Analysis
-
max time kernel
92s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
23-11-2024 08:53
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
a13c9bf69ecc6f90dfc9dc1ae6579649bd6b5ffc95f5e14737b324089bd4f3c1.exe
Resource
win7-20240903-en
windows7-x64
10 signatures
120 seconds
Behavioral task
behavioral2
Sample
a13c9bf69ecc6f90dfc9dc1ae6579649bd6b5ffc95f5e14737b324089bd4f3c1.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
120 seconds
General
-
Target
a13c9bf69ecc6f90dfc9dc1ae6579649bd6b5ffc95f5e14737b324089bd4f3c1.exe
-
Size
862KB
-
MD5
0a4ed4fdd1c86f56f6ce046a89a04751
-
SHA1
c0bba6585342983aa5b44ebac3fe9165b2180655
-
SHA256
a13c9bf69ecc6f90dfc9dc1ae6579649bd6b5ffc95f5e14737b324089bd4f3c1
-
SHA512
8475e14d434135ab3fcb6da42c285cf0303a40685d5d13b183b777e28809d01b31abfcc980a495bf63ac8980de0b5a9022ef3a3d5dffea8d277b85f8662e267b
-
SSDEEP
24576:Cxxn9mxxaxxn9mxxdql4G3Mkxxn9mxxaxxn9mxx2:axIxixIxy784xIxixIx2
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://master-x.com/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://crutop.ru/index.php
http://kaspersky.ru/index.php
http://color-bank.ru/index.php
http://adult-empire.com/index.php
http://virus-list.com/index.php
http://trojan.ru/index.php
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://fethard.biz/index.htm
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://kaspersky.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nqmfdj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bpfkpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ibjqaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aadifclh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Folaiqng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Locbfd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idghpmnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Icnklbmj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhgiim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kpjcdn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhgbhfbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Caqpkjcl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhoqeibl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qmgelf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ieliebnf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mehcdfch.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljhefhha.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ookoaokf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cgjjdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lqkgbcff.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhpfqcln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ahgcjddh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfnjpfcl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jocnlg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jmknaell.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Llgcph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Idghpmnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nahgoe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebhglj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nckndeni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lbngllob.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkcadhgm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pciqnk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aodogdmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mepfiq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmoiqneg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aoalgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hbjoeojc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djdmffnn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olbdhn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blnoga32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knnhjcog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jiglnf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncchae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Haoimcgg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbiado32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gnqfcbnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aajhndkb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jqdoem