Analysis
-
max time kernel
94s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
22-01-2025 10:41
Behavioral task
behavioral1
Sample
db44367c8d669c3a233d3d8880738a709f1e3b9136d5cdec5a5191f2c3abc312N.exe
Resource
win7-20240903-en
windows7-x64
13 signatures
120 seconds
General
-
Target
db44367c8d669c3a233d3d8880738a709f1e3b9136d5cdec5a5191f2c3abc312N.exe
-
Size
163KB
-
MD5
66af565bda1a595b79c7f5bb52c7f4c0
-
SHA1
b8db952f12fb66daf0ceed1fe37bbf801b0088c1
-
SHA256
db44367c8d669c3a233d3d8880738a709f1e3b9136d5cdec5a5191f2c3abc312
-
SHA512
30159e228a3c9d936f28bf5e2731c4c0d6348940e8b253c758e419ffbff78cf6ded9a234b73eee43b84dd684beb68b66dc63d75f15dbd7daa5089bbd781a9c34
-
SSDEEP
1536:PN3PCSXsAYnJg0hnhMercahKlProNVU4qNVUrk/9QbfBr+7GwKrPAsqNVU:l3PFXsA4hGWKltOrWKDBr+yJb
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://master-x.com/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://crutop.ru/index.php
http://kaspersky.ru/index.php
http://color-bank.ru/index.php
http://adult-empire.com/index.php
http://virus-list.com/index.php
http://trojan.ru/index.php
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://fethard.biz/index.htm
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://kaspersky.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
Extracted
Family
gozi
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihnkel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Blgifbil.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qmgelf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fafdkmap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkleeplq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lfhnaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eifaim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mmpmnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Napjdpcn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qdphngfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjodjb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Neqopnhb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emoadlfo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mogcihaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Olfobjbg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eejjjl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgenbfoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kniieo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Malgcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nkqkhk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnqeqd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpomcp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohkbbn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlpfhe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Igfclkdj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgbloglj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngndaccj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qcgffqei.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Beeoaapl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Acfhad32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnbakghm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jekqmhia.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbhpch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hibafp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjomap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dapkni32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghhhcomg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qcclld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lqhdbm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Delnin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cmhigf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iggjga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bakgoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iidphgcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jkkjmlan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bbgeno32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmechmip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jngbjd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gigheh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jnmijq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmglcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ikndgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmikeaap.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lndagg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Olanmgig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hhnbpb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcjiff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fjhacf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmbanbmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Glipgf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbiejoaj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnbnhedj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmafajfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajcdnd32.exe -
Berbew family
-
Gozi family
-
Executes dropped EXE 64 IoCs
pid Process 4472 Mchhggno.exe 4828 Mlampmdo.exe 3596 Mgfqmfde.exe 3952 Mlcifmbl.exe 3232 Mgimcebb.exe 748 Mlefklpj.exe 2640 Mgkjhe32.exe 2736 Mnebeogl.exe 1168 Ndokbi32.exe 1416 Nepgjaeg.exe 2416 Nngokoej.exe 2192 Npfkgjdn.exe 3968 Ndaggimg.exe 212 Njnpppkn.exe 4488 Nnjlpo32.exe 4548 Nnlhfn32.exe 4804 Nfgmjqop.exe 2820 Npmagine.exe 2524 Nfjjppmm.exe 4624 Olcbmj32.exe 512 Odkjng32.exe 1012 Ogifjcdp.exe 4124 Oncofm32.exe 4460 Olfobjbg.exe 3664 Odmgcgbi.exe 2852 Ojjolnaq.exe 3396 Ocbddc32.exe 4452 Ognpebpj.exe 4008 Ojllan32.exe 5024 Onhhamgg.exe 2268 Oqfdnhfk.exe 1068 Olmeci32.exe 1604 Ogbipa32.exe 3960 Pmoahijl.exe 3872 Pcijeb32.exe 4972 Pjcbbmif.exe 4596 Pclgkb32.exe 2744 Pjeoglgc.exe 1892 Pmdkch32.exe 4724 Pdkcde32.exe 4572 Pjhlml32.exe 4456 Pdmpje32.exe 3032 Pgllfp32.exe 4648 Pmidog32.exe 4932 Pgnilpah.exe 1948 Qmkadgpo.exe 2288 Qfcfml32.exe 2204 Qmmnjfnl.exe 2228 Qddfkd32.exe 2424 Qcgffqei.exe 2604 Ampkof32.exe 1988 Ageolo32.exe 960 Ambgef32.exe 4020 Anadoi32.exe 4996 Amddjegd.exe 2688 Aeklkchg.exe 2020 Ajhddjfn.exe 4984 Aeniabfd.exe 3916 Anfmjhmd.exe 4360 Accfbokl.exe 2816 Bjmnoi32.exe 3220 Bmkjkd32.exe 3888 Bcebhoii.exe 1868 Bganhm32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Cfbkeh32.exe Cmiflbel.exe File created C:\Windows\SysWOW64\Gdilpd32.dll Ogklelna.exe File created C:\Windows\SysWOW64\Hijeeipc.dll Kageaj32.exe File created C:\Windows\SysWOW64\Dhblne32.dll Blhpqhlh.exe File created C:\Windows\SysWOW64\Fmjhedep.dll Lmgabcge.exe File opened for modification C:\Windows\SysWOW64\Gfheof32.exe Gpnmbl32.exe File created C:\Windows\SysWOW64\Gkjcgjio.dll Jgkmgk32.exe File created C:\Windows\SysWOW64\Cbokknag.dll Fnckpmql.exe File created C:\Windows\SysWOW64\Jdbbeh32.dll Bogcgj32.exe File opened for modification C:\Windows\SysWOW64\Gpcmga32.exe Gijekg32.exe File created C:\Windows\SysWOW64\Ophpeg32.dll Kghjhemo.exe File created C:\Windows\SysWOW64\Jjqkamhk.dll Bkafmd32.exe File opened for modification C:\Windows\SysWOW64\Ffaong32.exe Fdccbl32.exe File opened for modification C:\Windows\SysWOW64\Mnnkgl32.exe Miaboe32.exe File created C:\Windows\SysWOW64\Pqindg32.dll Bheplb32.exe File created C:\Windows\SysWOW64\Cleegp32.exe Cdnmfclj.exe File created C:\Windows\SysWOW64\Hhnbpb32.exe Hfpecg32.exe File opened for modification C:\Windows\SysWOW64\Mbjnbqhp.exe Mlpeff32.exe File created C:\Windows\SysWOW64\Ddgfdiop.dll Cpglnhad.exe File created C:\Windows\SysWOW64\Gghpel32.dll Qlggjk32.exe File created C:\Windows\SysWOW64\Eafhkhce.dll Ejoomhmi.exe File created C:\Windows\SysWOW64\Gkkgpc32.exe Gfokoelp.exe File created C:\Windows\SysWOW64\Bfpjcbmh.dll Lpekef32.exe File created C:\Windows\SysWOW64\Lmdnbn32.exe Lfjfecno.exe File opened for modification C:\Windows\SysWOW64\Qfkqjmdg.exe Ppahmb32.exe File opened for modification C:\Windows\SysWOW64\Dnbakghm.exe Ddjmba32.exe File opened for modification C:\Windows\SysWOW64\Iohejo32.exe Imgicgca.exe File created C:\Windows\SysWOW64\Dfpgffpm.exe Dmgbnq32.exe File opened for modification C:\Windows\SysWOW64\Ifleoe32.exe Indmnh32.exe File created C:\Windows\SysWOW64\Mhicpg32.exe Mfhfhong.exe File created C:\Windows\SysWOW64\Kqpoakco.exe Knbbep32.exe File opened for modification C:\Windows\SysWOW64\Mnfnlf32.exe Mglfplgk.exe File created C:\Windows\SysWOW64\Olfghg32.exe Odoogi32.exe File opened for modification C:\Windows\SysWOW64\Ipjoja32.exe