Analysis
-
max time kernel
93s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
11-10-2024 20:08
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
2daded13a8e1fb836447bfd182fd917080f4ec1f6e3d0dbb07f0b8c11d8f139d.exe
Resource
win7-20240708-en
windows7-x64
9 signatures
150 seconds
Behavioral task
behavioral2
Sample
2daded13a8e1fb836447bfd182fd917080f4ec1f6e3d0dbb07f0b8c11d8f139d.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
8 signatures
150 seconds
General
-
Target
2daded13a8e1fb836447bfd182fd917080f4ec1f6e3d0dbb07f0b8c11d8f139d.exe
-
Size
64KB
-
MD5
90994f9e0bb099cc56f23e17f86bc1f0
-
SHA1
5f6bb778a0da191bd722057108801d73656caea6
-
SHA256
2daded13a8e1fb836447bfd182fd917080f4ec1f6e3d0dbb07f0b8c11d8f139d
-
SHA512
676658bd1eeb12f9a18507cc50d40151096796f2f31615a54b6fb90a242f0cd4381a7149f742dc54a5bdb95f0e01f12a9b60a1444b7d00405066365269b77986
-
SSDEEP
1536:ikBqODAFz2Ny1+8sgYVQUJZZBZZZZZZZZZZZZZZEZZZZZZZDZZZZZMqFj05kkx2V:PBqV2N8H7Fq1KsXds
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fechomko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lljklo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mfeeabda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bogkmgba.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dojqjdbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dihlbf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icdheded.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Boeebnhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mgehfkop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cglbhhga.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkenjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Injmcmej.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljfhqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Felbnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Apodoq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlcalieg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aafemk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gfeaopqo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjlpjm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fipkjb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kcbnnpka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mmbanbmg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iibccgep.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ginnfgop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hdilnojp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kkcfid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckclhn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flfkkhid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hlbcnd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnaaib32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dihlbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Flinkojm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Igdnabjh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ifmqfm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adfgdpmi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cklhcfle.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhknpmma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dlieda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Epndknin.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onpjichj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifmqfm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmnqjp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plpjoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iidphgcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aaoaic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kqbkfkal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Icknfcol.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipoopgnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mbbagk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eiieicml.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffaong32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jlfpdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eiloco32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad 2daded13a8e1fb836447bfd182fd917080f4ec1f6e3d0dbb07f0b8c11d8f139d.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihbdplfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jdedak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mqfpckhm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdpcal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kkpbin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fpdcag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jniood32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lgpoihnl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aagkhd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Meamcg32.exe -
