Analysis
-
max time kernel
93s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
26-11-2024 07:20
Behavioral task
behavioral1
Sample
61679c3c26e877cee414a595e85be66eb7a7942ce74ca944ed0b40866bb0a9f9N.exe
Resource
win7-20240729-en
windows7-x64
12 signatures
120 seconds
General
-
Target
61679c3c26e877cee414a595e85be66eb7a7942ce74ca944ed0b40866bb0a9f9N.exe
-
Size
93KB
-
MD5
febd49fdcec4f6955a03e2c40a6419f0
-
SHA1
628d071abbc225da579a75c5f0eae225f2f5a099
-
SHA256
61679c3c26e877cee414a595e85be66eb7a7942ce74ca944ed0b40866bb0a9f9
-
SHA512
69f80c5d421fa59159ea75faf817abedceab7d29889aa1659dfae9ef048e9a49b86225f156dce0f58179da7f126e076e3ab3a8102c84a65075a6457b6cdcd6e7
-
SSDEEP
1536:zhK9tqnBAMydDUgYgq8HLH7bk5U1DaYfMZRWuLsV+1J:9K9QnBbDg5q8rk5UgYfc0DV+1J
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Pmlmkn32.exeMbibfm32.exeKfanflne.exeMgbpdgap.exeGaamlecg.exeHjmodffo.exeHkmlnimb.exeFimodc32.exeAnmfbl32.exeCnhgjaml.exeGcjdam32.exeGckjlf32.exeNdmgnkja.exeQemhbj32.exeQobhkjdi.exeIhkjno32.exeNdpjnq32.exeGqkajk32.exeIciaqc32.exePpahmb32.exeHbihjifh.exeApggckbf.exeAmnebo32.exeOhpkmn32.exeDlkbjqgm.exeJlobkg32.exePlpjoe32.exePlbfdekd.exeLqkqhm32.exePcmeke32.exeAbbkcpma.exeCjnffjkl.exeHmnmgnoh.exeOodcdb32.exePokanf32.exeFdmjdkda.exePcpnhl32.exeLbebilli.exeNhdlao32.exeDlieda32.exeNmgjia32.exeLjeafb32.exeIajdgcab.exeOmalpc32.exeLmqiec32.exeDahfkimd.exeDckoia32.exeAojlaeei.exeHmechmip.exeOhmhmh32.exeQeodhjmo.exeEeelnp32.exeGmafajfi.exedescription ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmlmkn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mbibfm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfanflne.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgbpdgap.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gaamlecg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjmodffo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hkmlnimb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fimodc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anmfbl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnhgjaml.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcjdam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gckjlf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ndmgnkja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qemhbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qobhkjdi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihkjno32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndpjnq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gqkajk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iciaqc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ppahmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hbihjifh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Apggckbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Amnebo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohpkmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dlkbjqgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jlobkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Plpjoe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plbfdekd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lqkqhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pcmeke32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Abbkcpma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjnffjkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmnmgnoh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oodcdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pokanf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fdmjdkda.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcpnhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lbebilli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhdlao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dlieda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nmgjia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljeafb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iajdgcab.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omalpc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lmqiec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dahfkimd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dckoia32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aojlaeei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmechmip.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohmhmh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qeodhjmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eeelnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmafajfi.exe -
