Analysis
-
max time kernel
122s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
13-10-2024 19:15
Behavioral task
behavioral1
Sample
197714bd3ebdcad1b8ac29df3dd7560ce5e3c33605e28ea169741a26321fb70b.exe
Resource
win7-20240903-en
windows7-x64
10 signatures
150 seconds
General
-
Target
197714bd3ebdcad1b8ac29df3dd7560ce5e3c33605e28ea169741a26321fb70b.exe
-
Size
337KB
-
MD5
391b6207f2e124005806c5e30a4a1f03
-
SHA1
0cb403080746af81ab0161abe7ad44891950482f
-
SHA256
197714bd3ebdcad1b8ac29df3dd7560ce5e3c33605e28ea169741a26321fb70b
-
SHA512
8ef6efe454d0823bf429477a5a6a93df576a65e46c917fc96659e2c4ad6172a97c9a005bf58fd8160f82a4f4397de409194514b5ef312f29b2c8182599996e84
-
SSDEEP
3072:SzxiQf0Pxxx/T9ivBgYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:Cx506vB1+fIyG5jZkCwi8r
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Niedqnen.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcbncfjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gqdefddb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojomdoof.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qndkpmkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lgmeid32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Piqpkpml.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ciohqa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Golbnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nlqmmd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qkffng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmmmfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Famope32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfhhjklc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gqlebf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klhemhpk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aqjdgmgd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgdibkam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Knbhlkkc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldllgiek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ibejdjln.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kglehp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aakjdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Alqnah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bqijljfd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnkjnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hdoghdmd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbdmeoob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nameek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Abpcooea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mmadbjkk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Loqmba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkmlmbcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kgfoie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmoofdea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmbfggdo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihhcbf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmmagpef.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mklcadfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lcdfnehp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cacclpae.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fqalaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gneijien.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emagacdm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qcachc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omnipjni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Khabghdl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfbbjpgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pnjofo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fcbecl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbigpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Klngkfge.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fggkcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gceailog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jbqmhnbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Golbnm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlefhcnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bcjcme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hlgimqhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jimbkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ieigfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Daofpchf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eldglp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmlael32.exe -