Iedjmioj.exe File opened for modification C:\Windows\SysWOW64\Gdgfce32.exe Gnmnfkia.exe File created C:\Windows\SysWOW64\Obfohnkk.dll Ogpepl32.exe File created C:\Windows\SysWOW64\Efeihb32.exe Ennqfenp.exe File created C:\Windows\SysWOW64\Pqknpl32.dll Hpiecd32.exe File opened for modification C:\Windows\SysWOW64\Kfnfjehl.exe Kodnmkap.exe File created C:\Windows\SysWOW64\Oileggkb.exe Ogmijllo.exe File created C:\Windows\SysWOW64\Pleaoa32.exe Pjgebf32.exe File created C:\Windows\SysWOW64\Cglgjeci.exe Cikglnkj.exe File created C:\Windows\SysWOW64\Ehfcfb32.exe Ealkjh32.exe File opened for modification C:\Windows\SysWOW64\Jbiejoaj.exe Jnmijq32.exe File opened for modification C:\Windows\SysWOW64\Phodcg32.exe Pddhbipj.exe File created C:\Windows\SysWOW64\Nlphicca.dll Fahaplon.exe File opened for modification C:\Windows\SysWOW64\Jecofa32.exe Jnifigpa.exe File opened for modification C:\Windows\SysWOW64\Nhlpfgbb.exe Mbognp32.exe File created C:\Windows\SysWOW64\Ceifibod.dll Qkmdkgob.exe File opened for modification C:\Windows\SysWOW64\Nnkpnclp.exe Ndflak32.exe File opened for modification C:\Windows\SysWOW64\Ambgef32.exe Ageolo32.exe File created C:\Windows\SysWOW64\Dcnqpo32.exe Dihlbf32.exe File opened for modification C:\Windows\SysWOW64\Ndflak32.exe Nagpeo32.exe File opened for modification C:\Windows\SysWOW64\Qmepam32.exe Pkegpb32.exe File created C:\Windows\SysWOW64\Idaiki32.dll Palklf32.exe File created C:\Windows\SysWOW64\Njnpppkn.exe Ndaggimg.exe File created C:\Windows\SysWOW64\Mjpabk32.dll Pgnilpah.exe File created C:\Windows\SysWOW64\Ehiffh32.exe Eejjjl32.exe File created C:\Windows\SysWOW64\Ckegbb32.dll Jnpmjf32.exe File created C:\Windows\SysWOW64\Hjhalefe.exe Hhfedm32.exe File created C:\Windows\SysWOW64\Hflkamml.dll Mccfdmmo.exe File created C:\Windows\SysWOW64\Dgcihgaj.exe Process not Found File created C:\Windows\SysWOW64\Delnin32.exe Daqbip32.exe File created C:\Windows\SysWOW64\Lahdik32.dll Ibicnh32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 7648 7172 Process not Found 1149 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dijbno32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igmagnkg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnkbcj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kngcje32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jncoikmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qaflgago.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mqimikfj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gochjpho.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pleaoa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjhacf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iidphgcn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nqbpojnp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onhhamgg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fahaplon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmoiqneg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Goglcahb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jebfng32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Monjjgkb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahaceo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnebeogl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlnipg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qhngolpo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahgcjddh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Doilmc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjomap32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgpgng32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lekmnajj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfjkjo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npchgdcd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgfapd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnpdegjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fafdkmap.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kndojobi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdhedh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcnmin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdkcde32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhhdil32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odjeljhd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojllan32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnmepn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgndoeag.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efafgifc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Paelfmaf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnfpinmi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nedjjj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olgemcli.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okedcjcm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdbjhbbd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omjpeo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlepcdoa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncjginjn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Licfngjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilccoh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhlgfj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nahgoe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfefkkqp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcmdaljn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehkclgmb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnobem32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdigadjo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lklbdm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmaopfjm.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mnnkgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkemhahj.dll" Nlhkgi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebmenh32.dll" Dbpjaeoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkdoio32.dll" Ipjoja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgnnai32.dll" Mcelpggq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckegbb32.dll" Jnpmjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mmbanbmg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dijbno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gihgfk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Onocomdo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oaplqh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dgbdlf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ehiffh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ehkclgmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lciagi32.dll" Ghbbcd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jnnpdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmdjdfgl.dll" Fkihnmhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iglhgnlj.dll" Oeaoab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qebhhp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kmkbfeab.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Plmmif32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pjkmomfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kolfbd32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnmoel32.dll" Fdijbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaplji32.dll" Mhfppabl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehqkihfg.dll" Nenbjo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qmhlgmmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Efgemb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pogppn32.dll" Mpnnle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igbcbhgq.dll" Fkbkdkpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okehmlqi.dll" Mmpmnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgagea32.dll" Nnfpinmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Palklf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nfgmjqop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ognpebpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihidlk32.dll" Bmngqdpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbehoafp.dll" Qgnbaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oodlnfco.dll" Nccokk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pahilmoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmeddp32.dll" Akglloai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hoeieolb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jllokajf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nngokoej.