Berbew family
-
Njrat family
-
Executes dropped EXE 64 IoCs
Processes:
Eplnpeol.exeEidbij32.exeEpokedmj.exeEjdocm32.exeEpagkd32.exeEjflhm32.exeEpcdqd32.exeEhjlaaig.exeFiliii32.exeFdamgb32.exeFineoi32.exeFdcjlb32.exeFipbdikp.exeFpjjac32.exeFgdbnmji.exeFibojhim.exeFdhcgaic.exeFkbkdkpp.exeFmqgpgoc.exeFdkpma32.exeGkdhjknm.exeGigheh32.exeGhhhcomg.exeGijekg32.exeGaamlecg.exeGdoihpbk.exeGgnedlao.exeGilapgqb.exeGnjjfegi.exeGgbook32.exeHgelek32.exeHjedffig.exeHdkidohn.exeHdmein32.exeHpdfnolo.exeHhknpmma.exeHnhghcki.exeIgqkqiai.exeIafonaao.exeIgchfiof.exeIjadbdoj.exeIgedlh32.exeIdieem32.exeIggaah32.exeIdkbkl32.exeIgjngh32.exeIkejgf32.exeJdnoplhh.exeJkhgmf32.exeJnhpoamf.exeJhpqaiji.exeKqnbkl32.exeKjhcjq32.exeKqbkfkal.exeKenggi32.exeKjkpoq32.exeKbbhqn32.exeKilpmh32.exeKjmmepfj.exeKbddfmgl.exeKinmcg32.exeKjpijpdg.exeLbgalmej.exeLeenhhdn.exepid Process 4324 Eplnpeol.exe 4572 Eidbij32.exe 3436 Epokedmj.exe 4880 Ejdocm32.exe 3064 Epagkd32.exe 1376 Ejflhm32.exe 1576 Epcdqd32.exe 4312 Ehjlaaig.exe 1772 Filiii32.exe 2728 Fdamgb32.exe 1112 Fineoi32.exe 2628 Fdcjlb32.exe 1712 Fipbdikp.exe 1248 Fpjjac32.exe 2508 Fgdbnmji.exe 2708 Fibojhim.exe 3832 Fdhcgaic.exe 2760 Fkbkdkpp.exe 3496 Fmqgpgoc.exe 1080 Fdkpma32.exe 2652 Gkdhjknm.exe 1448 Gigheh32.exe 1900 Ghhhcomg.exe 5052 Gijekg32.exe 3324 Gaamlecg.exe 3452 Gdoihpbk.exe 2356 Ggnedlao.exe 3044 Gilapgqb.exe 2560 Gnjjfegi.exe 2024 Ggbook32.exe 1736 Hgelek32.exe 4960 Hjedffig.exe 4740 Hdkidohn.exe 1632 Hdmein32.exe 1892 Hpdfnolo.exe 3240 Hhknpmma.exe 4536 Hnhghcki.exe 4360 Igqkqiai.exe 4108 Iafonaao.exe 4448 Igchfiof.exe 1368 Ijadbdoj.exe 2200 Igedlh32.exe 324 Idieem32.exe 804 Iggaah32.exe 3616 Idkbkl32.exe 4540 Igjngh32.exe 1668 Ikejgf32.exe 4376 Jdnoplhh.exe 1144 Jkhgmf32.exe 4024 Jnhpoamf.exe 4212 Jhpqaiji.exe 876 Kqnbkl32.exe 400 Kjhcjq32.exe 2756 Kqbkfkal.exe 4852 Kenggi32.exe 2208 Kjkpoq32.exe 852 Kbbhqn32.exe 1700 Kilpmh32.exe 3724 Kjmmepfj.exe 184 Kbddfmgl.exe 5016 Kinmcg32.exe 4680 Kjpijpdg.exe 2236 Lbgalmej.exe 3544 Leenhhdn.exe -
Drops file in System32 directory 64 IoCs
Processes:
Ldfoad32.exeLhgkgijg.exeGnfooe32.exeFmkgkapm.exeApjkcadp.exeIciaqc32.exeGgccllai.exeJdalog32.exeEjflhm32.exeGgnedlao.exeGoglcahb.exeBacjdbch.exeEjdocm32.exeGdlfhj32.exeCdnelpod.exeEfhlhh32.exeHmbfbn32.exeLklbdm32.exeKemooo32.exeGpgind32.exeGaloohke.exeGpnmbl32.exeApgqie32.exeEqgmmk32.exeOfegni32.exeBmagch32.exeCimmggfl.exeCgnomg32.exeJjpode32.exeAkblfj32.exePilpfm32.exeBkmmaeap.exeMeepdp32.exeLdckan32.exeEcdbop32.exe61679c3c26e877cee414a595e85be66eb7a7942ce74ca944ed0b40866bb0a9f9N.exeCfldelik.exeEippgckc.exeNbbeml32.exeGqbneq32.exeEqmlccdi.exedescription ioc Process File created C:\Windows\SysWOW64\Llngbabj.exe Ldfoad32.exe File created C:\Windows\SysWOW64\Onmahojj.exe File opened for modification C:\Windows\SysWOW64\Ggafgo32.exe File created C:\Windows\SysWOW64\Edcijq32.dll File opened for modification C:\Windows\SysWOW64\Loacdc32.exe Lhgkgijg.exe File created C:\Windows\SysWOW64\Pncmdhlq.dll Gnfooe32.exe File created C:\Windows\SysWOW64\Cmiogmig.dll Fmkgkapm.exe File created C:\Windows\SysWOW64\Agdcpkll.exe Apjkcadp.exe File created C:\Windows\SysWOW64\Ikpjbq32.exe Iciaqc32.exe File opened for modification C:\Windows\SysWOW64\Gbhhieao.exe Ggccllai.exe File created C:\Windows\SysWOW64\Jlidpe32.exe Jdalog32.exe File opened for modification C:\Windows\SysWOW64\Bbpeghpe.exe File opened for modification C:\Windows\SysWOW64\Cnpbgajc.exe File created C:\Windows\SysWOW64\Aochpj32.dll File opened for modification C:\Windows\SysWOW64\Epcdqd32.exe Ejflhm32.exe File created C:\Windows\SysWOW64\Laahglpp.dll Ggnedlao.exe File created C:\Windows\SysWOW64\Klkfenfk.dll Goglcahb.exe File created C:\Windows\SysWOW64\Bdagpnbk.exe Bacjdbch.exe File created C:\Windows\SysWOW64\Cdomkjem.dll File created C:\Windows\SysWOW64\Cngjjm32.dll File opened for modification C:\Windows\SysWOW64\Epagkd32.exe Ejdocm32.exe File created C:\Windows\SysWOW64\Gbofcghl.exe Gdlfhj32.exe File created C:\Windows\SysWOW64\Befogbik.dll Cdnelpod.exe File created C:\Windows\SysWOW64\Bgkaip32.exe File created C:\Windows\SysWOW64\Anhcpeon.exe