Executes dropped EXE 64 IoCs
pid Process 2576 Elldgehk.exe 2692 Efdhpjok.exe 2808 Fqlicclo.exe 1144 Fcjeon32.exe 2836 Fmegncpp.exe 2724 Fdpkbf32.exe 2688 Fbdlkj32.exe 2328 Gjpqpl32.exe 2852 Gcheib32.exe 776 Gqlebf32.exe 2412 Gmbfggdo.exe 2044 Gghkdp32.exe 2700 Gildahhp.exe 2064 Gcahoqhf.exe 2364 Hnkion32.exe 1304 Hipmmg32.exe 1456 Hegnahjo.exe 1400 Hhejnc32.exe 1860 Hnpbjnpo.exe 2160 Hanogipc.exe 2308 Hjfcpo32.exe 1800 Hnbopmnm.exe 1744 Hdoghdmd.exe 1968 Hfmddp32.exe 2076 Iabhah32.exe 1572 Idadnd32.exe 2704 Iphecepe.exe 2764 Ifampo32.exe 1084 Ibhndp32.exe 1704 Iegjqk32.exe 2624 Ibkkjp32.exe 2732 Ieigfk32.exe 704 Ihhcbf32.exe 2680 Ioakoq32.exe 976 Jhjphfgi.exe 2860 Jbpdeogo.exe 376 Jkkija32.exe 1148 Jofejpmc.exe 2964 Jnkakl32.exe 2052 Jpjngh32.exe 2224 Jgdfdbhk.exe 1060 Jckgicnp.exe 656 Jkbojpna.exe 1528 Jlckbh32.exe 2312 Kcmcoblm.exe 764 Kfkpknkq.exe 3068 Kjglkm32.exe 2548 Knbhlkkc.exe 2932 Kpadhg32.exe 1076 Kcopdb32.exe 2760 Kfnmpn32.exe 2912 Klhemhpk.exe 1232 Kbdmeoob.exe 2188 Kjleflod.exe 484 Khoebi32.exe 536 Kohnoc32.exe 2896 Kfbfkmeh.exe 1492 Khabghdl.exe 2252 Kbigpn32.exe 1784 Kdhcli32.exe 2572 Kgfoie32.exe 1516 Lnpgeopa.exe 1688 Lqncaj32.exe 696 Lhelbh32.exe -
Loads dropped DLL 64 IoCs
pid Process 2104 197714bd3ebdcad1b8ac29df3dd7560ce5e3c33605e28ea169741a26321fb70b.exe 2104 197714bd3ebdcad1b8ac29df3dd7560ce5e3c33605e28ea169741a26321fb70b.exe 2576 Elldgehk.exe 2576 Elldgehk.exe 2692 Efdhpjok.exe 2692 Efdhpjok.exe 2808 Fqlicclo.exe 2808 Fqlicclo.exe 1144 Fcjeon32.exe 1144 Fcjeon32.exe 2836 Fmegncpp.exe 2836 Fmegncpp.exe 2724 Fdpkbf32.exe 2724 Fdpkbf32.exe 2688 Fbdlkj32.exe 2688 Fbdlkj32.exe 2328 Gjpqpl32.exe 2328 Gjpqpl32.exe 2852 Gcheib32.exe 2852 Gcheib32.exe 776 Gqlebf32.exe 776 Gqlebf32.exe 2412 Gmbfggdo.exe 2412 Gmbfggdo.exe 2044 Gghkdp32.exe 2044 Gghkdp32.exe 2700 Gildahhp.exe 2700 Gildahhp.exe 2064 Gcahoqhf.exe 2064 Gcahoqhf.exe 2364 Hnkion32.exe 2364 Hnkion32.exe 1304 Hipmmg32.exe 1304 Hipmmg32.exe 1456 Hegnahjo.exe 1456 Hegnahjo.exe 1400 Hhejnc32.exe 1400 Hhejnc32.exe 1860 Hnpbjnpo.exe 1860 Hnpbjnpo.exe 2160 Hanogipc.exe 2160 Hanogipc.exe 2308 Hjfcpo32.exe 2308 Hjfcpo32.exe 1800 Hnbopmnm.exe 1800 Hnbopmnm.exe 1744 Hdoghdmd.exe 1744 Hdoghdmd.exe 1968 Hfmddp32.exe 1968 Hfmddp32.exe 2076 Iabhah32.exe 2076 Iabhah32.exe 1572 Idadnd32.exe 1572 Idadnd32.exe 2704 Iphecepe.exe 2704 Iphecepe.exe 2764 Ifampo32.exe 2764 Ifampo32.exe 1084 Ibhndp32.exe 1084 Ibhndp32.exe 1704 Iegjqk32.exe 1704 Iegjqk32.exe 2624 Ibkkjp32.exe 2624 Ibkkjp32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Pdmjki32.dll Eaheeecg.exe File created C:\Windows\SysWOW64\Gcgnnlle.exe Golbnm32.exe File opened for modification C:\Windows\SysWOW64\Kgqocoin.exe Kadfkhkf.exe File opened for modification C:\Windows\SysWOW64\Kpkpadnl.exe Kjahej32.exe File created C:\Windows\SysWOW64\Apqcdckf.dll Pkmlmbcd.exe File created C:\Windows\SysWOW64\Ppcbgkka.exe Okgjodmi.exe File opened for modification C:\Windows\SysWOW64\Pecgea32.exe Pcdkif32.exe File created C:\Windows\SysWOW64\Dldkmlhl.exe Dhiomn32.exe File created C:\Windows\SysWOW64\Mdhpmg32.dll Paiaplin.exe File created C:\Windows\SysWOW64\Qkfocaki.exe Qdlggg32.exe File created C:\Windows\SysWOW64\Ckmcef32.dll Qndkpmkm.exe File opened for modification C:\Windows\SysWOW64\Abpcooea.exe Andgop32.exe File opened for modification C:\Windows\SysWOW64\Hdoghdmd.exe Hnbopmnm.exe File created C:\Windows\SysWOW64\Ojmpooah.exe Ohncbdbd.exe File opened for modification C:\Windows\SysWOW64\Pgcmbcih.exe Phqmgg32.exe File created C:\Windows\SysWOW64\Kongke32.dll Nibqqh32.exe File opened for modification C:\Windows\SysWOW64\Bdcifi32.exe Bmlael32.exe File created C:\Windows\SysWOW64\Lmkcam32.dll Qdojgmfe.exe File created C:\Windows\SysWOW64\Ncehag32.dll Ajgbkbjp.exe File created C:\Windows\SysWOW64\Chdndgcj.dll Locjhqpa.exe File created C:\Windows\SysWOW64\Pfapejnp.dll Pomhcg32.exe File created C:\Windows\SysWOW64\Cacclpae.exe Cjjkpe32.exe File opened for modification C:\Windows\SysWOW64\Nhgnaehm.exe Nameek32.exe File opened for modification C:\Windows\SysWOW64\Ljkaeo32.exe Lgmeid32.exe File created C:\Windows\SysWOW64\Aaogad32.dll Ndkhngdd.exe File created C:\Windows\SysWOW64\Nnoiph32.dll Okpcoe32.exe File created C:\Windows\SysWOW64\Aihfap32.exe Afjjed32.exe File created C:\Windows\SysWOW64\Dajjmhne.dll Baojapfj.exe File opened for modification C:\Windows\SysWOW64\Cfpldf32.exe Ccbphk32.exe File created C:\Windows\SysWOW64\Jdpkmjnb.dll Bqijljfd.exe