Executes dropped EXE 64 IoCs
pid Process 2724 Gaamlecg.exe 2832 Gdoihpbk.exe 216 Gkiaej32.exe 2548 Gacjadad.exe 3816 Gdafnpqh.exe 2384 Ggpbjkpl.exe 3132 Ginnfgop.exe 1812 Gphgbafl.exe 5036 Ggbook32.exe 312 Gnlgleef.exe 3556 Gdfoio32.exe 2332 Hkpheidp.exe 3384 Hnodaecc.exe 1736 Hdilnojp.exe 2692 Hgghjjid.exe 4956 Hammhcij.exe 3568 Hdkidohn.exe 3320 Hjhalefe.exe 5016 Haoimcgg.exe 1300 Hhiajmod.exe 1020 Hjjnae32.exe 1632 Hpdfnolo.exe 1164 Hhknpmma.exe 1764 Hnhghcki.exe 840 Hpfcdojl.exe 2612 Ihnkel32.exe 1984 Ijogmdqm.exe 4876 Injcmc32.exe 2736 Iqipio32.exe 2752 Ihphkl32.exe 3788 Igchfiof.exe 4868 Inmpcc32.exe 5064 Ihbdplfi.exe 544 Igedlh32.exe 1660 Ijcahd32.exe 756 Iakiia32.exe 3516 Idieem32.exe 2408 Iggaah32.exe 1936 Ijfnmc32.exe 112 Idkbkl32.exe 4896 Igjngh32.exe 1588 Ijhjcchb.exe 1844 Iqbbpm32.exe 3000 Jdnoplhh.exe 748 Jkhgmf32.exe 2520 Jbaojpgb.exe 4252 Jjmcnbdm.exe 1480 Jbdlop32.exe 1400 Jgadgf32.exe 2344 Jnkldqkc.exe 3360 Jdedak32.exe 1944 Jkomneim.exe 4952 Jjamia32.exe 1760 Jbiejoaj.exe 4372 Jqlefl32.exe 836 Jibmgi32.exe 2688 Jjdjoane.exe 4440 Jbkbpoog.exe 3940 Kqnbkl32.exe 1296 Kdinljnk.exe 3500 Kkcfid32.exe 2728 Knbbep32.exe 3884 Kiggbhda.exe 3252 Kkfcndce.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Knbbep32.exe Kkcfid32.exe File opened for modification C:\Windows\SysWOW64\Nkqkhk32.exe Neccpd32.exe File opened for modification C:\Windows\SysWOW64\Epndknin.exe Emphocjj.exe File opened for modification C:\Windows\SysWOW64\Plkpcfal.exe Peahgl32.exe File opened for modification C:\Windows\SysWOW64\Bklfgo32.exe Bhnikc32.exe File created C:\Windows\SysWOW64\Cglbhhga.exe Cdmfllhn.exe File created C:\Windows\SysWOW64\Bfnikd32.dll Lgbloglj.exe File opened for modification C:\Windows\SysWOW64\Njfagf32.exe Nlcalieg.exe File created C:\Windows\SysWOW64\Abjfai32.dll Adndoe32.exe File opened for modification C:\Windows\SysWOW64\Cnahdi32.exe Ckclhn32.exe File created C:\Windows\SysWOW64\Cocacl32.exe Cleegp32.exe File created C:\Windows\SysWOW64\Hhjhdagb.dll Hblkjo32.exe File created C:\Windows\SysWOW64\Egdagc32.dll Jcanll32.exe File created C:\Windows\SysWOW64\Npiiffqe.exe Nnhmnn32.exe File created C:\Windows\SysWOW64\Kgdkgc32.dll Neccpd32.exe File opened for modification C:\Windows\SysWOW64\Okchnk32.exe Niakfbpa.exe File opened for modification C:\Windows\SysWOW64\Ajbmdn32.exe Aakebqbj.exe File opened for modification C:\Windows\SysWOW64\Iinqbn32.exe Icdheded.exe File opened for modification C:\Windows\SysWOW64\Phfjcf32.exe Pehngkcg.exe File created C:\Windows\SysWOW64\Qdbdcg32.exe Qoelkp32.exe File opened for modification C:\Windows\SysWOW64\Allpejfe.exe Qebhhp32.exe File created C:\Windows\SysWOW64\Lbpflbpa.dll Ojajin32.exe File opened for modification C:\Windows\SysWOW64\Ogjdmbil.exe Opclldhj.exe File created C:\Windows\SysWOW64\Gcnobqph.dll Jkhgmf32.exe File created C:\Windows\SysWOW64\Hmnmgnoh.exe Hkpqkcpd.exe File opened for modification C:\Windows\SysWOW64\Mcecjmkl.exe Mmkkmc32.exe File created C:\Windows\SysWOW64\Hebqnm32.dll Iohejo32.exe File created C:\Windows\SysWOW64\Oeeape32.dll Bgpcliao.exe File created C:\Windows\SysWOW64\Lefioe32.dll Qepkbpak.exe File created C:\Windows\SysWOW64\Poliea32.exe Plmmif32.exe File opened for modification C:\Windows\SysWOW64\Fbjena32.exe Flpmagqi.exe File created C:\Windows\SysWOW64\Jongga32.dll Gfeaopqo.exe File opened for modification C:\Windows\SysWOW64\Bfendmoc.exe Bokehc32.exe File created C:\Windows\SysWOW64\Jcbiffko.dll Kkeldnpi.exe File created C:\Windows\SysWOW64\Lnmkfh32.exe Lgccinoe.exe File opened for modification C:\Windows\SysWOW64\Njmhhefi.exe Nccokk32.exe File created C:\Windows\SysWOW64\Gpbpbecj.exe Glgcbf32.exe File created C:\Windows\SysWOW64\Migmpjdh.dll Jcmdaljn.exe File created C:\Windows\SysWOW64\Fagnlg32.dll Nliaao32.exe File created C:\Windows\SysWOW64\Hmkjpibb.dll