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nacmdf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddjmba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hoaojp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iipfmggc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jejefqaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njghbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lllcen32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cikglnkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lqndhcdc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dokgdkeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdhhdlid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kflnfcgg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkqkhk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbaclegm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opogbbig.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2212 Jmknaell.exe 4948 Jbhfjljd.exe 3656 Jpnchp32.exe 3220 Jfhlejnh.exe 1368 Jmbdbd32.exe 4636 Kimnbd32.exe 1968 Klljnp32.exe 4932 Kdcbom32.exe 1408 Kpjcdn32.exe 5068 Llcpoo32.exe 3056 Ldjhpl32.exe 3932 Lfhdlh32.exe 3176 Ligqhc32.exe 3192 Lpqiemge.exe 3960 Lboeaifi.exe 4836 Lenamdem.exe 4732 Lmdina32.exe 4944 Ldoaklml.exe 4776 Lgmngglp.exe 1796 Lepncd32.exe 4628 Lmgfda32.exe 448 Lpebpm32.exe 1640 Lbdolh32.exe 2380 Lgokmgjm.exe 4436 Lingibiq.exe 4840 Lllcen32.exe 3760 Mdckfk32.exe 4872 Mbfkbhpa.exe 920 Medgncoe.exe 1872 Mmlpoqpg.exe 3224 Mpjlklok.exe 1404 Mdehlk32.exe 2152 Mgddhf32.exe 688 Megdccmb.exe 4328 Mmnldp32.exe 972 Mlampmdo.exe 4012 Mdhdajea.exe 2684 Mgfqmfde.exe 1672 Miemjaci.exe 1364 Mmpijp32.exe 5048 Mdjagjco.exe 1240 Mcmabg32.exe 3244 Melnob32.exe 3896 Mmbfpp32.exe 2400 Mpablkhc.exe 3144 Mcpnhfhf.exe 1632 Mgkjhe32.exe 3152 Miifeq32.exe 2900 Mlhbal32.exe 4256 Npcoakfp.exe 4384 Ngmgne32.exe 4952 Nilcjp32.exe 4140 Nljofl32.exe 8 Ndaggimg.exe 60 Ngpccdlj.exe 4028 Nebdoa32.exe 3132 Nnjlpo32.exe 4056 Ndcdmikd.exe 2192 Neeqea32.exe 4004 Njqmepik.exe 1808 Npjebj32.exe 1000 Ncianepl.exe 3892 Nfgmjqop.exe 4276 Nnneknob.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Eghkjdoa.exe Ebkbbmqj.exe File created C:\Windows\SysWOW64\Cnkplejl.exe Cfdhkhjj.exe File opened for modification C:\Windows\SysWOW64\Dhomfc32.exe Dmglcj32.exe File created C:\Windows\SysWOW64\Jeciaina.dll Dkahilkl.exe File created C:\Windows\SysWOW64\Aafemk32.exe Qklmpalf.exe File created C:\Windows\SysWOW64\Ajiqfi32.dll Hpfbcn32.exe File opened for modification C:\Windows\SysWOW64\Jnkldqkc.exe Jklphekp.exe File opened for modification C:\Windows\SysWOW64\Hmnmgnoh.exe Hbhijepa.exe File created C:\Windows\SysWOW64\Lmmolepp.exe Lgqfdnah.exe File created C:\Windows\SysWOW64\Nipekiep.exe Nlleaeff.exe File opened for modification C:\Windows\SysWOW64\Bjcmebie.exe Bgeaifia.exe File opened for modification C:\Windows\SysWOW64\Iklgah32.exe Hacbhb32.exe File created C:\Windows\SysWOW64\Gicbkkca.dll Kmfhkf32.exe File created C:\Windows\SysWOW64\Hehkga32.dll Nenbjo32.exe File opened for modification C:\Windows\SysWOW64\Ncianepl.exe Npjebj32.exe File created C:\Windows\SysWOW64\Ampkof32.exe Qffbbldm.exe File created C:\Windows\SysWOW64\Fnmnbf32.dll Dfnjafap.exe File created C:\Windows\SysWOW64\Iidphgcn.exe Iplkpa32.exe File opened for modification C:\Windows\SysWOW64\Aaldccip.exe Akblfj32.exe File created C:\Windows\SysWOW64\Agolng32.dll Oblhcj32.exe File created C:\Windows\SysWOW64\Ckmllpik.dll Cfbkeh32.exe File created C:\Windows\SysWOW64\Dipidh32.dll Gaogak32.exe File opened for modification C:\Windows\SysWOW64\Baadiiif.exe Akglloai.exe File created C:\Windows\SysWOW64\Biiobo32.exe Bfkbfd32.exe File opened for modification C:\Windows\SysWOW64\Binhnomg.exe Bfolacnc.exe File opened for modification C:\Windows\SysWOW64\Dkkaiphj.exe Cmgqpkip.exe File opened for modification C:\Windows\SysWOW64\Igcoqocb.exe Idebdcdo.exe File opened for modification C:\Windows\SysWOW64\Cmipblaq.exe Cjjcfabm.exe File opened for modification C:\Windows\SysWOW64\Akffafgg.exe Ajdjin32.exe File created C:\Windows\SysWOW64\Dognaofl.dll Kamjda32.exe File created C:\Windows\SysWOW64\Nimmifgo.exe Nqaiecjd.exe File created C:\Windows\SysWOW64\Fidafj32.dll Eoekia32.exe File created C:\Windows\SysWOW64\Ffkclmbd.dll Hjjnae32.exe File created C:\Windows\SysWOW64\Bhoqeibl.exe Bcahmb32.exe File created