Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
23-12-2024 03:31
Behavioral task
behavioral1
Sample
d57032bc9b417079d23eb9e40d7d751824d676bd5f03c9e041f0e8c7db78e25e.exe
Resource
win7-20240903-en
windows7-x64
9 signatures
150 seconds
Behavioral task
behavioral2
Sample
d57032bc9b417079d23eb9e40d7d751824d676bd5f03c9e041f0e8c7db78e25e.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
d57032bc9b417079d23eb9e40d7d751824d676bd5f03c9e041f0e8c7db78e25e.exe
-
Size
384KB
-
MD5
0d1bf82523176c9c4c1cfbdda83c35ba
-
SHA1
201bb2e355f6a4a59a4f2a31e62f4967af183ac0
-
SHA256
d57032bc9b417079d23eb9e40d7d751824d676bd5f03c9e041f0e8c7db78e25e
-
SHA512
5c864c3ef8aa33a3f0faf50763011bba43226eb9e85426cf67885e1ce6adf33fef316695e2f65f3bf191c78722b5c4abd40ea2a2f584f3e739aba96ac38089e8
-
SSDEEP
3072:Ul59HeLP8L8DiYouSrYBVI6h+pVAURfE+HAokWmvEie0RFz3yE2ZwVh16Mz7GFDV:Ul5leLlI6hcRs+HLlD0rN2ZwVht740Ps
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eqdpgk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jqofippg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mfqlfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Maoifh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ahippdbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljpaqmgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bgmnooom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nmedmj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phkaqqoi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kflide32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aajhndkb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apaadpng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdlhgpag.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijhhenhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjqdafmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Edbiniff.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipdndloi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckdkhq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klddlckd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Philfgdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pfbfjk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opjgidfa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkgeainn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljpaqmgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gnjhhpgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mjkiephp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmpkakak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dflfac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eblimcdf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhegig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pfepdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cnnllhpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dpkehi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjnndime.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Limpiomm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lplaaiqd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekgqennl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jhoeef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lkqgno32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hqmggi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ghcbohpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ioppho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qhddgofo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajohfcpj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glabolja.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdcmnfop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chnbbqpn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Maaekg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ibcaknbi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgflcifg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndhgie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Emjgim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Geohklaa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcfkpjng.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egpgehnb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gldglf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jlfhke32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llkjmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Okcogc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bpfcelml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dngobghg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emoadlfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Flkdfh32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 4084 Aolblopj.exe 4540 Akccap32.exe 4796 Albpkc32.exe 3600 Ahippdbe.exe 4256 Bhkmec32.exe 3096 Bepmoh32.exe 1224 Bohbhmfm.exe 2524 Bafndi32.exe 4944 Bedgjgkg.exe 2804 Bhbcfbjk.exe 3480 Bdickcpo.exe 3088 Blqllqqa.exe 4512 Coohhlpe.exe 4280 Camddhoi.exe 4604 Cfipef32.exe 2156 Clchbqoo.exe 4372 Ckeimm32.exe 3780 Cndeii32.exe 2108 Cfkmkf32.exe 4988 Cdnmfclj.exe 2268 Cleegp32.exe 4348 Ckhecmcf.exe 216 Cocacl32.exe 1412 Cbbnpg32.exe 968 Cfnjpfcl.exe 1180 Chlflabp.exe 4976 Clgbmp32.exe 2416 Ckjbhmad.exe 2276 Cnindhpg.exe 2836 Cfpffeaj.exe 2192 Cdbfab32.exe 1512 Chnbbqpn.exe 1520 Ckmonl32.exe 1604 Cohkokgj.exe 2856 Cnkkjh32.exe 4328 Cfbcke32.exe 4356 Cdecgbfa.exe 3976 Dmlkhofd.exe 4100 Dkokcl32.exe 2140 Dokgdkeh.exe 3812 Dbicpfdk.exe 3016 Dfdpad32.exe 3568 Dhclmp32.exe 1396 Dmohno32.exe 3168 Dkahilkl.exe 4104 Dnpdegjp.exe 2224 Dbkqfe32.exe 1204 Ddjmba32.exe 1952 Dheibpje.exe 4428 Dkceokii.exe 2776 Dnbakghm.exe 4236 Dbnmke32.exe 3156 Ddligq32.exe 4340 Digehphc.exe 372 Dkfadkgf.exe 1000 Doaneiop.exe 868 Dbpjaeoc.exe 4936 Dflfac32.exe 1608 Dijbno32.exe 624 Dkhnjk32.exe 4664 Dodjjimm.exe 4432 Dbbffdlq.exe 3908 Deqcbpld.exe 2228 Eiloco32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Mgloefco.exe Modgdicm.exe File opened for modification C:\Windows\SysWOW64\Bfhofnpp.exe Apngjd32.exe File created C:\Windows\SysWOW64\Odmqgd32.dll Fgkfqgce.exe File created C:\Windows\SysWOW64\Opjgidfa.exe Oknnanhj.exe File opened for modification C:\Windows\SysWOW64\Hoeieolb.exe Hiipmhmk.exe File created C:\Windows\SysWOW64\Ghcfpl32.dll Njbgmjgl.exe File created C:\Windows\SysWOW64\Njjmni32.exe Nfldgk32.exe File created C:\Windows\SysWOW64\Mmhpkebp.dll Bppcpc32.exe File opened for modification C:\Windows\SysWOW64\Epeohn32.exe Eepkkefp.exe File opened for modification C:\Windows\SysWOW64\Oookgbpj.exe Okcogc32.exe File created C:\Windows\SysWOW64\Feifgnki.exe Fbjjkble.exe File opened for modification C:\Windows\SysWOW64\Ohkijc32.exe Nmedmj32.exe File opened for modification C:\Windows\SysWOW64\Eecphp32.exe Efpomccg.exe File created C:\Windows\SysWOW64\Qclmck32.exe Pblajhje.exe File created C:\Windows\SysWOW64\Dodfed32.dll Ejagaj32.exe File opened for modification C:\Windows\SysWOW64\Fgiaemic.exe Fcneeo32.exe File created C:\Windows\SysWOW64\Blgddd32.exe Bihhhi32.exe File created C:\Windows\SysWOW64\Cmonod32.dll Dmnpfd32.exe File opened for modification C:\Windows\SysWOW64\Igqbiacj.exe Iqgjmg32.exe File created C:\Windows\SysWOW64\Deokja32.exe Cbqonf32.exe File created C:\Windows\SysWOW64\Ljnlecmp.exe Loighj32.exe File created C:\Windows\SysWOW64\Mkfefigf.dll Qmeigg32.exe File created C:\Windows\SysWOW64\Ppgomnai.exe Pbcncibp.exe File opened for modification C:\Windows\SysWOW64\Phbolflm.exe Pfdbpjmi.exe File created C:\Windows\SysWOW64\Mdlgmgdh.exe Mhefhf32.exe File created C:\Windows\SysWOW64\Nmedmj32.exe Nkghqo32.exe File created C:\Windows\SysWOW64\Fgjimp32.dll Pmpolgoi.exe File created C:\Windows\SysWOW64\Eqlfhjig.exe Eqiibjlj.exe File created C:\Windows\SysWOW64\Nohjfifo.dll Pcgdhkem.exe File opened for modification C:\Windows\SysWOW64\Bgkaip32.exe Bfieagka.exe File opened for modification C:\Windows\SysWOW64\Fbhnec32.exe Ehbihj32.exe File created C:\Windows\SysWOW64\Kgngqico.exe Kmhccpci.exe File created C:\Windows\SysWOW64\Gdglhf32.dll Ngndaccj.exe File created C:\Windows\SysWOW64\Pmidfo32.dll Flhoinbl.exe File opened for modification C:\Windows\SysWOW64\Ogjpld32.exe Oookgbpj.exe File created C:\Windows\SysWOW64\Pikdooal.dll Chfaenfb.exe File opened for modification C:\Windows\SysWOW64\Mffjnc32.exe Lplaaiqd.exe File created C:\Windows\SysWOW64\Nfldgk32.exe Noblkqca.exe File created C:\Windows\SysWOW64\Jhplpl32.exe Jbccge32.exe File created C:\Windows\SysWOW64\Ckdkhq32.exe Ccmcgcmp.exe File opened for modification