File created C:\Windows\SysWOW64\Bgodjiio.exe File created C:\Windows\SysWOW64\Eifhdd32.exe Efhlhh32.exe File created C:\Windows\SysWOW64\Pmemlfol.dll Hmbfbn32.exe File opened for modification C:\Windows\SysWOW64\Lqikmc32.exe Lklbdm32.exe File opened for modification C:\Windows\SysWOW64\Klggli32.exe Kemooo32.exe File created C:\Windows\SysWOW64\Qpjjkc32.dll File opened for modification C:\Windows\SysWOW64\Gojiiafp.exe Gpgind32.exe File created C:\Windows\SysWOW64\Gebekb32.dll Galoohke.exe File created C:\Windows\SysWOW64\Glengm32.exe Gpnmbl32.exe File created C:\Windows\SysWOW64\Afqifo32.exe Apgqie32.exe File created C:\Windows\SysWOW64\Eohmkb32.exe Eqgmmk32.exe File created C:\Windows\SysWOW64\Mnjenfjo.dll Ofegni32.exe File opened for modification C:\Windows\SysWOW64\Bclppboi.exe Bmagch32.exe File opened for modification C:\Windows\SysWOW64\Imjgbb32.exe File created C:\Windows\SysWOW64\Cofecami.exe Cimmggfl.exe File created C:\Windows\SysWOW64\Cnhgjaml.exe Cgnomg32.exe File created C:\Windows\SysWOW64\Njgigo32.dll Jjpode32.exe File created C:\Windows\SysWOW64\Ieoigp32.dll Akblfj32.exe File opened for modification C:\Windows\SysWOW64\Piolkm32.exe Pilpfm32.exe File created C:\Windows\SysWOW64\Akhghk32.dll File opened for modification C:\Windows\SysWOW64\Fhnichde.exe File opened for modification C:\Windows\SysWOW64\Gipbck32.exe File opened for modification C:\Windows\SysWOW64\Bhamkipi.exe Bkmmaeap.exe File created C:\Windows\SysWOW64\Mjahlgpf.exe Meepdp32.exe File created C:\Windows\SysWOW64\Mqhali32.dll Ldckan32.exe File created C:\Windows\SysWOW64\Gedohfmp.exe File opened for modification C:\Windows\SysWOW64\Gpgind32.exe Goglcahb.exe File opened for modification C:\Windows\SysWOW64\Ekljpm32.exe Ecdbop32.exe File created C:\Windows\SysWOW64\Paocim32.exe File opened for modification C:\Windows\SysWOW64\Aeeomegd.exe File created C:\Windows\SysWOW64\Nalgbi32.exe File created C:\Windows\SysWOW64\Eplnpeol.exe 61679c3c26e877cee414a595e85be66eb7a7942ce74ca944ed0b40866bb0a9f9N.exe File created C:\Windows\SysWOW64\Ibclmgdb.dll Cfldelik.exe File opened for modification C:\Windows\SysWOW64\Epjhcnbp.exe Eippgckc.exe File created C:\Windows\SysWOW64\Fcdpakhk.dll File created C:\Windows\SysWOW64\Lpjjiidd.dll File opened for modification C:\Windows\SysWOW64\Ncbafoge.exe Nbbeml32.exe File created C:\Windows\SysWOW64\Cdmfbplf.dll Gqbneq32.exe File created C:\Windows\SysWOW64\Fclhpo32.exe Eqmlccdi.exe -
Program crash 1 IoCs
Processes:
pid pid_target Process procid_target 5256 5608 1479 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Cmmbbejp.exeCponen32.exeDcphdqmj.exeNmgjia32.exeLhdggb32.exeFnglcqio.exePjkmomfn.exeAdcjop32.exeFdpnda32.exeFlaiho32.exeJmdqbg32.exeIcciccmd.exeGingkqkd.exeNjinmf32.exeQhkdof32.exeAamknj32.exeCepadh32.exeNaaqofgj.exeGejopl32.exeDmjmekgn.exeGcjdam32.exeHmnmgnoh.exeLoighj32.exeJidinqpb.exeHkcbnh32.exeHqkjaifk.exeHdhedh32.exeIdcepgmg.exeQpeahb32.exeAknbkjfh.exeIpmbjgpi.exeJlfpdh32.exeMcecjmkl.exeJjpode32.exeJmgmhgig.exeElpkep32.exeDmadco32.exeIbcaknbi.exeDolmodpi.exeOcknbglo.exeAkdilipp.exeGdknpp32.exeHjdedepg.exeJaqcnl32.exeGkdpbpih.exeKfdklllb.exeGbofcghl.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmmbbejp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cponen32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcphdqmj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmgjia32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhdggb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnglcqio.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjkmomfn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adcjop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdpnda32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flaiho32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmdqbg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icciccmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gingkqkd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njinmf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qhkdof32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aamknj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cepadh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Naaqofgj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gejopl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmjmekgn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcjdam32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmnmgnoh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Loighj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jidinqpb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkcbnh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hqkjaifk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdhedh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idcepgmg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qpeahb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aknbkjfh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipmbjgpi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlfpdh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcecjmkl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjpode32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmgmhgig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elpkep32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmadco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibcaknbi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dolmodpi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocknbglo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akdilipp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdknpp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjdedepg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jaqcnl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkdpbpih.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfdklllb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbofcghl.exe -
Modifies registry class 64 IoCs
Processes:
Anmfbl32.exeJadgnb32.exeKadpdp32.exeIinqbn32.exeQemhbj32.exePmeoqlpl.exeNaaqofgj.exeFpbmfn32.exeDhclmp32.exeOfegni32.exeIcnphd32.exeNhhdnf32.exeKdhbpf32.exeEmmdom32.exeIepaaico.exeKflide32.exeBdagpnbk.exeAabkbono.exeGaamlecg.exeKodnmkap.exeDcphdqmj.exeOljoen32.exeGhhhcomg.exeLndham32.exeAdfnofpd.exeEqgmmk32.exeEjjaqk32.exeJfoaam32.exeFmqgpgoc.exeEpjhcnbp.exeQiiflaoo.exeBfoegm32.exeIcciccmd.exeJqhafffk.exeMglfplgk.exeHffken32.exeNbbnbemf.exeKjhcjq32.exeCplckbmc.exeKjmmepfj.exeDcigeooj.exeIacngdgj.exeAflpkpjm.exeIgqkqiai.exeJnhidk32.exeKnnhjcog.exeAplaoj32.exeObkahddl.exeKhfdlnab.exeLacbpccn.exeNgnppfgb.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkpnbd32.dll" Anmfbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jadgnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Foniaq32.dll" Kadpdp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iinqbn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qemhbj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pmeoqlpl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Naaqofgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fpbmfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dhclmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnjenfjo.dll" Ofegni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Icnphd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fanmld32.dll" Nhhdnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kdhbpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Daaioh32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Emmdom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmophg32.dll" Iepaaico.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kflide32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bljlpjaf.dll" Bdagpnbk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aabkbono.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gaamlecg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbhfhgch.dll" Kodnmkap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfbhcl32.dll" Dcphdqmj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oljoen32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhfmom32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ghhhcomg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lndham32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ieoacg32.dll" Adfnofpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oncelonn.dll" Eqgmmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndmojj32.dll" Ejjaqk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkihaj32.dll" Jfoaam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqfkck32.dll" Fmqgpgoc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Epjhcnbp