Analysis
-
max time kernel
96s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
14/10/2024, 00:45
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
86008ff21010af44570f9ba9c559f43cd828d2ab8d7e836833693930843f2971N.exe
Resource
win7-20240708-en
windows7-x64
9 signatures
120 seconds
Behavioral task
behavioral2
Sample
86008ff21010af44570f9ba9c559f43cd828d2ab8d7e836833693930843f2971N.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
8 signatures
120 seconds
General
-
Target
86008ff21010af44570f9ba9c559f43cd828d2ab8d7e836833693930843f2971N.exe
-
Size
245KB
-
MD5
7f2ed33127e656c4833add840a40ccf0
-
SHA1
802fff53e10819732c7005d6fd2e339d37c59276
-
SHA256
86008ff21010af44570f9ba9c559f43cd828d2ab8d7e836833693930843f2971
-
SHA512
ec9af4eb6994b7569823b3facfa93a6c98d0eaa0ab6c111182940d57693ef5dcf5a5d96ed723736fe9b39fdecf391a86e19e0310f4b797591ce0166816c52060
-
SSDEEP
1536:o9u0VNXaYbTkMs0foC/4cXeXvubKrFEwMEwKhbArEwKhQL4cXeXvubKr:o5VNqNMs0wCwago+bAr+Qka
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mlofcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhegig32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lqkqhm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdmfllhn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Noblkqca.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obnehj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmggingc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gacepg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hhfpbpdo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chdialdl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbdoof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Madjhb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qhkdof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dbbffdlq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dgjoif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kiikpnmj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Momcpa32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcjmel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Manmoq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlmdbh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enopghee.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkgiimng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Adikdfna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bffcpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nqbpojnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cpmapodj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckebcg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlambk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hplicjok.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enbjad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ffceip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fohfbpgi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iehmmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qikbaaml.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nccokk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bnmoijje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qobhkjdi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbenoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kidben32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lplfcf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Maiccajf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qhhpop32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipbaol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fboecfii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dijbno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhikci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pehngkcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkegpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aoalgn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggfglb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gijmad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gijmad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" 86008ff21010af44570f9ba9c559f43cd828d2ab8d7e836833693930843f2971N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oaqbkn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dphiaffa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mebcop32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngjkfd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cklhcfle.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Finnef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkkgpc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjjpnlbd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkfcqb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjjnifbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bknlbhhe.exe -
