Analysis
-
max time kernel
62s -
max time network
18s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
16-12-2024 22:54
Behavioral task
behavioral1
Sample
60d2ce40058dc82a69e4fe8f7f3e62551129dc1cde70eef11444580d91c368adN.exe
Resource
win7-20241010-en
windows7-x64
12 signatures
120 seconds
General
-
Target
60d2ce40058dc82a69e4fe8f7f3e62551129dc1cde70eef11444580d91c368adN.exe
-
Size
93KB
-
MD5
3cd36430ac46c70d1622a2cfef056bd0
-
SHA1
6d07dc33f36211f5424209144fe52ce6b5b4e4cd
-
SHA256
60d2ce40058dc82a69e4fe8f7f3e62551129dc1cde70eef11444580d91c368ad
-
SHA512
b8d13fa1f2ce9466981d74da2be4f09f85c2f802cbc4945804b6ed007b2665f3b12f72b3c402df173ca3256c4c0d2e383d5b3d06f061a688ca4290af7aad38b3
-
SSDEEP
1536:TPAXCaOcLKLG/50E7+xt4BBUprqp/oQ+/81K1DaYfMZRWuLsV+1T:9aHX0E7+3prjb/sKgYfc0DV+1T
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aicfgn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnlnpd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhmpbc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dqddmd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdeoccgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jdidmf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pbblkaea.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ligfakaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Noagjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jclnnmic.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgbibb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpldcfmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mpnngi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdfgmnpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ihdmld32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkcmjpma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oqlfhjch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gfgdij32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lekcffem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fichqckn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hlhfmqge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ikgfdlcb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilmlfcel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dgqion32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngoleb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfpmog32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccnddg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lgiobadq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Keappgmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ncnlnaim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gjjafkpe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkhaooec.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkdbea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hhadgakg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ffghjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Icbkhnan.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkopndcb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lenffl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mgkbjb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cggcofkf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpkchm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkgbcofn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gjjafkpe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilgjhena.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgfiocfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Amjiln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Laackgka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nknnnoph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nifgekbm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emjjfb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fiedfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hbekojlp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iokhcodo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhalngad.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkhdnh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhdqma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kbeqjl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nifgekbm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oqlfhjch.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cenmfbml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Egihcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Geaofc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhalngad.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nljhhi32.exe -
Berbew family
-
Njrat family