C:\Windows\SysWOW64\Dggkipii.exe Dcibca32.exe File created C:\Windows\SysWOW64\Jbbmmo32.exe Jogqlpde.exe File created C:\Windows\SysWOW64\Fnammclg.dll Ijhhenhf.exe File opened for modification C:\Windows\SysWOW64\Inkjfk32.exe Igqbiacj.exe File created C:\Windows\SysWOW64\Epehoppk.dll Bpaikm32.exe File created C:\Windows\SysWOW64\Hfaajnfb.exe Gojiiafp.exe File opened for modification C:\Windows\SysWOW64\Hcdfho32.exe Hljnkdnk.exe File created C:\Windows\SysWOW64\Fdpnbald.dll Oileakbj.exe File created C:\Windows\SysWOW64\Qidimpef.dll Anhcpeon.exe File created C:\Windows\SysWOW64\Dbdano32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Dpnbmi32.exe Didjqoae.exe File created C:\Windows\SysWOW64\Eblimcdf.exe Epmmqheb.exe File created C:\Windows\SysWOW64\Ifolcq32.dll Mjjkaabc.exe File opened for modification C:\Windows\SysWOW64\Qpcecb32.exe Qaqegecm.exe File created C:\Windows\SysWOW64\Cnggkf32.dll Eqiibjlj.exe File created C:\Windows\SysWOW64\Cogcho32.dll Pfppoa32.exe File created C:\Windows\SysWOW64\Idmafn32.dll Lkbmih32.exe File created C:\Windows\SysWOW64\Lcgmnddm.dll Moglpedd.exe File created C:\Windows\SysWOW64\Iogkekkb.dll Cfnjpfcl.exe File created C:\Windows\SysWOW64\Ignnjk32.exe Ifnbph32.exe File created C:\Windows\SysWOW64\Jknbhdmb.dll Nkdlkope.exe File opened for modification C:\Windows\SysWOW64\Nglcjfie.exe Nejgbn32.exe File created C:\Windows\SysWOW64\Pblcieig.dll Gmfkjl32.exe File created C:\Windows\SysWOW64\Qhjgfkpf.dll Hqmggi32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 10656 10740 Process not Found 1133 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flhoinbl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkahilkl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmijnfgd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhhjhlqm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfniikha.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffqhcq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocaebc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efeihb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cemeoh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bflagg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Didjqoae.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdnmfclj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efblbbqd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgmdec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilfodgeg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abjfqpji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkbmih32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnhacn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gohapb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhehkepj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmohno32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbpjaeoc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hoeieolb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocknbglo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdogjk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kaioidkh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jenmcggo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eecphp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qaqegecm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnnccl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bpdfpmoo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmlkhofd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfeoijbi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agcdnjcl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mafofggd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfgjbb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpaqqdjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbocfo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkmjaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkdqdokk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eoekde32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eiijfd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpandm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijhhenhf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldhdlnli.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hladlc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlpfhe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aimhmkgn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gomkkagl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jinboekc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpoiho32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfnpca32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohdbkh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbbffdlq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcneeo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbbmmo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncaklhdi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckidcpjl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhnichde.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnboma32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Momcpa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pokanf32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Opjgidfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cejjdlap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dflfac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fbjena32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kegpifod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lnangaoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ddqbbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hbihjifh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ihbponja.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fggdpnkf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Peempn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fhgccijm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lfcmhc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kffonkgk.dll" Kckqbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mfqlfb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bhblllfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpclaedf.dll" Hgapmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fldqdebb.dll" Qkfkng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdebopdl.dll" Akpoaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mneoha32.dll" Jhplpl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ffqhcq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cepjip32.dll" Dpkmal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjfaml32.dll" Maoifh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pklamb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pfdbpjmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eifffoob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cocopa32.dll" Eppjfgcp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qfmmplad.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eomffaag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkpdnm32.dll" Peempn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gnoacp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Loemnnhe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fogpoiia.dll" Lhdggb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cffkhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Efeihb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpdjljdk.dll" Lckiihok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Apodoq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Joqafgni.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Icfmci32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lgjglg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bbkeacqo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajjicg32.dll" Dpkehi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jongga32.dll" Gidnkkpc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nglhld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmijpchc.dll" Amnlme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mhkgnkoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ceehcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdglhf32.dll" Ngndaccj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Loofnccf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gccebdmn.dll" Ielfgmnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmpjmf32.dll" Gcimfg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pecpko32.dll" Bgjjoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpecpo32.dll" Kpnjah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bdeiqgkj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Odljjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdnofdgl.dll" Fneoma32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Akgjnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbfndd32.dll" Odgqopeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kblfejda.dll" Oajccgmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdlgkm32.dll" Pnlcdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fneggdhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gojiiafp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igkilc32.dll" Noblkqca.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3916 wrote to memory of 4084 3916 d57032bc9b417079d23eb9e40d7d751824d676bd5f03c9e041f0e8c7db78e25e.exe 83 PID 3916 wrote to memory of 4084 3916 d57032bc9b417079d23eb9e40d7d751824d676bd5f03c9e041f0e8c7db78e25e.exe 83 PID 3916 wrote to memory of 4084 3916 d57032bc9b417079d23eb9e40d7d751824d676bd5f03c9e041f0e8c7db78e25e.exe 83 PID 4084 wrote to memory of 4540 4084 Aolblopj.exe 84 PID 4084 wrote to memory of 4540 4084 Aolblopj.exe 84 PID 4084 wrote to memory of 4540 4084 Aolblopj.exe 84 PID 4540 wrote to memory of 4796 4540 Akccap32.exe 85 PID 4540 wrote to memory of 4796 4540 Akccap32.exe 85 PID 4540 wrote to memory of 4796 4540 Akccap32.exe 85 PID 4796 wrote to memory of 3600 4796 Albpkc32.exe 86 PID 4796 wrote to memory of 3600 4796 Albpkc32.exe 86 PID 4796 wrote to memory of 3600 4796 Albpkc32.exe 86 PID 3600 wrote to memory of 4256 3600 Ahippdbe.exe 87 PID 3600 wrote to memory of 4256 3600 Ahippdbe.exe 87 PID 3600 wrote to memory of 4256 3600 Ahippdbe.exe 87 PID 4256 wrote to memory of 3096 4256 Bhkmec32.exe 88 PID 4256 wrote to memory of 3096 4256 Bhkmec32.exe 88 PID 4256 wrote to memory of 3096 4256 Bhkmec32.exe 88 PID 3096 wrote to memory of 1224 3096 Bepmoh32.exe 89 PID 3096 wrote to memory of 1224 3096 Bepmoh32.exe 89 PID 3096 wrote to memory of 1224 3096 Bepmoh32.exe 89 PID 1224 wrote to memory of 2524 1224 Bohbhmfm.exe 90 PID 1224 wrote to memory of 2524 1224 Bohbhmfm.exe 90 PID 1224 wrote to memory of 2524 1224 Bohbhmfm.exe 90 PID 2524 wrote to memory of 4944 2524 Bafndi32.exe 91 PID 2524 wrote to memory of 4944 2524 Bafndi32.exe 91 PID 2524 wrote to memory of 4944 2524 Bafndi32.exe 91 PID 4944 wrote to memory of 2804 4944 Bedgjgkg.exe 92 PID 4944 wrote to memory of 2804 4944 Bedgjgkg.exe 92 PID 4944 wrote to memory of 2804 4944 Bedgjgkg.exe 92 PID 2804 wrote to memory of 3480 2804 Bhbcfbjk.exe 93 PID 2804 wrote to memory of 3480 2804 Bhbcfbjk.exe 93 PID 2804 wrote to memory of 3480 2804 Bhbcfbjk.exe 93 PID 3480 wrote to memory of 3088 3480 Bdickcpo.exe 94 PID 3480 wrote to memory of 3088 3480 Bdickcpo.exe 94 PID 3480 wrote to memory of 3088 3480 Bdickcpo.exe 94 PID 3088 wrote to memory of 4512 3088 Blqllqqa.exe 95 PID 3088 wrote to memory of 4512 3088 Blqllqqa.exe 95 PID 3088 wrote to memory of 4512 3088 Blqllqqa.exe 95 PID 4512 wrote to memory of 4280 4512 Coohhlpe.exe 96 PID 4512 wrote to memory of 4280 4512 Coohhlpe.exe 96 PID 4512 wrote to memory of 4280 4512 Coohhlpe.exe 96 PID 4280 wrote to memory of 4604 4280 Camddhoi.exe 97 PID 4280 wrote to memory of 4604 4280 Camddhoi.exe 97 PID 4280 wrote to memory of 4604 4280 Camddhoi.exe 97 PID 4604 wrote to memory of 2156 4604 Cfipef32.exe 98 PID 4604 wrote to memory of 2156 4604 Cfipef32.exe 98 PID 4604 wrote to memory of 2156 4604 Cfipef32.exe 98 PID 2156 wrote to memory of 4372 2156 Clchbqoo.exe 99 PID 2156 wrote to memory of 4372 2156 Clchbqoo.exe 99 PID 2156 wrote to memory of 4372 2156 Clchbqoo.exe 99 PID 4372 wrote to memory of 3780 4372 Ckeimm32.exe 100 PID 4372 wrote to memory of 3780 4372 Ckeimm32.exe 100 PID 4372 wrote to memory of 3780 4372 Ckeimm32.exe 100 PID 3780 wrote to memory of 2108 3780 Cndeii32.exe 101 PID 3780 wrote to memory of 2108 3780 Cndeii32.exe 101 PID 3780 wrote to memory of 2108 3780 Cndeii32.exe 101 PID 2108 wrote to memory of 4988 2108 Cfkmkf32.exe 102 PID 2108 wrote to memory of 4988 2108 Cfkmkf32.exe 102 PID 2108 wrote to memory of 4988 2108 Cfkmkf32.exe 102 PID 4988 wrote to memory of 2268 4988 Cdnmfclj.exe 103 PID 4988 wrote to memory of 2268 4988 Cdnmfclj.exe 103 PID 4988 wrote to memory of 2268 4988 Cdnmfclj.exe 103 PID 2268 wrote to memory of 4348 2268 Cleegp32.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\d57032bc9b417079d23eb9e40d7d751824d676bd5f03c9e041f0e8c7db78e25e.exe"C:\Users\Admin\AppData\Local\Temp\d57032bc9b417079d23eb9e40d7d751824d676bd5f03c9e041f0e8c7db78e25e.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:3916 -