C:\Windows\SysWOW64\Keaebdpc.dll Ingpmmgm.exe File created C:\Windows\SysWOW64\Ogacbllg.dll Pknqoc32.exe File created C:\Windows\SysWOW64\Aafkfgeh.dll Jcoaglhk.exe File created C:\Windows\SysWOW64\Jkmmde32.dll Boihcf32.exe File created C:\Windows\SysWOW64\Nebdoa32.exe Ngpccdlj.exe File opened for modification C:\Windows\SysWOW64\Ifdonfka.exe Ibicnh32.exe File created C:\Windows\SysWOW64\Jnkldqkc.exe Jklphekp.exe File created C:\Windows\SysWOW64\Edopabqn.exe Epcdqd32.exe File created C:\Windows\SysWOW64\Lpmbai32.dll Aonoao32.exe File created C:\Windows\SysWOW64\Gfjkjo32.exe Gncchb32.exe File created C:\Windows\SysWOW64\Hmpcbhji.exe Hbjoeojc.exe File opened for modification C:\Windows\SysWOW64\Ibjqaf32.exe Iialhaad.exe File opened for modification C:\Windows\SysWOW64\Pqknig32.exe Pnlaml32.exe File created C:\Windows\SysWOW64\Dhkehk32.dll Idebdcdo.exe File created C:\Windows\SysWOW64\Pcpikkge.exe Pflibgil.exe File created C:\Windows\SysWOW64\Cihclh32.exe Cfigpm32.exe File created C:\Windows\SysWOW64\Hlmchoan.exe Hecjke32.exe File created C:\Windows\SysWOW64\Dogogcpo.exe Dkkcge32.exe File opened for modification C:\Windows\SysWOW64\Nlleaeff.exe Ngomin32.exe File opened for modification C:\Windows\SysWOW64\Oohgdhfn.exe Ohnohn32.exe File opened for modification C:\Windows\SysWOW64\Hoeieolb.exe Hemdlj32.exe File opened for modification C:\Windows\SysWOW64\Egnchd32.exe Eaakpm32.exe File opened for modification C:\Windows\SysWOW64\Hfpecg32.exe Hninbj32.exe File created C:\Windows\SysWOW64\Fdflahpe.dll Bokehc32.exe File opened for modification C:\Windows\SysWOW64\Egaejeej.exe Edbiniff.exe File created C:\Windows\SysWOW64\Jhifomdj.exe Jaonbc32.exe File created C:\Windows\SysWOW64\Calfpk32.exe Cbkfbcpb.exe File created C:\Windows\SysWOW64\Hnhghcki.exe Hhknpmma.exe File created C:\Windows\SysWOW64\Dahjdc32.dll Ajpqnneo.exe File created C:\Windows\SysWOW64\Ebaplnie.exe Dglkoeio.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 9416 10460 WerFault.exe 1094 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdkcde32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcpikkge.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmechmip.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibfnqmpf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Koajmepf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnneknob.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocnjidkf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Locbfd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qclmck32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npcoakfp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hecjke32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qmepam32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ommceclc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bganhm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhflnpoi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkibgh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgdbnmji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lenicahg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gljgbllj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcmodajm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hacbhb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pflibgil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbiado32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hckeoeno.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndflak32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdbnjdfg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmhdkknd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egened32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anogiicl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnhghcki.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikdcmpnl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egaejeej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Modpib32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnnlaehj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdcliikj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Camddhoi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbnpcj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Peahgl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phfjcf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epcdqd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jqknkedi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efjbcakl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aokkahlo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Balpgb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddjmba32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aggpfkjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bqmeal32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eblpgjha.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmcain32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocohmc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fddqghpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgkjhe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jqdoem32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Megdccmb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Naecop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhafeb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akcjkfij.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cobkhb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Accfbokl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kechmoil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcniglmb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldjhpl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eaakpm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acgolj32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olaqbelh.dll" Cmhigf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnnkgo32.dll" Kpoalo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eehnaq32.dll" Boldhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cepjip32.dll" Dpkmal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lebcnn32.dll" Omegjomb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bmladm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iqipio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jklbcn32.dll" Kijchhbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kmkbfeab.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cfnjpfcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iknmmg32.dll" Mfchlbfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ieneofbo.dll" Cobkhb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnflfgji.dll" Conanfli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Chfegk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Binhnomg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbcolk32.dll" Calfpk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmnbjama.dll" Pnmopk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bmhocd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nfgmjqop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jilkmnni.dll" Ofcmfodb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qqfmde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jffggf32.dll" Cnicfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iomcgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nmdgikhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mfpell32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Afhfaddk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjgaigfg.dll" Ncianepl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qqfmde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pckppl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fibhpbea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlgjal32.dll" Bebjdgmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dhdbhifj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ligqhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Caebma32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gklnjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hponje32.dll" Oeokal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofkhpmpa.dll" Ncnofeof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Apjkcadp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mjpjgj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cnicfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcbdhp32.dll" Deokon32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gnfhfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmnagpbq.dll" Jkmgblok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gedapeof.dll" Knooej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dfiildio.