Ooejohhq.exe File created C:\Windows\SysWOW64\Plikcm32.dll Bmeandma.exe File created C:\Windows\SysWOW64\Kiggbhda.exe Knbbep32.exe File created C:\Windows\SysWOW64\Bchace32.dll Ljdceo32.exe File opened for modification C:\Windows\SysWOW64\Kdpmbc32.exe Kmieae32.exe File created C:\Windows\SysWOW64\Aoqqpnlk.dll Chiigadc.exe File created C:\Windows\SysWOW64\Qcbhah32.dll Chqogq32.exe File created C:\Windows\SysWOW64\Ppioondd.dll Dfdpad32.exe File opened for modification C:\Windows\SysWOW64\Jbkbpoog.exe Jjdjoane.exe File opened for modification C:\Windows\SysWOW64\Nbnpcj32.exe Mhilfa32.exe File opened for modification C:\Windows\SysWOW64\Cihclh32.exe Cfigpm32.exe File created C:\Windows\SysWOW64\Ghkogl32.dll Mcgiefen.exe File created C:\Windows\SysWOW64\Qfkqjmdg.exe Ppahmb32.exe File opened for modification C:\Windows\SysWOW64\Fikbocki.exe Ffmfchle.exe File created C:\Windows\SysWOW64\Kcpahpmd.exe Kmfhkf32.exe File opened for modification C:\Windows\SysWOW64\Knqepc32.exe Kgflcifg.exe File created C:\Windows\SysWOW64\Gdapai32.dll Gdoihpbk.exe File opened for modification C:\Windows\SysWOW64\Dihlbf32.exe Dfjpfj32.exe File created C:\Windows\SysWOW64\Qjalckog.dll Qdbdcg32.exe File created C:\Windows\SysWOW64\Akccap32.exe Aefjii32.exe File created C:\Windows\SysWOW64\Fipkjb32.exe Ffaong32.exe File opened for modification C:\Windows\SysWOW64\Jnelok32.exe Jdmgfedl.exe File created C:\Windows\SysWOW64\Bohbhmfm.exe Bklfgo32.exe File opened for modification C:\Windows\SysWOW64\Hbhboolf.exe Holfoqcm.exe File created C:\Windows\SysWOW64\Ohiemobf.exe Oaompd32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 14796 13788 WerFault.exe 815 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lekmnajj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adcjop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnlhncgi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgadgf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jibmgi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjohde32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmfhkf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nclikl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eiloco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Felbnn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iipfmggc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbighjdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pakllc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmbjcljl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qoelkp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkaobnio.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbnoiqdq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hiipmhmk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnegbp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phajna32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Allpejfe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfgcakon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmiclo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jphkkpbp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbaojpgb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fikbocki.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcejco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dodjjimm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmkigh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcpcdg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmblagmf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inmpcc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kiggbhda.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmgjia32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oeokal32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ickglm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjlhgaqp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ompfej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akblfj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cihclh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcqjon32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjfnedho.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gikkfqmf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lklbdm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbjena32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbbhqn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffaong32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjdjoane.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgopidgf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lihpif32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccpdoqgd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlfpdh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lqkgbcff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhknpmma.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjmcnbdm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnmmboed.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amqhbe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpaekqhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgiiiidd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnfpinmi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfaemp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plmmif32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hibjli32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mchppmij.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kcpahpmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecalcl32.dll" Alelqb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hidgai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpjqcaao.dll" Epikpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkdgfllg.dll" Bhnikc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akcoajfm.dll" Hlpfhe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkdoio32.dll" Iibccgep.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jdnoplhh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kcejco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cdpcal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fphppfgi.dll" Kbpkkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flakaffp.dll" Fpjcgm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klinjgke.dll" Akamff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Acmobchj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkbndlfi.dll" Ckfphc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oanjomjp.dll" Naecop32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cnahdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjqlnnkp.dll" Emhkdmlg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gejopl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eehmok32.dll" Qfkqjmdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kecabifp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mepfiq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eiloco32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mqfpckhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfokdq32.dll" Hnodaecc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnpban32.dll" Kqbkfkal.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mjcngpjh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kmdlffhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdencf32.dll" Napjdpcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogacbllg.dll" Pdfehh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cnhgjaml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dddllkbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gfmojenc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlbdab32.dll" Lmbhgd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bhcjqinf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibknda32.dll" Bohbhmfm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bohbhmfm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lmbhgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emihhjna.dll" Oloahhki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eicedn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmokmkpo.dll" Kjhloj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eklikcef.dll" Gflhoo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egdagc32.dll" Jcanll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjojj32.dll" Nflkbanj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gaamlecg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hgghjjid.