-
Executes dropped EXE 64 IoCs
pid Process 2876 Coladm32.exe 2112 Dlpbna32.exe 2804 Dboglhna.exe 2696 Dqddmd32.exe 396 Dgqion32.exe 1524 Empomd32.exe 2528 Eqngcc32.exe 2608 Ekghcq32.exe 2180 Elieipej.exe 3060 Fpgnoo32.exe 2584 Fnmjpk32.exe 1508 Fmbgageq.exe 1312 Fjhdpk32.exe 2128 Gjjafkpe.exe 1436 Gmkjgfmf.exe 2348 Gfcopl32.exe 564 Gkedjo32.exe 1660 Gkhaooec.exe 1156 Hgoadp32.exe 1732 Hdbbnd32.exe 1288 Hdeoccgn.exe 3024 Hkogpn32.exe 1696 Hdgkicek.exe 1016 Hlbpme32.exe 2136 Hoalia32.exe 2952 Iaaekl32.exe 1604 Ilgjhena.exe 2800 Igcgnbim.exe 2840 Igeddb32.exe 2732 Jdidmf32.exe 2532 Jkcmjpma.exe 2424 Jgjmoace.exe 2844 Jinfli32.exe 2368 Jkopndcb.exe 2176 Kolhdbjh.exe 2228 Keiqlihp.exe 2860 Knaeeo32.exe 568 Kjhfjpdd.exe 520 Lpldcfmd.exe 1148 Lpoaheja.exe 696 Ligfakaa.exe 1652 Lenffl32.exe 1788 Lepclldc.exe 856 Mbdcepcm.exe 2432 Mhalngad.exe 808 Mokdja32.exe 2604 Meemgk32.exe 2272 Mgfiocfl.exe 2492 Mpnngi32.exe 1028 Mkdbea32.exe 2948 Manjaldo.exe 2920 Mgkbjb32.exe 2104 Mdoccg32.exe 2664 Nljhhi32.exe 2408 Ngoleb32.exe 896 Nphpng32.exe 2156 Naimepkp.exe 2444 Nakikpin.exe 2200 Nkdndeon.exe 3068 Nhhominh.exe 944 Noagjc32.exe 1440 Okhgod32.exe 2552 Occlcg32.exe 1540 Odcimipf.exe -
Loads dropped DLL 64 IoCs
pid Process 2880 60d2ce40058dc82a69e4fe8f7f3e62551129dc1cde70eef11444580d91c368adN.exe 2880 60d2ce40058dc82a69e4fe8f7f3e62551129dc1cde70eef11444580d91c368adN.exe 2876 Coladm32.exe 2876 Coladm32.exe 2112 Dlpbna32.exe 2112 Dlpbna32.exe 2804 Dboglhna.exe 2804 Dboglhna.exe 2696 Dqddmd32.exe 2696 Dqddmd32.exe 396 Dgqion32.exe 396 Dgqion32.exe 1524 Empomd32.exe 1524 Empomd32.exe 2528 Eqngcc32.exe 2528 Eqngcc32.exe 2608 Ekghcq32.exe 2608 Ekghcq32.exe 2180 Elieipej.exe 2180 Elieipej.exe 3060 Fpgnoo32.exe 3060 Fpgnoo32.exe 2584 Fnmjpk32.exe 2584 Fnmjpk32.exe 1508 Fmbgageq.exe 1508 Fmbgageq.exe 1312 Fjhdpk32.exe 1312 Fjhdpk32.exe 2128 Gjjafkpe.exe 2128 Gjjafkpe.exe 1436 Gmkjgfmf.exe 1436 Gmkjgfmf.exe 2348 Gfcopl32.exe 2348 Gfcopl32.exe 564 Gkedjo32.exe 564 Gkedjo32.exe 1660 Gkhaooec.exe 1660 Gkhaooec.exe 1156 Hgoadp32.exe 1156 Hgoadp32.exe 1732 Hdbbnd32.exe 1732 Hdbbnd32.exe 1288 Hdeoccgn.exe 1288 Hdeoccgn.exe 3024 Hkogpn32.exe 3024 Hkogpn32.exe 1696 Hdgkicek.exe 1696 Hdgkicek.exe 1016 Hlbpme32.exe 1016 Hlbpme32.exe 2136 Hoalia32.exe 2136 Hoalia32.exe 2952 Iaaekl32.exe 2952 Iaaekl32.exe 1604 Ilgjhena.exe 1604 Ilgjhena.exe 2800 Igcgnbim.exe 2800 Igcgnbim.exe 2840 Igeddb32.exe 2840 Igeddb32.exe 2732 Jdidmf32.exe 2732 Jdidmf32.exe 2532 Jkcmjpma.exe 2532 Jkcmjpma.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Kjcedj32.exe Jnlepioj.exe File opened for modification C:\Windows\SysWOW64\Mjlejl32.exe Ljjhdm32.exe File created C:\Windows\SysWOW64\Hkbmil32.exe Hhdqma32.exe File opened for modification C:\Windows\SysWOW64\Qmcclolh.exe Qfikod32.exe File opened for modification C:\Windows\SysWOW64\Bhjpnj32.exe Aicfgn32.exe File opened for modification C:\Windows\SysWOW64\Ehclbpic.exe Ebicee32.exe File created C:\Windows\SysWOW64\Kikokf32.exe Kfjfik32.exe File created C:\Windows\SysWOW64\Ahmjfimi.dll Ncnlnaim.exe File created C:\Windows\SysWOW64\Igeddb32.exe Igcgnbim.exe File created C:\Windows\SysWOW64\Pnimpcke.exe Pildgl32.exe File opened for modification C:\Windows\SysWOW64\Amjiln32.exe Apfici32.exe File created C:\Windows\SysWOW64\Bhjpnj32.exe Aicfgn32.exe File created C:\Windows\SysWOW64\Ckiiiine.exe Capdpcge.exe File created C:\Windows\SysWOW64\Jaamhjgm.dll Kfjfik32.exe File created C:\Windows\SysWOW64\Dclcqbcj.dll Noagjc32.exe File created C:\Windows\SysWOW64\Joekimld.exe Jbakpi32.exe File created C:\Windows\SysWOW64\Kjhhabcc.dll Ljcbcngi.exe File created C:\Windows\SysWOW64\Lekcffem.exe Lggbmbfc.exe File created C:\Windows\SysWOW64\Fcphaglh.dll Dlpbna32.exe File opened for modification C:\Windows\SysWOW64\Bgdfjfmi.exe Biqfpb32.exe File created C:\Windows\SysWOW64\Hjgdaoen.dll Gpoibp32.exe File created C:\Windows\SysWOW64\Holldk32.exe Hhadgakg.exe File opened for modification C:\Windows\SysWOW64\Ipfkabpg.exe Icbkhnan.exe File opened for modification C:\Windows\SysWOW64\Nifgekbm.exe Ncjbba32.exe File created C:\Windows\SysWOW64\Gkhaooec.exe Gkedjo32.exe File created C:\Windows\SysWOW64\Gkedjo32.exe Gfcopl32.exe File created C:\Windows\SysWOW64\Amjiln32.exe Apfici32.exe File created C:\Windows\SysWOW64\Kdgfnh32.dll Afbnec32.exe File opened for modification C:\Windows\SysWOW64\Iokhcodo.exe Ilmlfcel.exe File created C:\Windows\SysWOW64\Mqpfnk32.dll Pajeanhf.exe File opened for modification C:\Windows\SysWOW64\Aicfgn32.exe Apkbnibq.exe File created C:\Windows\SysWOW64\Hfggne32.dll Fpkchm32.exe File opened for modification C:\Windows\SysWOW64\Gpoibp32.exe Gmamfddp.exe File opened for modification