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cenahpha.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ehcfaboo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fdamgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbicmh32.dll" Fibhpbea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbpkkeen.dll" Bmggingc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqdeld32.dll" Kimnbd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oohnonij.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cihclh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ekjded32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjphcf32.dll" Ofckhj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bnmcjg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oclkgccf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpifjj32.dll" Mfpell32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oqmhqapg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bpkdjofm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjehdpem.dll" Hhfpbpdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cefofm32.dll" a13c9bf69ecc6f90dfc9dc1ae6579649bd6b5ffc95f5e14737b324089bd4f3c1.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mdckfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pfhfan32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4336 wrote to memory of 2212 4336 a13c9bf69ecc6f90dfc9dc1ae6579649bd6b5ffc95f5e14737b324089bd4f3c1.exe 83 PID 4336 wrote to memory of 2212 4336 a13c9bf69ecc6f90dfc9dc1ae6579649bd6b5ffc95f5e14737b324089bd4f3c1.exe 83 PID 4336 wrote to memory of 2212 4336 a13c9bf69ecc6f90dfc9dc1ae6579649bd6b5ffc95f5e14737b324089bd4f3c1.exe 83 PID 2212 wrote to memory of 4948 2212 Jmknaell.exe 84 PID 2212 wrote to memory of 4948 2212 Jmknaell.exe 84 PID 2212 wrote to memory of 4948 2212 Jmknaell.exe 84 PID 4948 wrote to memory of 3656 4948 Jbhfjljd.exe 85 PID 4948 wrote to memory of 3656 4948 Jbhfjljd.exe 85 PID 4948 wrote to memory of 3656 4948 Jbhfjljd.exe 85 PID 3656 wrote to memory of 3220 3656 Jpnchp32.exe 86 PID 3656 wrote to memory of 3220 3656 Jpnchp32.exe 86 PID 3656 wrote to memory of 3220 3656 Jpnchp32.exe 86 PID 3220 wrote to memory of 1368 3220 Jfhlejnh.exe 87 PID 3220 wrote to memory of 1368 3220 Jfhlejnh.exe 87 PID 3220 wrote to memory of 1368 3220 Jfhlejnh.exe 87 PID 1368 wrote to memory of 4636 1368 Jmbdbd32.exe 88 PID 1368 wrote to memory of 4636 1368 Jmbdbd32.exe 88 PID 1368 wrote to memory of 4636 1368 Jmbdbd32.exe 88 PID 4636 wrote to memory of 1968 4636 Kimnbd32.exe 89 PID 4636 wrote to memory of 1968 4636 Kimnbd32.exe 89 PID 4636 wrote to memory of 1968 4636 Kimnbd32.exe 89 PID 1968 wrote to memory of 4932 1968 Klljnp32.exe 90 PID 1968 wrote to memory of 4932 1968 Klljnp32.exe 90 PID 1968 wrote to memory of 4932 1968 Klljnp32.exe 90 PID 4932 wrote to memory of 1408 4932 Kdcbom32.exe 91 PID 4932 wrote to memory of 1408 4932 Kdcbom32.exe 91 PID 4932 wrote to memory of 1408 4932 Kdcbom32.exe 91 PID 1408 wrote to memory of 5068 1408 Kpjcdn32.exe 92 PID 1408 wrote to memory of 5068 1408 Kpjcdn32.exe 92 PID 1408 wrote to memory of 5068 1408 Kpjcdn32.exe 92 PID 5068 wrote to memory of 3056 5068 Llcpoo32.exe 93 PID 5068 wrote to memory of 3056 5068 Llcpoo32.exe 93 PID 5068 wrote to memory of 3056 5068 Llcpoo32.exe 93 PID 3056 wrote to memory of 3932 3056 Ldjhpl32.exe 94 PID 3056 wrote to memory of 3932 3056 Ldjhpl32.exe 94 PID 3056 wrote to memory of 3932 3056 Ldjhpl32.exe 94 PID 3932 wrote to memory of 3176 3932 Lfhdlh32.exe 95 PID 3932 wrote to memory of 3176 3932 Lfhdlh32.exe 95 PID 3932 wrote to memory of 3176 3932 Lfhdlh32.exe 95 PID 3176 wrote to memory of 3192 3176 Ligqhc32.exe 96 PID 3176 wrote to memory of 3192 3176 Ligqhc32.exe 96 PID 3176 wrote to memory of 3192 3176 Ligqhc32.exe 96 PID 3192 wrote to memory of 3960 3192 Lpqiemge.exe 97 PID 3192 wrote to memory of 3960 3192 Lpqiemge.exe 97 PID 3192 wrote to memory of 3960 3192 Lpqiemge.exe 97 PID 3960 wrote to memory of 4836 3960 Lboeaifi.exe 98 PID 3960 wrote to memory of 4836 3960 Lboeaifi.exe 98 PID 3960 wrote to memory of 4836 3960 Lboeaifi.exe 98 PID 4836 wrote to memory of 4732 4836 Lenamdem.exe 99 PID 4836 wrote