Analysis
max time kernel: 93s
max time network: 95s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08-11-2024 02:48
Behavioral task: behavioral1
Sample: ab420f47d29e9632734616205ee9c6ecfc88dc3630535d6ffc07c7e6b5eee007N.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: ab420f47d29e9632734616205ee9c6ecfc88dc3630535d6ffc07c7e6b5eee007N.exe
Resource: win10v2004-20241007-en
General
Target: ab420f47d29e9632734616205ee9c6ecfc88dc3630535d6ffc07c7e6b5eee007N.exe
Size: 163KB
MD5: 37664a94acb000504320b1e13046f3f0
SHA1: a6aa928972d15b45bbf27d6eceea6fa0eca53965
SHA256: ab420f47d29e9632734616205ee9c6ecfc88dc3630535d6ffc07c7e6b5eee007
SHA512: 2c8fd3a6b1bfc51f1853e76f9f54009b6daef42076cdd8791202e7ba33af6e737a0e7f0c317451ba8468ad80d8e14fa2d435c2698455212b1bf695bba152b301
SSDEEP: 1536:Ptja1DHK82tfLcQYAFK1AGGGGGGaTnuqrN4lMlProNVU4qNVUrk/9QbfBr+7GwKn:o1bhOfLczLtG2ltOrWKDBr+yJb
Malware Config
Extracted
berbew
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Berbew family
Executes dropped EXE 64 IoCs
Drops file in System32 directory 64 IoCs
Program crash 1 IoCs
pid 9816, pid_target 9384, Process WerFault.exe, procid_target 491
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim host in order to infer that host's geographical location.
Modifies registry class 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
depth 1: C:\Users\Admin\AppData\Local\Temp\ab420f47d29e9632734616205ee9c6ecfc88dc3630535d6ffc07c7e6b5eee007N.exe  [cmd: "C:\Users\Admin\AppData\Local\Temp\ab420f47d29e9632734616205ee9c6ecfc88dc3630535d6ffc07c7e6b5eee007N.exe"]  PID:2964
  - Suspicious use of WriteProcessMemory
depth 2: C:\Windows\SysWOW64\Jlbefm32.exe  [cmd: C:\Windows\system32\Jlbefm32.exe]  PID:4484
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
depth 3: C:\Windows\SysWOW64\Jopabhna.exe  [cmd: C:\Windows\system32\Jopabhna.exe]  PID:3216
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
depth 4: C:\Windows\SysWOW64\Khifln32.exe  [cmd: C:\Windows\system32\Khifln32.exe]  PID:4064
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
depth 5: C:\Windows\SysWOW64\Kldblmmk.exe  [cmd: C:\Windows\system32\Kldblmmk.exe]  PID:912
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
depth 6: C:\Windows\SysWOW64\Kocnhhlo.exe  [cmd: C:\Windows\system32\Kocnhhlo.exe]  PID:908
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
depth 7: C:\Windows\SysWOW64\Klgoalkh.exe  [cmd: C:\Windows\system32\Klgoalkh.exe]  PID:3320
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
depth 8: C:\Windows\SysWOW64\Koeknh32.exe  [cmd: C:\Windows\system32\Koeknh32.exe]  PID:1340
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
depth 9: C:\Windows\SysWOW64\Kikokq32.exe  [cmd: C:\Windows\system32\Kikokq32.exe]  PID:2036
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
depth 10: C:\Windows\SysWOW64\Klikgl32.exe  [cmd: C:\Windows\system32\Klikgl32.exe]  PID:4656
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
