\Jliaac32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1632 -
C:\Windows\SysWOW64\Jfofol32.exeC:\Windows\system32\Jfofol32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:760 -
C:\Windows\SysWOW64\Jpgjgboe.exeC:\Windows\system32\Jpgjgboe.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2424 -
C:\Windows\SysWOW64\Jlnklcej.exeC:\Windows\system32\Jlnklcej.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:984 -
C:\Windows\SysWOW64\Jbhcim32.exeC:\Windows\system32\Jbhcim32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2340 -
C:\Windows\SysWOW64\Jondnnbk.exeC:\Windows\system32\Jondnnbk.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3040 -
C:\Windows\SysWOW64\Klbdgb32.exeC:\Windows\system32\Klbdgb32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2636 -
C:\Windows\SysWOW64\Kkgahoel.exeC:\Windows\system32\Kkgahoel.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2280 -
C:\Windows\SysWOW64\Kdpfadlm.exeC:\Windows\system32\Kdpfadlm.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2772 -
C:\Windows\SysWOW64\Knhjjj32.exeC:\Windows\system32\Knhjjj32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2060 -
C:\Windows\SysWOW64\Kdbbgdjj.exeC:\Windows\system32\Kdbbgdjj.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2696 -
C:\Windows\SysWOW64\Klngkfge.exeC:\Windows\system32\Klngkfge.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2676 -
C:\Windows\SysWOW64\Kgclio32.exeC:\Windows\system32\Kgclio32.exe34⤵
- Executes dropped EXE
PID:2584 -
C:\Windows\SysWOW64\Ljddjj32.exeC:\Windows\system32\Ljddjj32.exe35⤵
- Executes dropped EXE
PID:3008 -
C:\Windows\SysWOW64\Llbqfe32.exeC:\Windows\system32\Llbqfe32.exe36⤵
- Executes dropped EXE
PID:3004 -
C:\Windows\SysWOW64\Lpnmgdli.exeC:\Windows\system32\Lpnmgdli.exe37⤵
- Executes dropped EXE
PID:3012 -
C:\Windows\SysWOW64\Lhiakf32.exeC:\Windows\system32\Lhiakf32.exe38⤵
- Executes dropped EXE
PID:1740 -
C:\Windows\SysWOW64\Lhknaf32.exeC:\Windows\system32\Lhknaf32.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:1148 -
C:\Windows\SysWOW64\Llgjaeoj.exeC:\Windows\system32\Llgjaeoj.exe40⤵
- Executes dropped EXE
PID:2540 -
C:\Windows\SysWOW64\Lkjjma32.exeC:\Windows\system32\Lkjjma32.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:1780 -
C:\Windows\SysWOW64\Ldbofgme.exeC:\Windows\system32\Ldbofgme.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:2136 -
C:\Windows\SysWOW64\Lhpglecl.exeC:\Windows\system32\Lhpglecl.exe43⤵
- Executes dropped EXE
PID:1592 -
C:\Windows\SysWOW64\Mjaddn32.exeC:\Windows\system32\Mjaddn32.exe44⤵
- Executes dropped EXE
PID:2000 -
C:\Windows\SysWOW64\Mjcaimgg.exeC:\Windows\system32\Mjcaimgg.exe45⤵
- Executes dropped EXE
PID:1624 -
C:\Windows\SysWOW64\Mmbmeifk.exeC:\Windows\system32\Mmbmeifk.exe46⤵
- Executes dropped EXE
PID:1084 -
C:\Windows\SysWOW64\Mdiefffn.exeC:\Windows\system32\Mdiefffn.exe47⤵
- Executes dropped EXE
PID:1560 -
C:\Windows\SysWOW64\Mcnbhb32.exeC:\Windows\system32\Mcnbhb32.exe48⤵
- Executes dropped EXE
PID:680 -
C:\Windows\SysWOW64\Mpebmc32.exeC:\Windows\system32\Mpebmc32.exe49⤵
- Executes dropped EXE
PID:1172 -
C:\Windows\SysWOW64\Mbcoio32.exeC:\Windows\system32\Mbcoio32.exe50⤵
- Executes dropped EXE
PID:1516 -
C:\Windows\SysWOW64\Mfokinhf.exeC:\Windows\system32\Mfokinhf.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1652 -