to memory of 4732 4836 Lenamdem.exe 99 PID 4836 wrote to memory of 4732 4836 Lenamdem.exe 99 PID 4732 wrote to memory of 4944 4732 Lmdina32.exe 100 PID 4732 wrote to memory of 4944 4732 Lmdina32.exe 100 PID 4732 wrote to memory of 4944 4732 Lmdina32.exe 100 PID 4944 wrote to memory of 4776 4944 Ldoaklml.exe 101 PID 4944 wrote to memory of 4776 4944 Ldoaklml.exe 101 PID 4944 wrote to memory of 4776 4944 Ldoaklml.exe 101 PID 4776 wrote to memory of 1796 4776 Lgmngglp.exe 102 PID 4776 wrote to memory of 1796 4776 Lgmngglp.exe 102 PID 4776 wrote to memory of 1796 4776 Lgmngglp.exe 102 PID 1796 wrote to memory of 4628 1796 Lepncd32.exe 103 PID 1796 wrote to memory of 4628 1796 Lepncd32.exe 103 PID 1796 wrote to memory of 4628 1796 Lepncd32.exe 103 PID 4628 wrote to memory of 448 4628 Lmgfda32.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\a13c9bf69ecc6f90dfc9dc1ae6579649bd6b5ffc95f5e14737b324089bd4f3c1.exe"C:\Users\Admin\AppData\Local\Temp\a13c9bf69ecc6f90dfc9dc1ae6579649bd6b5ffc95f5e14737b324089bd4f3c1.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4336 -
C:\Windows\SysWOW64\Jmknaell.exeC:\Windows\system32\Jmknaell.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2212 -
C:\Windows\SysWOW64\Jbhfjljd.exeC:\Windows\system32\Jbhfjljd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4948 -
C:\Windows\SysWOW64\Jpnchp32.exeC:\Windows\system32\Jpnchp32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3656 -
C:\Windows\SysWOW64\Jfhlejnh.exeC:\Windows\system32\Jfhlejnh.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3220 -
C:\Windows\SysWOW64\Jmbdbd32.exeC:\Windows\system32\Jmbdbd32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1368 -
C:\Windows\SysWOW64\Kimnbd32.exeC:\Windows\system32\Kimnbd32.exe7⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4636 -
C:\Windows\SysWOW64\Klljnp32.exeC:\Windows\system32\Klljnp32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1968 -
C:\Windows\SysWOW64\Kdcbom32.exeC:\Windows\system32\Kdcbom32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4932 -
C:\Windows\SysWOW64\Kpjcdn32.exeC:\Windows\system32\Kpjcdn32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1408 -
C:\Windows\SysWOW64\Llcpoo32.exeC:\Windows\system32\Llcpoo32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5068 -
C:\Windows\SysWOW64\Ldjhpl32.exeC:\Windows\system32\Ldjhpl32.exe12⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3056 -
C:\Windows\SysWOW64\Lfhdlh32.exeC:\Windows\system32\Lfhdlh32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3932 -
C:\Windows\SysWOW64\Ligqhc32.exeC:\Windows\system32\Ligqhc32.exe14⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3176 -
C:\Windows\SysWOW64\Lpqiemge.exeC:\Windows\system32\Lpqiemge.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3192 -
C:\Windows\SysWOW64\Lboeaifi.exeC:\Windows\system32\Lboeaifi.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3960 -
C:\Windows\SysWOW64\Lenamdem.exeC:\Windows\system32\Lenamdem.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4836 -
C:\Windows\SysWOW64\Lmdina32.exeC:\Windows\system32\Lmdina32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4732 -
C:\Windows\SysWOW64\Ldoaklml.exeC:\Windows\system32\Ldoaklml.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4944 -
C:\Windows\SysWOW64\Lgmngglp.exeC:\Windows\system32\Lgmngglp.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4776 -
C:\Windows\SysWOW64\Lepncd32.exeC:\Windows\system32\Lepncd32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1796 -
C:\Windows\SysWOW64\Lmgfda32.exeC:\Windows\system32\Lmgfda32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4628 -
C:\Windows\SysWOW64\Lpebpm32.exeC:\Windows\system32\Lpebpm32.exe23⤵
- Executes dropped EXE
PID:448 -
C:\Windows\SysWOW64\Lbdolh32.exeC:\Windows\system32\Lbdolh32.exe24⤵
- Executes dropped EXE
PID:1640 -
C:\Windows\SysWOW64\Lgokmgjm.exeC:\Windows\system32\Lgokmgjm.exe25⤵
- Executes dropped EXE
PID:2380 -
C:\Windows\SysWOW64\Lingibiq.exeC:\Windows\system32\Lingibiq.exe26⤵
- Executes dropped EXE
PID:4436 -
C:\Windows\SysWOW64\Lllcen32.exeC:\Windows\system32\Lllcen32.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4840 -
C:\Windows\SysWOW64\Mdckfk32.exeC:\Windows\system32\Mdckfk32.exe28⤵
- Executes dropped EXE
- Modifies registry class
PID:3760 -
C:\Windows\SysWOW64\Mbfkbhpa.exeC:\Windows\system32\Mbfkbhpa.exe29⤵