File opened for modification C:\Windows\SysWOW64\Niebgj32.dll Cnmfdb32.exe File created C:\Windows\SysWOW64\Hdoghdmd.exe Hnbopmnm.exe File created C:\Windows\SysWOW64\Kjnmgq32.dll Lkdhoc32.exe File created C:\Windows\SysWOW64\Acnckp32.dll Aqhhanig.exe File created C:\Windows\SysWOW64\Andgop32.exe Agjobffl.exe File created C:\Windows\SysWOW64\Ibfmbhnd.dll Jnkakl32.exe File created C:\Windows\SysWOW64\Ogiaif32.exe Odjdmjgo.exe File opened for modification C:\Windows\SysWOW64\Mqbbagjo.exe Mikjpiim.exe File created C:\Windows\SysWOW64\Bglbcj32.dll Gifclb32.exe File opened for modification C:\Windows\SysWOW64\Gqahqd32.exe Gncldi32.exe File created C:\Windows\SysWOW64\Jefpeh32.exe Jlnklcej.exe File created C:\Windows\SysWOW64\Abpcooea.exe Andgop32.exe File opened for modification C:\Windows\SysWOW64\Cnimiblo.exe Cgoelh32.exe File created C:\Windows\SysWOW64\Jinafidh.dll Nbbbdcgi.exe File opened for modification C:\Windows\SysWOW64\Ohhmcinf.exe Omcifpnp.exe File created C:\Windows\SysWOW64\Palkkl32.dll Anjlebjc.exe File opened for modification C:\Windows\SysWOW64\Omnipjni.exe Ojomdoof.exe File opened for modification C:\Windows\SysWOW64\Pgfjhcge.exe Pdgmlhha.exe File created C:\Windows\SysWOW64\Hbocphim.dll Cnkjnb32.exe File created C:\Windows\SysWOW64\Noafdi32.dll Khoebi32.exe File opened for modification C:\Windows\SysWOW64\Fdkklp32.exe Famope32.exe File created C:\Windows\SysWOW64\Locjhqpa.exe Lldmleam.exe File opened for modification C:\Windows\SysWOW64\Fcphnm32.exe Fqalaa32.exe File created C:\Windows\SysWOW64\Olnldn32.dll Hemqpf32.exe File created C:\Windows\SysWOW64\Ijqoilii.exe Idgglb32.exe File created C:\Windows\SysWOW64\Ompefj32.exe Oeindm32.exe File opened for modification C:\Windows\SysWOW64\Qjklenpa.exe Qcachc32.exe File opened for modification C:\Windows\SysWOW64\Lfbbjpgd.exe Lcdfnehp.exe File created C:\Windows\SysWOW64\Eemngplg.dll Ohcdhi32.exe File opened for modification C:\Windows\SysWOW64\Fqalaa32.exe Fncpef32.exe File created C:\Windows\SysWOW64\Mcjdhh32.dll Fkecij32.exe File created C:\Windows\SysWOW64\Cpqhdl32.dll Hgpjhn32.exe File created C:\Windows\SysWOW64\Hcenjk32.dll Jpgjgboe.exe File opened for modification C:\Windows\SysWOW64\Mqklqhpg.exe Mnmpdlac.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5864 5800 WerFault.exe 526 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmjnak32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Maefamlh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgibnj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bflbigdb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cblfdg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjcppidk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgnbnpkp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkkija32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kohnoc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhelbh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nijnln32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pilfpqaa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iefcfe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oalhqohl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogiaif32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Palepb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Deollamj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mikjpiim.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdqlajbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cinafkkd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aflfjc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alqnah32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fqlicclo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hipmmg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpmbfbgo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omklkkpl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apedah32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkbaii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfphcj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dahifbpk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfhgpg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfcjdkpg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmhnkfpa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjglkm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dicnkdnf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcigco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jampjian.