Executes dropped EXE 64 IoCs
pid Process 964 Fjjnifbl.exe 3556 Fmikeaap.exe 1044 Fpggamqc.exe 3576 Fbfcmhpg.exe 5004 Fipkjb32.exe 2976 Fmkgkapm.exe 3012 Fpjcgm32.exe 4792 Fbhpch32.exe 1392 Ffclcgfn.exe 4036 Fibhpbea.exe 1604 Fmndpq32.exe 2632 Flqdlnde.exe 3608 Fplpll32.exe 4816 Fdglmkeg.exe 4476 Fbjmhh32.exe 1852 Fffhifdk.exe 1448 Fjadje32.exe 4916 Fmpqfq32.exe 4232 Glcaambb.exe 968 Gpnmbl32.exe 2892 Gdjibj32.exe 2376 Gbmingjo.exe 4552 Gfheof32.exe 4384 Gjdaodja.exe 3068 Gmbmkpie.exe 3308 Glengm32.exe 1204 Gpqjglii.exe 2756 Gdlfhj32.exe 4320 Gbofcghl.exe 3448 Gfkbde32.exe 3120 Gjfnedho.exe 1796 Giinpa32.exe 812 Gmdjapgb.exe 2012 Glgjlm32.exe 1240 Gpcfmkff.exe 4508 Gdobnj32.exe 3136 Gbabigfj.exe 3832 Gkhkjd32.exe 2332 Gikkfqmf.exe 1252 Gmggfp32.exe 4340 Gljgbllj.exe 4672 Gpecbk32.exe 2312 Gdaociml.exe 1180 Gbdoof32.exe 3692 Gfokoelp.exe 4376 Gkkgpc32.exe 3352 Gmiclo32.exe 3456 Gmiclo32.exe 384 Glldgljg.exe 4976 Gphphj32.exe 3296 Gdcliikj.exe 1980 Ggahedjn.exe 4560 Gkmdecbg.exe 4556 Gkmdecbg.exe 3816 Gipdap32.exe 1368 Hmlpaoaj.exe 4400 Hloqml32.exe 4328 Hbhijepa.exe 1000 Hgdejd32.exe 3564 Hkpqkcpd.exe 4940 Hmnmgnoh.exe 1104 Hlambk32.exe 3060 Hplicjok.exe 1452 Hdhedh32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Fmkqpkla.exe Fiodpl32.exe File created C:\Windows\SysWOW64\Fnihkq32.dll Mgbefe32.exe File created C:\Windows\SysWOW64\Amhmnagf.dll Johggfha.exe File created C:\Windows\SysWOW64\Igkilc32.dll Noblkqca.exe File opened for modification C:\Windows\SysWOW64\Hbhijepa.exe Hloqml32.exe File opened for modification C:\Windows\SysWOW64\Fbgihaji.exe Fmkqpkla.exe File created C:\Windows\SysWOW64\Jiejjepo.dll Hidgai32.exe File created C:\Windows\SysWOW64\Hhlpmmgb.dll Kjjbjd32.exe File created C:\Windows\SysWOW64\Cdmfllhn.exe Caojpaij.exe File created C:\Windows\SysWOW64\Ehblpall.dll Ebfign32.exe File created C:\Windows\SysWOW64\Fndpmndl.exe Fkfcqb32.exe File created C:\Windows\SysWOW64\Dodfed32.dll Eqkondfl.exe File opened for modification C:\Windows\SysWOW64\Fbpchb32.exe Felbnn32.exe File opened for modification C:\Windows\SysWOW64\Cdpjlb32.exe Cocacl32.exe File created C:\Windows\SysWOW64\Doaneiop.exe Ddligq32.exe File created C:\Windows\SysWOW64\Bmhocd32.exe Bkibgh32.exe File opened for modification C:\Windows\SysWOW64\Kheekkjl.exe Kakmna32.exe File created C:\Windows\SysWOW64\Poimpapp.exe Pknqoc32.exe File created C:\Windows\SysWOW64\Gmbjqfjb.dll Nagiji32.exe File created C:\Windows\SysWOW64\Ljbnfleo.exe Lakfeodm.exe File opened for modification C:\Windows\SysWOW64\Fmhdkknd.exe Fbbpmb32.exe File created C:\Windows\SysWOW64\Anhejhfp.dll Jlgepanl.exe File created C:\Windows\SysWOW64\Jinboekc.exe Jgpfbjlo.exe File opened for modification C:\Windows\SysWOW64\Ebgpad32.exe Ekmhejao.exe File created C:\Windows\SysWOW64\Alpbecod.exe Adikdfna.exe File opened for modification C:\Windows\SysWOW64\Qjiipk32.exe Qdoacabq.exe File created C:\Windows\SysWOW64\Cpcpfg32.exe Cmedjl32.exe File created C:\Windows\SysWOW64\Ohmhmh32.exe Oeokal32.exe File created C:\Windows\SysWOW64\Eqkondfl.exe Ekngemhd.exe File opened for modification C:\Windows\SysWOW64\Affikdfn.exe Adgmoigj.exe File created C:\Windows\SysWOW64\Poigcbng.dll Dnpdegjp.exe File created C:\Windows\SysWOW64\Geohklaa.exe Gnepna32.exe File created C:\Windows\SysWOW64\Pmmanjof.dll Qaalblgi.exe File created C:\Windows\SysWOW64\Neqopnhb.exe Nmigoagp.exe File created C:\Windows\SysWOW64\Pdbeojmh.dll Mmmqhl32.exe File opened for modification C:\Windows\SysWOW64\Apmhiq32.exe Aokkahlo.exe File opened for modification C:\Windows\SysWOW64\Dkndie32.exe Dddllkbf.exe File created C:\Windows\SysWOW64\Nffaen32.dll Pcbkml32.exe File opened for modification C:\Windows\SysWOW64\Kjhloj32.exe Kmdlffhj.exe File created C:\Windows\SysWOW64\Jabdjc32.dll Jcgnbaeo.exe File created C:\Windows\SysWOW64\Gcedencn.dll Qdbdcg32.exe File created C:\Windows\SysWOW64\Ebmenh32.dll Doaneiop.exe File created