- Executes dropped EXE
PID:4872 -
C:\Windows\SysWOW64\Medgncoe.exeC:\Windows\system32\Medgncoe.exe30⤵
- Executes dropped EXE
PID:920 -
C:\Windows\SysWOW64\Mmlpoqpg.exeC:\Windows\system32\Mmlpoqpg.exe31⤵
- Executes dropped EXE
PID:1872 -
C:\Windows\SysWOW64\Mpjlklok.exeC:\Windows\system32\Mpjlklok.exe32⤵
- Executes dropped EXE
PID:3224 -
C:\Windows\SysWOW64\Mdehlk32.exeC:\Windows\system32\Mdehlk32.exe33⤵
- Executes dropped EXE
PID:1404 -
C:\Windows\SysWOW64\Mgddhf32.exeC:\Windows\system32\Mgddhf32.exe34⤵
- Executes dropped EXE
PID:2152 -
C:\Windows\SysWOW64\Megdccmb.exeC:\Windows\system32\Megdccmb.exe35⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:688 -
C:\Windows\SysWOW64\Mmnldp32.exeC:\Windows\system32\Mmnldp32.exe36⤵
- Executes dropped EXE
PID:4328 -
C:\Windows\SysWOW64\Mlampmdo.exeC:\Windows\system32\Mlampmdo.exe37⤵
- Executes dropped EXE
PID:972 -
C:\Windows\SysWOW64\Mdhdajea.exeC:\Windows\system32\Mdhdajea.exe38⤵
- Executes dropped EXE
PID:4012 -
C:\Windows\SysWOW64\Mgfqmfde.exeC:\Windows\system32\Mgfqmfde.exe39⤵
- Executes dropped EXE
PID:2684 -
C:\Windows\SysWOW64\Miemjaci.exeC:\Windows\system32\Miemjaci.exe40⤵
- Executes dropped EXE
PID:1672 -
C:\Windows\SysWOW64\Mmpijp32.exeC:\Windows\system32\Mmpijp32.exe41⤵
- Executes dropped EXE
PID:1364 -
C:\Windows\SysWOW64\Mdjagjco.exeC:\Windows\system32\Mdjagjco.exe42⤵
- Executes dropped EXE
PID:5048 -
C:\Windows\SysWOW64\Mcmabg32.exeC:\Windows\system32\Mcmabg32.exe43⤵
- Executes dropped EXE
PID:1240 -
C:\Windows\SysWOW64\Melnob32.exeC:\Windows\system32\Melnob32.exe44⤵
- Executes dropped EXE
PID:3244 -
C:\Windows\SysWOW64\Mmbfpp32.exeC:\Windows\system32\Mmbfpp32.exe45⤵
- Executes dropped EXE
PID:3896 -
C:\Windows\SysWOW64\Mpablkhc.exeC:\Windows\system32\Mpablkhc.exe46⤵
- Executes dropped EXE
PID:2400 -
C:\Windows\SysWOW64\Mcpnhfhf.exeC:\Windows\system32\Mcpnhfhf.exe47⤵
- Executes dropped EXE
PID:3144 -
C:\Windows\SysWOW64\Mgkjhe32.exeC:\Windows\system32\Mgkjhe32.exe48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1632 -
C:\Windows\SysWOW64\Miifeq32.exeC:\Windows\system32\Miifeq32.exe49⤵
- Executes dropped EXE
PID:3152 -
C:\Windows\SysWOW64\Mlhbal32.exeC:\Windows\system32\Mlhbal32.exe50⤵
- Executes dropped EXE
PID:2900 -
C:\Windows\SysWOW64\Npcoakfp.exeC:\Windows\system32\Npcoakfp.exe51⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4256 -
C:\Windows\SysWOW64\Ngmgne32.exeC:\Windows\system32\Ngmgne32.exe52⤵
- Executes dropped EXE
PID:4384 -
C:\Windows\SysWOW64\Nilcjp32.exeC:\Windows\system32\Nilcjp32.exe53⤵
- Executes dropped EXE
PID:4952 -
C:\Windows\SysWOW64\Nljofl32.exeC:\Windows\system32\Nljofl32.exe54⤵
- Executes dropped EXE
PID:4140 -
C:\Windows\SysWOW64\Ndaggimg.exeC:\Windows\system32\Ndaggimg.exe55⤵
- Executes dropped EXE
PID:8 -
C:\Windows\SysWOW64\Ngpccdlj.exeC:\Windows\system32\Ngpccdlj.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:60 -
C:\Windows\SysWOW64\Nebdoa32.exeC:\Windows\system32\Nebdoa32.exe57⤵
- Executes dropped EXE
PID:4028 -
C:\Windows\SysWOW64\Nnjlpo32.exeC:\Windows\system32\Nnjlpo32.exe58⤵
- Executes dropped EXE
PID:3132 -
C:\Windows\SysWOW64\Ndcdmikd.exeC:\Windows\system32\Ndcdmikd.exe59⤵
- Executes dropped EXE
PID:4056 -
C:\Windows\SysWOW64\Neeqea32.exeC:\Windows\system32\Neeqea32.exe60⤵
- Executes dropped EXE
PID:2192 -
C:\Windows\SysWOW64\Njqmepik.exeC:\Windows\system32\Njqmepik.exe61⤵
- Executes dropped EXE
PID:4004 -
C:\Windows\SysWOW64\Npjebj32.exeC:\Windows\system32\Npjebj32.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1808 -
C:\Windows\SysWOW64\Ncianepl.exeC:\Windows\system32\Ncianepl.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:1000 -
C:\Windows\SysWOW64\Nfgmjqop.exeC:\Windows\system32\Nfgmjqop.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:3892 -
C:\Windows\SysWOW64\Nnneknob.exeC:\Windows\system32\Nnneknob.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4276 -
C:\Windows\SysWOW64\Npmagine.exeC:\Windows\system32\Npmagine.exe66⤵PID:3980
-
C:\Windows\SysWOW64\Nckndeni.exeC:\Windows\system32\Nckndeni.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5092 -
C:\Windows\SysWOW64\Nfjjppmm.exeC:\Windows\system32\Nfjjppmm.exe68⤵PID:3448
-
C:\Windows\SysWOW64\Nnqbanmo.exeC:\Windows\system32\Nnqbanmo.exe69⤵PID:4892
-
C:\Windows\SysWOW64\Oponmilc.exeC:\Windows\system32\Oponmilc.exe70⤵PID:5152