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljddjj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abpcooea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boogmgkl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gqlebf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aqjdgmgd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmdjkhdh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Clbnhmjo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbfook32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oeindm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgllgedi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcphnm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Paknelgk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdpjba32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdiefffn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efdhpjok.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hegnahjo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppkhhjei.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dphmloih.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enlidg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgpjhn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llgjaeoj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Liqoflfh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkpjnkig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oemgplgo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkbojpna.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgfoie32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgmahg32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Niebgj32.dll" Cnmfdb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cfcijf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dicnkdnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qqfkbadh.dll" Llgjaeoj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nlefhcnc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cgoelh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hnpbjnpo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lhelbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkmcmbma.dll" Ljieppcb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mnbpjb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Amaelomh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Amfognic.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fpmbfbgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgohil32.dll" Idadnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pefqie32.dll" Dicnkdnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hmmbqegc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Obokcqhk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bigkel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lonpma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mnomjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Boljgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmblckok.dll" Hnpbjnpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fcbecl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fhomkcoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hmalldcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kadfkhkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pljcllqe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkiolmdc.dll" Fcbecl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pgcmbcih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfcgie32.dll" Bgllgedi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pkjphcff.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cchbgi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gjpqpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dhiomn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaiioe32.dll" Eclbcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Golbnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpeqncja.dll" Hebnlb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hnkion32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciajik32.dll" Hanogipc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mccbmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dbncjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qppkfhlc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Odjdmjgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pcdkif32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bnqned32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hcigco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khdecggq.dll" Nhlgmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmdcjbei.dll" Fdkklp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jmdepg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kddomchg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ljddjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chdndgcj.dll" Locjhqpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiapeffl.dll" Oadkej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kbdmeoob.