C:\Windows\SysWOW64\Mgkbjb32.exe Manjaldo.exe File created C:\Windows\SysWOW64\Hgoadp32.exe Gkhaooec.exe File opened for modification C:\Windows\SysWOW64\Keiqlihp.exe Kolhdbjh.exe File created C:\Windows\SysWOW64\Nhhominh.exe Nkdndeon.exe File created C:\Windows\SysWOW64\Nhjpkq32.dll Qmcclolh.exe File opened for modification C:\Windows\SysWOW64\Lekcffem.exe Lggbmbfc.exe File created C:\Windows\SysWOW64\Lffojn32.dll Lekcffem.exe File created C:\Windows\SysWOW64\Opblgehg.exe Ncnlnaim.exe File opened for modification C:\Windows\SysWOW64\Gfcopl32.exe Gmkjgfmf.exe File created C:\Windows\SysWOW64\Clhecl32.exe Cenmfbml.exe File created C:\Windows\SysWOW64\Caenkc32.exe Clhecl32.exe File created C:\Windows\SysWOW64\Cgdciiod.exe Cdfgmnpa.exe File created C:\Windows\SysWOW64\Gbnenk32.exe Gpoibp32.exe File created C:\Windows\SysWOW64\Afbnec32.exe Amjiln32.exe File created C:\Windows\SysWOW64\Fpkchm32.exe Fgpock32.exe File created C:\Windows\SysWOW64\Icbkhnan.exe Inebpgbf.exe File opened for modification C:\Windows\SysWOW64\Mgfiocfl.exe Meemgk32.exe File created C:\Windows\SysWOW64\Qmepanje.exe Qfkgdd32.exe File created C:\Windows\SysWOW64\Hmecge32.dll Apkbnibq.exe File created C:\Windows\SysWOW64\Eacehe32.dll Joekimld.exe File created C:\Windows\SysWOW64\Jdfipdll.dll Kikokf32.exe File created C:\Windows\SysWOW64\Hoalia32.exe Hlbpme32.exe File opened for modification C:\Windows\SysWOW64\Dqddmd32.exe Dboglhna.exe File created C:\Windows\SysWOW64\Ilgjhena.exe Iaaekl32.exe File created C:\Windows\SysWOW64\Cocgje32.dll Gmamfddp.exe File created C:\Windows\SysWOW64\Bafmhm32.dll Coladm32.exe File created C:\Windows\SysWOW64\Ccekdaeg.dll Cgdciiod.exe File created C:\Windows\SysWOW64\Gihnkejd.exe Gbnenk32.exe File created C:\Windows\SysWOW64\Ldcpnjhf.dll Gbnenk32.exe File created C:\Windows\SysWOW64\Hhadgakg.exe Hbekojlp.exe File created C:\Windows\SysWOW64\Biqfpb32.exe Bbfnchfb.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3284 3260 WerFault.exe 218 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbejjfek.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkhdnh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Capdpcge.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Caenkc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lenffl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngoleb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oqlfhjch.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdgkicek.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knaeeo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glfjgaih.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjlejl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pigklmqc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbfnchfb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdidmf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkdbea32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdoccg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfpmog32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccnddg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbniohpl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dqddmd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlbpme32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nknnnoph.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nifgekbm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbakpi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnlepioj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Geaofc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhdqma32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljjhdm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nphpng32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emjjfb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edjlgq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfgdij32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inebpgbf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlpbna32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afndjdpe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljcbcngi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aicfgn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fichqckn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogaeieoj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnlnpd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Holldk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icbkhnan.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Laackgka.