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enfhldel.dll" Qiiflaoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdfmgqph.dll" Bfoegm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lecipbeq.dll" Icciccmd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jqhafffk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mglfplgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hffken32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flekgd32.dll" Nbbnbemf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kjhcjq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cplckbmc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kjmmepfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dcigeooj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iacngdgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aflpkpjm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Igqkqiai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lccahg32.dll" Jnhidk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Knnhjcog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldfakpfj.dll" Aplaoj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Obkahddl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Khfdlnab.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lacbpccn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ploloqjj.dll" Ngnppfgb.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
61679c3c26e877cee414a595e85be66eb7a7942ce74ca944ed0b40866bb0a9f9N.exeEplnpeol.exeEidbij32.exeEpokedmj.exeEjdocm32.exeEpagkd32.exeEjflhm32.exeEpcdqd32.exeEhjlaaig.exeFiliii32.exeFdamgb32.exeFineoi32.exeFdcjlb32.exeFipbdikp.exeFpjjac32.exeFgdbnmji.exeFibojhim.exeFdhcgaic.exeFkbkdkpp.exeFmqgpgoc.exeFdkpma32.exeGkdhjknm.exedescription pid Process procid_target PID 2404 wrote to memory of 4324 2404 61679c3c26e877cee414a595e85be66eb7a7942ce74ca944ed0b40866bb0a9f9N.exe 82 PID 2404 wrote to memory of 4324 2404 61679c3c26e877cee414a595e85be66eb7a7942ce74ca944ed0b40866bb0a9f9N.exe 82 PID 2404 wrote to memory of 4324 2404 61679c3c26e877cee414a595e85be66eb7a7942ce74ca944ed0b40866bb0a9f9N.exe 82 PID 4324 wrote to memory of 4572 4324 Eplnpeol.exe 83 PID 4324 wrote to memory of 4572 4324 Eplnpeol.exe 83 PID 4324 wrote to memory of 4572 4324 Eplnpeol.exe 83 PID 4572 wrote to memory of 3436 4572 Eidbij32.exe 84 PID 4572 wrote to memory of 3436 4572 Eidbij32.exe 84 PID 4572 wrote to memory of 3436 4572 Eidbij32.exe 84 PID 3436 wrote to memory of 4880 3436 Epokedmj.exe 85 PID 3436 wrote to memory of 4880 3436 Epokedmj.exe 85 PID 3436 wrote to memory of 4880 3436 Epokedmj.exe 85 PID 4880 wrote to memory of 3064 4880 Ejdocm32.exe 86 PID 4880 wrote to memory of 3064 4880 Ejdocm32.exe 86 PID 4880 wrote to memory of 3064 4880 Ejdocm32.exe 86 PID 3064 wrote to memory of 1376 3064 Epagkd32.exe 87 PID 3064 wrote to memory of 1376 3064 Epagkd32.exe 87 PID 3064 wrote to memory of 1376 3064 Epagkd32.exe 87 PID 1376 wrote to memory of 1576 1376 Ejflhm32.exe 88 PID 1376 wrote to memory of 1576 1376 Ejflhm32.exe 88 PID 1376 wrote to memory of 1576 1376 Ejflhm32.exe 88 PID 1576 wrote to memory of 4312 1576 Epcdqd32.exe 89 PID 1576 wrote to memory of 4312 1576 Epcdqd32.exe 89 PID 1576 wrote to memory of 4312 1576 Epcdqd32.exe 89 PID 4312 wrote to memory of 1772 4312 Ehjlaaig.exe 90 PID 4312 wrote to memory of 1772 4312 Ehjlaaig.exe 90 PID 4312 wrote to memory of 1772 4312 Ehjlaaig.exe 90 PID 1772 wrote to memory of 2728 1772 Filiii32.exe 91 PID 1772 wrote to memory of 2728 1772 Filiii32.exe 91 PID 1772 wrote to memory of 2728 1772 Filiii32.exe 91 PID 2728 wrote to memory of 1112 2728 Fdamgb32.exe 92 PID 2728 wrote to memory of 1112 2728 Fdamgb32.exe 92 PID 2728 wrote to memory of 1112 2728 Fdamgb32.exe 92 PID 1112 wrote to memory of 2628 1112 Fineoi32.exe 93 PID 1112 wrote to memory of 2628 1112 Fineoi32.exe 93 PID 1112 wrote to memory of 2628 1112 Fineoi32.exe 93 PID 2628 wrote to memory of 1712 2628 Fdcjlb32.exe 94 PID 2628 wrote to memory of 1712 2628 Fdcjlb32.exe 94 PID 2628 wrote to memory of 1712 2628 Fdcjlb32.exe 94 PID 1712 wrote to memory of 1248 1712 Fipbdikp.exe 95 PID 1712 wrote to memory of 1248 1712 Fipbdikp.exe 95 PID 1712 wrote to memory of 1248 1712 Fipbdikp.exe 95 PID 1248 wrote to memory of 2508 1248 Fpjjac32.exe 96 PID 1248 wrote to memory of 2508 1248 Fpjjac32.exe 96 PID 1248 wrote to memory of 2508 