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fknbil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kifona32.dll" Pemomqcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnofdl32.dll" Dmfeidbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eifhdd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fnipbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciipkkdj.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hoogfnnb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Igjeanmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kfnkkb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lbnngbbn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bcelmhen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlkfjqib.dll" Njmhhefi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lfjfecno.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qfkqjmdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pmidog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glokko32.dll" Hffcmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nmgjia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fihnomjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Njnpppkn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Anfmjhmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ggcfja32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 664 wrote to memory of 4472 664 db44367c8d669c3a233d3d8880738a709f1e3b9136d5cdec5a5191f2c3abc312N.exe 83 PID 664 wrote to memory of 4472 664 db44367c8d669c3a233d3d8880738a709f1e3b9136d5cdec5a5191f2c3abc312N.exe 83 PID 664 wrote to memory of 4472 664 db44367c8d669c3a233d3d8880738a709f1e3b9136d5cdec5a5191f2c3abc312N.exe 83 PID 4472 wrote to memory of 4828 4472 Mchhggno.exe 84 PID 4472 wrote to memory of 4828 4472 Mchhggno.exe 84 PID 4472 wrote to memory of 4828 4472 Mchhggno.exe 84 PID 4828 wrote to memory of 3596 4828 Mlampmdo.exe 85 PID 4828 wrote to memory of 3596 4828 Mlampmdo.exe 85 PID 4828 wrote to memory of 3596 4828 Mlampmdo.exe 85 PID 3596 wrote to memory of 3952 3596 Mgfqmfde.exe 86 PID 3596 wrote to memory of 3952 3596 Mgfqmfde.exe 86 PID 3596 wrote to memory of 3952 3596 Mgfqmfde.exe 86 PID 3952 wrote to memory of 3232 3952 Mlcifmbl.exe 87 PID 3952 wrote to memory of 3232 3952 Mlcifmbl.exe 87 PID 3952 wrote to memory of 3232 3952 Mlcifmbl.exe 87 PID 3232 wrote to memory of 748 3232 Mgimcebb.exe 88 PID 3232 wrote to memory of 748 3232 Mgimcebb.exe 88 PID 3232 wrote to memory of 748 3232 Mgimcebb.exe 88 PID 748 wrote to memory of 2640 748 Mlefklpj.exe 89 PID 748 wrote to memory of 2640 748 Mlefklpj.exe 89 PID 748 wrote to memory of 2640 748 Mlefklpj.exe 89 PID 2640 wrote to memory of 2736 2640 Mgkjhe32.exe 90 PID 2640 wrote to memory of 2736 2640 Mgkjhe32.exe 90 PID 2640 wrote to memory of 2736 2640 Mgkjhe32.exe 90 PID 2736 wrote to memory of 1168 2736 Mnebeogl.exe 91 PID 2736 wrote to memory of 1168 2736 Mnebeogl.exe 91 PID 2736 wrote to memory of 1168 2736 Mnebeogl.exe 91 PID 1168 wrote to memory of 1416 1168 Ndokbi32.exe 92 PID 1168 wrote to memory of 1416 1168 Ndokbi32.exe 92 PID 1168 wrote to memory of 1416 1168 Ndokbi32.exe 92 PID 1416 wrote to memory of 2416 1416 Nepgjaeg.exe 93 PID 1416 wrote to memory of 2416 1416 Nepgjaeg.exe 93 PID 1416 wrote to memory of 2416 1416 Nepgjaeg.exe 93 PID 2416 wrote to memory of 2192 2416 Nngokoej.exe 94 PID 2416 wrote to memory of 2192 2416 Nngokoej.exe 94 PID 2416 wrote to memory of 2192 2416 Nngokoej.exe 94 PID 2192 wrote to memory of 3968 2192 Npfkgjdn.exe 95 PID 2192 wrote to memory of 3968 2192 Npfkgjdn.exe 95 PID 2192 wrote to memory of 3968 2192 Npfkgjdn.exe 95 PID 3968 wrote to memory of 212 3968 Ndaggimg.exe 96 PID 3968 wrote to memory of 212 3968 Ndaggimg.exe 96 PID 3968 wrote to memory of 212 3968 Ndaggimg.exe 96 PID 212 wrote to memory of 4488 212 Njnpppkn.exe 97 PID 212 wrote to memory of 4488 212 Njnpppkn.exe 97 PID 212 wrote to memory of 4488 212 Njnpppkn.exe 97 PID 4488 wrote to memory of 4548 4488 Nnjlpo32.exe 98 PID 4488 wrote to memory of 4548 4488 Nnjlpo32.exe 98 PID 4488 wrote to memory of 4548 4488 Nnjlpo32.exe 98 PID 4548 wrote to memory of 4804 4548 Nnlhfn32.exe 99 PID 4548 wrote to memory of 4804 