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eqngcc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdbbnd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mokdja32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnimpcke.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blaobmkq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgpock32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbekojlp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncnlnaim.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hoalia32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgjmoace.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkgbcofn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jqhdfe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpoaheja.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdkaabnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjhfjpdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbpoebgc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igcgnbim.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igeddb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilmlfcel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbcgeilh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhmpbc32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcbonine.dll" Gjpddigo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nknnnoph.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ncnlnaim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Neikpfdc.dll" Manjaldo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kacclb32.dll" Bgdfjfmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohebjg32.dll" Edjlgq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ommbioja.dll" Ipabfcdm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mgkbjb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bgdfjfmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpefbfgo.dll" Ebicee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chobmj32.dll" Gjjafkpe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mgfiocfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjheobko.dll" Ebnmpemq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hehaja32.dll" Eqngcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhafjd32.dll" Iciaim32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jnlepioj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nphpng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Glfjgaih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Icbkhnan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccekdaeg.dll" Cgdciiod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jaamhjgm.dll" Kfjfik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hakhbifq.dll" Clhecl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fgpock32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hlhfmqge.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ilgjhena.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bmgifa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jchbfbij.dll" Capdpcge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lgiobadq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ncjbba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Elieipej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfqhifni.dll" Mpnngi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Occlcg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ccnddg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Edjlgq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kjcedj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhoedaep.dll" Ekghcq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Meemgk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bhjpnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ekghcq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mgfiocfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Befddlni.dll" Caenkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Okhgod32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Amjiln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Apkbnibq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cnlnpd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jkgbcofn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mkdbea32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Okhgod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qfikod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bibpbf32.dll" Geaofc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gkhaooec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lpoaheja.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bgdfjfmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncqodedk.dll" Dbejjfek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lgbibb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fijnabef.