C:\Windows\SysWOW64\Mpgobc32.exeC:\Windows\system32\Mpgobc32.exe52⤵
- Executes dropped EXE
PID:1800 -
C:\Windows\SysWOW64\Nfahomfd.exeC:\Windows\system32\Nfahomfd.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:1712 -
C:\Windows\SysWOW64\Nmkplgnq.exeC:\Windows\system32\Nmkplgnq.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2752 -
C:\Windows\SysWOW64\Nefdpjkl.exeC:\Windows\system32\Nefdpjkl.exe55⤵
- Executes dropped EXE
PID:2704 -
C:\Windows\SysWOW64\Nlqmmd32.exeC:\Windows\system32\Nlqmmd32.exe56⤵
- Executes dropped EXE
PID:2828 -
C:\Windows\SysWOW64\Nplimbka.exeC:\Windows\system32\Nplimbka.exe57⤵
- Executes dropped EXE
PID:2616 -
C:\Windows\SysWOW64\Nlcibc32.exeC:\Windows\system32\Nlcibc32.exe58⤵
- Executes dropped EXE
PID:2392 -
C:\Windows\SysWOW64\Napbjjom.exeC:\Windows\system32\Napbjjom.exe59⤵
- Executes dropped EXE
PID:1928 -
C:\Windows\SysWOW64\Ncnngfna.exeC:\Windows\system32\Ncnngfna.exe60⤵
- Executes dropped EXE
PID:2092 -
C:\Windows\SysWOW64\Ndqkleln.exeC:\Windows\system32\Ndqkleln.exe61⤵
- Executes dropped EXE
PID:1724 -
C:\Windows\SysWOW64\Njjcip32.exeC:\Windows\system32\Njjcip32.exe62⤵
- Executes dropped EXE
PID:2652 -
C:\Windows\SysWOW64\Odchbe32.exeC:\Windows\system32\Odchbe32.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:860 -
C:\Windows\SysWOW64\Ojmpooah.exeC:\Windows\system32\Ojmpooah.exe64⤵
- Executes dropped EXE
PID:2152 -
C:\Windows\SysWOW64\Odedge32.exeC:\Windows\system32\Odedge32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:296 -
C:\Windows\SysWOW64\Ojomdoof.exeC:\Windows\system32\Ojomdoof.exe66⤵PID:1700
-
C:\Windows\SysWOW64\Oplelf32.exeC:\Windows\system32\Oplelf32.exe67⤵PID:1676
-
C:\Windows\SysWOW64\Offmipej.exeC:\Windows\system32\Offmipej.exe68⤵PID:2524
-
C:\Windows\SysWOW64\Ompefj32.exeC:\Windows\system32\Ompefj32.exe69⤵PID:480
-
C:\Windows\SysWOW64\Obmnna32.exeC:\Windows\system32\Obmnna32.exe70⤵PID:1232
-
C:\Windows\SysWOW64\Opqoge32.exeC:\Windows\system32\Opqoge32.exe71⤵PID:2972
-
C:\Windows\SysWOW64\Obokcqhk.exeC:\Windows\system32\Obokcqhk.exe72⤵PID:2356
-
C:\Windows\SysWOW64\Oabkom32.exeC:\Windows\system32\Oabkom32.exe73⤵PID:2336
-
C:\Windows\SysWOW64\Padhdm32.exeC:\Windows\system32\Padhdm32.exe74⤵PID:2928
-
C:\Windows\SysWOW64\Pdbdqh32.exeC:\Windows\system32\Pdbdqh32.exe75⤵PID:2548
-
C:\Windows\SysWOW64\Pohhna32.exeC:\Windows\system32\Pohhna32.exe76⤵PID:2564
-
C:\Windows\SysWOW64\Pgcmbcih.exeC:\Windows\system32\Pgcmbcih.exe77⤵PID:2016
-
C:\Windows\SysWOW64\Pojecajj.exeC:\Windows\system32\Pojecajj.exe78⤵PID:1988
-
C:\Windows\SysWOW64\Pmmeon32.exeC:\Windows\system32\Pmmeon32.exe79⤵PID:1656
-
C:\Windows\SysWOW64\Pgfjhcge.exeC:\Windows\system32\Pgfjhcge.exe80⤵PID:624
-
C:\Windows\SysWOW64\Paknelgk.exeC:\Windows\system32\Paknelgk.exe81⤵
- Modifies registry class
PID:1768 -
C:\Windows\SysWOW64\Pcljmdmj.exeC:\Windows\system32\Pcljmdmj.exe82⤵
- Drops file in System32 directory
PID:1124 -
C:\Windows\SysWOW64\Pkcbnanl.exeC:\Windows\system32\Pkcbnanl.exe83⤵PID:1828
-
C:\Windows\SysWOW64\Qcogbdkg.exeC:\Windows\system32\Qcogbdkg.exe84⤵PID:1520
-
C:\Windows\SysWOW64\Qpbglhjq.exeC:\Windows\system32\Qpbglhjq.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1840 -