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mjnjjbbh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oimeai32.dll" Dbncjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ljfapjbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mjcaimgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpomfdnk.dll" Jlckbh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nfghdcfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Anneqafn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codfplej.dll" Jikeeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fagina32.dll" Jlnklcej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfblih32.dll" Opnbbe32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2104 wrote to memory of 2576 2104 197714bd3ebdcad1b8ac29df3dd7560ce5e3c33605e28ea169741a26321fb70b.exe 30 PID 2104 wrote to memory of 2576 2104 197714bd3ebdcad1b8ac29df3dd7560ce5e3c33605e28ea169741a26321fb70b.exe 30 PID 2104 wrote to memory of 2576 2104 197714bd3ebdcad1b8ac29df3dd7560ce5e3c33605e28ea169741a26321fb70b.exe 30 PID 2104 wrote to memory of 2576 2104 197714bd3ebdcad1b8ac29df3dd7560ce5e3c33605e28ea169741a26321fb70b.exe 30 PID 2576 wrote to memory of 2692 2576 Elldgehk.exe 31 PID 2576 wrote to memory of 2692 2576 Elldgehk.exe 31 PID 2576 wrote to memory of 2692 2576 Elldgehk.exe 31 PID 2576 wrote to memory of 2692 2576 Elldgehk.exe 31 PID 2692 wrote to memory of 2808 2692 Efdhpjok.exe 32 PID 2692 wrote to memory of 2808 2692 Efdhpjok.exe 32 PID 2692 wrote to memory of 2808 2692 Efdhpjok.exe 32 PID 2692 wrote to memory of 2808 2692 Efdhpjok.exe 32 PID 2808 wrote to memory of 1144 2808 Fqlicclo.exe 33 PID 2808 wrote to memory of 1144 2808 Fqlicclo.exe 33 PID 2808 wrote to memory of 1144 2808 Fqlicclo.exe 33 PID 2808 wrote to memory of 1144 2808 Fqlicclo.exe 33 PID 1144 wrote to memory of 2836 1144 Fcjeon32.exe 34 PID 1144 wrote to memory of 2836 1144 Fcjeon32.exe 34 PID 1144 wrote to memory of 2836 1144 Fcjeon32.exe 34 PID 1144 wrote to memory of 2836 1144 Fcjeon32.exe 34 PID 2836 wrote to memory of 2724 2836 Fmegncpp.exe 35 PID 2836 wrote to memory of 2724 2836 Fmegncpp.exe 35 PID 2836 wrote to memory of 2724 2836 Fmegncpp.exe 35 PID 2836 wrote to memory of 2724 2836 Fmegncpp.exe 35 PID 2724 wrote to memory of 2688 2724 Fdpkbf32.exe 36 PID 2724 wrote to memory of 2688 2724 Fdpkbf32.exe 36 PID 2724 wrote to memory of 2688 2724 Fdpkbf32.exe 36 PID 2724 wrote to memory of 2688 2724 Fdpkbf32.exe 36 PID 2688 wrote to memory of 2328 2688 Fbdlkj32.exe 37 PID 2688 wrote to memory of 2328 2688 Fbdlkj32.exe 37 PID 2688 wrote to memory of 2328 2688 Fbdlkj32.exe 37 PID 2688 wrote to memory of 2328 2688 Fbdlkj32.exe 37 PID 2328 wrote to memory of 2852 2328 Gjpqpl32.exe 38 PID 2328 wrote to memory of 2852 2328 Gjpqpl32.exe 38 PID 2328 wrote to memory of 2852 2328 Gjpqpl32.exe 38 PID 2328 wrote to memory of 2852 2328 Gjpqpl32.exe 38 PID 2852 wrote to memory of 776 2852 Gcheib32.exe 39 PID 2852 wrote to memory of 776 2852 Gcheib32.exe 39 PID 2852 wrote to memory of 776 2852 Gcheib32.exe 39 PID 2852 wrote to memory of 776 2852 Gcheib32.exe 39 PID 776 wrote to memory of 2412 776 Gqlebf32.exe 40 PID 776 wrote to memory of 2412 776 Gqlebf32.exe 40 PID 776 wrote to memory of 2412 776 Gqlebf32.exe 40 PID 776 wrote to memory of 2412 776 Gqlebf32.exe 40 PID 2412 wrote to memory of 2044 2412 Gmbfggdo.exe 41 PID 2412 wrote to memory of 2044 2412 Gmbfggdo.exe 41 PID 2412 wrote to memory of 2044 2412 Gmbfggdo.exe 41 PID 2412 wrote to memory of 2044 2412 Gmbfggdo.exe 41 PID 2044 wrote to memory of 2700 2044 Gghkdp32.exe 42 PID 2044 wrote to memory of 2700 2044 Gghkdp32.exe 42 PID 2044 wrote to memory of 2700 2044 Gghkdp32.exe 42 PID 2044 wrote to memory of 2700 2044 Gghkdp32.exe 42 PID 2700 wrote to memory of 2064 2700 Gildahhp.exe 43 PID 2700 wrote to memory of 2064 2700 Gildahhp.exe 43 PID 2700 wrote to memory of 2064 2700 Gildahhp.exe 43 PID 2700 wrote to memory of 2064 2700 Gildahhp.exe 43 PID 2064 wrote to memory of 2364 2064 Gcahoqhf.exe 44 PID 2064 wrote to memory of 2364 2064 Gcahoqhf.exe 44 PID 2064 wrote to memory of 2364 2064 Gcahoqhf.exe 44 PID 2064 wrote to memory of 2364 2064 Gcahoqhf.exe 44 PID 2364 wrote to memory of 1304 2364 Hnkion32.exe 45 PID 2364 wrote to memory of 1304 2364 Hnkion32.exe 45 PID 2364 wrote to memory of 1304 2364 Hnkion32.exe 45 PID 2364 wrote to memory of 1304 2364 Hnkion32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\197714bd3ebdcad1b8ac29df3dd7560ce5e3c33605e28ea169741a26321fb70b.exe"C:\Users\Admin\AppData\Local\Temp\197714bd3ebdcad1b8ac29df3dd7560ce5e3c33605e28ea169741a26321fb70b.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2104 -