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hijjpeha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lenffl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlbpgjjo.dll" Nhhominh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qmcclolh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pigklmqc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjdfoo32.dll" Gjngoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fmbgageq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mbdcepcm.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2880 wrote to memory of 2876 2880 60d2ce40058dc82a69e4fe8f7f3e62551129dc1cde70eef11444580d91c368adN.exe 30 PID 2880 wrote to memory of 2876 2880 60d2ce40058dc82a69e4fe8f7f3e62551129dc1cde70eef11444580d91c368adN.exe 30 PID 2880 wrote to memory of 2876 2880 60d2ce40058dc82a69e4fe8f7f3e62551129dc1cde70eef11444580d91c368adN.exe 30 PID 2880 wrote to memory of 2876 2880 60d2ce40058dc82a69e4fe8f7f3e62551129dc1cde70eef11444580d91c368adN.exe 30 PID 2876 wrote to memory of 2112 2876 Coladm32.exe 31 PID 2876 wrote to memory of 2112 2876 Coladm32.exe 31 PID 2876 wrote to memory of 2112 2876 Coladm32.exe 31 PID 2876 wrote to memory of 2112 2876 Coladm32.exe 31 PID 2112 wrote to memory of 2804 2112 Dlpbna32.exe 32 PID 2112 wrote to memory of 2804 2112 Dlpbna32.exe 32 PID 2112 wrote to memory of 2804 2112 Dlpbna32.exe 32 PID 2112 wrote to memory of 2804 2112 Dlpbna32.exe 32 PID 2804 wrote to memory of 2696 2804 Dboglhna.exe 33 PID 2804 wrote to memory of 2696 2804 Dboglhna.exe 33 PID 2804 wrote to memory of 2696 2804 Dboglhna.exe 33 PID 2804 wrote to memory of 2696 2804 Dboglhna.exe 33 PID 2696 wrote to memory of 396 2696 Dqddmd32.exe 34 PID 2696 wrote to memory of 396 2696 Dqddmd32.exe 34 PID 2696 wrote to memory of 396 2696 Dqddmd32.exe 34 PID 2696 wrote to memory of 396 2696 Dqddmd32.exe 34 PID 396 wrote to memory of 1524 396 Dgqion32.exe 35 PID 396 wrote to memory of 1524 396 Dgqion32.exe 35 PID 396 wrote to memory of 1524 396 Dgqion32.exe 35 PID 396 wrote to memory of 1524 396 Dgqion32.exe 35 PID 1524 wrote to memory of 2528 1524 Empomd32.exe 36 PID 1524 wrote to memory of 2528 1524 Empomd32.exe 36 PID 1524 wrote to memory of 2528 1524 Empomd32.exe 36 PID 1524 wrote to memory of 2528 1524 Empomd32.exe 36 PID 2528 wrote to memory of 2608 2528 Eqngcc32.exe 37 PID 2528 wrote to memory of 2608 2528 Eqngcc32.exe 37 PID 2528 wrote to memory of 2608 2528 Eqngcc32.exe 37 PID 2528 wrote to memory of 2608 2528 Eqngcc32.exe 37 PID 2608 wrote to memory of 2180 2608 Ekghcq32.exe 38 PID 2608 wrote to memory of 2180 2608 Ekghcq32.exe 38 PID 2608 wrote to memory of 2180 2608 Ekghcq32.exe 38 PID 2608 wrote to memory of 2180 2608 Ekghcq32.exe 38 PID 2180 wrote to memory of 3060 2180 Elieipej.exe 39 PID 2180 wrote to memory of 3060 2180 Elieipej.exe 39 PID 2180 wrote to memory of 3060 2180 Elieipej.exe 39 PID 2180 wrote to memory of 3060 2180 Elieipej.exe 39 PID 3060 wrote to memory of 2584 3060 Fpgnoo32.exe 40 PID 3060 wrote to memory of 2584 3060 Fpgnoo32.exe 40 PID 3060 wrote to memory of 2584 3060 Fpgnoo32.exe 40 PID 3060 wrote to memory of 2584 3060 Fpgnoo32.exe 40 PID 2584 wrote to memory of 1508 2584 Fnmjpk32.exe 41 PID 2584 wrote to memory of 1508 2584 Fnmjpk32.exe 41 PID 2584 wrote to memory of 1508 2584 Fnmjpk32.exe 41 PID 2584 wrote to memory of 1508 2584 Fnmjpk32.exe 41 PID 1508 wrote to memory of 1312 1508 Fmbgageq.exe 42 PID 1508 wrote to memory of 1312 1508 Fmbgageq.exe 42 PID 1508 wrote to memory of 1312 1508 Fmbgageq.exe 42 PID 1508 wrote to memory of 1312 1508 Fmbgageq.exe 42 PID 1312 wrote to memory of 2128 1312 Fjhdpk32.exe 43 PID 1312 wrote to memory of 2128 1312 Fjhdpk32.exe 43 PID 1312 wrote to memory of 2128 1312 Fjhdpk32.exe 43 PID 1312 wrote to memory of 2128 1312 Fjhdpk32.exe 43 PID 2128 wrote to memory of 1436 2128 Gjjafkpe.exe 44 PID 2128 wrote to memory of 1436 2128 Gjjafkpe.exe 44 PID 2128 wrote to memory of 1436 2128 Gjjafkpe.exe 44 PID 2128 wrote to memory of 1436 2128 Gjjafkpe.exe 44 PID 1436 wrote to memory of 2348 1436 Gmkjgfmf.exe 45 PID 1436 wrote to memory of 2348 1436 Gmkjgfmf.exe 45 PID 1436 wrote to memory of 2348 1436 Gmkjgfmf.exe 45 PID 1436 wrote to memory of 2348 1436 Gmkjgfmf.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\60d2ce40058dc82a69e4fe8f7f3e62551129dc1cde70eef11444580d91c368adN.exe"C:\Users\Admin\AppData\Local\Temp\60d2ce40058dc82a69e4fe8f7f3e62551129dc1cde70eef11444580d91c368adN.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2880 -