1248 Fpjjac32.exe 96 PID 2508 wrote to memory of 2708 2508 Fgdbnmji.exe 97 PID 2508 wrote to memory of 2708 2508 Fgdbnmji.exe 97 PID 2508 wrote to memory of 2708 2508 Fgdbnmji.exe 97 PID 2708 wrote to memory of 3832 2708 Fibojhim.exe 98 PID 2708 wrote to memory of 3832 2708 Fibojhim.exe 98 PID 2708 wrote to memory of 3832 2708 Fibojhim.exe 98 PID 3832 wrote to memory of 2760 3832 Fdhcgaic.exe 99 PID 3832 wrote to memory of 2760 3832 Fdhcgaic.exe 99 PID 3832 wrote to memory of 2760 3832 Fdhcgaic.exe 99 PID 2760 wrote to memory of 3496 2760 Fkbkdkpp.exe 100 PID 2760 wrote to memory of 3496 2760 Fkbkdkpp.exe 100 PID 2760 wrote to memory of 3496 2760 Fkbkdkpp.exe 100 PID 3496 wrote to memory of 1080 3496 Fmqgpgoc.exe 101 PID 3496 wrote to memory of 1080 3496 Fmqgpgoc.exe 101 PID 3496 wrote to memory of 1080 3496 Fmqgpgoc.exe 101 PID 1080 wrote to memory of 2652 1080 Fdkpma32.exe 102 PID 1080 wrote to memory of 2652 1080 Fdkpma32.exe 102 PID 1080 wrote to memory of 2652 1080 Fdkpma32.exe 102 PID 2652 wrote to memory of 1448 2652 Gkdhjknm.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\61679c3c26e877cee414a595e85be66eb7a7942ce74ca944ed0b40866bb0a9f9N.exe"C:\Users\Admin\AppData\Local\Temp\61679c3c26e877cee414a595e85be66eb7a7942ce74ca944ed0b40866bb0a9f9N.exe"1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2404 -
C:\Windows\SysWOW64\Eplnpeol.exeC:\Windows\system32\Eplnpeol.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4324 -
C:\Windows\SysWOW64\Eidbij32.exeC:\Windows\system32\Eidbij32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4572 -
C:\Windows\SysWOW64\Epokedmj.exeC:\Windows\system32\Epokedmj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3436 -
C:\Windows\SysWOW64\Ejdocm32.exeC:\Windows\system32\Ejdocm32.exe5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4880 -
C:\Windows\SysWOW64\Epagkd32.exeC:\Windows\system32\Epagkd32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3064 -
C:\Windows\SysWOW64\Ejflhm32.exeC:\Windows\system32\Ejflhm32.exe7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1376 -
C:\Windows\SysWOW64\Epcdqd32.exeC:\Windows\system32\Epcdqd32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1576 -
C:\Windows\SysWOW64\Ehjlaaig.exeC:\Windows\system32\Ehjlaaig.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4312 -
C:\Windows\SysWOW64\Filiii32.exeC:\Windows\system32\Filiii32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1772 -
C:\Windows\SysWOW64\Fdamgb32.exeC:\Windows\system32\Fdamgb32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2728 -
C:\Windows\SysWOW64\Fineoi32.exeC:\Windows\system32\Fineoi32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1112 -
C:\Windows\SysWOW64\Fdcjlb32.exeC:\Windows\system32\Fdcjlb32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Windows\SysWOW64\Fipbdikp.exeC:\Windows\system32\Fipbdikp.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1712 -
C:\Windows\SysWOW64\Fpjjac32.exeC:\Windows\system32\Fpjjac32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1248 -
C:\Windows\SysWOW64\Fgdbnmji.exeC:\Windows\system32\Fgdbnmji.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2508 -
C:\Windows\SysWOW64\Fibojhim.exeC:\Windows\system32\Fibojhim.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2708 -
C:\Windows\SysWOW64\Fdhcgaic.exeC:\Windows\system32\Fdhcgaic.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3832 -
C:\Windows\SysWOW64\Fkbkdkpp.exeC:\Windows\system32\Fkbkdkpp.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Windows\SysWOW64\Fmqgpgoc.exeC:\Windows\system32\Fmqgpgoc.exe20⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3496 -
C:\Windows\SysWOW64\Fdkpma32.exeC:\Windows\system32\Fdkpma32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1080 -
C:\Windows\SysWOW64\Gkdhjknm.exeC:\Windows\system32\Gkdhjknm.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2652 -
C:\Windows\SysWOW64\Gigheh32.exeC:\Windows\system32\Gigheh32.exe23⤵
- Executes dropped EXE
PID:1448 -
C:\Windows\SysWOW64\Ghhhcomg.exeC:\Windows\system32\Ghhhcomg.exe24⤵
- Executes dropped EXE
- Modifies registry class
PID:1900 -
C:\Windows\SysWOW64\Gijekg32.exeC:\Windows\system32\Gijekg32.exe25⤵
- Executes dropped EXE
PID:5052 -
C:\Windows\SysWOW64\Gaamlecg.exeC:\Windows\system32\Gaamlecg.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3324 -
C:\Windows\SysWOW64\Gdoihpbk.exeC:\Windows\system32\Gdoihpbk.exe27⤵