C:\Windows\SysWOW64\Aolblopj.exeC:\Windows\system32\Aolblopj.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4084 -
C:\Windows\SysWOW64\Akccap32.exeC:\Windows\system32\Akccap32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4540 -
C:\Windows\SysWOW64\Albpkc32.exeC:\Windows\system32\Albpkc32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4796 -
C:\Windows\SysWOW64\Ahippdbe.exeC:\Windows\system32\Ahippdbe.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3600 -
C:\Windows\SysWOW64\Bhkmec32.exeC:\Windows\system32\Bhkmec32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4256 -
C:\Windows\SysWOW64\Bepmoh32.exeC:\Windows\system32\Bepmoh32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3096 -
C:\Windows\SysWOW64\Bohbhmfm.exeC:\Windows\system32\Bohbhmfm.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1224 -
C:\Windows\SysWOW64\Bafndi32.exeC:\Windows\system32\Bafndi32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2524 -
C:\Windows\SysWOW64\Bedgjgkg.exeC:\Windows\system32\Bedgjgkg.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4944 -
C:\Windows\SysWOW64\Bhbcfbjk.exeC:\Windows\system32\Bhbcfbjk.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2804 -
C:\Windows\SysWOW64\Bdickcpo.exeC:\Windows\system32\Bdickcpo.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3480 -
C:\Windows\SysWOW64\Blqllqqa.exeC:\Windows\system32\Blqllqqa.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3088 -
C:\Windows\SysWOW64\Coohhlpe.exeC:\Windows\system32\Coohhlpe.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4512 -
C:\Windows\SysWOW64\Camddhoi.exeC:\Windows\system32\Camddhoi.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4280 -
C:\Windows\SysWOW64\Cfipef32.exeC:\Windows\system32\Cfipef32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4604 -
C:\Windows\SysWOW64\Clchbqoo.exeC:\Windows\system32\Clchbqoo.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2156 -
C:\Windows\SysWOW64\Ckeimm32.exeC:\Windows\system32\Ckeimm32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4372 -
C:\Windows\SysWOW64\Cndeii32.exeC:\Windows\system32\Cndeii32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3780 -
C:\Windows\SysWOW64\Cfkmkf32.exeC:\Windows\system32\Cfkmkf32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2108 -
C:\Windows\SysWOW64\Cdnmfclj.exeC:\Windows\system32\Cdnmfclj.exe21⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4988 -
C:\Windows\SysWOW64\Cleegp32.exeC:\Windows\system32\Cleegp32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2268 -
C:\Windows\SysWOW64\Ckhecmcf.exeC:\Windows\system32\Ckhecmcf.exe23⤵
- Executes dropped EXE
PID:4348 -
C:\Windows\SysWOW64\Cocacl32.exeC:\Windows\system32\Cocacl32.exe24⤵
- Executes dropped EXE
PID:216 -
C:\Windows\SysWOW64\Cbbnpg32.exeC:\Windows\system32\Cbbnpg32.exe25⤵
- Executes dropped EXE
PID:1412 -
C:\Windows\SysWOW64\Cfnjpfcl.exeC:\Windows\system32\Cfnjpfcl.exe26⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:968 -
C:\Windows\SysWOW64\Chlflabp.exeC:\Windows\system32\Chlflabp.exe27⤵
- Executes dropped EXE
PID:1180 -
C:\Windows\SysWOW64\Clgbmp32.exeC:\Windows\system32\Clgbmp32.exe28⤵
- Executes dropped EXE
PID:4976 -
C:\Windows\SysWOW64\Ckjbhmad.exeC:\Windows\system32\Ckjbhmad.exe29⤵
- Executes dropped EXE
PID:2416 -
C:\Windows\SysWOW64\Cnindhpg.exeC:\Windows\system32\Cnindhpg.exe30⤵
- Executes dropped EXE
PID:2276 -
C:\Windows\SysWOW64\Cfpffeaj.exeC:\Windows\system32\Cfpffeaj.exe31⤵
- Executes dropped EXE
PID:2836 -
C:\Windows\SysWOW64\Cdbfab32.exeC:\Windows\system32\Cdbfab32.exe32⤵
- Executes dropped EXE
PID:2192 -
C:\Windows\SysWOW64\Chnbbqpn.exeC:\Windows\system32\Chnbbqpn.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1512 -