C:\Windows\SysWOW64\Hohahelb.dll Hblkjo32.exe File created C:\Windows\SysWOW64\Kedlip32.exe Jbepme32.exe File created C:\Windows\SysWOW64\Mcfbkpab.exe Mlljnf32.exe File opened for modification C:\Windows\SysWOW64\Qiiflaoo.exe Qbonoghb.exe File created C:\Windows\SysWOW64\Hdhedh32.exe Hplicjok.exe File created C:\Windows\SysWOW64\Bcjfln32.dll Mfqlfb32.exe File opened for modification C:\Windows\SysWOW64\Mfchlbfd.exe Moipoh32.exe File opened for modification C:\Windows\SysWOW64\Pfandnla.exe Phonha32.exe File created C:\Windows\SysWOW64\Mnknop32.dll Jbagbebm.exe File created C:\Windows\SysWOW64\Qhjgbbnj.dll Afappe32.exe File created C:\Windows\SysWOW64\Lhaiafem.dll Ejlnfjbd.exe File opened for modification C:\Windows\SysWOW64\Ddligq32.exe Dbnmke32.exe File created C:\Windows\SysWOW64\Clddmhpl.dll Kcejco32.exe File opened for modification C:\Windows\SysWOW64\Lnjgfb32.exe Lfbped32.exe File created C:\Windows\SysWOW64\Dnajppda.exe Dkcndeen.exe File opened for modification C:\Windows\SysWOW64\Egohdegl.exe Edplhjhi.exe File created C:\Windows\SysWOW64\Hobbfhjl.dll Mhjhmhhd.exe File created C:\Windows\SysWOW64\Nfqnbjfi.exe Ncbafoge.exe File opened for modification C:\Windows\SysWOW64\Fjhmbihg.exe Fgiaemic.exe File opened for modification C:\Windows\SysWOW64\Jjafok32.exe Jcgnbaeo.exe File created C:\Windows\SysWOW64\Gadeee32.dll Fboecfii.exe File created C:\Windows\SysWOW64\Mnmdme32.exe Mkohaj32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 15660 15836 WerFault.exe 881 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egohdegl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eqlfhjig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gijmad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fplpll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljclki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oobfob32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aekddhcb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekmhejao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipdndloi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Neqopnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmaffnce.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmnbfhal.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klbnajqc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abcgjg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihbponja.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kocgbend.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmbegqjk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcbnnpka.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkjnfkma.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phdnngdn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gemkelcd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ondljl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgdncplk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnalmh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjhmbihg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbdoof32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgaokl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcfggkac.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dqbcbkab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knooej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpenfp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nncccnol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bknlbhhe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhmbqm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckebcg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eiekog32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iinqbn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mebcop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbdjeg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppgegd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qdoacabq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Binhnomg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpmdfonj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkgeainn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Panhbfep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Geanfelc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlbejloe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpjcgm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjafok32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlnjbedi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbohpn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmbhoeid.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khiofk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nqmojd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eqkondfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oelolmnd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdkdibjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfkbde32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cocacl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hiacacpg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cacmpj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdpnda32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alnfpcag.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnpdegjp.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mldjbclh.dll" Hnphoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fboecfii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bejceb32.dll" Fbaahf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gggpfopn.dll" Fjadje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pofkjd32.dll" Gjfnedho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nmgjia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Effkpc32.dll" Cndeii32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gbofcghl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mmfkhmdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kheekkjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pegopgia.dll" Enfckp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hehdfdek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gljgbllj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kpanan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lckiihok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pmblagmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nchkcb32.dll" Dnmaea32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kcoccc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oqmhqapg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kcejco32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mebcop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmiadaea.dll" Nncccnol.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cocjiehd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Glldgljg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Chnbbqpn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mjnnbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odcfhh32.dll" Gmdjapgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amdcghbo.dll" Jepjhg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dbbffdlq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmpjlk32.dll" Mqdcnl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gejhef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pabcflhd.dll" Lindkm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfnlgh32.dll" Cpcpfg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gdlfhj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oalipoiq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fmhdkknd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gddedlaq.dll" Lpfgmnfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fdkdibjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fiodpl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mfnoqc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qjiipk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbobhb32.dll" Aaldccip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plopnh32.dll" Oeokal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jbepme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Foniaq32.dll" Kadpdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Faagecfk.dll" Cgmhcaac.