4548 Nnlhfn32.exe 99 PID 4548 wrote to memory of 4804 4548 Nnlhfn32.exe 99 PID 4804 wrote to memory of 2820 4804 Nfgmjqop.exe 100 PID 4804 wrote to memory of 2820 4804 Nfgmjqop.exe 100 PID 4804 wrote to memory of 2820 4804 Nfgmjqop.exe 100 PID 2820 wrote to memory of 2524 2820 Npmagine.exe 101 PID 2820 wrote to memory of 2524 2820 Npmagine.exe 101 PID 2820 wrote to memory of 2524 2820 Npmagine.exe 101 PID 2524 wrote to memory of 4624 2524 Nfjjppmm.exe 102 PID 2524 wrote to memory of 4624 2524 Nfjjppmm.exe 102 PID 2524 wrote to memory of 4624 2524 Nfjjppmm.exe 102 PID 4624 wrote to memory of 512 4624 Olcbmj32.exe 103 PID 4624 wrote to memory of 512 4624 Olcbmj32.exe 103 PID 4624 wrote to memory of 512 4624 Olcbmj32.exe 103 PID 512 wrote to memory of 1012 512 Odkjng32.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\db44367c8d669c3a233d3d8880738a709f1e3b9136d5cdec5a5191f2c3abc312N.exe"C:\Users\Admin\AppData\Local\Temp\db44367c8d669c3a233d3d8880738a709f1e3b9136d5cdec5a5191f2c3abc312N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:664 -
C:\Windows\SysWOW64\Mchhggno.exeC:\Windows\system32\Mchhggno.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4472 -
C:\Windows\SysWOW64\Mlampmdo.exeC:\Windows\system32\Mlampmdo.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4828 -
C:\Windows\SysWOW64\Mgfqmfde.exeC:\Windows\system32\Mgfqmfde.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3596 -
C:\Windows\SysWOW64\Mlcifmbl.exeC:\Windows\system32\Mlcifmbl.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3952 -
C:\Windows\SysWOW64\Mgimcebb.exeC:\Windows\system32\Mgimcebb.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3232 -
C:\Windows\SysWOW64\Mlefklpj.exeC:\Windows\system32\Mlefklpj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:748 -
C:\Windows\SysWOW64\Mgkjhe32.exeC:\Windows\system32\Mgkjhe32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2640 -
C:\Windows\SysWOW64\Mnebeogl.exeC:\Windows\system32\Mnebeogl.exe9⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Windows\SysWOW64\Ndokbi32.exeC:\Windows\system32\Ndokbi32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1168 -
C:\Windows\SysWOW64\Nepgjaeg.exeC:\Windows\system32\Nepgjaeg.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1416 -
C:\Windows\SysWOW64\Nngokoej.exeC:\Windows\system32\Nngokoej.exe12⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2416 -
C:\Windows\SysWOW64\Npfkgjdn.exeC:\Windows\system32\Npfkgjdn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2192 -
C:\Windows\SysWOW64\Ndaggimg.exeC:\Windows\system32\Ndaggimg.exe14⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3968 -
C:\Windows\SysWOW64\Njnpppkn.exeC:\Windows\system32\Njnpppkn.exe15⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:212 -
C:\Windows\SysWOW64\Nnjlpo32.exeC:\Windows\system32\Nnjlpo32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4488 -
C:\Windows\SysWOW64\Nnlhfn32.exeC:\Windows\system32\Nnlhfn32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4548 -
C:\Windows\SysWOW64\Nfgmjqop.exeC:\Windows\system32\Nfgmjqop.exe18⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4804 -
C:\Windows\SysWOW64\Npmagine.exeC:\Windows\system32\Npmagine.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2820 -
C:\Windows\SysWOW64\Nfjjppmm.exeC:\Windows\system32\Nfjjppmm.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2524 -
C:\Windows\SysWOW64\Olcbmj32.exeC:\Windows\system32\Olcbmj32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4624 -
C:\Windows\SysWOW64\Odkjng32.exeC:\Windows\system32\Odkjng32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:512 -
C:\Windows\SysWOW64\Ogifjcdp.exeC:\Windows\system32\Ogifjcdp.exe23⤵
- Executes dropped EXE
PID:1012 -
C:\Windows\SysWOW64\Oncofm32.exeC:\Windows\system32\Oncofm32.exe24⤵
- Executes dropped EXE
PID:4124 -
C:\Windows\SysWOW64\Olfobjbg.exeC:\Windows\system32\Olfobjbg.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4460 -
C:\Windows\SysWOW64\Odmgcgbi.exeC:\Windows\system32\Odmgcgbi.exe26⤵
- Executes dropped EXE
PID:3664 -
C:\Windows\SysWOW64\Ojjolnaq.exeC:\Windows\system32\Ojjolnaq.exe27⤵
- Executes dropped EXE
PID:2852 -
C:\Windows\SysWOW64\Ocbddc32.exeC:\Windows\system32\Ocbddc32.exe28⤵
- Executes dropped EXE
PID:3396 -