C:\Windows\SysWOW64\Ckmonl32.exeC:\Windows\system32\Ckmonl32.exe34⤵
- Executes dropped EXE
PID:1520 -
C:\Windows\SysWOW64\Cohkokgj.exeC:\Windows\system32\Cohkokgj.exe35⤵
- Executes dropped EXE
PID:1604 -
C:\Windows\SysWOW64\Cnkkjh32.exeC:\Windows\system32\Cnkkjh32.exe36⤵
- Executes dropped EXE
PID:2856 -
C:\Windows\SysWOW64\Cfbcke32.exeC:\Windows\system32\Cfbcke32.exe37⤵
- Executes dropped EXE
PID:4328 -
C:\Windows\SysWOW64\Cdecgbfa.exeC:\Windows\system32\Cdecgbfa.exe38⤵
- Executes dropped EXE
PID:4356 -
C:\Windows\SysWOW64\Dmlkhofd.exeC:\Windows\system32\Dmlkhofd.exe39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3976 -
C:\Windows\SysWOW64\Dkokcl32.exeC:\Windows\system32\Dkokcl32.exe40⤵
- Executes dropped EXE
PID:4100 -
C:\Windows\SysWOW64\Dokgdkeh.exeC:\Windows\system32\Dokgdkeh.exe41⤵
- Executes dropped EXE
PID:2140 -
C:\Windows\SysWOW64\Dbicpfdk.exeC:\Windows\system32\Dbicpfdk.exe42⤵
- Executes dropped EXE
PID:3812 -
C:\Windows\SysWOW64\Dfdpad32.exeC:\Windows\system32\Dfdpad32.exe43⤵
- Executes dropped EXE
PID:3016 -
C:\Windows\SysWOW64\Dhclmp32.exeC:\Windows\system32\Dhclmp32.exe44⤵
- Executes dropped EXE
PID:3568 -
C:\Windows\SysWOW64\Dmohno32.exeC:\Windows\system32\Dmohno32.exe45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1396 -
C:\Windows\SysWOW64\Dkahilkl.exeC:\Windows\system32\Dkahilkl.exe46⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3168 -
C:\Windows\SysWOW64\Dnpdegjp.exeC:\Windows\system32\Dnpdegjp.exe47⤵
- Executes dropped EXE
PID:4104 -
C:\Windows\SysWOW64\Dbkqfe32.exeC:\Windows\system32\Dbkqfe32.exe48⤵
- Executes dropped EXE
PID:2224 -
C:\Windows\SysWOW64\Ddjmba32.exeC:\Windows\system32\Ddjmba32.exe49⤵
- Executes dropped EXE
PID:1204 -
C:\Windows\SysWOW64\Dheibpje.exeC:\Windows\system32\Dheibpje.exe50⤵
- Executes dropped EXE
PID:1952 -
C:\Windows\SysWOW64\Dkceokii.exeC:\Windows\system32\Dkceokii.exe51⤵
- Executes dropped EXE
PID:4428 -
C:\Windows\SysWOW64\Dnbakghm.exeC:\Windows\system32\Dnbakghm.exe52⤵
- Executes dropped EXE
PID:2776 -
C:\Windows\SysWOW64\Dbnmke32.exeC:\Windows\system32\Dbnmke32.exe53⤵
- Executes dropped EXE
PID:4236 -
C:\Windows\SysWOW64\Ddligq32.exeC:\Windows\system32\Ddligq32.exe54⤵
- Executes dropped EXE
PID:3156 -
C:\Windows\SysWOW64\Digehphc.exeC:\Windows\system32\Digehphc.exe55⤵
- Executes dropped EXE
PID:4340 -
C:\Windows\SysWOW64\Dkfadkgf.exeC:\Windows\system32\Dkfadkgf.exe56⤵
- Executes dropped EXE
PID:372 -
C:\Windows\SysWOW64\Doaneiop.exeC:\Windows\system32\Doaneiop.exe57⤵
- Executes dropped EXE
PID:1000 -
C:\Windows\SysWOW64\Dbpjaeoc.exeC:\Windows\system32\Dbpjaeoc.exe58⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:868 -
C:\Windows\SysWOW64\Dflfac32.exeC:\Windows\system32\Dflfac32.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4936 -
C:\Windows\SysWOW64\Dijbno32.exeC:\Windows\system32\Dijbno32.exe60⤵
- Executes dropped EXE
PID:1608 -
C:\Windows\SysWOW64\Dkhnjk32.exeC:\Windows\system32\Dkhnjk32.exe61⤵
- Executes dropped EXE
PID:624 -
C:\Windows\SysWOW64\Dodjjimm.exeC:\Windows\system32\Dodjjimm.exe62⤵
- Executes dropped EXE
PID:4664 -
C:\Windows\SysWOW64\Dbbffdlq.exeC:\Windows\system32\Dbbffdlq.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4432 -
C:\Windows\SysWOW64\Deqcbpld.exeC:\Windows\system32\Deqcbpld.exe64⤵
- Executes dropped EXE
PID:3908 -
C:\Windows\SysWOW64\Eiloco32.exeC:\Windows\system32\Eiloco32.exe65⤵
- Executes dropped EXE
PID:2228 -
C:\Windows\SysWOW64\Ekkkoj32.exeC:\Windows\system32\Ekkkoj32.exe66⤵PID:3660
-
C:\Windows\SysWOW64\Enigke32.exeC:\Windows\system32\Enigke32.exe67⤵PID:1088
-
C:\Windows\SysWOW64\Efpomccg.exeC:\Windows\system32\Efpomccg.exe68⤵
- Drops file in System32 directory
PID:3716 -
C:\Windows\SysWOW64\Eecphp32.exeC:\Windows\system32\Eecphp32.exe69⤵
- System Location Discovery: System Language Discovery
PID:2796 -
C:\Windows\SysWOW64\Emjgim32.exeC:\Windows\system32\Emjgim32.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1724 -
C:\Windows\SysWOW64\Eoideh32.exeC:\Windows\system32\Eoideh32.exe71⤵PID:4680
-
C:\Windows\SysWOW64\Enkdaepb.exeC:\Windows\system32\Enkdaepb.exe72⤵PID:5100
-
C:\Windows\SysWOW64\Efblbbqd.exeC:\Windows\system32\Efblbbqd.exe73⤵
- System Location Discovery: System Language Discovery
PID:1832 -