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Enigke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ngjkfd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iialhaad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnknop32.dll" Jbagbebm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqindg32.dll" Bffcpg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ekcgkb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ddfbgelh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bepmoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fboqkn32.dll" Lgibpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpnmig32.dll" Jafdcbge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Opbean32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdfepi32.dll" Dcffnbee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fffhifdk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qaqegecm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aagkhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojehbail.dll" Fgcjfbed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Celhnb32.dll" Fgqgfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fjjnifbl.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2072 wrote to memory of 964 2072 86008ff21010af44570f9ba9c559f43cd828d2ab8d7e836833693930843f2971N.exe 83 PID 2072 wrote to memory of 964 2072 86008ff21010af44570f9ba9c559f43cd828d2ab8d7e836833693930843f2971N.exe 83 PID 2072 wrote to memory of 964 2072 86008ff21010af44570f9ba9c559f43cd828d2ab8d7e836833693930843f2971N.exe 83 PID 964 wrote to memory of 3556 964 Fjjnifbl.exe 84 PID 964 wrote to memory of 3556 964 Fjjnifbl.exe 84 PID 964 wrote to memory of 3556 964 Fjjnifbl.exe 84 PID 3556 wrote to memory of 1044 3556 Fmikeaap.exe 85 PID 3556 wrote to memory of 1044 3556 Fmikeaap.exe 85 PID 3556 wrote to memory of 1044 3556 Fmikeaap.exe 85 PID 1044 wrote to memory of 3576 1044 Fpggamqc.exe 86 PID 1044 wrote to memory of 3576 1044 Fpggamqc.exe 86 PID 1044 wrote to memory of 3576 1044 Fpggamqc.exe 86 PID 3576 wrote to memory of 5004 3576 Fbfcmhpg.exe 88 PID 3576 wrote to memory of 5004 3576 Fbfcmhpg.exe 88 PID 3576 wrote to memory of 5004 3576 Fbfcmhpg.exe 88 PID 5004 wrote to memory of 2976 5004 Fipkjb32.exe 89 PID 5004 wrote to memory of 2976 5004 Fipkjb32.exe 89 PID 5004 wrote to memory of 2976 5004 Fipkjb32.exe 89 PID 2976 wrote to memory of 3012 2976 Fmkgkapm.exe 90 PID 2976 wrote to memory of 3012 2976 Fmkgkapm.exe 90 PID 2976 wrote to memory of 3012 2976 Fmkgkapm.exe 90 PID 3012 wrote to memory of 4792 3012 Fpjcgm32.exe 92 PID 3012 wrote to memory of 4792 3012 Fpjcgm32.exe 92 PID 3012 wrote to memory of 4792 3012 Fpjcgm32.exe 92 PID 4792 wrote to memory of 1392 4792 Fbhpch32.exe 93 PID 4792 wrote to memory of 1392 4792 Fbhpch32.exe 93 PID 4792 wrote to memory of 1392 4792 Fbhpch32.exe 93 PID 1392 wrote to memory of 4036 1392 Ffclcgfn.exe 94 PID 1392 wrote to memory of 4036 1392 Ffclcgfn.exe 94 PID 1392 wrote to memory of 4036 1392 Ffclcgfn.exe 94 PID 4036 wrote to memory of 1604 4036 Fibhpbea.exe 95 PID 4036 wrote to memory of 1604 4036 Fibhpbea.exe 95 PID 4036 wrote to memory of 1604 4036 Fibhpbea.exe 95 PID 1604 wrote to memory of 2632 1604 Fmndpq32.exe 96 PID 1604 wrote to memory of 2632 1604 Fmndpq32.exe 96 PID 1604 wrote to memory of 2632 1604 Fmndpq32.exe 96 PID 2632 wrote to memory of 3608 2632 Flqdlnde.exe 97 PID 2632 wrote to memory of 3608 2632 Flqdlnde.exe 97 PID 2632 wrote to memory of 3608 2632 Flqdlnde.exe 97 PID 3608 wrote to memory of 4816 3608 Fplpll32.exe 98 PID 3608 wrote to memory of 4816 3608 Fplpll32.exe 98 PID 3608 wrote to memory of 4816 3608 Fplpll32.exe 98 PID 4816 wrote to memory of 4476 4816 Fdglmkeg.exe 99 PID 4816 wrote to memory of 4476 4816 Fdglmkeg.exe 99 PID 4816 wrote to memory of 4476 4816 Fdglmkeg.exe 99 PID 4476 wrote to memory of 1852 4476 Fbjmhh32.exe 100 PID 4476 wrote to memory of 1852 4476 Fbjmhh32.exe 100 PID 4476 wrote to memory of 1852 4476 Fbjmhh32.exe 100 PID 1852 wrote to memory of 1448 1852 Fffhifdk.exe 101 PID 1852 wrote to memory of 1448 1852 Fffhifdk.exe 101 PID 1852 wrote to memory of 1448 1852 Fffhifdk.exe 101 PID 1448 wrote to memory of 4916 1448 Fjadje32.exe 102 PID 1448 wrote to memory of 4916 1448 Fjadje32.exe 102 PID 1448 wrote to memory of 4916 1448 Fjadje32.exe 102 PID 4916 wrote to memory of 4232 4916 Fmpqfq32.exe 103 PID 4916 wrote to memory of 4232 4916 Fmpqfq32.exe 103 PID 4916 wrote to memory of 4232 4916 Fmpqfq32.exe 103 PID 4232 wrote to memory of 968 4232 Glcaambb.exe 104 PID 4232 wrote to memory of 968 4232 Glcaambb.exe 104 PID 4232 wrote to memory of 968 4232 Glcaambb.exe 104 PID 968 wrote to memory of 2892 968 Gpnmbl32.exe 105 PID 968 wrote to memory of 2892 968 Gpnmbl32.exe 105 PID 968 wrote to memory of 2892 968 Gpnmbl32.exe 105 PID 2892 wrote to memory of 2376 2892 Gdjibj32.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\86008ff21010af44570f9ba9c559f43cd828d2ab8d7e836833693930843f2971N.exe"C:\Users\Admin\AppData\Local\Temp\86008ff21010af44570f9ba9c559f43cd828d2ab8d7e836833693930843f2971N.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Suspicious use of WriteProcessMemory