C:\Windows\SysWOW64\Qcachc32.exeC:\Windows\system32\Qcachc32.exe86⤵PID:2400
-
C:\Windows\SysWOW64\Aohdmdoh.exeC:\Windows\system32\Aohdmdoh.exe87⤵
- Drops file in System32 directory
PID:2084 -
C:\Windows\SysWOW64\Agolnbok.exeC:\Windows\system32\Agolnbok.exe88⤵PID:2740
-
C:\Windows\SysWOW64\Aojabdlf.exeC:\Windows\system32\Aojabdlf.exe89⤵
- System Location Discovery: System Language Discovery
PID:2492 -
C:\Windows\SysWOW64\Aaimopli.exeC:\Windows\system32\Aaimopli.exe90⤵
- Modifies registry class
PID:1976 -
C:\Windows\SysWOW64\Ajpepm32.exeC:\Windows\system32\Ajpepm32.exe91⤵
- System Location Discovery: System Language Discovery
PID:3060 -
C:\Windows\SysWOW64\Achjibcl.exeC:\Windows\system32\Achjibcl.exe92⤵PID:1552
-
C:\Windows\SysWOW64\Abmgjo32.exeC:\Windows\system32\Abmgjo32.exe93⤵PID:1380
-
C:\Windows\SysWOW64\Aficjnpm.exeC:\Windows\system32\Aficjnpm.exe94⤵
- System Location Discovery: System Language Discovery
PID:1732 -
C:\Windows\SysWOW64\Ahgofi32.exeC:\Windows\system32\Ahgofi32.exe95⤵PID:3016
-
C:\Windows\SysWOW64\Abpcooea.exeC:\Windows\system32\Abpcooea.exe96⤵PID:2868
-
C:\Windows\SysWOW64\Bbbpenco.exeC:\Windows\system32\Bbbpenco.exe97⤵PID:1660
-
C:\Windows\SysWOW64\Bdqlajbb.exeC:\Windows\system32\Bdqlajbb.exe98⤵PID:1720
-
C:\Windows\SysWOW64\Bgoime32.exeC:\Windows\system32\Bgoime32.exe99⤵PID:1776
-
C:\Windows\SysWOW64\Bniajoic.exeC:\Windows\system32\Bniajoic.exe100⤵PID:2224
-
C:\Windows\SysWOW64\Bqijljfd.exeC:\Windows\system32\Bqijljfd.exe101⤵PID:884
-
C:\Windows\SysWOW64\Bchfhfeh.exeC:\Windows\system32\Bchfhfeh.exe102⤵PID:284
-
C:\Windows\SysWOW64\Bqlfaj32.exeC:\Windows\system32\Bqlfaj32.exe103⤵PID:2712
-
C:\Windows\SysWOW64\Bfioia32.exeC:\Windows\system32\Bfioia32.exe104⤵PID:2688
-
C:\Windows\SysWOW64\Bmbgfkje.exeC:\Windows\system32\Bmbgfkje.exe105⤵PID:1688
-
C:\Windows\SysWOW64\Ccmpce32.exeC:\Windows\system32\Ccmpce32.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1960 -
C:\Windows\SysWOW64\Cbppnbhm.exeC:\Windows\system32\Cbppnbhm.exe107⤵PID:1920
-
C:\Windows\SysWOW64\Cnfqccna.exeC:\Windows\system32\Cnfqccna.exe108⤵PID:444
-
C:\Windows\SysWOW64\Cbblda32.exeC:\Windows\system32\Cbblda32.exe109⤵
- Modifies registry class
PID:1352 -
C:\Windows\SysWOW64\Cpfmmf32.exeC:\Windows\system32\Cpfmmf32.exe110⤵PID:1684
-
C:\Windows\SysWOW64\Ckmnbg32.exeC:\Windows\system32\Ckmnbg32.exe111⤵
- System Location Discovery: System Language Discovery
PID:2116 -
C:\Windows\SysWOW64\Cbffoabe.exeC:\Windows\system32\Cbffoabe.exe112⤵PID:888
-
C:\Windows\SysWOW64\Cchbgi32.exeC:\Windows\system32\Cchbgi32.exe113⤵PID:1612
-
C:\Windows\SysWOW64\Cnmfdb32.exeC:\Windows\system32\Cnmfdb32.exe114⤵PID:2068
-
C:\Windows\SysWOW64\Dnpciaef.exeC:\Windows\system32\Dnpciaef.exe115⤵PID:2784
-
C:\Windows\SysWOW64\Danpemej.exeC:\Windows\system32\Danpemej.exe116⤵PID:1256
-
C:\Windows\SysWOW64\Dcllbhdn.exeC:\Windows\system32\Dcllbhdn.exe117⤵PID:2864
-
C:\Windows\SysWOW64\Dmepkn32.exeC:\Windows\system32\Dmepkn32.exe118⤵
- System Location Discovery: System Language Discovery
PID:3000 -
C:\Windows\SysWOW64\Dpcmgi32.exeC:\Windows\system32\Dpcmgi32.exe119⤵PID:2276
-
C:\Windows\SysWOW64\Dilapopb.exeC:\Windows\system32\Dilapopb.exe120⤵PID:2496
-
C:\Windows\SysWOW64\Dpeiligo.exeC:\Windows\system32\Dpeiligo.exe121⤵PID:2432
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-