- Executes dropped EXE
PID:3452 -
C:\Windows\SysWOW64\Ggnedlao.exeC:\Windows\system32\Ggnedlao.exe28⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2356 -
C:\Windows\SysWOW64\Gilapgqb.exeC:\Windows\system32\Gilapgqb.exe29⤵
- Executes dropped EXE
PID:3044 -
C:\Windows\SysWOW64\Gnjjfegi.exeC:\Windows\system32\Gnjjfegi.exe30⤵
- Executes dropped EXE
PID:2560 -
C:\Windows\SysWOW64\Ggbook32.exeC:\Windows\system32\Ggbook32.exe31⤵
- Executes dropped EXE
PID:2024 -
C:\Windows\SysWOW64\Hgelek32.exeC:\Windows\system32\Hgelek32.exe32⤵
- Executes dropped EXE
PID:1736 -
C:\Windows\SysWOW64\Hjedffig.exeC:\Windows\system32\Hjedffig.exe33⤵
- Executes dropped EXE
PID:4960 -
C:\Windows\SysWOW64\Hdkidohn.exeC:\Windows\system32\Hdkidohn.exe34⤵
- Executes dropped EXE
PID:4740 -
C:\Windows\SysWOW64\Hdmein32.exeC:\Windows\system32\Hdmein32.exe35⤵
- Executes dropped EXE
PID:1632 -
C:\Windows\SysWOW64\Hpdfnolo.exeC:\Windows\system32\Hpdfnolo.exe36⤵
- Executes dropped EXE
PID:1892 -
C:\Windows\SysWOW64\Hhknpmma.exeC:\Windows\system32\Hhknpmma.exe37⤵
- Executes dropped EXE
PID:3240 -
C:\Windows\SysWOW64\Hnhghcki.exeC:\Windows\system32\Hnhghcki.exe38⤵
- Executes dropped EXE
PID:4536 -
C:\Windows\SysWOW64\Igqkqiai.exeC:\Windows\system32\Igqkqiai.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:4360 -
C:\Windows\SysWOW64\Iafonaao.exeC:\Windows\system32\Iafonaao.exe40⤵
- Executes dropped EXE
PID:4108 -
C:\Windows\SysWOW64\Igchfiof.exeC:\Windows\system32\Igchfiof.exe41⤵
- Executes dropped EXE
PID:4448 -
C:\Windows\SysWOW64\Ijadbdoj.exeC:\Windows\system32\Ijadbdoj.exe42⤵
- Executes dropped EXE
PID:1368 -
C:\Windows\SysWOW64\Igedlh32.exeC:\Windows\system32\Igedlh32.exe43⤵
- Executes dropped EXE
PID:2200 -
C:\Windows\SysWOW64\Idieem32.exeC:\Windows\system32\Idieem32.exe44⤵
- Executes dropped EXE
PID:324 -
C:\Windows\SysWOW64\Iggaah32.exeC:\Windows\system32\Iggaah32.exe45⤵
- Executes dropped EXE
PID:804 -
C:\Windows\SysWOW64\Idkbkl32.exeC:\Windows\system32\Idkbkl32.exe46⤵
- Executes dropped EXE
PID:3616 -
C:\Windows\SysWOW64\Igjngh32.exeC:\Windows\system32\Igjngh32.exe47⤵
- Executes dropped EXE
PID:4540 -
C:\Windows\SysWOW64\Ikejgf32.exeC:\Windows\system32\Ikejgf32.exe48⤵
- Executes dropped EXE
PID:1668 -
C:\Windows\SysWOW64\Jdnoplhh.exeC:\Windows\system32\Jdnoplhh.exe49⤵
- Executes dropped EXE
PID:4376 -
C:\Windows\SysWOW64\Jkhgmf32.exeC:\Windows\system32\Jkhgmf32.exe50⤵
- Executes dropped EXE
PID:1144 -
C:\Windows\SysWOW64\Jnhpoamf.exeC:\Windows\system32\Jnhpoamf.exe51⤵
- Executes dropped EXE
PID:4024 -
C:\Windows\SysWOW64\Jhpqaiji.exeC:\Windows\system32\Jhpqaiji.exe52⤵
- Executes dropped EXE
PID:4212 -
C:\Windows\SysWOW64\Kqnbkl32.exeC:\Windows\system32\Kqnbkl32.exe53⤵
- Executes dropped EXE
PID:876 -
C:\Windows\SysWOW64\Kjhcjq32.exeC:\Windows\system32\Kjhcjq32.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:400 -
C:\Windows\SysWOW64\Kqbkfkal.exeC:\Windows\system32\Kqbkfkal.exe55⤵
- Executes dropped EXE
PID:2756 -
C:\Windows\SysWOW64\Kenggi32.exeC:\Windows\system32\Kenggi32.exe56⤵
- Executes dropped EXE
PID:4852 -
C:\Windows\SysWOW64\Kjkpoq32.exeC:\Windows\system32\Kjkpoq32.exe57⤵
- Executes dropped EXE
PID:2208 -
C:\Windows\SysWOW64\Kbbhqn32.exeC:\Windows\system32\Kbbhqn32.exe58⤵
- Executes dropped EXE
PID:852 -
C:\Windows\SysWOW64\Kilpmh32.exeC:\Windows\system32\Kilpmh32.exe59⤵
- Executes dropped EXE
PID:1700 -
C:\Windows\SysWOW64\Kjmmepfj.exeC:\Windows\system32\Kjmmepfj.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:3724 -
C:\Windows\SysWOW64\Kbddfmgl.exeC:\Windows\system32\Kbddfmgl.exe61⤵
- Executes dropped EXE
PID:184 -
C:\Windows\SysWOW64\Kinmcg32.exeC:\Windows\system32\Kinmcg32.exe62⤵
- Executes dropped EXE
PID:5016 -
C:\Windows\SysWOW64\Kjpijpdg.exeC:\Windows\system32\Kjpijpdg.exe63⤵
- Executes dropped EXE
PID:4680 -
C:\Windows\SysWOW64\Lbgalmej.exeC:\Windows\system32\Lbgalmej.exe64⤵
- Executes dropped EXE
PID:2236 -
C:\Windows\SysWOW64\Leenhhdn.exeC:\Windows\system32\Leenhhdn.exe65⤵
- Executes dropped EXE
PID:3544 -
C:\Windows\SysWOW64\Lgcjdd32.exeC:\Windows\system32\Lgcjdd32.exe66⤵PID:4788
-
C:\Windows\SysWOW64\Lnnbqnjn.exeC:\Windows\system32\Lnnbqnjn.exe67⤵PID:5076
-
C:\Windows\SysWOW64\Lbinam32.exeC:\Windows\system32\Lbinam32.exe68⤵PID:4452
-
C:\Windows\SysWOW64\Lkabjbih.exeC:\Windows\system32\Lkabjbih.exe69⤵PID:3136
-