C:\Windows\SysWOW64\Eeelnp32.exeC:\Windows\system32\Eeelnp32.exe74⤵PID:2984
-
C:\Windows\SysWOW64\Emmdom32.exeC:\Windows\system32\Emmdom32.exe75⤵PID:4556
-
C:\Windows\SysWOW64\Eokqkh32.exeC:\Windows\system32\Eokqkh32.exe76⤵PID:5152
-
C:\Windows\SysWOW64\Ennqfenp.exeC:\Windows\system32\Ennqfenp.exe77⤵PID:5196
-
C:\Windows\SysWOW64\Efeihb32.exeC:\Windows\system32\Efeihb32.exe78⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5232 -
C:\Windows\SysWOW64\Eicedn32.exeC:\Windows\system32\Eicedn32.exe79⤵PID:5272
-
C:\Windows\SysWOW64\Emoadlfo.exeC:\Windows\system32\Emoadlfo.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5312 -
C:\Windows\SysWOW64\Epmmqheb.exeC:\Windows\system32\Epmmqheb.exe81⤵
- Drops file in System32 directory
PID:5352 -
C:\Windows\SysWOW64\Eblimcdf.exeC:\Windows\system32\Eblimcdf.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5396 -
C:\Windows\SysWOW64\Efgemb32.exeC:\Windows\system32\Efgemb32.exe83⤵PID:5436
-
C:\Windows\SysWOW64\Eifaim32.exeC:\Windows\system32\Eifaim32.exe84⤵PID:5484
-
C:\Windows\SysWOW64\Ekdnei32.exeC:\Windows\system32\Ekdnei32.exe85⤵PID:5524
-
C:\Windows\SysWOW64\Eppjfgcp.exeC:\Windows\system32\Eppjfgcp.exe86⤵
- Modifies registry class
PID:5580 -
C:\Windows\SysWOW64\Ebnfbcbc.exeC:\Windows\system32\Ebnfbcbc.exe87⤵PID:5616
-
C:\Windows\SysWOW64\Felbnn32.exeC:\Windows\system32\Felbnn32.exe88⤵PID:5656
-
C:\Windows\SysWOW64\Fihnomjp.exeC:\Windows\system32\Fihnomjp.exe89⤵PID:5704
-
C:\Windows\SysWOW64\Fpbflg32.exeC:\Windows\system32\Fpbflg32.exe90⤵PID:5748
-
C:\Windows\SysWOW64\Fneggdhg.exeC:\Windows\system32\Fneggdhg.exe91⤵
- Modifies registry class
PID:5792 -
C:\Windows\SysWOW64\Fflohaij.exeC:\Windows\system32\Fflohaij.exe92⤵PID:5832
-
C:\Windows\SysWOW64\Fijkdmhn.exeC:\Windows\system32\Fijkdmhn.exe93⤵PID:5880
-
C:\Windows\SysWOW64\Fligqhga.exeC:\Windows\system32\Fligqhga.exe94⤵PID:5924
-
C:\Windows\SysWOW64\Fpdcag32.exeC:\Windows\system32\Fpdcag32.exe95⤵PID:5964
-
C:\Windows\SysWOW64\Fbbpmb32.exeC:\Windows\system32\Fbbpmb32.exe96⤵PID:6008
-
C:\Windows\SysWOW64\Fealin32.exeC:\Windows\system32\Fealin32.exe97⤵PID:6048
-
C:\Windows\SysWOW64\Fimhjl32.exeC:\Windows\system32\Fimhjl32.exe98⤵PID:6088
-
C:\Windows\SysWOW64\Flkdfh32.exeC:\Windows\system32\Flkdfh32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6128 -
C:\Windows\SysWOW64\Fnipbc32.exeC:\Windows\system32\Fnipbc32.exe100⤵PID:4572
-
C:\Windows\SysWOW64\Ffqhcq32.exeC:\Windows\system32\Ffqhcq32.exe101⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5048 -
C:\Windows\SysWOW64\Fiodpl32.exeC:\Windows\system32\Fiodpl32.exe102⤵PID:2056
-
C:\Windows\SysWOW64\Fmkqpkla.exeC:\Windows\system32\Fmkqpkla.exe103⤵PID:2484
-
C:\Windows\SysWOW64\Fpimlfke.exeC:\Windows\system32\Fpimlfke.exe104⤵PID:3880
-
C:\Windows\SysWOW64\Fbgihaji.exeC:\Windows\system32\Fbgihaji.exe105⤵PID:3332
-
C:\Windows\SysWOW64\Ffceip32.exeC:\Windows\system32\Ffceip32.exe106⤵PID:1284
-
C:\Windows\SysWOW64\Fiaael32.exeC:\Windows\system32\Fiaael32.exe107⤵PID:2408
-
C:\Windows\SysWOW64\Fmmmfj32.exeC:\Windows\system32\Fmmmfj32.exe108⤵PID:4468
-
C:\Windows\SysWOW64\Fpkibf32.exeC:\Windows\system32\Fpkibf32.exe109⤵PID:3308
-
C:\Windows\SysWOW64\Fbjena32.exeC:\Windows\system32\Fbjena32.exe110⤵
- Modifies registry class
PID:5224 -
C:\Windows\SysWOW64\Gfeaopqo.exeC:\Windows\system32\Gfeaopqo.exe111⤵PID:5268
-
C:\Windows\SysWOW64\Gidnkkpc.exeC:\Windows\system32\Gidnkkpc.exe112⤵
- Modifies registry class
PID:5340 -
C:\Windows\SysWOW64\Glbjggof.exeC:\Windows\system32\Glbjggof.exe113⤵PID:5404
-
C:\Windows\SysWOW64\Gnqfcbnj.exeC:\Windows\system32\Gnqfcbnj.exe114⤵PID:5492
-
C:\Windows\SysWOW64\Gblbca32.exeC:\Windows\system32\Gblbca32.exe115⤵PID:5556
-
C:\Windows\SysWOW64\Gejopl32.exeC:\Windows\system32\Gejopl32.exe116⤵PID:5644
-
C:\Windows\SysWOW64\Gldglf32.exeC:\Windows\system32\Gldglf32.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3092 -
C:\Windows\SysWOW64\Gbnoiqdq.exeC:\Windows\system32\Gbnoiqdq.exe118⤵PID:5772
-
C:\Windows\SysWOW64\Gnepna32.exeC:\Windows\system32\Gnepna32.exe119⤵PID:5820
-
C:\Windows\SysWOW64\Geohklaa.exeC:\Windows\system32\Geohklaa.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5016 -
C:\Windows\SysWOW64\Gmfplibd.exeC:\Windows\system32\Gmfplibd.exe121⤵PID:5904
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-