depth 11: C:\Windows\SysWOW64\Koggcg32.exe  [cmd: C:\Windows\system32\Koggcg32.exe]  PID:1724
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
depth 12: C:\Windows\SysWOW64\Kimlqp32.exe  [cmd: C:\Windows\system32\Kimlqp32.exe]  PID:4460
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
depth 13: C:\Windows\SysWOW64\Kojdig32.exe  [cmd: C:\Windows\system32\Kojdig32.exe]  PID:1072
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
depth 14: C:\Windows\SysWOW64\Kahpebej.exe  [cmd: C:\Windows\system32\Kahpebej.exe]  PID:4728
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
depth 15: C:\Windows\SysWOW64\Kiohfpfl.exe  [cmd: C:\Windows\system32\Kiohfpfl.exe]  PID:1368
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
depth 16: C:\Windows\SysWOW64\Klndbkep.exe  [cmd: C:\Windows\system32\Klndbkep.exe]  PID:2700
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
depth 17: C:\Windows\SysWOW64\Kpiqcj32.exe  [cmd: C:\Windows\system32\Kpiqcj32.exe]  PID:4736
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
depth 18: C:\Windows\SysWOW64\Lchmoe32.exe  [cmd: C:\Windows\system32\Lchmoe32.exe]  PID:2956
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
depth 19: C:\Windows\SysWOW64\Lajmkbcg.exe  [cmd: C:\Windows\system32\Lajmkbcg.exe]  PID:756
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
depth 20: C:\Windows\SysWOW64\Liaelpdj.exe  [cmd: C:\Windows\system32\Liaelpdj.exe]  PID:2396
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
depth 21: C:\Windows\SysWOW64\Llpahkcm.exe  [cmd: C:\Windows\system32\Llpahkcm.exe]  PID:1580
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
depth 22: C:\Windows\SysWOW64\Lplmhj32.exe  [cmd: C:\Windows\system32\Lplmhj32.exe]  PID:336
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
depth 23: C:\Windows\SysWOW64\Lcjide32.exe  [cmd: C:\Windows\system32\Lcjide32.exe]  PID:4932
  - Executes dropped EXE
depth 24: C:\Windows\SysWOW64\Lamjpbae.exe  [cmd: C:\Windows\system32\Lamjpbae.exe]  PID:4380
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
depth 25: C:\Windows\SysWOW64\Lehfqqjn.exe  [cmd: C:\Windows\system32\Lehfqqjn.exe]  PID:2376
  - Executes dropped EXE
depth 26: C:\Windows\SysWOW64\Lidbao32.exe  [cmd: C:\Windows\system32\Lidbao32.exe]  PID:1976
  - Executes dropped EXE
depth 27: C:\Windows\SysWOW64\Llbnmk32.exe  [cmd: C:\Windows\system32\Llbnmk32.exe]  PID:2996
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
depth 28: C:\Windows\SysWOW64\Lpnjniid.exe  [cmd: C:\Windows\system32\Lpnjniid.exe]  PID:4536
  - Executes dropped EXE
  - Modifies registry class
depth 29: C:\Windows\SysWOW64\Lppgciga.exe  [cmd: C:\Windows\system32\Lppgciga.exe]  PID:2336
  - Executes dropped EXE
depth 30: C:\Windows\SysWOW64\Locgof32.exe  [cmd: C:\Windows\system32\Locgof32.exe]  PID:4384
  - Executes dropped EXE
depth 31: C:\Windows\SysWOW64\Lcocpdfe.exe  [cmd: C:\Windows\system32\Lcocpdfe.exe]  PID:4324