C:\Windows\SysWOW64\Elldgehk.exeC:\Windows\system32\Elldgehk.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2576 -
C:\Windows\SysWOW64\Efdhpjok.exeC:\Windows\system32\Efdhpjok.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\Windows\SysWOW64\Fqlicclo.exeC:\Windows\system32\Fqlicclo.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2808 -
C:\Windows\SysWOW64\Fcjeon32.exeC:\Windows\system32\Fcjeon32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1144 -
C:\Windows\SysWOW64\Fmegncpp.exeC:\Windows\system32\Fmegncpp.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2836 -
C:\Windows\SysWOW64\Fdpkbf32.exeC:\Windows\system32\Fdpkbf32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2724 -
C:\Windows\SysWOW64\Fbdlkj32.exeC:\Windows\system32\Fbdlkj32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2688 -
C:\Windows\SysWOW64\Gjpqpl32.exeC:\Windows\system32\Gjpqpl32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2328 -
C:\Windows\SysWOW64\Gcheib32.exeC:\Windows\system32\Gcheib32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2852 -
C:\Windows\SysWOW64\Gqlebf32.exeC:\Windows\system32\Gqlebf32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:776 -
C:\Windows\SysWOW64\Gmbfggdo.exeC:\Windows\system32\Gmbfggdo.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2412 -
C:\Windows\SysWOW64\Gghkdp32.exeC:\Windows\system32\Gghkdp32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2044 -
C:\Windows\SysWOW64\Gildahhp.exeC:\Windows\system32\Gildahhp.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2700 -
C:\Windows\SysWOW64\Gcahoqhf.exeC:\Windows\system32\Gcahoqhf.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2064 -
C:\Windows\SysWOW64\Hnkion32.exeC:\Windows\system32\Hnkion32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2364 -
C:\Windows\SysWOW64\Hipmmg32.exeC:\Windows\system32\Hipmmg32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1304 -
C:\Windows\SysWOW64\Hegnahjo.exeC:\Windows\system32\Hegnahjo.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1456 -
C:\Windows\SysWOW64\Hhejnc32.exeC:\Windows\system32\Hhejnc32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1400 -
C:\Windows\SysWOW64\Hnpbjnpo.exeC:\Windows\system32\Hnpbjnpo.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1860 -
C:\Windows\SysWOW64\Hanogipc.exeC:\Windows\system32\Hanogipc.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2160 -
C:\Windows\SysWOW64\Hjfcpo32.exeC:\Windows\system32\Hjfcpo32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2308 -
C:\Windows\SysWOW64\Hnbopmnm.exeC:\Windows\system32\Hnbopmnm.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1800 -
C:\Windows\SysWOW64\Hdoghdmd.exeC:\Windows\system32\Hdoghdmd.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1744 -
C:\Windows\SysWOW64\Hfmddp32.exeC:\Windows\system32\Hfmddp32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1968 -
C:\Windows\SysWOW64\Iabhah32.exeC:\Windows\system32\Iabhah32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2076 -
C:\Windows\SysWOW64\Idadnd32.exeC:\Windows\system32\Idadnd32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1572 -
C:\Windows\SysWOW64\Iphecepe.exeC:\Windows\system32\Iphecepe.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2704 -
C:\Windows\SysWOW64\Ifampo32.exeC:\Windows\system32\Ifampo32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2764 -
C:\Windows\SysWOW64\Ibhndp32.exeC:\Windows\system32\Ibhndp32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1084 -
C:\Windows\SysWOW64\Iegjqk32.exeC:\Windows\system32\Iegjqk32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1704 -
C:\Windows\SysWOW64\Ibkkjp32.exeC:\Windows\system32\Ibkkjp32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2624 -
C:\Windows\SysWOW64\Ieigfk32.exeC:\Windows\system32\Ieigfk32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2732 -