C:\Windows\SysWOW64\Coladm32.exeC:\Windows\system32\Coladm32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2876 -
C:\Windows\SysWOW64\Dlpbna32.exeC:\Windows\system32\Dlpbna32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2112 -
C:\Windows\SysWOW64\Dboglhna.exeC:\Windows\system32\Dboglhna.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2804 -
C:\Windows\SysWOW64\Dqddmd32.exeC:\Windows\system32\Dqddmd32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2696 -
C:\Windows\SysWOW64\Dgqion32.exeC:\Windows\system32\Dgqion32.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:396 -
C:\Windows\SysWOW64\Empomd32.exeC:\Windows\system32\Empomd32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1524 -
C:\Windows\SysWOW64\Eqngcc32.exeC:\Windows\system32\Eqngcc32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2528 -
C:\Windows\SysWOW64\Ekghcq32.exeC:\Windows\system32\Ekghcq32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2608 -
C:\Windows\SysWOW64\Elieipej.exeC:\Windows\system32\Elieipej.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2180 -
C:\Windows\SysWOW64\Fpgnoo32.exeC:\Windows\system32\Fpgnoo32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3060 -
C:\Windows\SysWOW64\Fnmjpk32.exeC:\Windows\system32\Fnmjpk32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2584 -
C:\Windows\SysWOW64\Fmbgageq.exeC:\Windows\system32\Fmbgageq.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1508 -
C:\Windows\SysWOW64\Fjhdpk32.exeC:\Windows\system32\Fjhdpk32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1312 -
C:\Windows\SysWOW64\Gjjafkpe.exeC:\Windows\system32\Gjjafkpe.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2128 -
C:\Windows\SysWOW64\Gmkjgfmf.exeC:\Windows\system32\Gmkjgfmf.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1436 -
C:\Windows\SysWOW64\Gfcopl32.exeC:\Windows\system32\Gfcopl32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2348 -
C:\Windows\SysWOW64\Gkedjo32.exeC:\Windows\system32\Gkedjo32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:564 -
C:\Windows\SysWOW64\Gkhaooec.exeC:\Windows\system32\Gkhaooec.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1660 -
C:\Windows\SysWOW64\Hgoadp32.exeC:\Windows\system32\Hgoadp32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1156 -
C:\Windows\SysWOW64\Hdbbnd32.exeC:\Windows\system32\Hdbbnd32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1732 -
C:\Windows\SysWOW64\Hdeoccgn.exeC:\Windows\system32\Hdeoccgn.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1288 -
C:\Windows\SysWOW64\Hkogpn32.exeC:\Windows\system32\Hkogpn32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3024 -
C:\Windows\SysWOW64\Hdgkicek.exeC:\Windows\system32\Hdgkicek.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1696 -
C:\Windows\SysWOW64\Hlbpme32.exeC:\Windows\system32\Hlbpme32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1016 -
C:\Windows\SysWOW64\Hoalia32.exeC:\Windows\system32\Hoalia32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2136 -
C:\Windows\SysWOW64\Iaaekl32.exeC:\Windows\system32\Iaaekl32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2952 -
C:\Windows\SysWOW64\Ilgjhena.exeC:\Windows\system32\Ilgjhena.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1604 -
C:\Windows\SysWOW64\Igcgnbim.exeC:\Windows\system32\Igcgnbim.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2800 -
C:\Windows\SysWOW64\Igeddb32.exeC:\Windows\system32\Igeddb32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2840 -
C:\Windows\SysWOW64\Jdidmf32.exeC:\Windows\system32\Jdidmf32.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2732 -
C:\Windows\SysWOW64\Jkcmjpma.exeC:\Windows\system32\Jkcmjpma.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2532 -
C:\Windows\SysWOW64\Jgjmoace.exeC:\Windows\system32\Jgjmoace.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2424 -
C:\Windows\SysWOW64\Jinfli32.exeC:\Windows\system32\Jinfli32.exe34⤵
- Executes dropped EXE
PID:2844 -
C:\Windows\SysWOW64\Jkopndcb.exeC:\Windows\system32\Jkopndcb.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2368 -
C:\Windows\SysWOW64\Kolhdbjh.exeC:\Windows\system32\Kolhdbjh.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2176 -
C:\Windows\SysWOW64\Keiqlihp.exeC:\Windows\system32\Keiqlihp.exe37⤵
- Executes dropped EXE
PID:2228 -
C:\Windows\SysWOW64\Knaeeo32.exeC:\Windows\system32\Knaeeo32.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2860 -
C:\Windows\SysWOW64\Kjhfjpdd.exeC:\Windows\system32\Kjhfjpdd.exe39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:568 -
C:\Windows\SysWOW64\Lpldcfmd.exeC:\Windows\system32\Lpldcfmd.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:520 -
