Analysis
max time kernel: 92s
max time network: 96s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07/12/2024, 23:10
Static task: static1

Behavioral task: behavioral1
  Sample: 0d588a4036c30e73a714fa6efe4e298af7880d03de96a3acf431c78195d9219dN.exe
  Resource: win7-20241023-en

Behavioral task: behavioral2
  Sample: 0d588a4036c30e73a714fa6efe4e298af7880d03de96a3acf431c78195d9219dN.exe
  Resource: win10v2004-20241007-en
General
Target: 0d588a4036c30e73a714fa6efe4e298af7880d03de96a3acf431c78195d9219dN.exe
Size: 427KB
MD5: 148b064334d8e095d1a53283491bdde0
SHA1: a218a8f8d1f496716c8787bf4938c39d0c944cae
SHA256: 0d588a4036c30e73a714fa6efe4e298af7880d03de96a3acf431c78195d9219d
SHA512: 5ea9b0dbcffc69924c2e60c5c09f70adf71e870ca4ad37bf5252dd58323a788c3f78b9bfed39b3ebc66a59909f167d4e575815ff7e34735dc25c8c66974e37a6
SSDEEP: 6144:PjJOMxSTYaT15f7o+STYaT15fAK8yfMx/D4LJZPlVcxqy1:LJOHTYapJoTYapz8ye49vWq
Malware Config
Extracted family: berbew
URLs:
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)

Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
  by: Dfcqcm32.exe, Melckc32.exe, Jgnqjlmh.exe, Jgkmjf32.exe, Nplaiqdg.exe, Gbhpfcio.exe, Oehlno32.exe, Dfpfiqld.exe, Kgenea32.exe, Mlfcbc32.exe, Hjedia32.exe, Cihcoc32.exe, Nppkdp32.exe, Anjnae32.exe, Kkboaimf.exe, Ipgbgmlm.exe, Omhlkeko.exe, Iqfcgjeg.exe, Kjdjam32.exe, Jipfpc32.exe, Cjnmbgdi.exe, Nlcaoe32.exe, Emjglheo.exe, Bcbokd32.exe, Bmddma32.exe, Efjpiege.exe, Fppqcibf.exe, Hkpghdoj.exe, Hgjlmlfg.exe, Kgbjekic.exe, Ighnho32.exe, Pddmga32.exe, Cjkjcb32.exe, Dhnbelkh.exe

Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"
  by: Aqijmq32.exe, Emkeae32.exe, Flgahj32.exe, Jgfcogod.exe, Pfpiid32.exe, Jnplla32.exe, Kjffglgm.exe, Bcddfn32.exe, Cmabjb32.exe, Ijnqei32.exe, Feoogijo.exe, Hihgiffh.exe, Hhaklipf.exe, Pdhfbacf.exe, Dnmhbb32.exe, Hgbobfid.exe, Lnihhjin.exe, Aaabomfo.exe, Jgnqjlmh.exe, Cojophoe.exe, Anmjfe32.exe, Miliga32.exe, Phaakb32.exe, Ddmabgpi.exe, Hibaik32.exe, Cggnaabi.exe, Ckfpko32.exe, Ogcfgiod.exe, Ekfagfba.exe, Ekjkbe32.exe
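Every value under ShellServiceObjectDelayLoad is a CLSID that Explorer instantiates at logon, so the persistence above only works together with the CLSID registration listed under "Modifies registry class" further down (InProcServer32 pointing at a dropped DLL in SysWow64, ThreadingModel "Apartment"). The following is an added example, not part of the Triage report: it walks both registry views of SSODL on a live host, resolves each CLSID to its InProcServer32 DLL and reports whether that DLL exists and is validly signed by Microsoft. The CLSID constant is the one recorded in this report; the "Microsoft" subject match and the Suspicious rule are this example's own assumptions.

```powershell
# Added example, not part of the Triage report: audit ShellServiceObjectDelayLoad (SSODL)
# persistence. Explorer instantiates every CLSID listed under these keys at logon, so each
# entry is resolved to its InProcServer32 DLL and the DLL's Authenticode status is reported.
# Run from an elevated 64-bit PowerShell on the host being examined.

# CLSID observed in this report; other CLSIDs are still inspected, this one is just labelled.
$knownBadClsid = '{79FEACFF-FFCE-815E-A900-316290B5B738}'

$ssodlKeys = @(
    @{ View = 'x64'; Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad';
       ClsidRoot = 'HKLM:\SOFTWARE\Classes\CLSID' },
    @{ View = 'x86'; Key = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad';
       ClsidRoot = 'HKLM:\SOFTWARE\Classes\WOW6432Node\CLSID' }
)

function Get-SsodlEntries {
    foreach ($k in $ssodlKeys) {
        if (-not (Test-Path $k.Key)) { continue }
        $item = Get-Item $k.Key
        # Each value is "<display name>" = "<CLSID>", e.g. "Web Event Logger" = "{79FEACFF-...}".
        foreach ($name in $item.GetValueNames()) {
            $clsid  = [string]$item.GetValue($name)
            $inproc = Join-Path $k.ClsidRoot "$clsid\InProcServer32"
            $dll = $null; $threading = $null; $sig = $null
            if (Test-Path $inproc) {
                $ip        = Get-Item $inproc
                $dll       = [Environment]::ExpandEnvironmentVariables([string]$ip.GetValue(''))
                $threading = $ip.GetValue('ThreadingModel')
            }
            if ($dll -and (Test-Path $dll)) { $sig = Get-AuthenticodeSignature -FilePath $dll }
            # Assumed rule: only a validly signed Microsoft DLL is considered expected here.
            $msSigned = $sig -and $sig.Status -eq 'Valid' -and $sig.SignerCertificate.Subject -match 'Microsoft'
            [pscustomobject]@{
                View       = $k.View
                Name       = $name
                CLSID      = $clsid
                Dll        = $dll
                Threading  = $threading
                DllExists  = [bool]($dll -and (Test-Path $dll))
                SigStatus  = if ($sig) { $sig.Status.ToString() } else { 'n/a' }
                KnownIoc   = ($clsid -ieq $knownBadClsid)
                Suspicious = -not $msSigned
            }
        }
    }
}

Get-SsodlEntries | Format-Table -AutoSize -Wrap
```

A missing DLL (DllExists false) is still worth noting: the SSODL value and CLSID registration survive a file deletion and will be re-used if the DLL is re-dropped. Cleanup has to remove the SSODL value, the CLSID key and the DLL together, after the artifacts have been collected.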
Berbew family
Executes dropped EXE (64 IoCs)

pid   Process
1720  Mlnpnh32.exe
4684  Mlqlch32.exe
1268  Nnpimkfl.exe
1104  Nghmfqmm.exe
2972  Ngkjlpkj.exe
2244  Ndoked32.exe
4408  Njlcmk32.exe
1664  Ngpcgp32.exe
2928  Ofeqhl32.exe
1596  Onlhii32.exe
4280  Olaejfag.exe
1420  Onqbdihj.exe
2008  Oflfhkee.exe
876   Olfoee32.exe
3264  Odmgfb32.exe
224   Ocpgbodo.exe
5092  Ofncnkcb.exe
712   Ojjooilk.exe
3800  Omhlkeko.exe
4844  Pqcgkc32.exe
4700  Pdoclbla.exe
4876  Pgnphnke.exe
3632  Pjlldiji.exe
4320  Pnghdh32.exe
3016  Pqfdac32.exe
4528  Pjnijihf.exe
1388  Pmmefd32.exe
2692  Pddmga32.exe
2632  Pfeiojnj.exe
5056  Pjqeoh32.exe
5032  Pmoakd32.exe
4816  Pqknlbmp.exe
2492  Pdfjla32.exe
1556  Pgdfim32.exe
1812  Pfgfdikg.exe
1040  Pnoneglj.exe
4880  Pmanaccd.exe
2440  Pdhfbacf.exe
3004  Pckfnn32.exe
3348  Pfjcji32.exe
1548  Pjeojhbn.exe
3656  Qmdkfcaa.exe
3812  Qqoggb32.exe
3120  Qcnccm32.exe
928   Qgiodlqh.exe
3852  Qncgqf32.exe
3976  Qmfhlcoo.exe
2700  Qdmpmp32.exe
2604  Qcppimfl.exe
4368  Qfolehep.exe
940   Qjjheg32.exe
4004  Amhdab32.exe
2012  Aqdqbaee.exe
2720  Acbmnmdi.exe
4980  Ajlekg32.exe
3076  Anhaledo.exe
3964  Aqfmhacc.exe
4116  Aebihpkl.exe
4632  Agpedkjp.exe
1344  Afcfph32.exe
4184  Anjnae32.exe
1232  Aqijmq32.exe
1156  Acgfil32.exe
3460  Afebeg32.exe
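The list above, read together with the WriteProcessMemory records at the end of the report, is one linear chain: the sample starts Mlnpnh32.exe (1720), which starts Mlqlch32.exe (4684), which starts Nnpimkfl.exe (1268), and so on, every image living in SysWOW64. On a host with Sysmon the same chain can be rebuilt from ProcessCreate events. The block below is an added example, not part of the report: it indexes Sysmon Event ID 1 records by ProcessGuid and walks parent-to-child links while the child image stays under SysWOW64, reporting chains that reach an assumed minimum depth. The field names are the standard Sysmon Event ID 1 fields; the depth threshold of 4 is this example's own choice.

```powershell
# Added example, not part of the Triage report: rebuild parent -> child process chains from
# Sysmon ProcessCreate (Event ID 1) and surface long chains of SysWOW64 executables, each one
# spawning the next, as the sandbox recorded for this sample. Requires Sysmon; run elevated.

$minDepth = 4                                 # assumed threshold; legitimate chains are usually short
$sysWow   = "$env:SystemRoot\SysWOW64\"

function Get-SysmonProcessCreates {
    Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' -FilterXPath '*[System[EventID=1]]' -ErrorAction Stop |
        ForEach-Object {
            $d = @{}
            foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time        = $d.UtcTime
                Guid        = $d.ProcessGuid
                Pid         = [int]$d.ProcessId
                Image       = [string]$d.Image
                ParentGuid  = $d.ParentProcessGuid
                ParentPid   = [int]$d.ParentProcessId
                ParentImage = [string]$d.ParentImage
            }
        }
}

function Find-SysWow64Chains {
    param([object[]]$Events = (Get-SysmonProcessCreates), [int]$MinDepth = $minDepth)

    # Index children by the parent's ProcessGuid (PIDs are reused; GUIDs are not).
    $children = @{}
    foreach ($e in $Events) {
        if (-not $children.ContainsKey($e.ParentGuid)) {
            $children[$e.ParentGuid] = New-Object System.Collections.Generic.List[object]
        }
        $children[$e.ParentGuid].Add($e)
    }

    # Roots: a SysWOW64 image whose parent was not itself a SysWOW64 image.
    $roots = $Events | Where-Object {
        $_.Image.StartsWith($sysWow, 'OrdinalIgnoreCase') -and
        -not $_.ParentImage.StartsWith($sysWow, 'OrdinalIgnoreCase')
    }

    foreach ($root in $roots) {
        # Depth-first walk; each stack frame is (event, chain so far).
        $stack = New-Object System.Collections.Stack
        $stack.Push(@($root, @($root)))
        while ($stack.Count -gt 0) {
            $node, $chain = $stack.Pop()
            $next = @()
            if ($children.ContainsKey($node.Guid)) {
                $next = @($children[$node.Guid] | Where-Object { $_.Image.StartsWith($sysWow, 'OrdinalIgnoreCase') })
            }
            if ($next.Count -eq 0) {
                if ($chain.Count -ge $MinDepth) {
                    [pscustomobject]@{
                        Depth = $chain.Count
                        Start = $chain[0].Time
                        Chain = ($chain | ForEach-Object { "$($_.Pid):$([IO.Path]::GetFileName($_.Image))" }) -join ' -> '
                    }
                }
            } else {
                foreach ($c in $next) { $stack.Push(@($c, ($chain + $c))) }
            }
        }
    }
}

Find-SysWow64Chains | Sort-Object Depth -Descending | Format-Table -AutoSize -Wrap
```

The walk is keyed on ProcessGuid rather than PID because PIDs are recycled quickly on a busy host and a chain this long will span reuse. Each reported chain gives the PID and image name per hop in the same form as the report's "Executes dropped EXE" table, so the two can be compared directly.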
Drops file in System32 directory (64 IoCs)

description                    ioc                                  Process
File created                   C:\Windows\SysWOW64\Glbadhmm.exe     Gkadmp32.exe
File created                   C:\Windows\SysWOW64\Oigkij32.dll     Kgipfjbk.exe
File opened for modification   C:\Windows\SysWOW64\Bnaopf32.exe     Blpbhnjo.exe
File created                   C:\Windows\SysWOW64\Bkkihj32.dll     Fjeeabal.exe
File created                   C:\Windows\SysWOW64\Qjehpanb.exe     Pckpcgge.exe
File created                   C:\Windows\SysWOW64\Lehpif32.dll     Efdjjkcf.exe
File created                   C:\Windows\SysWOW64\Fmiabcpf.exe     Fgpifi32.exe
File created                   C:\Windows\SysWOW64\Oolgle32.exe     Ohbookci.exe
File opened for modification   C:\Windows\SysWOW64\Gdjiefno.exe     Glbadhmm.exe
File created                   C:\Windows\SysWOW64\Knnhmoja.exe     Kfgplajo.exe
File created                   C:\Windows\SysWOW64\Jnpqggjd.dll     Qncgqf32.exe
File created                   C:\Windows\SysWOW64\Qcppimfl.exe     Qdmpmp32.exe
File created                   C:\Windows\SysWOW64\Njhibcga.dll     Opjnko32.exe
File created                   C:\Windows\SysWOW64\Adjclb32.dll     Cciekclc.exe
File created                   C:\Windows\SysWOW64\Omofjqmm.dll     Dafhkf32.exe
File created                   C:\Windows\SysWOW64\Docemdqc.dll     Kjamlm32.exe
File created                   C:\Windows\SysWOW64\Pmmefd32.exe     Pjnijihf.exe
File opened for modification   C:\Windows\SysWOW64\Lnllhp32.exe     Llmpld32.exe
File opened for modification   C:\Windows\SysWOW64\Cabopggg.exe     Cflkbnga.exe
File opened for modification   C:\Windows\SysWOW64\Djqboedd.exe     Dpknaldn.exe
File opened for modification   C:\Windows\SysWOW64\Olmdec32.exe     Oljgpdji.exe
File created                   C:\Windows\SysWOW64\Kgmjpf32.exe     Jpcaclap.exe
File created                   C:\Windows\SysWOW64\Mkaehfcf.dll     Kfgplajo.exe
File created                   C:\Windows\SysWOW64\Ambgha32.exe     Anogldng.exe
File opened for modification   C:\Windows\SysWOW64\Kfgdno32.exe     Kfehhohi.exe
File created                   C:\Windows\SysWOW64\Jjhhbn32.dll     Ljpimkob.exe
File created                   C:\Windows\SysWOW64\Melckc32.exe     Mbngog32.exe
File opened for modification   C:\Windows\SysWOW64\Akgchm32.exe     Aaooog32.exe
File created                   C:\Windows\SysWOW64\Dfmica32.exe     Dkhefh32.exe
File created                   C:\Windows\SysWOW64\Fcoigo32.dll     Cmdmdo32.exe
File created                   C:\Windows\SysWOW64\Jlocihjb.dll     Bfmhff32.exe
File created                   C:\Windows\SysWOW64\Jipino32.dll     Fobofmal.exe
File created                   C:\Windows\SysWOW64\Ohfhjj32.exe     Oehlno32.exe
File created                   C:\Windows\SysWOW64\Hpgpkf32.exe     Hlldjgeb.exe
File created                   C:\Windows\SysWOW64\Jdfahbfo.exe     Jnlikhnb.exe
File created                   C:\Windows\SysWOW64\Ipmaia32.dll     Legcfmij.exe
File opened for modification   C:\Windows\SysWOW64\Phaakb32.exe     Pmlmnj32.exe
File created                   C:\Windows\SysWOW64\Bgplcjod.dll     Qfolehep.exe
File created                   C:\Windows\SysWOW64\Decmkehf.dll     Eijbqjak.exe
File opened for modification   C:\Windows\SysWOW64\Hbjohj32.exe     Hlpfkpna.exe
File opened for modification   C:\Windows\SysWOW64\Bdkgmqgj.exe     Bnaopf32.exe
File opened for modification   C:\Windows\SysWOW64\Ocopgiac.exe     Olehko32.exe
File opened for modification   C:\Windows\SysWOW64\Plnkan32.exe     Pgabig32.exe
File created                   C:\Windows\SysWOW64\Ojlcgglk.dll     Kgenea32.exe
File created                   C:\Windows\SysWOW64\Dmjepa32.exe     Dfpmcgpp.exe
File created                   C:\Windows\SysWOW64\Hkdenoik.dll     Ffepedmh.exe
File created                   C:\Windows\SysWOW64\Gdlekell.exe     Glenjhkj.exe
File created                   C:\Windows\SysWOW64\Jpdikffd.exe     Jkhnjg32.exe
File created                   C:\Windows\SysWOW64\Oedjmfha.exe     Oojaql32.exe
File created                   C:\Windows\SysWOW64\Pigckepb.dll     Efjpiege.exe
File opened for modification   C:\Windows\SysWOW64\Kfimaahl.exe     Koodeg32.exe
File opened for modification   C:\Windows\SysWOW64\Bjjalepf.exe     Bfoelf32.exe
File created                   C:\Windows\SysWOW64\Olheph32.dll     Beklnn32.exe
File created                   C:\Windows\SysWOW64\Cmghpaan.dll     Dmbiem32.exe
File created                   C:\Windows\SysWOW64\Ieojkcfl.dll     Nijehoad.exe
File opened for modification   C:\Windows\SysWOW64\Gplpoghi.exe     Gibhbm32.exe
File created                   C:\Windows\SysWOW64\Ncnelion.dll     Gkadmp32.exe
File created                   C:\Windows\SysWOW64\Fnpmopgg.exe     Flaacdhd.exe
File opened for modification   C:\Windows\SysWOW64\Gejobh32.exe     Gopffnie.exe
File created                   C:\Windows\SysWOW64\Bmpjpg32.dll     Aqijmq32.exe
File created                   C:\Windows\SysWOW64\Lnapigob.dll     Cjagmd32.exe
File created                   C:\Windows\SysWOW64\Cjhmnc32.exe     Chjaag32.exe
File created                   C:\Windows\SysWOW64\Hccbkfjj.dll     Dalhqlbh.exe
File created                   C:\Windows\SysWOW64\Nnagqeap.dll     Ddmabgpi.exe
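Each generation of the chain writes a fresh eight-letter EXE and DLL into SysWOW64, so on a compromised host the directory fills with recently created binaries that carry no Microsoft signature. The following is an added example, not part of the Triage report: it lists PE files under System32 and SysWOW64 that were created or rewritten inside a look-back window and are not validly signed by Microsoft, tags the name shape seen in this report separately from the signature verdict, and notes whether each file is currently running. The seven-day window, the "Microsoft" subject match and the name regex are this example's assumptions.

```powershell
# Added example, not part of the Triage report: list PE files under System32 and SysWOW64 that
# were created or rewritten recently and are not validly signed by Microsoft. The name shape
# seen in this report (eight letters, often ending in "32") is flagged as a separate column so a
# signature miss is never hidden behind a naming heuristic. Run from an elevated 64-bit PowerShell.

$days = 7                                   # assumed look-back window; widen for older infections
$dirs = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")
# Name shape seen in this report: eight letters, optionally "32" as the last two,
# e.g. Glbadhmm.exe, Oigkij32.dll. Heuristic only; an assumption of this example.
$berbewNamePattern = '^[A-Za-z]{6}([A-Za-z]{2}|32)\.(exe|dll)$'

function Find-RecentUnsignedSystemBinaries {
    param([int]$Days = $days)
    $since = (Get-Date).AddDays(-$Days)
    # Images of running processes, so a dropped EXE that is live stands out in the output.
    $running = @(Get-Process -ErrorAction SilentlyContinue | Where-Object Path | ForEach-Object Path)
    foreach ($dir in $dirs) {
        Get-ChildItem -Path "$dir\*" -Include *.exe, *.dll -File -ErrorAction SilentlyContinue |
            Where-Object { $_.CreationTime -ge $since -or $_.LastWriteTime -ge $since } |
            ForEach-Object {
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                # Assumed rule: a valid signature chaining to a Microsoft subject is the only "expected" case.
                $msSigned = $sig.Status -eq 'Valid' -and $sig.SignerCertificate.Subject -match 'Microsoft'
                if (-not $msSigned) {
                    [pscustomobject]@{
                        Path        = $_.FullName
                        Created     = $_.CreationTime
                        SizeKB      = [math]::Round($_.Length / 1KB)
                        SigStatus   = $sig.Status.ToString()
                        NameMatches = [bool]($_.Name -match $berbewNamePattern)
                        Running     = $running -contains $_.FullName
                        SHA256      = (Get-FileHash -Algorithm SHA256 -Path $_.FullName).Hash
                    }
                }
            }
    }
}

Find-RecentUnsignedSystemBinaries | Sort-Object Created -Descending | Format-Table -AutoSize
```

The disk alone cannot say which process wrote a file; where Sysmon is present, Event ID 11 (FileCreate) for the listed paths recovers the dropping process and lets the hits be joined to the process chain. Third-party 32-bit software also installs unsigned or non-Microsoft DLLs into SysWOW64, so the output is triage input, not a verdict; the SHA256 column is there so each hit can be checked against the hashes in reports like this one.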
Program crash (1 IoC)

pid   pid_target  Process       procid_target
6096  6148        WerFault.exe  1000
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  by: Emniakno.exe, Kfehhohi.exe, Niaimf32.exe, Epgnmjjq.exe, Gpggdh32.exe, Jnlikhnb.exe, Bjmnbd32.exe, Cameeg32.exe, Efqfjd32.exe, Gffhlaoe.exe, Oalicjdk.exe, Hkckhk32.exe, Nemcmg32.exe, Fmldbh32.exe, Pjeojhbn.exe, Bggdkd32.exe, Djpcnbmn.exe, Efdjjkcf.exe, Ajlekg32.exe, Kddnipio.exe, Igmqihgo.exe, Iojgegoo.exe, Fmpoldhq.exe, Jhdaif32.exe, Kgofeegj.exe, Bhnqhe32.exe, Cdicno32.exe, Cmomoi32.exe, Hdehaddb.exe, Kdhgdo32.exe, Amodhkci.exe, Iljpleib.exe, Phjkkchc.exe, Cnokadcm.exe, Pgnphnke.exe, Kgackeeg.exe, Afhokgme.exe, Dfgcdfjh.exe, Fmohbnee.exe, Bcnljkjl.exe, Licmkhij.exe, Olehko32.exe, Didjeh32.exe, Jpjommjj.exe, Knnhmoja.exe, Fobofmal.exe, Kelaokko.exe, Kkboaimf.exe, Anjnae32.exe, Chjaag32.exe, Idlobcnj.exe, Hbhbbk32.exe, Aofjch32.exe, Lgpfgi32.exe, Eelijl32.exe, Hfodhj32.exe, Bqfodh32.exe, Lepdpd32.exe, Cjnmbgdi.exe, Heohngll.exe, Cdlhki32.exe, Cglgma32.exe, Aoelnkam.exe, Cdggho32.exe
Modifies registry class (64 IoCs)

All writes are under \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32, the CLSID registered in the ShellServiceObjectDelayLoad entry above.

Key created: ...\InProcServer32
  by: Miomggom.exe, Llofgn32.exe, Bfombc32.exe, Cjddbcgk.exe, Kegaif32.exe, Ekfagfba.exe, Dfmica32.exe, Kfehhohi.exe, Kgcapa32.exe, Menpabgn.exe, Gkcabp32.exe, Iicknm32.exe, Dfpmcgpp.exe, Gdlekell.exe, Oloqkc32.exe, Cndinalo.exe, Oalicjdk.exe, Ebcmdfkg.exe, Hdehaddb.exe

Set value (str): ...\InProcServer32\ThreadingModel = "Apartment"
  by: Ighnho32.exe, Anmjfe32.exe, Mjclndga.exe, Hkiaheeb.exe, Bfnggjpe.exe, Bcgopjba.exe, Dofnlf32.exe, Jgakeh32.exe, Fangbb32.exe, Peokdggl.exe, Fobofmal.exe, Ljlfme32.exe, Beeodm32.exe, Cfhhbe32.exe, Kdkdjocg.exe, Dfbjif32.exe, Ffhlkc32.exe, Ekjkbe32.exe

Set value (str): ...\InProcServer32\ (default) = DLL path
  "C:\\Windows\\SysWow64\\Ljjgilcl.dll"  Hfodhj32.exe
  "C:\\Windows\\SysWow64\\Dfhdppgd.dll"  Dbgnhhed.exe
  "C:\\Windows\\SysWow64\\Jkmmkh32.dll"  Hkkgco32.exe
  "C:\\Windows\\SysWow64\\Olcceo32.dll"  Inecki32.exe
  "C:\\Windows\\SysWow64\\Kdpaioep.dll"  Hbqlalmi.exe
  "C:\\Windows\\SysWow64\\Hhddjq32.dll"  Jjfnpo32.exe
  "C:\\Windows\\SysWow64\\Eilgccnl.dll"  Kghjkahi.exe
  "C:\\Windows\\SysWow64\\Jhbmib32.dll"  Cihcoc32.exe
  "C:\\Windows\\SysWow64\\Dkiqfh32.dll"  Mkchhgod.exe
  "C:\\Windows\\SysWow64\\Jlkedbmg.dll"  Mekmam32.exe
  "C:\\Windows\\SysWow64\\Hbnbdkaq.dll"  Kbgoba32.exe
  "C:\\Windows\\SysWow64\\Kmlnbdoi.dll"  Dadlefed.exe
  "C:\\Windows\\SysWow64\\Onadoaac.dll"  Dfgcdfjh.exe
  "C:\\Windows\\SysWow64\\Bfbjdpin.dll"  Lpfogcfo.exe
  "C:\\Windows\\SysWow64\\Pnfdijlh.dll"  Galcdqbg.exe
  "C:\\Windows\\SysWow64\\Jdmnpg32.dll"  Hjedia32.exe
  "C:\\Windows\\SysWow64\\Kbgefekb.dll"  Pcepnb32.exe
  "C:\\Windows\\SysWow64\\Hfhaea32.dll"  Ocmcbice.exe
  "C:\\Windows\\SysWow64\\Pjdgpcgl.dll"  Addala32.exe
  "C:\\Windows\\SysWow64\\Qkncme32.dll"  Gbgikmec.exe
  "C:\\Windows\\SysWow64\\Ifiigp32.dll"  Ilbcqp32.exe
  "C:\\Windows\\SysWow64\\Fnomap32.dll"  Cggnaabi.exe
  "C:\\Windows\\SysWow64\\Bgcnegoj.dll"  Lbekcoec.exe
  "C:\\Windows\\SysWow64\\Emfiqoad.dll"  Pcdjbh32.exe
  "C:\\Windows\\SysWow64\\Feadfaab.dll"  Jdhnnacl.exe
  "C:\\Windows\\SysWow64\\Paojhpbm.dll"  Ekjkbe32.exe
  "C:\\Windows\\SysWow64\\Oljcdici.dll"  Canlon32.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes
Each entry below is one process in the chain: tree depth in brackets, image path, command line, PID, then the behaviours tagged for that process. Every process is the child of the one listed immediately above it.

[1] C:\Users\Admin\AppData\Local\Temp\0d588a4036c30e73a714fa6efe4e298af7880d03de96a3acf431c78195d9219dN.exe (command line: "C:\Users\Admin\AppData\Local\Temp\0d588a4036c30e73a714fa6efe4e298af7880d03de96a3acf431c78195d9219dN.exe"), PID 416
- Suspicious use of WriteProcessMemory

[2] C:\Windows\SysWOW64\Mlnpnh32.exe (command line: C:\Windows\system32\Mlnpnh32.exe), PID 1720
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

[3] C:\Windows\SysWOW64\Mlqlch32.exe (command line: C:\Windows\system32\Mlqlch32.exe), PID 4684
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

[4] C:\Windows\SysWOW64\Nnpimkfl.exe (command line: C:\Windows\system32\Nnpimkfl.exe), PID 1268
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

[5] C:\Windows\SysWOW64\Nghmfqmm.exe (command line: C:\Windows\system32\Nghmfqmm.exe), PID 1104
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

[6] C:\Windows\SysWOW64\Ngkjlpkj.exe (command line: C:\Windows\system32\Ngkjlpkj.exe), PID 2972
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

[7] C:\Windows\SysWOW64\Ndoked32.exe (command line: C:\Windows\system32\Ndoked32.exe), PID 2244
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

[8] C:\Windows\SysWOW64\Njlcmk32.exe (command line: C:\Windows\system32\Njlcmk32.exe), PID 4408
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

[9] C:\Windows\SysWOW64\Ngpcgp32.exe (command line: C:\Windows\system32\Ngpcgp32.exe), PID 1664
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

[10] C:\Windows\SysWOW64\Ofeqhl32.exe (command line: C:\Windows\system32\Ofeqhl32.exe), PID 2928
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

[11] C:\Windows\SysWOW64\Onlhii32.exe (command line: C:\Windows\system32\Onlhii32.exe), PID 1596
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

[12] C:\Windows\SysWOW64\Olaejfag.exe (command line: C:\Windows\system32\Olaejfag.exe), PID 4280
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

[13] C:\Windows\SysWOW64\Onqbdihj.exe (command line: C:\Windows\system32\Onqbdihj.exe), PID 1420
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

[14] C:\Windows\SysWOW64\Oflfhkee.exe (command line: C:\Windows\system32\Oflfhkee.exe), PID 2008
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

[15] C:\Windows\SysWOW64\Olfoee32.exe (command line: C:\Windows\system32\Olfoee32.exe), PID 876
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

[16] C:\Windows\SysWOW64\Odmgfb32.exe (command line: C:\Windows\system32\Odmgfb32.exe), PID 3264
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

[17] C:\Windows\SysWOW64\Ocpgbodo.exe (command line: C:\Windows\system32\Ocpgbodo.exe), PID 224
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

[18] C:\Windows\SysWOW64\Ofncnkcb.exe (command line: C:\Windows\system32\Ofncnkcb.exe), PID 5092
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

[19] C:\Windows\SysWOW64\Ojjooilk.exe (command line: C:\Windows\system32\Ojjooilk.exe), PID 712
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

[20] C:\Windows\SysWOW64\Omhlkeko.exe (command line: C:\Windows\system32\Omhlkeko.exe), PID 3800
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

[21] C:\Windows\SysWOW64\Pqcgkc32.exe (command line: C:\Windows\system32\Pqcgkc32.exe), PID 4844
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

[22] C:\Windows\SysWOW64\Pdoclbla.exe (command line: C:\Windows\system32\Pdoclbla.exe), PID 4700
- Executes dropped EXE
- Suspicious use of WriteProcessMemory

[23] C:\Windows\SysWOW64\Pgnphnke.exe (command line: C:\Windows\system32\Pgnphnke.exe), PID 4876
- Executes dropped EXE
- System Location Discovery: System Language Discovery

[24] C:\Windows\SysWOW64\Pjlldiji.exe (command line: C:\Windows\system32\Pjlldiji.exe), PID 3632
- Executes dropped EXE

[25] C:\Windows\SysWOW64\Pnghdh32.exe (command line: C:\Windows\system32\Pnghdh32.exe), PID 4320
- Executes dropped EXE

[26] C:\Windows\SysWOW64\Pqfdac32.exe (command line: C:\Windows\system32\Pqfdac32.exe), PID 3016
- Executes dropped EXE

[27] C:\Windows\SysWOW64\Pjnijihf.exe (command line: C:\Windows\system32\Pjnijihf.exe), PID 4528
- Executes dropped EXE
- Drops file in System32 directory

[28] C:\Windows\SysWOW64\Pmmefd32.exe (command line: C:\Windows\system32\Pmmefd32.exe), PID 1388
- Executes dropped EXE

[29] C:\Windows\SysWOW64\Pddmga32.exe (command line: C:\Windows\system32\Pddmga32.exe), PID 2692
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE

[30] C:\Windows\SysWOW64\Pfeiojnj.exe (command line: C:\Windows\system32\Pfeiojnj.exe), PID 2632
- Executes dropped EXE

[31] C:\Windows\SysWOW64\Pjqeoh32.exe (command line: C:\Windows\system32\Pjqeoh32.exe), PID 5056
- Executes dropped EXE

[32] C:\Windows\SysWOW64\Pmoakd32.exe (command line: C:\Windows\system32\Pmoakd32.exe), PID 5032
- Executes dropped EXE

[33] C:\Windows\SysWOW64\Pqknlbmp.exe (command line: C:\Windows\system32\Pqknlbmp.exe), PID 4816
- Executes dropped EXE

[34] C:\Windows\SysWOW64\Pdfjla32.exe (command line: C:\Windows\system32\Pdfjla32.exe), PID 2492
- Executes dropped EXE

[35] C:\Windows\SysWOW64\Pgdfim32.exe (command line: C:\Windows\system32\Pgdfim32.exe), PID 1556
- Executes dropped EXE

[36] C:\Windows\SysWOW64\Pfgfdikg.exe (command line: C:\Windows\system32\Pfgfdikg.exe), PID 1812
- Executes dropped EXE

[37] C:\Windows\SysWOW64\Pnoneglj.exe (command line: C:\Windows\system32\Pnoneglj.exe), PID 1040
- Executes dropped EXE

[38] C:\Windows\SysWOW64\Pmanaccd.exe (command line: C:\Windows\system32\Pmanaccd.exe), PID 4880
- Executes dropped EXE

[39] C:\Windows\SysWOW64\Pdhfbacf.exe (command line: C:\Windows\system32\Pdhfbacf.exe), PID 2440
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE

[40] C:\Windows\SysWOW64\Pckfnn32.exe (command line: C:\Windows\system32\Pckfnn32.exe), PID 3004
- Executes dropped EXE

[41] C:\Windows\SysWOW64\Pfjcji32.exe (command line: C:\Windows\system32\Pfjcji32.exe), PID 3348
- Executes dropped EXE

[42] C:\Windows\SysWOW64\Pjeojhbn.exe (command line: C:\Windows\system32\Pjeojhbn.exe), PID 1548
- Executes dropped EXE
- System Location Discovery: System Language Discovery

[43] C:\Windows\SysWOW64\Qmdkfcaa.exe (command line: C:\Windows\system32\Qmdkfcaa.exe), PID 3656
- Executes dropped EXE

[44] C:\Windows\SysWOW64\Qqoggb32.exe (command line: C:\Windows\system32\Qqoggb32.exe), PID 3812
- Executes dropped EXE

[45] C:\Windows\SysWOW64\Qcnccm32.exe (command line: C:\Windows\system32\Qcnccm32.exe), PID 3120
- Executes dropped EXE

[46] C:\Windows\SysWOW64\Qgiodlqh.exe (command line: C:\Windows\system32\Qgiodlqh.exe), PID 928
- Executes dropped EXE

[47] C:\Windows\SysWOW64\Qncgqf32.exe (command line: C:\Windows\system32\Qncgqf32.exe), PID 3852
- Executes dropped EXE
- Drops file in System32 directory

[48] C:\Windows\SysWOW64\Qmfhlcoo.exe (command line: C:\Windows\system32\Qmfhlcoo.exe), PID 3976
- Executes dropped EXE

[49] C:\Windows\SysWOW64\Qdmpmp32.exe (command line: C:\Windows\system32\Qdmpmp32.exe), PID 2700
- Executes dropped EXE
- Drops file in System32 directory

[50] C:\Windows\SysWOW64\Qcppimfl.exe (command line: C:\Windows\system32\Qcppimfl.exe), PID 2604
- Executes dropped EXE

[51] C:\Windows\SysWOW64\Qfolehep.exe (command line: C:\Windows\system32\Qfolehep.exe), PID 4368
- Executes dropped EXE
- Drops file in System32 directory

[52] C:\Windows\SysWOW64\Qjjheg32.exe (command line: C:\Windows\system32\Qjjheg32.exe), PID 940
- Executes dropped EXE

[53] C:\Windows\SysWOW64\Amhdab32.exe (command line: C:\Windows\system32\Amhdab32.exe), PID 4004
- Executes dropped EXE

[54] C:\Windows\SysWOW64\Aqdqbaee.exe (command line: C:\Windows\system32\Aqdqbaee.exe), PID 2012
- Executes dropped EXE

[55] C:\Windows\SysWOW64\Acbmnmdi.exe (command line: C:\Windows\system32\Acbmnmdi.exe), PID 2720
- Executes dropped EXE

[56] C:\Windows\SysWOW64\Ajlekg32.exe (command line: C:\Windows\system32\Ajlekg32.exe), PID 4980
- Executes dropped EXE
- System Location Discovery: System Language Discovery

[57] C:\Windows\SysWOW64\Anhaledo.exe (command line: C:\Windows\system32\Anhaledo.exe), PID 3076
- Executes dropped EXE

[58] C:\Windows\SysWOW64\Aqfmhacc.exe (command line: C:\Windows\system32\Aqfmhacc.exe), PID 3964
- Executes dropped EXE

[59] C:\Windows\SysWOW64\Aebihpkl.exe (command line: C:\Windows\system32\Aebihpkl.exe), PID 4116
- Executes dropped EXE

[60] C:\Windows\SysWOW64\Agpedkjp.exe (command line: C:\Windows\system32\Agpedkjp.exe), PID 4632
- Executes dropped EXE

[61] C:\Windows\SysWOW64\Afcfph32.exe (command line: C:\Windows\system32\Afcfph32.exe), PID 1344
- Executes dropped EXE

[62] C:\Windows\SysWOW64\Anjnae32.exe (command line: C:\Windows\system32\Anjnae32.exe), PID 4184
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery

[63] C:\Windows\SysWOW64\Aqijmq32.exe (command line: C:\Windows\system32\Aqijmq32.exe), PID 1232
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory

[64] C:\Windows\SysWOW64\Acgfil32.exe (command line: C:\Windows\system32\Acgfil32.exe), PID 1156
- Executes dropped EXE

[65] C:\Windows\SysWOW64\Afebeg32.exe (command line: C:\Windows\system32\Afebeg32.exe), PID 3460
- Executes dropped EXE

[66] C:\Windows\SysWOW64\Ajanffhq.exe (command line: C:\Windows\system32\Ajanffhq.exe), PID 4584

[67] C:\Windows\SysWOW64\Anmjfe32.exe (command line: C:\Windows\system32\Anmjfe32.exe), PID 3392
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class

[68] C:\Windows\SysWOW64\Aakfcp32.exe (command line: C:\Windows\system32\Aakfcp32.exe), PID 1572

[69] C:\Windows\SysWOW64\Aefbcogf.exe (command line: C:\Windows\system32\Aefbcogf.exe), PID 3364

[70] C:\Windows\SysWOW64\Ageopj32.exe (command line: C:\Windows\system32\Ageopj32.exe), PID 2544

[71] C:\Windows\SysWOW64\Afhokgme.exe (command line: C:\Windows\system32\Afhokgme.exe), PID 3240
- System Location Discovery: System Language Discovery

[72] C:\Windows\SysWOW64\Anogldng.exe (command line: C:\Windows\system32\Anogldng.exe), PID 736
- Drops file in System32 directory

[73] C:\Windows\SysWOW64\Ambgha32.exe (command line: C:\Windows\system32\Ambgha32.exe), PID 1468

[74] C:\Windows\SysWOW64\Aamchpmk.exe (command line: C:\Windows\system32\Aamchpmk.exe), PID 4576

[75] C:\Windows\SysWOW64\Aclpdklo.exe (command line: C:\Windows\system32\Aclpdklo.exe), PID 2160

[76] C:\Windows\SysWOW64\Agglej32.exe (command line: C:\Windows\system32\Agglej32.exe), PID 2648

[77] C:\Windows\SysWOW64\Bjfhae32.exe (command line: C:\Windows\system32\Bjfhae32.exe), PID 4020

[78] C:\Windows\SysWOW64\Bnadadld.exe (command line: C:\Windows\system32\Bnadadld.exe), PID 2192

[79] C:\Windows\SysWOW64\Bmddma32.exe (command line: C:\Windows\system32\Bmddma32.exe), PID 4620
- Adds autorun key to be loaded by Explorer.exe on startup

[80] C:\Windows\SysWOW64\Beklnn32.exe (command line: C:\Windows\system32\Beklnn32.exe), PID 5004
- Drops file in System32 directory

[81] C:\Windows\SysWOW64\Bcnljkjl.exe (command line: C:\Windows\system32\Bcnljkjl.exe), PID 1980
- System Location Discovery: System Language Discovery

[82] C:\Windows\SysWOW64\Bfmhff32.exe (command line: C:\Windows\system32\Bfmhff32.exe), PID 4036
- Drops file in System32 directory

[83] C:\Windows\SysWOW64\Bjhdgeai.exe (command line: C:\Windows\system32\Bjhdgeai.exe), PID 5148

[84] C:\Windows\SysWOW64\Bmfqcqql.exe (command line: C:\Windows\system32\Bmfqcqql.exe), PID 5188

[85] C:\Windows\SysWOW64\Babmco32.exe (command line: C:\Windows\system32\Babmco32.exe), PID 5220

[86] C:\Windows\SysWOW64\Benidnao.exe (command line: C:\Windows\system32\Benidnao.exe), PID 5268

[87] C:\Windows\SysWOW64\Bglepipb.exe (command line: C:\Windows\system32\Bglepipb.exe), PID 5308

[88] C:\Windows\SysWOW64\Bfoelf32.exe (command line: C:\Windows\system32\Bfoelf32.exe), PID 5340
- Drops file in System32 directory

[89] C:\Windows\SysWOW64\Bjjalepf.exe (command line: C:\Windows\system32\Bjjalepf.exe), PID 5388

[90] C:\Windows\SysWOW64\Bmimhpoj.exe (command line: C:\Windows\system32\Bmimhpoj.exe), PID 5428

[91] C:\Windows\SysWOW64\Badiio32.exe (command line: C:\Windows\system32\Badiio32.exe), PID 5460

[92] C:\Windows\SysWOW64\Bepeinol.exe (command line: C:\Windows\system32\Bepeinol.exe), PID 5508

[93] C:\Windows\SysWOW64\Bgnafinp.exe (command line: C:\Windows\system32\Bgnafinp.exe), PID 5540

[94] C:\Windows\SysWOW64\Bfabaf32.exe (command line: C:\Windows\system32\Bfabaf32.exe), PID 5588

[95] C:\Windows\SysWOW64\Bjmnbd32.exe (command line: C:\Windows\system32\Bjmnbd32.exe), PID 5628
- System Location Discovery: System Language Discovery

[96] C:\Windows\SysWOW64\Bmkjnp32.exe (command line: C:\Windows\system32\Bmkjnp32.exe), PID 5668

[97] C:\Windows\SysWOW64\Bagfooep.exe (command line: C:\Windows\system32\Bagfooep.exe), PID 5700

[98] C:\Windows\SysWOW64\Bcebkjdd.exe (command line: C:\Windows\system32\Bcebkjdd.exe), PID 5748

[99] C:\Windows\SysWOW64\Bfcogecg.exe (command line: C:\Windows\system32\Bfcogecg.exe), PID 5788

[100] C:\Windows\SysWOW64\Bnkfhcdj.exe (command line: C:\Windows\system32\Bnkfhcdj.exe), PID 5820

[101] C:\Windows\SysWOW64\Bmngcp32.exe (command line: C:\Windows\system32\Bmngcp32.exe), PID 5868

[102] C:\Windows\SysWOW64\Beeodm32.exe (command line: C:\Windows\system32\Beeodm32.exe), PID 5900
- Modifies registry class

[103] C:\Windows\SysWOW64\Bcgopjba.exe (command line: C:\Windows\system32\Bcgopjba.exe), PID 5948
- Modifies registry class

[104] C:\Windows\SysWOW64\Bhckqh32.exe (command line: C:\Windows\system32\Bhckqh32.exe), PID 5984

[105] C:\Windows\SysWOW64\Cjagmd32.exe (command line: C:\Windows\system32\Cjagmd32.exe), PID 6020
- Drops file in System32 directory

[106] C:\Windows\SysWOW64\Cmpcioha.exe (command line: C:\Windows\system32\Cmpcioha.exe), PID 6068

[107] C:\Windows\SysWOW64\Cegljmid.exe (command line: C:\Windows\system32\Cegljmid.exe), PID 6108

[108] C:\Windows\SysWOW64\Ccjlfi32.exe (command line: C:\Windows\system32\Ccjlfi32.exe), PID 3928

[109] C:\Windows\SysWOW64\Cfhhbe32.exe (command line: C:\Windows\system32\Cfhhbe32.exe), PID 1148
- Modifies registry class

[110] C:\Windows\SysWOW64\Cjddbcgk.exe (command line: C:\Windows\system32\Cjddbcgk.exe), PID 216
- Modifies registry class

[111] C:\Windows\SysWOW64\Cmbpoofo.exe (command line: C:\Windows\system32\Cmbpoofo.exe), PID 924

[112] C:\Windows\SysWOW64\Canlon32.exe (command line: C:\Windows\system32\Canlon32.exe), PID 2820
- Modifies registry class

[113] C:\Windows\SysWOW64\Cdlhki32.exe (command line: C:\Windows\system32\Cdlhki32.exe), PID 5028
- System Location Discovery: System Language Discovery

[114] C:\Windows\SysWOW64\Cmdmdo32.exe (command line: C:\Windows\system32\Cmdmdo32.exe), PID 3104
- Drops file in System32 directory

[115] C:\Windows\SysWOW64\Chjaag32.exe (command line: C:\Windows\system32\Chjaag32.exe), PID 3116
- Drops file in System32 directory
- System Location Discovery: System Language Discovery

[116] C:\Windows\SysWOW64\Cjhmnc32.exe (command line: C:\Windows\system32\Cjhmnc32.exe), PID 4072

[117] C:\Windows\SysWOW64\Cndinalo.exe (command line: C:\Windows\system32\Cndinalo.exe), PID 2076
- Modifies registry class

[118] C:\Windows\SysWOW64\Cabfjmkc.exe (command line: C:\Windows\system32\Cabfjmkc.exe), PID 5124

[119] C:\Windows\SysWOW64\Chlngg32.exe (command line: C:\Windows\system32\Chlngg32.exe), PID 5196

[120] C:\Windows\SysWOW64\Cjkjcb32.exe (command line: C:\Windows\system32\Cjkjcb32.exe), PID 5244
- Adds autorun key to be loaded by Explorer.exe on startup

[121] C:\Windows\SysWOW64\Caebpm32.exe (command line: C:\Windows\system32\Caebpm32.exe), PID 5324

[122] C:\Windows\SysWOW64\Cdcolh32.exe (command line: C:\Windows\system32\Cdcolh32.exe), PID 5396