C:\Windows\SysWOW64\Ihhcbf32.exeC:\Windows\system32\Ihhcbf32.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:704 -
C:\Windows\SysWOW64\Ioakoq32.exeC:\Windows\system32\Ioakoq32.exe35⤵
- Executes dropped EXE
PID:2680 -
C:\Windows\SysWOW64\Jhjphfgi.exeC:\Windows\system32\Jhjphfgi.exe36⤵
- Executes dropped EXE
PID:976 -
C:\Windows\SysWOW64\Jbpdeogo.exeC:\Windows\system32\Jbpdeogo.exe37⤵
- Executes dropped EXE
PID:2860 -
C:\Windows\SysWOW64\Jkkija32.exeC:\Windows\system32\Jkkija32.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:376 -
C:\Windows\SysWOW64\Jofejpmc.exeC:\Windows\system32\Jofejpmc.exe39⤵
- Executes dropped EXE
PID:1148 -
C:\Windows\SysWOW64\Jnkakl32.exeC:\Windows\system32\Jnkakl32.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2964 -
C:\Windows\SysWOW64\Jpjngh32.exeC:\Windows\system32\Jpjngh32.exe41⤵
- Executes dropped EXE
PID:2052 -
C:\Windows\SysWOW64\Jgdfdbhk.exeC:\Windows\system32\Jgdfdbhk.exe42⤵
- Executes dropped EXE
PID:2224 -
C:\Windows\SysWOW64\Jckgicnp.exeC:\Windows\system32\Jckgicnp.exe43⤵
- Executes dropped EXE
PID:1060 -
C:\Windows\SysWOW64\Jkbojpna.exeC:\Windows\system32\Jkbojpna.exe44⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:656 -
C:\Windows\SysWOW64\Jlckbh32.exeC:\Windows\system32\Jlckbh32.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:1528 -
C:\Windows\SysWOW64\Kcmcoblm.exeC:\Windows\system32\Kcmcoblm.exe46⤵
- Executes dropped EXE
PID:2312 -
C:\Windows\SysWOW64\Kfkpknkq.exeC:\Windows\system32\Kfkpknkq.exe47⤵
- Executes dropped EXE
PID:764 -
C:\Windows\SysWOW64\Kjglkm32.exeC:\Windows\system32\Kjglkm32.exe48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3068 -
C:\Windows\SysWOW64\Knbhlkkc.exeC:\Windows\system32\Knbhlkkc.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2548 -
C:\Windows\SysWOW64\Kpadhg32.exeC:\Windows\system32\Kpadhg32.exe50⤵
- Executes dropped EXE
PID:2932 -
C:\Windows\SysWOW64\Kcopdb32.exeC:\Windows\system32\Kcopdb32.exe51⤵
- Executes dropped EXE
PID:1076 -
C:\Windows\SysWOW64\Kfnmpn32.exeC:\Windows\system32\Kfnmpn32.exe52⤵
- Executes dropped EXE
PID:2760 -
C:\Windows\SysWOW64\Klhemhpk.exeC:\Windows\system32\Klhemhpk.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2912 -
C:\Windows\SysWOW64\Kbdmeoob.exeC:\Windows\system32\Kbdmeoob.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1232 -
C:\Windows\SysWOW64\Kjleflod.exeC:\Windows\system32\Kjleflod.exe55⤵
- Executes dropped EXE
PID:2188 -
C:\Windows\SysWOW64\Khoebi32.exeC:\Windows\system32\Khoebi32.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:484 -
C:\Windows\SysWOW64\Kohnoc32.exeC:\Windows\system32\Kohnoc32.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:536 -
C:\Windows\SysWOW64\Kfbfkmeh.exeC:\Windows\system32\Kfbfkmeh.exe58⤵
- Executes dropped EXE
PID:2896 -
C:\Windows\SysWOW64\Khabghdl.exeC:\Windows\system32\Khabghdl.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1492 -
C:\Windows\SysWOW64\Kbigpn32.exeC:\Windows\system32\Kbigpn32.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2252 -
C:\Windows\SysWOW64\Kdhcli32.exeC:\Windows\system32\Kdhcli32.exe61⤵
- Executes dropped EXE
PID:1784 -
C:\Windows\SysWOW64\Kgfoie32.exeC:\Windows\system32\Kgfoie32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2572 -
C:\Windows\SysWOW64\Lnpgeopa.exeC:\Windows\system32\Lnpgeopa.exe63⤵
- Executes dropped EXE
PID:1516 -
C:\Windows\SysWOW64\Lqncaj32.exeC:\Windows\system32\Lqncaj32.exe64⤵
- Executes dropped EXE
PID:1688 -
C:\Windows\SysWOW64\Lhelbh32.exeC:\Windows\system32\Lhelbh32.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:696 -
C:\Windows\SysWOW64\Lkdhoc32.exeC:\Windows\system32\Lkdhoc32.exe66⤵
- Drops file in System32 directory
PID:1640 -
C:\Windows\SysWOW64\Lbnpkmfg.exeC:\Windows\system32\Lbnpkmfg.exe67⤵PID:2380
-
C:\Windows\SysWOW64\Ldllgiek.exeC:\Windows\system32\Ldllgiek.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1680 -
C:\Windows\SysWOW64\Lgkhdddo.exeC:\Windows\system32\Lgkhdddo.exe69⤵PID:2756
-
C:\Windows\SysWOW64\Ljieppcb.exeC:\Windows\system32\Ljieppcb.exe70⤵
- Modifies registry class
PID:3020 -
C:\Windows\SysWOW64\Lqcmmjko.exeC:\Windows\system32\Lqcmmjko.exe71⤵PID:2996
-
C:\Windows\SysWOW64\Lgmeid32.exeC:\Windows\system32\Lgmeid32.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2480 -
C:\Windows\SysWOW64\Ljkaeo32.exeC:\Windows\system32\Ljkaeo32.exe73⤵PID:2172
-
C:\Windows\SysWOW64\Lmjnak32.exeC:\Windows\system32\Lmjnak32.exe74⤵
- System Location Discovery: System Language Discovery
PID:3028 -
C:\Windows\SysWOW64\Lcdfnehp.exeC:\Windows\system32\Lcdfnehp.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1692 -