C:\Windows\SysWOW64\Lpoaheja.exeC:\Windows\system32\Lpoaheja.exe41⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1148 -
C:\Windows\SysWOW64\Ligfakaa.exeC:\Windows\system32\Ligfakaa.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:696 -
C:\Windows\SysWOW64\Lenffl32.exeC:\Windows\system32\Lenffl32.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1652 -
C:\Windows\SysWOW64\Lepclldc.exeC:\Windows\system32\Lepclldc.exe44⤵
- Executes dropped EXE
PID:1788 -
C:\Windows\SysWOW64\Mbdcepcm.exeC:\Windows\system32\Mbdcepcm.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:856 -
C:\Windows\SysWOW64\Mhalngad.exeC:\Windows\system32\Mhalngad.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2432 -
C:\Windows\SysWOW64\Mokdja32.exeC:\Windows\system32\Mokdja32.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:808 -
C:\Windows\SysWOW64\Meemgk32.exeC:\Windows\system32\Meemgk32.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2604 -
C:\Windows\SysWOW64\Mgfiocfl.exeC:\Windows\system32\Mgfiocfl.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2272 -
C:\Windows\SysWOW64\Mpnngi32.exeC:\Windows\system32\Mpnngi32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2492 -
C:\Windows\SysWOW64\Mkdbea32.exeC:\Windows\system32\Mkdbea32.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1028 -
C:\Windows\SysWOW64\Manjaldo.exeC:\Windows\system32\Manjaldo.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2948 -
C:\Windows\SysWOW64\Mgkbjb32.exeC:\Windows\system32\Mgkbjb32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2920 -
C:\Windows\SysWOW64\Mdoccg32.exeC:\Windows\system32\Mdoccg32.exe54⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2104 -
C:\Windows\SysWOW64\Nljhhi32.exeC:\Windows\system32\Nljhhi32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2664 -
C:\Windows\SysWOW64\Ngoleb32.exeC:\Windows\system32\Ngoleb32.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2408 -
C:\Windows\SysWOW64\Nphpng32.exeC:\Windows\system32\Nphpng32.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:896 -
C:\Windows\SysWOW64\Naimepkp.exeC:\Windows\system32\Naimepkp.exe58⤵
- Executes dropped EXE
PID:2156 -
C:\Windows\SysWOW64\Nakikpin.exeC:\Windows\system32\Nakikpin.exe59⤵
- Executes dropped EXE
PID:2444 -
C:\Windows\SysWOW64\Nkdndeon.exeC:\Windows\system32\Nkdndeon.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2200 -
C:\Windows\SysWOW64\Nhhominh.exeC:\Windows\system32\Nhhominh.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:3068 -
C:\Windows\SysWOW64\Noagjc32.exeC:\Windows\system32\Noagjc32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:944 -
C:\Windows\SysWOW64\Okhgod32.exeC:\Windows\system32\Okhgod32.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:1440 -
C:\Windows\SysWOW64\Occlcg32.exeC:\Windows\system32\Occlcg32.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:2552 -
C:\Windows\SysWOW64\Odcimipf.exeC:\Windows\system32\Odcimipf.exe65⤵
- Executes dropped EXE
PID:1540 -
C:\Windows\SysWOW64\Ogaeieoj.exeC:\Windows\system32\Ogaeieoj.exe66⤵
- System Location Discovery: System Language Discovery
PID:1088 -
C:\Windows\SysWOW64\Ochenfdn.exeC:\Windows\system32\Ochenfdn.exe67⤵PID:2660
-
C:\Windows\SysWOW64\Oqlfhjch.exeC:\Windows\system32\Oqlfhjch.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1388 -
C:\Windows\SysWOW64\Pigklmqc.exeC:\Windows\system32\Pigklmqc.exe69⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2276 -
C:\Windows\SysWOW64\Pbpoebgc.exeC:\Windows\system32\Pbpoebgc.exe70⤵
- System Location Discovery: System Language Discovery
PID:884 -
C:\Windows\SysWOW64\Pkhdnh32.exeC:\Windows\system32\Pkhdnh32.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1988 -
C:\Windows\SysWOW64\Pbblkaea.exeC:\Windows\system32\Pbblkaea.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:788 -
C:\Windows\SysWOW64\Pildgl32.exeC:\Windows\system32\Pildgl32.exe73⤵
- Drops file in System32 directory
PID:2828 -
C:\Windows\SysWOW64\Pnimpcke.exeC:\Windows\system32\Pnimpcke.exe74⤵
- System Location Discovery: System Language Discovery
PID:2684 -
C:\Windows\SysWOW64\Pkmmigjo.exeC:\Windows\system32\Pkmmigjo.exe75⤵PID:1276
-
C:\Windows\SysWOW64\Pajeanhf.exeC:\Windows\system32\Pajeanhf.exe76⤵
- Drops file in System32 directory
PID:1800 -
C:\Windows\SysWOW64\Pnnfkb32.exeC:\Windows\system32\Pnnfkb32.exe77⤵PID:2164
-
C:\Windows\SysWOW64\Palbgn32.exeC:\Windows\system32\Palbgn32.exe78⤵PID:2704
-
C:\Windows\SysWOW64\Qfikod32.exeC:\Windows\system32\Qfikod32.exe79⤵
- Drops file in System32 directory
- Modifies registry class
PID:1256 -
C:\Windows\SysWOW64\Qmcclolh.exeC:\Windows\system32\Qmcclolh.exe80⤵
- Drops file in System32 directory
- Modifies registry class
PID:3032 -