C:\Windows\SysWOW64\Ognpebpj.exeC:\Windows\system32\Ognpebpj.exe29⤵
- Executes dropped EXE
- Modifies registry class
PID:4452 -
C:\Windows\SysWOW64\Ojllan32.exeC:\Windows\system32\Ojllan32.exe30⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4008 -
C:\Windows\SysWOW64\Onhhamgg.exeC:\Windows\system32\Onhhamgg.exe31⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5024 -
C:\Windows\SysWOW64\Oqfdnhfk.exeC:\Windows\system32\Oqfdnhfk.exe32⤵
- Executes dropped EXE
PID:2268 -
C:\Windows\SysWOW64\Olmeci32.exeC:\Windows\system32\Olmeci32.exe33⤵
- Executes dropped EXE
PID:1068 -
C:\Windows\SysWOW64\Ogbipa32.exeC:\Windows\system32\Ogbipa32.exe34⤵
- Executes dropped EXE
PID:1604 -
C:\Windows\SysWOW64\Pmoahijl.exeC:\Windows\system32\Pmoahijl.exe35⤵
- Executes dropped EXE
PID:3960 -
C:\Windows\SysWOW64\Pcijeb32.exeC:\Windows\system32\Pcijeb32.exe36⤵
- Executes dropped EXE
PID:3872 -
C:\Windows\SysWOW64\Pjcbbmif.exeC:\Windows\system32\Pjcbbmif.exe37⤵
- Executes dropped EXE
PID:4972 -
C:\Windows\SysWOW64\Pclgkb32.exeC:\Windows\system32\Pclgkb32.exe38⤵
- Executes dropped EXE
PID:4596 -
C:\Windows\SysWOW64\Pjeoglgc.exeC:\Windows\system32\Pjeoglgc.exe39⤵
- Executes dropped EXE
PID:2744 -
C:\Windows\SysWOW64\Pmdkch32.exeC:\Windows\system32\Pmdkch32.exe40⤵
- Executes dropped EXE
PID:1892 -
C:\Windows\SysWOW64\Pdkcde32.exeC:\Windows\system32\Pdkcde32.exe41⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4724 -
C:\Windows\SysWOW64\Pjhlml32.exeC:\Windows\system32\Pjhlml32.exe42⤵
- Executes dropped EXE
PID:4572 -
C:\Windows\SysWOW64\Pdmpje32.exeC:\Windows\system32\Pdmpje32.exe43⤵
- Executes dropped EXE
PID:4456 -
C:\Windows\SysWOW64\Pgllfp32.exeC:\Windows\system32\Pgllfp32.exe44⤵
- Executes dropped EXE
PID:3032 -
C:\Windows\SysWOW64\Pmidog32.exeC:\Windows\system32\Pmidog32.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:4648 -
C:\Windows\SysWOW64\Pgnilpah.exeC:\Windows\system32\Pgnilpah.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4932 -
C:\Windows\SysWOW64\Qmkadgpo.exeC:\Windows\system32\Qmkadgpo.exe47⤵
- Executes dropped EXE
PID:1948 -
C:\Windows\SysWOW64\Qfcfml32.exeC:\Windows\system32\Qfcfml32.exe48⤵
- Executes dropped EXE
PID:2288 -
C:\Windows\SysWOW64\Qmmnjfnl.exeC:\Windows\system32\Qmmnjfnl.exe49⤵
- Executes dropped EXE
PID:2204 -
C:\Windows\SysWOW64\Qddfkd32.exeC:\Windows\system32\Qddfkd32.exe50⤵
- Executes dropped EXE
PID:2228 -
C:\Windows\SysWOW64\Qcgffqei.exeC:\Windows\system32\Qcgffqei.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2424 -
C:\Windows\SysWOW64\Ampkof32.exeC:\Windows\system32\Ampkof32.exe52⤵
- Executes dropped EXE
PID:2604 -
C:\Windows\SysWOW64\Ageolo32.exeC:\Windows\system32\Ageolo32.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1988 -
C:\Windows\SysWOW64\Ambgef32.exeC:\Windows\system32\Ambgef32.exe54⤵
- Executes dropped EXE
PID:960 -
C:\Windows\SysWOW64\Anadoi32.exeC:\Windows\system32\Anadoi32.exe55⤵
- Executes dropped EXE
PID:4020 -
C:\Windows\SysWOW64\Amddjegd.exeC:\Windows\system32\Amddjegd.exe56⤵
- Executes dropped EXE
PID:4996 -
C:\Windows\SysWOW64\Aeklkchg.exeC:\Windows\system32\Aeklkchg.exe57⤵
- Executes dropped EXE
PID:2688 -
C:\Windows\SysWOW64\Ajhddjfn.exeC:\Windows\system32\Ajhddjfn.exe58⤵
- Executes dropped EXE
PID:2020 -
C:\Windows\SysWOW64\Aeniabfd.exeC:\Windows\system32\Aeniabfd.exe59⤵
- Executes dropped EXE
PID:4984 -
C:\Windows\SysWOW64\Anfmjhmd.exeC:\Windows\system32\Anfmjhmd.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:3916 -
C:\Windows\SysWOW64\Accfbokl.exeC:\Windows\system32\Accfbokl.exe61⤵
- Executes dropped EXE
PID:4360 -
C:\Windows\SysWOW64\Bjmnoi32.exeC:\Windows\system32\Bjmnoi32.exe62⤵
- Executes dropped EXE
PID:2816 -
C:\Windows\SysWOW64\Bmkjkd32.exeC:\Windows\system32\Bmkjkd32.exe63⤵
- Executes dropped EXE
PID:3220 -
C:\Windows\SysWOW64\Bcebhoii.exeC:\Windows\system32\Bcebhoii.exe64⤵
- Executes dropped EXE
PID:3888 -
C:\Windows\SysWOW64\Bganhm32.exeC:\Windows\system32\Bganhm32.exe65⤵
- Executes dropped EXE
PID:1868 -
C:\Windows\SysWOW64\Bjokdipf.exeC:\Windows\system32\Bjokdipf.exe66⤵PID:4172
-
C:\Windows\SysWOW64\Bmngqdpj.exeC:\Windows\system32\Bmngqdpj.exe67⤵
- Modifies registry class
PID:4808 -
C:\Windows\SysWOW64\Beeoaapl.exeC:\Windows\system32\Beeoaapl.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2924 -