C:\Windows\SysWOW64\Lnpofnhk.exeC:\Windows\system32\Lnpofnhk.exe70⤵PID:544
-
C:\Windows\SysWOW64\Lghcocol.exeC:\Windows\system32\Lghcocol.exe71⤵PID:824
-
C:\Windows\SysWOW64\Lbngllob.exeC:\Windows\system32\Lbngllob.exe72⤵PID:1428
-
C:\Windows\SysWOW64\Lndham32.exeC:\Windows\system32\Lndham32.exe73⤵
- Modifies registry class
PID:4356 -
C:\Windows\SysWOW64\Llhikacp.exeC:\Windows\system32\Llhikacp.exe74⤵PID:4444
-
C:\Windows\SysWOW64\Mahnhhod.exeC:\Windows\system32\Mahnhhod.exe75⤵PID:2192
-
C:\Windows\SysWOW64\Mlpokp32.exeC:\Windows\system32\Mlpokp32.exe76⤵PID:3032
-
C:\Windows\SysWOW64\Mjbogmdb.exeC:\Windows\system32\Mjbogmdb.exe77⤵PID:2892
-
C:\Windows\SysWOW64\Micoed32.exeC:\Windows\system32\Micoed32.exe78⤵PID:4280
-
C:\Windows\SysWOW64\Mejpje32.exeC:\Windows\system32\Mejpje32.exe79⤵PID:2852
-
C:\Windows\SysWOW64\Mhilfa32.exeC:\Windows\system32\Mhilfa32.exe80⤵PID:3704
-
C:\Windows\SysWOW64\Naaqofgj.exeC:\Windows\system32\Naaqofgj.exe81⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3856 -
C:\Windows\SysWOW64\Noeahkfc.exeC:\Windows\system32\Noeahkfc.exe82⤵PID:2552
-
C:\Windows\SysWOW64\Nliaao32.exeC:\Windows\system32\Nliaao32.exe83⤵PID:3548
-
C:\Windows\SysWOW64\Nklbmllg.exeC:\Windows\system32\Nklbmllg.exe84⤵PID:4464
-
C:\Windows\SysWOW64\Nknobkje.exeC:\Windows\system32\Nknobkje.exe85⤵PID:4160
-
C:\Windows\SysWOW64\Nbefdijg.exeC:\Windows\system32\Nbefdijg.exe86⤵PID:3404
-
C:\Windows\SysWOW64\Nolgijpk.exeC:\Windows\system32\Nolgijpk.exe87⤵PID:4392
-
C:\Windows\SysWOW64\Nhdlao32.exeC:\Windows\system32\Nhdlao32.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3700 -
C:\Windows\SysWOW64\Oehlkc32.exeC:\Windows\system32\Oehlkc32.exe89⤵PID:4720
-
C:\Windows\SysWOW64\Olbdhn32.exeC:\Windows\system32\Olbdhn32.exe90⤵PID:3896
-
C:\Windows\SysWOW64\Oblmdhdo.exeC:\Windows\system32\Oblmdhdo.exe91⤵PID:4900
-
C:\Windows\SysWOW64\Oldamm32.exeC:\Windows\system32\Oldamm32.exe92⤵PID:616
-
C:\Windows\SysWOW64\Oocmii32.exeC:\Windows\system32\Oocmii32.exe93⤵PID:3812
-
C:\Windows\SysWOW64\Olgncmim.exeC:\Windows\system32\Olgncmim.exe94⤵PID:1860
-
C:\Windows\SysWOW64\Oeoblb32.exeC:\Windows\system32\Oeoblb32.exe95⤵PID:3196
-
C:\Windows\SysWOW64\Oklkdi32.exeC:\Windows\system32\Oklkdi32.exe96⤵PID:4712
-
C:\Windows\SysWOW64\Obcceg32.exeC:\Windows\system32\Obcceg32.exe97⤵PID:3392
-
C:\Windows\SysWOW64\Oimkbaed.exeC:\Windows\system32\Oimkbaed.exe98⤵PID:4456
-
C:\Windows\SysWOW64\Ohpkmn32.exeC:\Windows\system32\Ohpkmn32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4556 -
C:\Windows\SysWOW64\Pcepkfld.exeC:\Windows\system32\Pcepkfld.exe100⤵PID:4784
-
C:\Windows\SysWOW64\Pkadoiip.exeC:\Windows\system32\Pkadoiip.exe101⤵PID:4840
-
C:\Windows\SysWOW64\Pefhlaie.exeC:\Windows\system32\Pefhlaie.exe102⤵PID:3628
-
C:\Windows\SysWOW64\Phedhmhi.exeC:\Windows\system32\Phedhmhi.exe103⤵PID:2624
-
C:\Windows\SysWOW64\Pcjiff32.exeC:\Windows\system32\Pcjiff32.exe104⤵PID:4036
-
C:\Windows\SysWOW64\Phganm32.exeC:\Windows\system32\Phganm32.exe105⤵PID:212
-
C:\Windows\SysWOW64\Plbmokop.exeC:\Windows\system32\Plbmokop.exe106⤵PID:312
-
C:\Windows\SysWOW64\Pcmeke32.exeC:\Windows\system32\Pcmeke32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5172 -
C:\Windows\SysWOW64\Pekbga32.exeC:\Windows\system32\Pekbga32.exe108⤵PID:5232
-
C:\Windows\SysWOW64\Plejdkmm.exeC:\Windows\system32\Plejdkmm.exe109⤵PID:5276
-
C:\Windows\SysWOW64\Pkhjph32.exeC:\Windows\system32\Pkhjph32.exe110⤵PID:5320
-
C:\Windows\SysWOW64\Piijno32.exeC:\Windows\system32\Piijno32.exe111⤵PID:5364
-
C:\Windows\SysWOW64\Qlggjk32.exeC:\Windows\system32\Qlggjk32.exe112⤵PID:5408
-
C:\Windows\SysWOW64\Qofcff32.exeC:\Windows\system32\Qofcff32.exe113⤵PID:5452
-
C:\Windows\SysWOW64\Qkmdkgob.exeC:\Windows\system32\Qkmdkgob.exe114⤵PID:5496
-
C:\Windows\SysWOW64\Allpejfe.exeC:\Windows\system32\Allpejfe.exe115⤵PID:5540
-
C:\Windows\SysWOW64\Aojlaeei.exeC:\Windows\system32\Aojlaeei.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5584 -
C:\Windows\SysWOW64\Aeddnp32.exeC:\Windows\system32\Aeddnp32.exe117⤵PID:5628
-
C:\Windows\SysWOW64\Ahcajk32.exeC:\Windows\system32\Ahcajk32.exe118⤵PID:5672
-
C:\Windows\SysWOW64\Aakebqbj.exeC:\Windows\system32\Aakebqbj.exe119⤵PID:5716
-
C:\Windows\SysWOW64\Alqjpi32.exeC:\Windows\system32\Alqjpi32.exe120⤵PID:5760
-
C:\Windows\SysWOW64\Ackbmcjl.exeC:\Windows\system32\Ackbmcjl.exe121⤵PID:5804
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-