PID:2072 -
C:\Windows\SysWOW64\Fjjnifbl.exeC:\Windows\system32\Fjjnifbl.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:964 -
C:\Windows\SysWOW64\Fmikeaap.exeC:\Windows\system32\Fmikeaap.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3556 -
C:\Windows\SysWOW64\Fpggamqc.exeC:\Windows\system32\Fpggamqc.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1044 -
C:\Windows\SysWOW64\Fbfcmhpg.exeC:\Windows\system32\Fbfcmhpg.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3576 -
C:\Windows\SysWOW64\Fipkjb32.exeC:\Windows\system32\Fipkjb32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5004 -
C:\Windows\SysWOW64\Fmkgkapm.exeC:\Windows\system32\Fmkgkapm.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2976 -
C:\Windows\SysWOW64\Fpjcgm32.exeC:\Windows\system32\Fpjcgm32.exe8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3012 -
C:\Windows\SysWOW64\Fbhpch32.exeC:\Windows\system32\Fbhpch32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4792 -
C:\Windows\SysWOW64\Ffclcgfn.exeC:\Windows\system32\Ffclcgfn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1392 -
C:\Windows\SysWOW64\Fibhpbea.exeC:\Windows\system32\Fibhpbea.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4036 -
C:\Windows\SysWOW64\Fmndpq32.exeC:\Windows\system32\Fmndpq32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1604 -
C:\Windows\SysWOW64\Flqdlnde.exeC:\Windows\system32\Flqdlnde.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2632 -
C:\Windows\SysWOW64\Fplpll32.exeC:\Windows\system32\Fplpll32.exe14⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3608 -
C:\Windows\SysWOW64\Fdglmkeg.exeC:\Windows\system32\Fdglmkeg.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4816 -
C:\Windows\SysWOW64\Fbjmhh32.exeC:\Windows\system32\Fbjmhh32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4476 -
C:\Windows\SysWOW64\Fffhifdk.exeC:\Windows\system32\Fffhifdk.exe17⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1852 -
C:\Windows\SysWOW64\Fjadje32.exeC:\Windows\system32\Fjadje32.exe18⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1448 -
C:\Windows\SysWOW64\Fmpqfq32.exeC:\Windows\system32\Fmpqfq32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4916 -
C:\Windows\SysWOW64\Glcaambb.exeC:\Windows\system32\Glcaambb.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4232 -
C:\Windows\SysWOW64\Gpnmbl32.exeC:\Windows\system32\Gpnmbl32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:968 -
C:\Windows\SysWOW64\Gdjibj32.exeC:\Windows\system32\Gdjibj32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2892 -
C:\Windows\SysWOW64\Gbmingjo.exeC:\Windows\system32\Gbmingjo.exe23⤵
- Executes dropped EXE
PID:2376 -
C:\Windows\SysWOW64\Gfheof32.exeC:\Windows\system32\Gfheof32.exe24⤵
- Executes dropped EXE
PID:4552 -
C:\Windows\SysWOW64\Gjdaodja.exeC:\Windows\system32\Gjdaodja.exe25⤵
- Executes dropped EXE
PID:4384 -
C:\Windows\SysWOW64\Gmbmkpie.exeC:\Windows\system32\Gmbmkpie.exe26⤵
- Executes dropped EXE
PID:3068 -
C:\Windows\SysWOW64\Glengm32.exeC:\Windows\system32\Glengm32.exe27⤵
- Executes dropped EXE
PID:3308 -
C:\Windows\SysWOW64\Gpqjglii.exeC:\Windows\system32\Gpqjglii.exe28⤵
- Executes dropped EXE
PID:1204 -
C:\Windows\SysWOW64\Gdlfhj32.exeC:\Windows\system32\Gdlfhj32.exe29⤵
- Executes dropped EXE
- Modifies registry class
PID:2756 -
C:\Windows\SysWOW64\Gbofcghl.exeC:\Windows\system32\Gbofcghl.exe30⤵
- Executes dropped EXE
- Modifies registry class
PID:4320 -
C:\Windows\SysWOW64\Gfkbde32.exeC:\Windows\system32\Gfkbde32.exe31⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3448 -
C:\Windows\SysWOW64\Gjfnedho.exeC:\Windows\system32\Gjfnedho.exe32⤵
- Executes dropped EXE
- Modifies registry class
PID:3120 -
C:\Windows\SysWOW64\Giinpa32.exeC:\Windows\system32\Giinpa32.exe33⤵
- Executes dropped EXE
PID:1796 -
C:\Windows\SysWOW64\Gmdjapgb.exeC:\Windows\system32\Gmdjapgb.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:812 -
C:\Windows\SysWOW64\Glgjlm32.exeC:\Windows\system32\Glgjlm32.exe35⤵