-
C:\Windows\SysWOW64\Ocnjidkf.exeC:\Windows\system32\Ocnjidkf.exe71⤵
- System Location Discovery: System Language Discovery
PID:5188 -
C:\Windows\SysWOW64\Oflgep32.exeC:\Windows\system32\Oflgep32.exe72⤵PID:5228
-
C:\Windows\SysWOW64\Oncofm32.exeC:\Windows\system32\Oncofm32.exe73⤵PID:5268
-
C:\Windows\SysWOW64\Opakbi32.exeC:\Windows\system32\Opakbi32.exe74⤵PID:5308
-
C:\Windows\SysWOW64\Ocpgod32.exeC:\Windows\system32\Ocpgod32.exe75⤵PID:5352
-
C:\Windows\SysWOW64\Ofnckp32.exeC:\Windows\system32\Ofnckp32.exe76⤵PID:5388
-
C:\Windows\SysWOW64\Oneklm32.exeC:\Windows\system32\Oneklm32.exe77⤵PID:5428
-
C:\Windows\SysWOW64\Opdghh32.exeC:\Windows\system32\Opdghh32.exe78⤵PID:5472
-
C:\Windows\SysWOW64\Ocbddc32.exeC:\Windows\system32\Ocbddc32.exe79⤵PID:5516
-
C:\Windows\SysWOW64\Oqfdnhfk.exeC:\Windows\system32\Oqfdnhfk.exe80⤵PID:5548
-
C:\Windows\SysWOW64\Ocdqjceo.exeC:\Windows\system32\Ocdqjceo.exe81⤵PID:5588
-
C:\Windows\SysWOW64\Ofcmfodb.exeC:\Windows\system32\Ofcmfodb.exe82⤵
- Modifies registry class
PID:5632 -
C:\Windows\SysWOW64\Olmeci32.exeC:\Windows\system32\Olmeci32.exe83⤵PID:5672
-
C:\Windows\SysWOW64\Oddmdf32.exeC:\Windows\system32\Oddmdf32.exe84⤵PID:5716
-
C:\Windows\SysWOW64\Ocgmpccl.exeC:\Windows\system32\Ocgmpccl.exe85⤵PID:5760
-
C:\Windows\SysWOW64\Ofeilobp.exeC:\Windows\system32\Ofeilobp.exe86⤵PID:5804
-
C:\Windows\SysWOW64\Pnlaml32.exeC:\Windows\system32\Pnlaml32.exe87⤵
- Drops file in System32 directory
PID:5848 -
C:\Windows\SysWOW64\Pqknig32.exeC:\Windows\system32\Pqknig32.exe88⤵PID:5892
-
C:\Windows\SysWOW64\Pcijeb32.exeC:\Windows\system32\Pcijeb32.exe89⤵PID:5936
-
C:\Windows\SysWOW64\Pfhfan32.exeC:\Windows\system32\Pfhfan32.exe90⤵
- Modifies registry class
PID:5976 -
C:\Windows\SysWOW64\Pnonbk32.exeC:\Windows\system32\Pnonbk32.exe91⤵PID:6016
-
C:\Windows\SysWOW64\Pmannhhj.exeC:\Windows\system32\Pmannhhj.exe92⤵PID:6060
-
C:\Windows\SysWOW64\Pdifoehl.exeC:\Windows\system32\Pdifoehl.exe93⤵PID:6104
-
C:\Windows\SysWOW64\Pggbkagp.exeC:\Windows\system32\Pggbkagp.exe94⤵PID:3804
-
C:\Windows\SysWOW64\Pjeoglgc.exeC:\Windows\system32\Pjeoglgc.exe95⤵PID:2836
-
C:\Windows\SysWOW64\Pmdkch32.exeC:\Windows\system32\Pmdkch32.exe96⤵PID:1420
-
C:\Windows\SysWOW64\Pdkcde32.exeC:\Windows\system32\Pdkcde32.exe97⤵
- System Location Discovery: System Language Discovery
PID:3936 -
C:\Windows\SysWOW64\Pgioqq32.exeC:\Windows\system32\Pgioqq32.exe98⤵PID:2588
-
C:\Windows\SysWOW64\Pflplnlg.exeC:\Windows\system32\Pflplnlg.exe99⤵PID:5100
-
C:\Windows\SysWOW64\Pncgmkmj.exeC:\Windows\system32\Pncgmkmj.exe100⤵PID:3744
-
C:\Windows\SysWOW64\Pqbdjfln.exeC:\Windows\system32\Pqbdjfln.exe101⤵PID:612
-
C:\Windows\SysWOW64\Pcppfaka.exeC:\Windows\system32\Pcppfaka.exe102⤵PID:5172
-
C:\Windows\SysWOW64\Pfolbmje.exeC:\Windows\system32\Pfolbmje.exe103⤵PID:3572
-
C:\Windows\SysWOW64\Pnfdcjkg.exeC:\Windows\system32\Pnfdcjkg.exe104⤵PID:1220
-
C:\Windows\SysWOW64\Pmidog32.exeC:\Windows\system32\Pmidog32.exe105⤵PID:5380
-
C:\Windows\SysWOW64\Pdpmpdbd.exeC:\Windows\system32\Pdpmpdbd.exe106⤵PID:5452
-
C:\Windows\SysWOW64\Pgnilpah.exeC:\Windows\system32\Pgnilpah.exe107⤵PID:5492
-
C:\Windows\SysWOW64\Pjmehkqk.exeC:\Windows\system32\Pjmehkqk.exe108⤵PID:5572
-
C:\Windows\SysWOW64\Qmkadgpo.exeC:\Windows\system32\Qmkadgpo.exe109⤵PID:4100
-
C:\Windows\SysWOW64\Qqfmde32.exeC:\Windows\system32\Qqfmde32.exe110⤵
- Modifies registry class
PID:5712 -
C:\Windows\SysWOW64\Qceiaa32.exeC:\Windows\system32\Qceiaa32.exe111⤵PID:5792
-
C:\Windows\SysWOW64\Qgqeappe.exeC:\Windows\system32\Qgqeappe.exe112⤵PID:5880
-
C:\Windows\SysWOW64\Qjoankoi.exeC:\Windows\system32\Qjoankoi.exe113⤵PID:5944
-
C:\Windows\SysWOW64\Qmmnjfnl.exeC:\Windows\system32\Qmmnjfnl.exe114⤵PID:6008
-
C:\Windows\SysWOW64\Qddfkd32.exeC:\Windows\system32\Qddfkd32.exe115⤵PID:6072
-
C:\Windows\SysWOW64\Qcgffqei.exeC:\Windows\system32\Qcgffqei.exe116⤵PID:4060
-
C:\Windows\SysWOW64\Qffbbldm.exeC:\Windows\system32\Qffbbldm.exe117⤵
- Drops file in System32 directory
PID:4420 -
C:\Windows\SysWOW64\Ampkof32.exeC:\Windows\system32\Ampkof32.exe118⤵PID:2556
-
C:\Windows\SysWOW64\Adgbpc32.exeC:\Windows\system32\Adgbpc32.exe119⤵PID:1328
-
C:\Windows\SysWOW64\Ageolo32.exeC:\Windows\system32\Ageolo32.exe120⤵PID:668
-
C:\Windows\SysWOW64\Afhohlbj.exeC:\Windows\system32\Afhohlbj.exe121⤵PID:4640
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-