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jnkldqkc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qhkdof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkccgodj.dll" Fechomko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jefjbddd.dll" Jiiicf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pfoann32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlohlk32.dll" Aaoaic32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lqkgbcff.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ljfhqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Baadiiif.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ddjmba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jiiicf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghkogl32.dll" Mcgiefen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqknpl32.dll" Hbhboolf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdpjda32.dll" Kbbhqn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fccfel32.dll" Ccdnjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmheim32.dll" Ffmfchle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bnlhncgi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpcqcp32.dll" Ggpbjkpl.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4748 wrote to memory of 2724 4748 2daded13a8e1fb836447bfd182fd917080f4ec1f6e3d0dbb07f0b8c11d8f139d.exe 83 PID 4748 wrote to memory of 2724 4748 2daded13a8e1fb836447bfd182fd917080f4ec1f6e3d0dbb07f0b8c11d8f139d.exe 83 PID 4748 wrote to memory of 2724 4748 2daded13a8e1fb836447bfd182fd917080f4ec1f6e3d0dbb07f0b8c11d8f139d.exe 83 PID 2724 wrote to memory of 2832 2724 Gaamlecg.exe 84 PID 2724 wrote to memory of 2832 2724 Gaamlecg.exe 84 PID 2724 wrote to memory of 2832 2724 Gaamlecg.exe 84 PID 2832 wrote to memory of 216 2832 Gdoihpbk.exe 85 PID 2832 wrote to memory of 216 2832 Gdoihpbk.exe 85 PID 2832 wrote to memory of 216 2832 Gdoihpbk.exe 85 PID 216 wrote to memory of 2548 216 Gkiaej32.exe 86 PID 216 wrote to memory of 2548 216 Gkiaej32.exe 86 PID 216 wrote to memory of 2548 216 Gkiaej32.exe 86 PID 2548 wrote to memory of 3816 2548 Gacjadad.exe 87 PID 2548 wrote to memory of 3816 2548 Gacjadad.exe 87 PID 2548 wrote to memory of 3816 2548 Gacjadad.exe 87 PID 3816 wrote to memory of 2384 3816 Gdafnpqh.exe 89 PID 3816 wrote to memory of 2384 3816 Gdafnpqh.exe 89 PID 3816 wrote to memory of 2384 3816 Gdafnpqh.exe 89 PID 2384 wrote to memory of 3132 2384 Ggpbjkpl.exe 90 PID 2384 wrote to memory of 3132 2384 Ggpbjkpl.exe 90 PID 2384 wrote to memory of 3132 2384 Ggpbjkpl.exe 90 PID 3132 wrote to memory of 1812 3132 Ginnfgop.exe 91 PID 3132 wrote to memory of 1812 3132 Ginnfgop.exe 91 PID 3132 wrote to memory of 1812 3132 Ginnfgop.exe 91 PID 1812 wrote to memory of 5036 1812 Gphgbafl.exe 92 PID 1812 wrote to memory of 5036 1812 Gphgbafl.exe 92 PID 1812 wrote to memory of 5036 1812 Gphgbafl.exe 92 PID 5036 wrote to memory of 312 5036 Ggbook32.exe 93 PID 5036 wrote to memory of 312 5036 Ggbook32.exe 93 PID 5036 wrote to memory of 312 5036 Ggbook32.exe 93 PID 312 wrote to memory of 3556 312 Gnlgleef.exe 94 PID 312 wrote to memory of 3556 312 Gnlgleef.exe 94 PID 312 wrote to memory of 3556 312 Gnlgleef.exe 94 PID 3556 wrote to memory of 2332 3556 Gdfoio32.exe 96 PID 3556 wrote to memory of 2332 3556 Gdfoio32.exe 96 PID 3556 wrote to memory of 2332 3556 Gdfoio32.exe 96 PID 2332 wrote to memory of 3384 2332 Hkpheidp.exe 97 PID 2332 wrote to memory of 3384 2332 Hkpheidp.exe 97 PID 2332 wrote to memory of 3384 2332 Hkpheidp.exe 97 PID 3384 wrote to memory of 1736 3384 Hnodaecc.exe 98 PID 3384 wrote to memory of 1736 3384 Hnodaecc.exe 98 PID 3384 wrote to memory of 1736 3384 Hnodaecc.exe 98 PID 1736 wrote to memory of 2692 1736 Hdilnojp.exe 99 PID 1736 wrote to memory of 2692 1736 Hdilnojp.exe 99 PID 1736 wrote to memory of 2692 1736 Hdilnojp.exe 99 PID 2692 wrote to memory of 4956 2692 Hgghjjid.exe 101 PID 2692 wrote to memory of 4956 2692 Hgghjjid.exe 101 PID 2692 wrote to memory of 4956 2692 Hgghjjid.exe 101 PID 4956 wrote to memory of 3568 4956 Hammhcij.exe 102 PID 4956 wrote to memory of 3568 4956 Hammhcij.exe 102 PID 4956 wrote to memory of 3568 4956 Hammhcij.exe 102 PID 3568 wrote to memory of 3320 3568 Hdkidohn.exe 103 PID 3568 wrote to memory of 3320 3568 Hdkidohn.exe 103 PID 3568 wrote to memory of 3320 3568 Hdkidohn.exe 103 PID 3320 wrote to memory of 5016 3320 Hjhalefe.exe 104 PID 3320 wrote to memory of 5016 3320 Hjhalefe.exe 104 PID 3320 wrote to memory of 5016 3320 Hjhalefe.exe 104 PID 5016 wrote to memory of 1300 5016 Haoimcgg.exe 105 PID 5016 wrote to memory of 1300 5016 Haoimcgg.exe 105 PID 5016 wrote to memory of 1300 5016 Haoimcgg.exe 105 PID 1300 wrote to memory of 1020 1300 Hhiajmod.exe 106 PID 1300 wrote to memory of 1020 1300 Hhiajmod.exe 106 PID 1300 wrote to memory of 1020 1300 Hhiajmod.exe 106 PID 1020 wrote to memory of 1632 1020 Hjjnae32.