  - Executes dropped EXE
depth 32: C:\Windows\SysWOW64\Laacka32.exe  [cmd: C:\Windows\system32\Laacka32.exe]  PID:2844
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
depth 33: C:\Windows\SysWOW64\Lemolpei.exe  [cmd: C:\Windows\system32\Lemolpei.exe]  PID:2744
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
depth 34: C:\Windows\SysWOW64\Ljiklonb.exe  [cmd: C:\Windows\system32\Ljiklonb.exe]  PID:612
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
depth 35: C:\Windows\SysWOW64\Lhkkhk32.exe  [cmd: C:\Windows\system32\Lhkkhk32.exe]  PID:3764
  - Executes dropped EXE
  - Modifies registry class
depth 36: C:\Windows\SysWOW64\Llgghjme.exe  [cmd: C:\Windows\system32\Llgghjme.exe]  PID:1668
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
depth 37: C:\Windows\SysWOW64\Lpbcii32.exe  [cmd: C:\Windows\system32\Lpbcii32.exe]  PID:3064
  - Executes dropped EXE
depth 38: C:\Windows\SysWOW64\Lcaped32.exe  [cmd: C:\Windows\system32\Lcaped32.exe]  PID:4452
  - Executes dropped EXE
  - Drops file in System32 directory
depth 39: C:\Windows\SysWOW64\Ladpaakm.exe  [cmd: C:\Windows\system32\Ladpaakm.exe]  PID:2696
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
depth 40: C:\Windows\SysWOW64\Lfplap32.exe  [cmd: C:\Windows\system32\Lfplap32.exe]  PID:4552
  - Executes dropped EXE
  - Drops file in System32 directory
depth 41: C:\Windows\SysWOW64\Ljkhbnlo.exe  [cmd: C:\Windows\system32\Ljkhbnlo.exe]  PID:1968
  - Executes dropped EXE
depth 42: C:\Windows\SysWOW64\Mcclkd32.exe  [cmd: C:\Windows\system32\Mcclkd32.exe]  PID:3324
  - Executes dropped EXE
depth 43: C:\Windows\SysWOW64\Mjmdgn32.exe  [cmd: C:\Windows\system32\Mjmdgn32.exe]  PID:3816
  - Executes dropped EXE
  - Drops file in System32 directory
depth 44: C:\Windows\SysWOW64\Mllaci32.exe  [cmd: C:\Windows\system32\Mllaci32.exe]  PID:3892
  - Executes dropped EXE
  - Modifies registry class
depth 45: C:\Windows\SysWOW64\Mpgmdhai.exe  [cmd: C:\Windows\system32\Mpgmdhai.exe]  PID:2688
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
depth 46: C:\Windows\SysWOW64\Mcfipcpm.exe  [cmd: C:\Windows\system32\Mcfipcpm.exe]  PID:3176
  - Executes dropped EXE
  - Drops file in System32 directory
depth 47: C:\Windows\SysWOW64\Mfdemopq.exe  [cmd: C:\Windows\system32\Mfdemopq.exe]  PID:4900
  - Executes dropped EXE
depth 48: C:\Windows\SysWOW64\Mhbaijod.exe  [cmd: C:\Windows\system32\Mhbaijod.exe]  PID:844
  - Executes dropped EXE
depth 49: C:\Windows\SysWOW64\Momjed32.exe  [cmd: C:\Windows\system32\Momjed32.exe]  PID:3624
  - Executes dropped EXE
  - Drops file in System32 directory
depth 50: C:\Windows\SysWOW64\Mfiogn32.exe  [cmd: C:\Windows\system32\Mfiogn32.exe]  PID:4816
  - Executes dropped EXE
depth 51: C:\Windows\SysWOW64\Mhgkdj32.exe  [cmd: C:\Windows\system32\Mhgkdj32.exe]  PID:3856
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
depth 52: C:\Windows\SysWOW64\Mqnceg32.exe  [cmd: C:\Windows\system32\Mqnceg32.exe]  PID:2812