- Executes dropped EXE
PID:2012 -
C:\Windows\SysWOW64\Gpcfmkff.exeC:\Windows\system32\Gpcfmkff.exe36⤵
- Executes dropped EXE
PID:1240 -
C:\Windows\SysWOW64\Gdobnj32.exeC:\Windows\system32\Gdobnj32.exe37⤵
- Executes dropped EXE
PID:4508 -
C:\Windows\SysWOW64\Gbabigfj.exeC:\Windows\system32\Gbabigfj.exe38⤵
- Executes dropped EXE
PID:3136 -
C:\Windows\SysWOW64\Gkhkjd32.exeC:\Windows\system32\Gkhkjd32.exe39⤵
- Executes dropped EXE
PID:3832 -
C:\Windows\SysWOW64\Gikkfqmf.exeC:\Windows\system32\Gikkfqmf.exe40⤵
- Executes dropped EXE
PID:2332 -
C:\Windows\SysWOW64\Gmggfp32.exeC:\Windows\system32\Gmggfp32.exe41⤵
- Executes dropped EXE
PID:1252 -
C:\Windows\SysWOW64\Gljgbllj.exeC:\Windows\system32\Gljgbllj.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:4340 -
C:\Windows\SysWOW64\Gpecbk32.exeC:\Windows\system32\Gpecbk32.exe43⤵
- Executes dropped EXE
PID:4672 -
C:\Windows\SysWOW64\Gdaociml.exeC:\Windows\system32\Gdaociml.exe44⤵
- Executes dropped EXE
PID:2312 -
C:\Windows\SysWOW64\Gbdoof32.exeC:\Windows\system32\Gbdoof32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1180 -
C:\Windows\SysWOW64\Gfokoelp.exeC:\Windows\system32\Gfokoelp.exe46⤵
- Executes dropped EXE
PID:3692 -
C:\Windows\SysWOW64\Gkkgpc32.exeC:\Windows\system32\Gkkgpc32.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4376 -
C:\Windows\SysWOW64\Gmiclo32.exeC:\Windows\system32\Gmiclo32.exe48⤵
- Executes dropped EXE
PID:3352 -
C:\Windows\SysWOW64\Gmiclo32.exeC:\Windows\system32\Gmiclo32.exe49⤵
- Executes dropped EXE
PID:3456 -
C:\Windows\SysWOW64\Glldgljg.exeC:\Windows\system32\Glldgljg.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:384 -
C:\Windows\SysWOW64\Gphphj32.exeC:\Windows\system32\Gphphj32.exe51⤵
- Executes dropped EXE
PID:4976 -
C:\Windows\SysWOW64\Gdcliikj.exeC:\Windows\system32\Gdcliikj.exe52⤵
- Executes dropped EXE
PID:3296 -
C:\Windows\SysWOW64\Ggahedjn.exeC:\Windows\system32\Ggahedjn.exe53⤵
- Executes dropped EXE
PID:1980 -
C:\Windows\SysWOW64\Gkmdecbg.exeC:\Windows\system32\Gkmdecbg.exe54⤵
- Executes dropped EXE
PID:4560 -
C:\Windows\SysWOW64\Gkmdecbg.exeC:\Windows\system32\Gkmdecbg.exe55⤵
- Executes dropped EXE
PID:4556 -
C:\Windows\SysWOW64\Gipdap32.exeC:\Windows\system32\Gipdap32.exe56⤵
- Executes dropped EXE
PID:3816 -
C:\Windows\SysWOW64\Hmlpaoaj.exeC:\Windows\system32\Hmlpaoaj.exe57⤵
- Executes dropped EXE
PID:1368 -
C:\Windows\SysWOW64\Hloqml32.exeC:\Windows\system32\Hloqml32.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4400 -
C:\Windows\SysWOW64\Hbhijepa.exeC:\Windows\system32\Hbhijepa.exe59⤵
- Executes dropped EXE
PID:4328 -
C:\Windows\SysWOW64\Hgdejd32.exeC:\Windows\system32\Hgdejd32.exe60⤵
- Executes dropped EXE
PID:1000 -
C:\Windows\SysWOW64\Hkpqkcpd.exeC:\Windows\system32\Hkpqkcpd.exe61⤵
- Executes dropped EXE
PID:3564 -
C:\Windows\SysWOW64\Hmnmgnoh.exeC:\Windows\system32\Hmnmgnoh.exe62⤵
- Executes dropped EXE
PID:4940 -
C:\Windows\SysWOW64\Hlambk32.exeC:\Windows\system32\Hlambk32.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1104 -
C:\Windows\SysWOW64\Hplicjok.exeC:\Windows\system32\Hplicjok.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3060 -
C:\Windows\SysWOW64\Hdhedh32.exeC:\Windows\system32\Hdhedh32.exe65⤵
- Executes dropped EXE
PID:1452 -
C:\Windows\SysWOW64\Hckeoeno.exeC:\Windows\system32\Hckeoeno.exe66⤵PID:2000
-
C:\Windows\SysWOW64\Hmpjmn32.exeC:\Windows\system32\Hmpjmn32.exe67⤵PID:1708
-
C:\Windows\SysWOW64\Hpofii32.exeC:\Windows\system32\Hpofii32.exe68⤵PID:2508
-
C:\Windows\SysWOW64\Iinqbn32.exeC:\Windows\system32\Iinqbn32.exe69⤵
- System Location Discovery: System Language Discovery
PID:5096 -
C:\Windows\SysWOW64\Igbalblk.exeC:\Windows\system32\Igbalblk.exe70⤵PID:980
-
C:\Windows\SysWOW64\Inqbclob.exeC:\Windows\system32\Inqbclob.exe71⤵PID:2776
-
C:\Windows\SysWOW64\Idkkpf32.exeC:\Windows\system32\Idkkpf32.exe72⤵PID:4928
-
C:\Windows\SysWOW64\Ikdcmpnl.exeC:\Windows\system32\Ikdcmpnl.exe73⤵PID:1612
-
C:\Windows\SysWOW64\Jlfpdh32.exeC:\Windows\system32\Jlfpdh32.exe74⤵PID:2600
-
C:\Windows\SysWOW64\Jjjpnlbd.exeC:\Windows\system32\Jjjpnlbd.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:228 -
C:\Windows\SysWOW64\Jkimho32.exeC:\Windows\system32\Jkimho32.exe76⤵PID:4360
-
C:\Windows\SysWOW64\Jjoiil32.exeC:\Windows\system32\Jjoiil32.exe77⤵PID:3244
-
C:\Windows\SysWOW64\Jnjejjgh.exeC:\Windows\system32\Jnjejjgh.exe78⤵PID:1008
-