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\2daded13a8e1fb836447bfd182fd917080f4ec1f6e3d0dbb07f0b8c11d8f139d.exe"C:\Users\Admin\AppData\Local\Temp\2daded13a8e1fb836447bfd182fd917080f4ec1f6e3d0dbb07f0b8c11d8f139d.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:4748 -
C:\Windows\SysWOW64\Gaamlecg.exeC:\Windows\system32\Gaamlecg.exe2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2724 -
C:\Windows\SysWOW64\Gdoihpbk.exeC:\Windows\system32\Gdoihpbk.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2832 -
C:\Windows\SysWOW64\Gkiaej32.exeC:\Windows\system32\Gkiaej32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:216 -
C:\Windows\SysWOW64\Gacjadad.exeC:\Windows\system32\Gacjadad.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2548 -
C:\Windows\SysWOW64\Gdafnpqh.exeC:\Windows\system32\Gdafnpqh.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3816 -
C:\Windows\SysWOW64\Ggpbjkpl.exeC:\Windows\system32\Ggpbjkpl.exe7⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2384 -
C:\Windows\SysWOW64\Ginnfgop.exeC:\Windows\system32\Ginnfgop.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3132 -
C:\Windows\SysWOW64\Gphgbafl.exeC:\Windows\system32\Gphgbafl.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1812 -
C:\Windows\SysWOW64\Ggbook32.exeC:\Windows\system32\Ggbook32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5036 -
C:\Windows\SysWOW64\Gnlgleef.exeC:\Windows\system32\Gnlgleef.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:312 -
C:\Windows\SysWOW64\Gdfoio32.exeC:\Windows\system32\Gdfoio32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3556 -
C:\Windows\SysWOW64\Hkpheidp.exeC:\Windows\system32\Hkpheidp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2332 -
C:\Windows\SysWOW64\Hnodaecc.exeC:\Windows\system32\Hnodaecc.exe14⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3384 -
C:\Windows\SysWOW64\Hdilnojp.exeC:\Windows\system32\Hdilnojp.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1736 -
C:\Windows\SysWOW64\Hgghjjid.exeC:\Windows\system32\Hgghjjid.exe16⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\Windows\SysWOW64\Hammhcij.exeC:\Windows\system32\Hammhcij.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4956 -
C:\Windows\SysWOW64\Hdkidohn.exeC:\Windows\system32\Hdkidohn.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3568 -
C:\Windows\SysWOW64\Hjhalefe.exeC:\Windows\system32\Hjhalefe.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3320 -
C:\Windows\SysWOW64\Haoimcgg.exeC:\Windows\system32\Haoimcgg.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5016 -
C:\Windows\SysWOW64\Hhiajmod.exeC:\Windows\system32\Hhiajmod.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1300 -
C:\Windows\SysWOW64\Hjjnae32.exeC:\Windows\system32\Hjjnae32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1020 -
C:\Windows\SysWOW64\Hpdfnolo.exeC:\Windows\system32\Hpdfnolo.exe23⤵
- Executes dropped EXE
PID:1632 -
C:\Windows\SysWOW64\Hhknpmma.exeC:\Windows\system32\Hhknpmma.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1164 -
C:\Windows\SysWOW64\Hnhghcki.exeC:\Windows\system32\Hnhghcki.exe25⤵
- Executes dropped EXE
PID:1764 -
C:\Windows\SysWOW64\Hpfcdojl.exeC:\Windows\system32\Hpfcdojl.exe26⤵
- Executes dropped EXE
PID:840 -
C:\Windows\SysWOW64\Ihnkel32.exeC:\Windows\system32\Ihnkel32.exe27⤵
- Executes dropped EXE
PID:2612 -
C:\Windows\SysWOW64\Ijogmdqm.exeC:\Windows\system32\Ijogmdqm.exe28⤵
- Executes dropped EXE
PID:1984 -
C:\Windows\SysWOW64\Injcmc32.exeC:\Windows\system32\Injcmc32.exe29⤵
- Executes dropped EXE
PID:4876 -
C:\Windows\SysWOW64\Iqipio32.exeC:\Windows\system32\Iqipio32.exe30⤵
- Executes dropped EXE
PID:2736 -
C:\Windows\SysWOW64\Ihphkl32.exeC:\Windows\system32\Ihphkl32.exe31⤵
- Executes dropped EXE
PID:2752 -
C:\Windows\SysWOW64\Igchfiof.exeC:\Windows\system32\Igchfiof.exe32⤵
- Executes dropped EXE
PID:3788 -