  - Executes dropped EXE
depth 53: C:\Windows\SysWOW64\Mbppmoap.exe  [cmd: C:\Windows\system32\Mbppmoap.exe]  PID:1016
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
depth 54: C:\Windows\SysWOW64\Mhihii32.exe  [cmd: C:\Windows\system32\Mhihii32.exe]  PID:4660
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
depth 55: C:\Windows\SysWOW64\Nqqpjgio.exe  [cmd: C:\Windows\system32\Nqqpjgio.exe]  PID:1744
  - Executes dropped EXE
  - Drops file in System32 directory
depth 56: C:\Windows\SysWOW64\Nbblbo32.exe  [cmd: C:\Windows\system32\Nbblbo32.exe]  PID:3752
  - Executes dropped EXE
depth 57: C:\Windows\SysWOW64\Nhldoifj.exe  [cmd: C:\Windows\system32\Nhldoifj.exe]  PID:1956
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
depth 58: C:\Windows\SysWOW64\Ncailbfp.exe  [cmd: C:\Windows\system32\Ncailbfp.exe]  PID:2356
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
depth 59: C:\Windows\SysWOW64\Nbdiho32.exe  [cmd: C:\Windows\system32\Nbdiho32.exe]  PID:1424
  - Executes dropped EXE
depth 60: C:\Windows\SysWOW64\Nmjmeg32.exe  [cmd: C:\Windows\system32\Nmjmeg32.exe]  PID:3012
  - Executes dropped EXE
depth 61: C:\Windows\SysWOW64\Nohiacld.exe  [cmd: C:\Windows\system32\Nohiacld.exe]  PID:3444
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
depth 62: C:\Windows\SysWOW64\Nfbanm32.exe  [cmd: C:\Windows\system32\Nfbanm32.exe]  PID:2244
  - Executes dropped EXE
depth 63: C:\Windows\SysWOW64\Nqhfkf32.exe  [cmd: C:\Windows\system32\Nqhfkf32.exe]  PID:3056
  - Executes dropped EXE
depth 64: C:\Windows\SysWOW64\Ncfbga32.exe  [cmd: C:\Windows\system32\Ncfbga32.exe]  PID:432
  - Executes dropped EXE
depth 65: C:\Windows\SysWOW64\Nicjph32.exe  [cmd: C:\Windows\system32\Nicjph32.exe]  PID:4652
  - Executes dropped EXE
depth 66: C:\Windows\SysWOW64\Nqjbqe32.exe  [cmd: C:\Windows\system32\Nqjbqe32.exe]  PID:1780
depth 67: C:\Windows\SysWOW64\Nchomqph.exe  [cmd: C:\Windows\system32\Nchomqph.exe]  PID:320
  - Adds autorun key to be loaded by Explorer.exe on startup
  - System Location Discovery: System Language Discovery
depth 68: C:\Windows\SysWOW64\Njbgik32.exe  [cmd: C:\Windows\system32\Njbgik32.exe]  PID:4752
depth 69: C:\Windows\SysWOW64\Omacef32.exe  [cmd: C:\Windows\system32\Omacef32.exe]  PID:4444
depth 70: C:\Windows\SysWOW64\Ockkbqne.exe  [cmd: C:\Windows\system32\Ockkbqne.exe]  PID:3612
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
depth 71: C:\Windows\SysWOW64\Oihdkgll.exe  [cmd: C:\Windows\system32\Oihdkgll.exe]  PID:5004
depth 72: C:\Windows\SysWOW64\Ooalga32.exe  [cmd: C:\Windows\system32\Ooalga32.exe]  PID:1044
  - Adds autorun key to be loaded by Explorer.exe on startup
depth 73: C:\Windows\SysWOW64\Oflddl32.exe  [cmd: C:\Windows\system32\Oflddl32.exe]  PID:408
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Modifies registry class
depth 74: C:\Windows\SysWOW64\Omemqfbc.exe  [cmd: C:\Windows\system32\Omemqfbc.exe]  PID:1520