C:\Windows\SysWOW64\Lfbbjpgd.exeC:\Windows\system32\Lfbbjpgd.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2012 -
C:\Windows\SysWOW64\Liqoflfh.exeC:\Windows\system32\Liqoflfh.exe77⤵
- System Location Discovery: System Language Discovery
PID:1628 -
C:\Windows\SysWOW64\Lokgcf32.exeC:\Windows\system32\Lokgcf32.exe78⤵PID:2992
-
C:\Windows\SysWOW64\Mfdopp32.exeC:\Windows\system32\Mfdopp32.exe79⤵PID:3048
-
C:\Windows\SysWOW64\Mkaghg32.exeC:\Windows\system32\Mkaghg32.exe80⤵PID:1328
-
C:\Windows\SysWOW64\Mpmcielb.exeC:\Windows\system32\Mpmcielb.exe81⤵PID:2320
-
C:\Windows\SysWOW64\Mbkpeake.exeC:\Windows\system32\Mbkpeake.exe82⤵PID:396
-
C:\Windows\SysWOW64\Mejlalji.exeC:\Windows\system32\Mejlalji.exe83⤵PID:2300
-
C:\Windows\SysWOW64\Mmadbjkk.exeC:\Windows\system32\Mmadbjkk.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2180 -
C:\Windows\SysWOW64\Mnbpjb32.exeC:\Windows\system32\Mnbpjb32.exe85⤵
- Modifies registry class
PID:1552 -
C:\Windows\SysWOW64\Mihdgkpp.exeC:\Windows\system32\Mihdgkpp.exe86⤵PID:2608
-
C:\Windows\SysWOW64\Mlfacfpc.exeC:\Windows\system32\Mlfacfpc.exe87⤵PID:1140
-
C:\Windows\SysWOW64\Mbpipp32.exeC:\Windows\system32\Mbpipp32.exe88⤵PID:2016
-
C:\Windows\SysWOW64\Mgmahg32.exeC:\Windows\system32\Mgmahg32.exe89⤵
- System Location Discovery: System Language Discovery
PID:2496 -
C:\Windows\SysWOW64\Maefamlh.exeC:\Windows\system32\Maefamlh.exe90⤵
- System Location Discovery: System Language Discovery
PID:1620 -
C:\Windows\SysWOW64\Mccbmh32.exeC:\Windows\system32\Mccbmh32.exe91⤵
- Modifies registry class
PID:1736 -
C:\Windows\SysWOW64\Mjnjjbbh.exeC:\Windows\system32\Mjnjjbbh.exe92⤵
- Modifies registry class
PID:580 -
C:\Windows\SysWOW64\Nagbgl32.exeC:\Windows\system32\Nagbgl32.exe93⤵PID:1920
-
C:\Windows\SysWOW64\Nhakcfab.exeC:\Windows\system32\Nhakcfab.exe94⤵PID:2128
-
C:\Windows\SysWOW64\Nnkcpq32.exeC:\Windows\system32\Nnkcpq32.exe95⤵PID:1764
-
C:\Windows\SysWOW64\Npmphinm.exeC:\Windows\system32\Npmphinm.exe96⤵PID:2392
-
C:\Windows\SysWOW64\Nhdhif32.exeC:\Windows\system32\Nhdhif32.exe97⤵PID:3060
-
C:\Windows\SysWOW64\Nfghdcfj.exeC:\Windows\system32\Nfghdcfj.exe98⤵
- Modifies registry class
PID:2920 -
C:\Windows\SysWOW64\Niedqnen.exeC:\Windows\system32\Niedqnen.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3024 -
C:\Windows\SysWOW64\Npolmh32.exeC:\Windows\system32\Npolmh32.exe100⤵PID:1664
-
C:\Windows\SysWOW64\Ndkhngdd.exeC:\Windows\system32\Ndkhngdd.exe101⤵
- Drops file in System32 directory
PID:2672 -
C:\Windows\SysWOW64\Nigafnck.exeC:\Windows\system32\Nigafnck.exe102⤵PID:556
-
C:\Windows\SysWOW64\Nlfmbibo.exeC:\Windows\system32\Nlfmbibo.exe103⤵PID:1484
-
C:\Windows\SysWOW64\Ndmecgba.exeC:\Windows\system32\Ndmecgba.exe104⤵PID:2236
-
C:\Windows\SysWOW64\Nijnln32.exeC:\Windows\system32\Nijnln32.exe105⤵
- System Location Discovery: System Language Discovery
PID:2592 -
C:\Windows\SysWOW64\Nmejllia.exeC:\Windows\system32\Nmejllia.exe106⤵PID:988
-
C:\Windows\SysWOW64\Noffdd32.exeC:\Windows\system32\Noffdd32.exe107⤵PID:1344
-
C:\Windows\SysWOW64\Nbbbdcgi.exeC:\Windows\system32\Nbbbdcgi.exe108⤵
- Drops file in System32 directory
PID:2376 -
C:\Windows\SysWOW64\Neqnqofm.exeC:\Windows\system32\Neqnqofm.exe109⤵PID:2368
-
C:\Windows\SysWOW64\Obdojcef.exeC:\Windows\system32\Obdojcef.exe110⤵PID:2156
-
C:\Windows\SysWOW64\Oeckfndj.exeC:\Windows\system32\Oeckfndj.exe111⤵PID:2296
-
C:\Windows\SysWOW64\Okpcoe32.exeC:\Windows\system32\Okpcoe32.exe112⤵
- Drops file in System32 directory
PID:2640 -
C:\Windows\SysWOW64\Ookpodkj.exeC:\Windows\system32\Ookpodkj.exe113⤵PID:2668
-
C:\Windows\SysWOW64\Odhhgkib.exeC:\Windows\system32\Odhhgkib.exe114⤵PID:584
-
C:\Windows\SysWOW64\Ohcdhi32.exeC:\Windows\system32\Ohcdhi32.exe115⤵
- Drops file in System32 directory
PID:2136 -
C:\Windows\SysWOW64\Oonldcih.exeC:\Windows\system32\Oonldcih.exe116⤵PID:1872
-
C:\Windows\SysWOW64\Oalhqohl.exeC:\Windows\system32\Oalhqohl.exe117⤵
- System Location Discovery: System Language Discovery
PID:2184 -
C:\Windows\SysWOW64\Odjdmjgo.exeC:\Windows\system32\Odjdmjgo.exe118⤵
- Drops file in System32 directory
- Modifies registry class
PID:2500 -
C:\Windows\SysWOW64\Ogiaif32.exeC:\Windows\system32\Ogiaif32.exe119⤵
- System Location Discovery: System Language Discovery
PID:2084 -
C:\Windows\SysWOW64\Oopijc32.exeC:\Windows\system32\Oopijc32.exe120⤵PID:2716
-
C:\Windows\SysWOW64\Omcifpnp.exeC:\Windows\system32\Omcifpnp.exe121⤵
- Drops file in System32 directory
PID:2656
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-