C:\Windows\SysWOW64\Inmpcc32.exeC:\Windows\system32\Inmpcc32.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4868 -
C:\Windows\SysWOW64\Ihbdplfi.exeC:\Windows\system32\Ihbdplfi.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5064 -
C:\Windows\SysWOW64\Igedlh32.exeC:\Windows\system32\Igedlh32.exe35⤵
- Executes dropped EXE
PID:544 -
C:\Windows\SysWOW64\Ijcahd32.exeC:\Windows\system32\Ijcahd32.exe36⤵
- Executes dropped EXE
PID:1660 -
C:\Windows\SysWOW64\Iakiia32.exeC:\Windows\system32\Iakiia32.exe37⤵
- Executes dropped EXE
PID:756 -
C:\Windows\SysWOW64\Idieem32.exeC:\Windows\system32\Idieem32.exe38⤵
- Executes dropped EXE
PID:3516 -
C:\Windows\SysWOW64\Iggaah32.exeC:\Windows\system32\Iggaah32.exe39⤵
- Executes dropped EXE
PID:2408 -
C:\Windows\SysWOW64\Ijfnmc32.exeC:\Windows\system32\Ijfnmc32.exe40⤵
- Executes dropped EXE
PID:1936 -
C:\Windows\SysWOW64\Idkbkl32.exeC:\Windows\system32\Idkbkl32.exe41⤵
- Executes dropped EXE
PID:112 -
C:\Windows\SysWOW64\Igjngh32.exeC:\Windows\system32\Igjngh32.exe42⤵
- Executes dropped EXE
PID:4896 -
C:\Windows\SysWOW64\Ijhjcchb.exeC:\Windows\system32\Ijhjcchb.exe43⤵
- Executes dropped EXE
PID:1588 -
C:\Windows\SysWOW64\Iqbbpm32.exeC:\Windows\system32\Iqbbpm32.exe44⤵
- Executes dropped EXE
PID:1844 -
C:\Windows\SysWOW64\Jdnoplhh.exeC:\Windows\system32\Jdnoplhh.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:3000 -
C:\Windows\SysWOW64\Jkhgmf32.exeC:\Windows\system32\Jkhgmf32.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:748 -
C:\Windows\SysWOW64\Jbaojpgb.exeC:\Windows\system32\Jbaojpgb.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2520 -
C:\Windows\SysWOW64\Jjmcnbdm.exeC:\Windows\system32\Jjmcnbdm.exe48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4252 -
C:\Windows\SysWOW64\Jbdlop32.exeC:\Windows\system32\Jbdlop32.exe49⤵
- Executes dropped EXE
PID:1480 -
C:\Windows\SysWOW64\Jgadgf32.exeC:\Windows\system32\Jgadgf32.exe50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1400 -
C:\Windows\SysWOW64\Jnkldqkc.exeC:\Windows\system32\Jnkldqkc.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:2344 -
C:\Windows\SysWOW64\Jdedak32.exeC:\Windows\system32\Jdedak32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3360 -
C:\Windows\SysWOW64\Jkomneim.exeC:\Windows\system32\Jkomneim.exe53⤵
- Executes dropped EXE
PID:1944 -
C:\Windows\SysWOW64\Jjamia32.exeC:\Windows\system32\Jjamia32.exe54⤵
- Executes dropped EXE
PID:4952 -
C:\Windows\SysWOW64\Jbiejoaj.exeC:\Windows\system32\Jbiejoaj.exe55⤵
- Executes dropped EXE
PID:1760 -
C:\Windows\SysWOW64\Jqlefl32.exeC:\Windows\system32\Jqlefl32.exe56⤵
- Executes dropped EXE
PID:4372 -
C:\Windows\SysWOW64\Jibmgi32.exeC:\Windows\system32\Jibmgi32.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:836 -
C:\Windows\SysWOW64\Jjdjoane.exeC:\Windows\system32\Jjdjoane.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2688 -
C:\Windows\SysWOW64\Jbkbpoog.exeC:\Windows\system32\Jbkbpoog.exe59⤵
- Executes dropped EXE
PID:4440 -
C:\Windows\SysWOW64\Kqnbkl32.exeC:\Windows\system32\Kqnbkl32.exe60⤵
- Executes dropped EXE
PID:3940 -
C:\Windows\SysWOW64\Kdinljnk.exeC:\Windows\system32\Kdinljnk.exe61⤵
- Executes dropped EXE
PID:1296 -
C:\Windows\SysWOW64\Kkcfid32.exeC:\Windows\system32\Kkcfid32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3500 -
C:\Windows\SysWOW64\Knbbep32.exeC:\Windows\system32\Knbbep32.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2728 -
C:\Windows\SysWOW64\Kiggbhda.exeC:\Windows\system32\Kiggbhda.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3884 -
C:\Windows\SysWOW64\Kkfcndce.exeC:\Windows\system32\Kkfcndce.exe65⤵
- Executes dropped EXE
PID:3252 -
C:\Windows\SysWOW64\Kbpkkn32.exeC:\Windows\system32\Kbpkkn32.exe66⤵
- Modifies registry class
PID:3524 -
C:\Windows\SysWOW64\Kqbkfkal.exeC:\Windows\system32\Kqbkfkal.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3164 -
C:\Windows\SysWOW64\Kkhpdcab.exeC:\Windows\system32\Kkhpdcab.exe68⤵PID:5028
-
C:\Windows\SysWOW64\Kbbhqn32.exeC:\Windows\system32\Kbbhqn32.exe69⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:456 -
C:\Windows\SysWOW64\Keqdmihc.exeC:\Windows\system32\Keqdmihc.exe70⤵PID:3628
-
C:\Windows\SysWOW64\Kgopidgf.exeC:\Windows\system32\Kgopidgf.exe71⤵
- System Location Discovery: System Language Discovery
PID:1284 -
C:\Windows\SysWOW64\Kniieo32.exeC:\Windows\system32\Kniieo32.exe72⤵PID:2052
-
C:\Windows\SysWOW64\Kecabifp.exeC:\Windows\system32\Kecabifp.exe73⤵