depth 75: C:\Windows\SysWOW64\Ocpemp32.exe  [cmd: C:\Windows\system32\Ocpemp32.exe]  PID:4436
  - Adds autorun key to be loaded by Explorer.exe on startup
depth 76: C:\Windows\SysWOW64\Ofnajk32.exe  [cmd: C:\Windows\system32\Ofnajk32.exe]  PID:2260
depth 77: C:\Windows\SysWOW64\Oqcegd32.exe  [cmd: C:\Windows\system32\Oqcegd32.exe]  PID:4972
depth 78: C:\Windows\SysWOW64\Omjfle32.exe  [cmd: C:\Windows\system32\Omjfle32.exe]  PID:5032
  - Adds autorun key to be loaded by Explorer.exe on startup
depth 79: C:\Windows\SysWOW64\Opibhq32.exe  [cmd: C:\Windows\system32\Opibhq32.exe]  PID:4908
  - Modifies registry class
depth 80: C:\Windows\SysWOW64\Ojnfei32.exe  [cmd: C:\Windows\system32\Ojnfei32.exe]  PID:5020
  - Adds autorun key to be loaded by Explorer.exe on startup
depth 81: C:\Windows\SysWOW64\Pqhobced.exe  [cmd: C:\Windows\system32\Pqhobced.exe]  PID:2024
depth 82: C:\Windows\SysWOW64\Pfegjjck.exe  [cmd: C:\Windows\system32\Pfegjjck.exe]  PID:2104
  - Drops file in System32 directory
depth 83: C:\Windows\SysWOW64\Pajkgc32.exe  [cmd: C:\Windows\system32\Pajkgc32.exe]  PID:4344
  - System Location Discovery: System Language Discovery
depth 84: C:\Windows\SysWOW64\Pfgdpj32.exe  [cmd: C:\Windows\system32\Pfgdpj32.exe]  PID:5112
  - Adds autorun key to be loaded by Explorer.exe on startup
depth 85: C:\Windows\SysWOW64\Pjcpphib.exe  [cmd: C:\Windows\system32\Pjcpphib.exe]  PID:1208
depth 86: C:\Windows\SysWOW64\Pamhmb32.exe  [cmd: C:\Windows\system32\Pamhmb32.exe]  PID:4704
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
depth 87: C:\Windows\SysWOW64\Pbndekfm.exe  [cmd: C:\Windows\system32\Pbndekfm.exe]  PID:4028
depth 88: C:\Windows\SysWOW64\Pjemfhgo.exe  [cmd: C:\Windows\system32\Pjemfhgo.exe]  PID:372
  - Modifies registry class
depth 89: C:\Windows\SysWOW64\Paoebbol.exe  [cmd: C:\Windows\system32\Paoebbol.exe]  PID:4308
  - Adds autorun key to be loaded by Explorer.exe on startup
depth 90: C:\Windows\SysWOW64\Pflmkimc.exe  [cmd: C:\Windows\system32\Pflmkimc.exe]  PID:3844
depth 91: C:\Windows\SysWOW64\Pijjgdlg.exe  [cmd: C:\Windows\system32\Pijjgdlg.exe]  PID:2680
  - Modifies registry class
depth 92: C:\Windows\SysWOW64\Pbbnpj32.exe  [cmd: C:\Windows\system32\Pbbnpj32.exe]  PID:4252
depth 93: C:\Windows\SysWOW64\Qjjfag32.exe  [cmd: C:\Windows\system32\Qjjfag32.exe]  PID:2360
  - Drops file in System32 directory
depth 94: C:\Windows\SysWOW64\Qcbjjm32.exe  [cmd: C:\Windows\system32\Qcbjjm32.exe]  PID:4852
depth 95: C:\Windows\SysWOW64\Qbekejqe.exe  [cmd: C:\Windows\system32\Qbekejqe.exe]  PID:3988
depth 96: C:\Windows\SysWOW64\Qafkca32.exe  [cmd: C:\Windows\system32\Qafkca32.exe]  PID:4548
  - Drops file in System32 directory
depth 97: C:\Windows\SysWOW64\Ajoplgod.exe  [cmd: C:\Windows\system32\Ajoplgod.exe]  PID:220
  - Drops file in System32 directory
depth 98: C:\Windows\SysWOW64\Aahhia32.exe  [cmd: C:\Windows\system32\Aahhia32.exe]  PID:2444