C:\Windows\SysWOW64\Qfkgdd32.exeC:\Windows\system32\Qfkgdd32.exe81⤵
- Drops file in System32 directory
PID:2380 -
C:\Windows\SysWOW64\Qmepanje.exeC:\Windows\system32\Qmepanje.exe82⤵PID:2056
-
C:\Windows\SysWOW64\Afndjdpe.exeC:\Windows\system32\Afndjdpe.exe83⤵
- System Location Discovery: System Language Discovery
PID:980 -
C:\Windows\SysWOW64\Apfici32.exeC:\Windows\system32\Apfici32.exe84⤵
- Drops file in System32 directory
PID:2620 -
C:\Windows\SysWOW64\Amjiln32.exeC:\Windows\system32\Amjiln32.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1728 -
C:\Windows\SysWOW64\Afbnec32.exeC:\Windows\system32\Afbnec32.exe86⤵
- Drops file in System32 directory
PID:900 -
C:\Windows\SysWOW64\Aiqjao32.exeC:\Windows\system32\Aiqjao32.exe87⤵PID:108
-
C:\Windows\SysWOW64\Apkbnibq.exeC:\Windows\system32\Apkbnibq.exe88⤵
- Drops file in System32 directory
- Modifies registry class
PID:1612 -
C:\Windows\SysWOW64\Aicfgn32.exeC:\Windows\system32\Aicfgn32.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2224 -
C:\Windows\SysWOW64\Bhjpnj32.exeC:\Windows\system32\Bhjpnj32.exe90⤵
- Modifies registry class
PID:2788 -
C:\Windows\SysWOW64\Bmgifa32.exeC:\Windows\system32\Bmgifa32.exe91⤵
- Modifies registry class
PID:1856 -
C:\Windows\SysWOW64\Bfpmog32.exeC:\Windows\system32\Bfpmog32.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1816 -
C:\Windows\SysWOW64\Bbfnchfb.exeC:\Windows\system32\Bbfnchfb.exe93⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1304 -
C:\Windows\SysWOW64\Biqfpb32.exeC:\Windows\system32\Biqfpb32.exe94⤵
- Drops file in System32 directory
PID:2300 -
C:\Windows\SysWOW64\Bgdfjfmi.exeC:\Windows\system32\Bgdfjfmi.exe95⤵
- Modifies registry class
PID:3040 -
C:\Windows\SysWOW64\Blaobmkq.exeC:\Windows\system32\Blaobmkq.exe96⤵
- System Location Discovery: System Language Discovery
PID:748 -
C:\Windows\SysWOW64\Cggcofkf.exeC:\Windows\system32\Cggcofkf.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1376 -
C:\Windows\SysWOW64\Chhpgn32.exeC:\Windows\system32\Chhpgn32.exe98⤵PID:912
-
C:\Windows\SysWOW64\Ccnddg32.exeC:\Windows\system32\Ccnddg32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2008 -
C:\Windows\SysWOW64\Capdpcge.exeC:\Windows\system32\Capdpcge.exe100⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2244 -
C:\Windows\SysWOW64\Ckiiiine.exeC:\Windows\system32\Ckiiiine.exe101⤵PID:2484
-
C:\Windows\SysWOW64\Cenmfbml.exeC:\Windows\system32\Cenmfbml.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1948 -
C:\Windows\SysWOW64\Clhecl32.exeC:\Windows\system32\Clhecl32.exe103⤵
- Drops file in System32 directory
- Modifies registry class
PID:1484 -
C:\Windows\SysWOW64\Caenkc32.exeC:\Windows\system32\Caenkc32.exe104⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2688 -
C:\Windows\SysWOW64\Cgbfcjag.exeC:\Windows\system32\Cgbfcjag.exe105⤵PID:580
-
C:\Windows\SysWOW64\Cnlnpd32.exeC:\Windows\system32\Cnlnpd32.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2536 -
C:\Windows\SysWOW64\Cdfgmnpa.exeC:\Windows\system32\Cdfgmnpa.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2232 -
C:\Windows\SysWOW64\Cgdciiod.exeC:\Windows\system32\Cgdciiod.exe108⤵
- Drops file in System32 directory
- Modifies registry class
PID:2980 -
C:\Windows\SysWOW64\Djjeedhp.exeC:\Windows\system32\Djjeedhp.exe109⤵PID:2032
-
C:\Windows\SysWOW64\Dbejjfek.exeC:\Windows\system32\Dbejjfek.exe110⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2576 -
C:\Windows\SysWOW64\Ebicee32.exeC:\Windows\system32\Ebicee32.exe111⤵
- Drops file in System32 directory
- Modifies registry class
PID:2616 -
C:\Windows\SysWOW64\Ehclbpic.exeC:\Windows\system32\Ehclbpic.exe112⤵PID:1264
-
C:\Windows\SysWOW64\Edjlgq32.exeC:\Windows\system32\Edjlgq32.exe113⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1496 -
C:\Windows\SysWOW64\Egihcl32.exeC:\Windows\system32\Egihcl32.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1936 -
C:\Windows\SysWOW64\Ebnmpemq.exeC:\Windows\system32\Ebnmpemq.exe115⤵
- Modifies registry class
PID:2956 -
C:\Windows\SysWOW64\Ecoihm32.exeC:\Windows\system32\Ecoihm32.exe116⤵PID:3036
-
C:\Windows\SysWOW64\Eqcjaa32.exeC:\Windows\system32\Eqcjaa32.exe117⤵PID:2152
-
C:\Windows\SysWOW64\Emjjfb32.exeC:\Windows\system32\Emjjfb32.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2472 -
C:\Windows\SysWOW64\Fgpock32.exeC:\Windows\system32\Fgpock32.exe119⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2312 -
C:\Windows\SysWOW64\Fpkchm32.exeC:\Windows\system32\Fpkchm32.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2548 -
C:\Windows\SysWOW64\Fichqckn.exeC:\Windows\system32\Fichqckn.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2076
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-