C:\Windows\SysWOW64\Jcgnbaeo.exeC:\Windows\system32\Jcgnbaeo.exe79⤵
- Drops file in System32 directory
PID:4632 -
C:\Windows\SysWOW64\Jjafok32.exeC:\Windows\system32\Jjafok32.exe80⤵
- System Location Discovery: System Language Discovery
PID:4172 -
C:\Windows\SysWOW64\Kkpbin32.exeC:\Windows\system32\Kkpbin32.exe81⤵PID:3200
-
C:\Windows\SysWOW64\Knooej32.exeC:\Windows\system32\Knooej32.exe82⤵
- System Location Discovery: System Language Discovery
PID:4484 -
C:\Windows\SysWOW64\Kmdlffhj.exeC:\Windows\system32\Kmdlffhj.exe83⤵
- Drops file in System32 directory
PID:4152 -
C:\Windows\SysWOW64\Kjhloj32.exeC:\Windows\system32\Kjhloj32.exe84⤵PID:4868
-
C:\Windows\SysWOW64\Kcpahpmd.exeC:\Windows\system32\Kcpahpmd.exe85⤵PID:2364
-
C:\Windows\SysWOW64\Kkgiimng.exeC:\Windows\system32\Kkgiimng.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3600 -
C:\Windows\SysWOW64\Knfeeimj.exeC:\Windows\system32\Knfeeimj.exe87⤵PID:4108
-
C:\Windows\SysWOW64\Kcbnnpka.exeC:\Windows\system32\Kcbnnpka.exe88⤵
- System Location Discovery: System Language Discovery
PID:460 -
C:\Windows\SysWOW64\Kcejco32.exeC:\Windows\system32\Kcejco32.exe89⤵
- Drops file in System32 directory
- Modifies registry class
PID:1116 -
C:\Windows\SysWOW64\Lcggio32.exeC:\Windows\system32\Lcggio32.exe90⤵PID:3284
-
C:\Windows\SysWOW64\Lmpkadnm.exeC:\Windows\system32\Lmpkadnm.exe91⤵PID:2540
-
C:\Windows\SysWOW64\Ljclki32.exeC:\Windows\system32\Ljclki32.exe92⤵
- System Location Discovery: System Language Discovery
PID:2124 -
C:\Windows\SysWOW64\Ldipha32.exeC:\Windows\system32\Ldipha32.exe93⤵PID:4460
-
C:\Windows\SysWOW64\Lclpdncg.exeC:\Windows\system32\Lclpdncg.exe94⤵PID:5060
-
C:\Windows\SysWOW64\Ljfhqh32.exeC:\Windows\system32\Ljfhqh32.exe95⤵PID:1332
-
C:\Windows\SysWOW64\Lekmnajj.exeC:\Windows\system32\Lekmnajj.exe96⤵PID:1004
-
C:\Windows\SysWOW64\Lenicahg.exeC:\Windows\system32\Lenicahg.exe97⤵PID:2060
-
C:\Windows\SysWOW64\Mcqjon32.exeC:\Windows\system32\Mcqjon32.exe98⤵PID:4268
-
C:\Windows\SysWOW64\Mkhapk32.exeC:\Windows\system32\Mkhapk32.exe99⤵PID:2796
-
C:\Windows\SysWOW64\Madjhb32.exeC:\Windows\system32\Madjhb32.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2240 -
C:\Windows\SysWOW64\Mkjnfkma.exeC:\Windows\system32\Mkjnfkma.exe101⤵
- System Location Discovery: System Language Discovery
PID:1436 -
C:\Windows\SysWOW64\Mebcop32.exeC:\Windows\system32\Mebcop32.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2592 -
C:\Windows\SysWOW64\Mgaokl32.exeC:\Windows\system32\Mgaokl32.exe103⤵
- System Location Discovery: System Language Discovery
PID:4700 -
C:\Windows\SysWOW64\Mjokgg32.exeC:\Windows\system32\Mjokgg32.exe104⤵PID:1364
-
C:\Windows\SysWOW64\Maiccajf.exeC:\Windows\system32\Maiccajf.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2492 -
C:\Windows\SysWOW64\Mchppmij.exeC:\Windows\system32\Mchppmij.exe106⤵PID:2004
-
C:\Windows\SysWOW64\Mkohaj32.exeC:\Windows\system32\Mkohaj32.exe107⤵
- Drops file in System32 directory
PID:5140 -
C:\Windows\SysWOW64\Mnmdme32.exeC:\Windows\system32\Mnmdme32.exe108⤵PID:5196
-
C:\Windows\SysWOW64\Mcjmel32.exeC:\Windows\system32\Mcjmel32.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5236 -
C:\Windows\SysWOW64\Manmoq32.exeC:\Windows\system32\Manmoq32.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5284 -
C:\Windows\SysWOW64\Nnbnhedj.exeC:\Windows\system32\Nnbnhedj.exe111⤵PID:5324
-
C:\Windows\SysWOW64\Napjdpcn.exeC:\Windows\system32\Napjdpcn.exe112⤵PID:5364
-
C:\Windows\SysWOW64\Nlfnaicd.exeC:\Windows\system32\Nlfnaicd.exe113⤵PID:5432
-
C:\Windows\SysWOW64\Nmgjia32.exeC:\Windows\system32\Nmgjia32.exe114⤵
- Modifies registry class
PID:5472 -
C:\Windows\SysWOW64\Nhmofj32.exeC:\Windows\system32\Nhmofj32.exe115⤵PID:5512
-
C:\Windows\SysWOW64\Nmigoagp.exeC:\Windows\system32\Nmigoagp.exe116⤵
- Drops file in System32 directory
PID:5552 -
C:\Windows\SysWOW64\Neqopnhb.exeC:\Windows\system32\Neqopnhb.exe117⤵
- System Location Discovery: System Language Discovery
PID:5584 -
C:\Windows\SysWOW64\Nccokk32.exeC:\Windows\system32\Nccokk32.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5624 -
C:\Windows\SysWOW64\Nagpeo32.exeC:\Windows\system32\Nagpeo32.exe119⤵PID:5684
-
C:\Windows\SysWOW64\Nlmdbh32.exeC:\Windows\system32\Nlmdbh32.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5728 -
C:\Windows\SysWOW64\Nmnqjp32.exeC:\Windows\system32\Nmnqjp32.exe121⤵PID:5788
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-