- Modifies registry class
PID:3272 -
C:\Windows\SysWOW64\Kjpijpdg.exeC:\Windows\system32\Kjpijpdg.exe74⤵PID:4796
-
C:\Windows\SysWOW64\Lajagj32.exeC:\Windows\system32\Lajagj32.exe75⤵PID:4116
-
C:\Windows\SysWOW64\Ljbfpo32.exeC:\Windows\system32\Ljbfpo32.exe76⤵PID:3916
-
C:\Windows\SysWOW64\Lbinam32.exeC:\Windows\system32\Lbinam32.exe77⤵PID:4456
-
C:\Windows\SysWOW64\Lalnmiia.exeC:\Windows\system32\Lalnmiia.exe78⤵PID:1548
-
C:\Windows\SysWOW64\Ljdceo32.exeC:\Windows\system32\Ljdceo32.exe79⤵
- Drops file in System32 directory
PID:1688 -
C:\Windows\SysWOW64\Lankbigo.exeC:\Windows\system32\Lankbigo.exe80⤵PID:3260
-
C:\Windows\SysWOW64\Lieccf32.exeC:\Windows\system32\Lieccf32.exe81⤵PID:2696
-
C:\Windows\SysWOW64\Ljgpkonp.exeC:\Windows\system32\Ljgpkonp.exe82⤵PID:2112
-
C:\Windows\SysWOW64\Lihpif32.exeC:\Windows\system32\Lihpif32.exe83⤵
- System Location Discovery: System Language Discovery
PID:2252 -
C:\Windows\SysWOW64\Lbpdblmo.exeC:\Windows\system32\Lbpdblmo.exe84⤵PID:4400
-
C:\Windows\SysWOW64\Leopnglc.exeC:\Windows\system32\Leopnglc.exe85⤵PID:2288
-
C:\Windows\SysWOW64\Mbbagk32.exeC:\Windows\system32\Mbbagk32.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:412 -
C:\Windows\SysWOW64\Meamcg32.exeC:\Windows\system32\Meamcg32.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:404 -
C:\Windows\SysWOW64\Mniallpq.exeC:\Windows\system32\Mniallpq.exe88⤵PID:1364
-
C:\Windows\SysWOW64\Mlmbfqoj.exeC:\Windows\system32\Mlmbfqoj.exe89⤵PID:3652
-
C:\Windows\SysWOW64\Majjng32.exeC:\Windows\system32\Majjng32.exe90⤵PID:4108
-
C:\Windows\SysWOW64\Mjbogmdb.exeC:\Windows\system32\Mjbogmdb.exe91⤵PID:4668
-
C:\Windows\SysWOW64\Mbighjdd.exeC:\Windows\system32\Mbighjdd.exe92⤵
- System Location Discovery: System Language Discovery
PID:5000 -
C:\Windows\SysWOW64\Malgcg32.exeC:\Windows\system32\Malgcg32.exe93⤵PID:4160
-
C:\Windows\SysWOW64\Mhfppabl.exeC:\Windows\system32\Mhfppabl.exe94⤵PID:4292
-
C:\Windows\SysWOW64\Mnphmkji.exeC:\Windows\system32\Mnphmkji.exe95⤵PID:1980
-
C:\Windows\SysWOW64\Mifljdjo.exeC:\Windows\system32\Mifljdjo.exe96⤵PID:3052
-
C:\Windows\SysWOW64\Mhilfa32.exeC:\Windows\system32\Mhilfa32.exe97⤵
- Drops file in System32 directory
PID:3536 -
C:\Windows\SysWOW64\Nbnpcj32.exeC:\Windows\system32\Nbnpcj32.exe98⤵PID:1832
-
C:\Windows\SysWOW64\Nlfelogp.exeC:\Windows\system32\Nlfelogp.exe99⤵PID:2128
-
C:\Windows\SysWOW64\Nacmdf32.exeC:\Windows\system32\Nacmdf32.exe100⤵PID:4888
-
C:\Windows\SysWOW64\Nliaao32.exeC:\Windows\system32\Nliaao32.exe101⤵
- Drops file in System32 directory
PID:636 -
C:\Windows\SysWOW64\Nafjjf32.exeC:\Windows\system32\Nafjjf32.exe102⤵PID:5092
-
C:\Windows\SysWOW64\Nhpbfpka.exeC:\Windows\system32\Nhpbfpka.exe103⤵PID:4676
-
C:\Windows\SysWOW64\Nknobkje.exeC:\Windows\system32\Nknobkje.exe104⤵PID:2504
-
C:\Windows\SysWOW64\Nahgoe32.exeC:\Windows\system32\Nahgoe32.exe105⤵PID:1464
-
C:\Windows\SysWOW64\Neccpd32.exeC:\Windows\system32\Neccpd32.exe106⤵
- Drops file in System32 directory
PID:5140 -
C:\Windows\SysWOW64\Nkqkhk32.exeC:\Windows\system32\Nkqkhk32.exe107⤵PID:5184
-
C:\Windows\SysWOW64\Nefped32.exeC:\Windows\system32\Nefped32.exe108⤵PID:5228
-
C:\Windows\SysWOW64\Niakfbpa.exeC:\Windows\system32\Niakfbpa.exe109⤵
- Drops file in System32 directory
PID:5272 -
C:\Windows\SysWOW64\Okchnk32.exeC:\Windows\system32\Okchnk32.exe110⤵PID:5316
-
C:\Windows\SysWOW64\Oehlkc32.exeC:\Windows\system32\Oehlkc32.exe111⤵PID:5356
-
C:\Windows\SysWOW64\Oaompd32.exeC:\Windows\system32\Oaompd32.exe112⤵
- Drops file in System32 directory
PID:5400 -
C:\Windows\SysWOW64\Ohiemobf.exeC:\Windows\system32\Ohiemobf.exe113⤵PID:5444
-
C:\Windows\SysWOW64\Okgaijaj.exeC:\Windows\system32\Okgaijaj.exe114⤵PID:5488
-
C:\Windows\SysWOW64\Oemefcap.exeC:\Windows\system32\Oemefcap.exe115⤵PID:5536
-
C:\Windows\SysWOW64\Ooejohhq.exeC:\Windows\system32\Ooejohhq.exe116⤵
- Drops file in System32 directory
PID:5580 -
C:\Windows\SysWOW64\Ohnohn32.exeC:\Windows\system32\Ohnohn32.exe117⤵PID:5624
-
C:\Windows\SysWOW64\Obcceg32.exeC:\Windows\system32\Obcceg32.exe118⤵PID:5664
-
C:\Windows\SysWOW64\Pkogiikb.exeC:\Windows\system32\Pkogiikb.exe119⤵PID:5708
-
C:\Windows\SysWOW64\Piphgq32.exeC:\Windows\system32\Piphgq32.exe120⤵PID:5752
-
C:\Windows\SysWOW64\Pkadoiip.exeC:\Windows\system32\Pkadoiip.exe121⤵PID:5796
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-