  - System Location Discovery: System Language Discovery
depth 99: C:\Windows\SysWOW64\Apkhdn32.exe  [cmd: C:\Windows\system32\Apkhdn32.exe]  PID:1392
depth 100: C:\Windows\SysWOW64\Afepahei.exe  [cmd: C:\Windows\system32\Afepahei.exe]  PID:1056
  - Adds autorun key to be loaded by Explorer.exe on startup
depth 101: C:\Windows\SysWOW64\Ajalaf32.exe  [cmd: C:\Windows\system32\Ajalaf32.exe]  PID:2664
depth 102: C:\Windows\SysWOW64\Amohnb32.exe  [cmd: C:\Windows\system32\Amohnb32.exe]  PID:2084
  - Modifies registry class
depth 103: C:\Windows\SysWOW64\Aakdnqdo.exe  [cmd: C:\Windows\system32\Aakdnqdo.exe]  PID:3236
depth 104: C:\Windows\SysWOW64\Adiqjlcb.exe  [cmd: C:\Windows\system32\Adiqjlcb.exe]  PID:1248
  - Adds autorun key to be loaded by Explorer.exe on startup
depth 105: C:\Windows\SysWOW64\Afhmggcf.exe  [cmd: C:\Windows\system32\Afhmggcf.exe]  PID:5100
depth 106: C:\Windows\SysWOW64\Aificcbj.exe  [cmd: C:\Windows\system32\Aificcbj.exe]  PID:5136
depth 107: C:\Windows\SysWOW64\Amaeca32.exe  [cmd: C:\Windows\system32\Amaeca32.exe]  PID:5176
  - System Location Discovery: System Language Discovery
  - Modifies registry class
depth 108: C:\Windows\SysWOW64\Appapm32.exe  [cmd: C:\Windows\system32\Appapm32.exe]  PID:5220
depth 109: C:\Windows\SysWOW64\Abnnlhhj.exe  [cmd: C:\Windows\system32\Abnnlhhj.exe]  PID:5264
depth 110: C:\Windows\SysWOW64\Afjjlg32.exe  [cmd: C:\Windows\system32\Afjjlg32.exe]  PID:5308
  - System Location Discovery: System Language Discovery
depth 111: C:\Windows\SysWOW64\Aihfhb32.exe  [cmd: C:\Windows\system32\Aihfhb32.exe]  PID:5368
  - Modifies registry class
depth 112: C:\Windows\SysWOW64\Aapnip32.exe  [cmd: C:\Windows\system32\Aapnip32.exe]  PID:5404
depth 113: C:\Windows\SysWOW64\Adnjek32.exe  [cmd: C:\Windows\system32\Adnjek32.exe]  PID:5484
depth 114: C:\Windows\SysWOW64\Aflfag32.exe  [cmd: C:\Windows\system32\Aflfag32.exe]  PID:5548
  - Adds autorun key to be loaded by Explorer.exe on startup
depth 115: C:\Windows\SysWOW64\Aikbnb32.exe  [cmd: C:\Windows\system32\Aikbnb32.exe]  PID:5596
  - Modifies registry class
depth 116: C:\Windows\SysWOW64\Aabkop32.exe  [cmd: C:\Windows\system32\Aabkop32.exe]  PID:5640
  - Adds autorun key to be loaded by Explorer.exe on startup
  - System Location Discovery: System Language Discovery
depth 117: C:\Windows\SysWOW64\Adpgkk32.exe  [cmd: C:\Windows\system32\Adpgkk32.exe]  PID:5688
depth 118: C:\Windows\SysWOW64\Abcgghde.exe  [cmd: C:\Windows\system32\Abcgghde.exe]  PID:5752
  - Adds autorun key to be loaded by Explorer.exe on startup
depth 119: C:\Windows\SysWOW64\Bjjohe32.exe  [cmd: C:\Windows\system32\Bjjohe32.exe]  PID:5800
depth 120: C:\Windows\SysWOW64\Bmikdq32.exe  [cmd: C:\Windows\system32\Bmikdq32.exe]  PID:5888
  - Modifies registry class
depth 121: C:\Windows\SysWOW64\Badgdold.exe  [cmd: C:\Windows\system32\Badgdold.exe]  PID:5948
depth 122: C:\Windows\SysWOW64\Bpggpl32.exe  [cmd: C:\Windows\system32\Bpggpl32.exe]  PID:6004