C:\Windows\SysWOW64\Bffkij32.exeC:\Windows\system32\Bffkij32.exe69⤵PID:1524
-
C:\Windows\SysWOW64\Bmpcfdmg.exeC:\Windows\system32\Bmpcfdmg.exe70⤵PID:992
-
C:\Windows\SysWOW64\Bnpppgdj.exeC:\Windows\system32\Bnpppgdj.exe71⤵PID:1496
-
C:\Windows\SysWOW64\Bhhdil32.exeC:\Windows\system32\Bhhdil32.exe72⤵
- System Location Discovery: System Language Discovery
PID:2032 -
C:\Windows\SysWOW64\Bcoenmao.exeC:\Windows\system32\Bcoenmao.exe73⤵PID:736
-
C:\Windows\SysWOW64\Chmndlge.exeC:\Windows\system32\Chmndlge.exe74⤵PID:3548
-
C:\Windows\SysWOW64\Cmiflbel.exeC:\Windows\system32\Cmiflbel.exe75⤵
- Drops file in System32 directory
PID:4284 -
C:\Windows\SysWOW64\Cfbkeh32.exeC:\Windows\system32\Cfbkeh32.exe76⤵PID:3272
-
C:\Windows\SysWOW64\Chagok32.exeC:\Windows\system32\Chagok32.exe77⤵PID:3660
-
C:\Windows\SysWOW64\Cajlhqjp.exeC:\Windows\system32\Cajlhqjp.exe78⤵PID:4044
-
C:\Windows\SysWOW64\Chcddk32.exeC:\Windows\system32\Chcddk32.exe79⤵PID:2308
-
C:\Windows\SysWOW64\Calhnpgn.exeC:\Windows\system32\Calhnpgn.exe80⤵PID:5008
-
C:\Windows\SysWOW64\Djdmffnn.exeC:\Windows\system32\Djdmffnn.exe81⤵PID:4232
-
C:\Windows\SysWOW64\Dmcibama.exeC:\Windows\system32\Dmcibama.exe82⤵PID:4872
-
C:\Windows\SysWOW64\Dhhnpjmh.exeC:\Windows\system32\Dhhnpjmh.exe83⤵PID:532
-
C:\Windows\SysWOW64\Daqbip32.exeC:\Windows\system32\Daqbip32.exe84⤵
- Drops file in System32 directory
PID:1540 -
C:\Windows\SysWOW64\Delnin32.exeC:\Windows\system32\Delnin32.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4700 -
C:\Windows\SysWOW64\Dmgbnq32.exeC:\Windows\system32\Dmgbnq32.exe86⤵
- Drops file in System32 directory
PID:5096 -
C:\Windows\SysWOW64\Dfpgffpm.exeC:\Windows\system32\Dfpgffpm.exe87⤵PID:2580
-
C:\Windows\SysWOW64\Dogogcpo.exeC:\Windows\system32\Dogogcpo.exe88⤵PID:2624
-
C:\Windows\SysWOW64\Dgbdlf32.exeC:\Windows\system32\Dgbdlf32.exe89⤵
- Modifies registry class
PID:2124 -
C:\Windows\SysWOW64\Doilmc32.exeC:\Windows\system32\Doilmc32.exe90⤵
- System Location Discovery: System Language Discovery
PID:4424 -
C:\Windows\SysWOW64\Eecdjmfi.exeC:\Windows\system32\Eecdjmfi.exe91⤵PID:436
-
C:\Windows\SysWOW64\Ehapfiem.exeC:\Windows\system32\Ehapfiem.exe92⤵PID:1152
-
C:\Windows\SysWOW64\Ekpmbddq.exeC:\Windows\system32\Ekpmbddq.exe93⤵PID:4292
-
C:\Windows\SysWOW64\Eefaomcg.exeC:\Windows\system32\Eefaomcg.exe94⤵PID:2100
-
C:\Windows\SysWOW64\Ehdmlhcj.exeC:\Windows\system32\Ehdmlhcj.exe95⤵PID:4788
-
C:\Windows\SysWOW64\Ekbihd32.exeC:\Windows\system32\Ekbihd32.exe96⤵PID:2292
-
C:\Windows\SysWOW64\Ealadnik.exeC:\Windows\system32\Ealadnik.exe97⤵PID:2668
-
C:\Windows\SysWOW64\Ehfjah32.exeC:\Windows\system32\Ehfjah32.exe98⤵PID:4584
-
C:\Windows\SysWOW64\Ekefmc32.exeC:\Windows\system32\Ekefmc32.exe99⤵PID:2384
-
C:\Windows\SysWOW64\Emcbio32.exeC:\Windows\system32\Emcbio32.exe100⤵PID:1912
-
C:\Windows\SysWOW64\Eejjjl32.exeC:\Windows\system32\Eejjjl32.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:4544 -
C:\Windows\SysWOW64\Ehiffh32.exeC:\Windows\system32\Ehiffh32.exe102⤵
- Modifies registry class
PID:4504 -
C:\Windows\SysWOW64\Eobocb32.exeC:\Windows\system32\Eobocb32.exe103⤵PID:1680
-
C:\Windows\SysWOW64\Eaakpm32.exeC:\Windows\system32\Eaakpm32.exe104⤵PID:1592
-
C:\Windows\SysWOW64\Ehkclgmb.exeC:\Windows\system32\Ehkclgmb.exe105⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3036 -
C:\Windows\SysWOW64\Ekiohclf.exeC:\Windows\system32\Ekiohclf.exe106⤵PID:4968
-
C:\Windows\SysWOW64\Eachem32.exeC:\Windows\system32\Eachem32.exe107⤵PID:4860
-
C:\Windows\SysWOW64\Feocelll.exeC:\Windows\system32\Feocelll.exe108⤵PID:3160
-
C:\Windows\SysWOW64\Fhmpagkp.exeC:\Windows\system32\Fhmpagkp.exe109⤵PID:4880
-
C:\Windows\SysWOW64\Fkllnbjc.exeC:\Windows\system32\Fkllnbjc.exe110⤵PID:552
-
C:\Windows\SysWOW64\Fafdkmap.exeC:\Windows\system32\Fafdkmap.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:5136 -
C:\Windows\SysWOW64\Fhpmgg32.exeC:\Windows\system32\Fhpmgg32.exe112⤵PID:5176
-
C:\Windows\SysWOW64\Fnmepn32.exeC:\Windows\system32\Fnmepn32.exe113⤵
- System Location Discovery: System Language Discovery
PID:5220 -
C:\Windows\SysWOW64\Fahaplon.exeC:\Windows\system32\Fahaplon.exe114⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5264 -
C:\Windows\SysWOW64\Fedmqk32.exeC:\Windows\system32\Fedmqk32.exe115⤵PID:5308
-
C:\Windows\SysWOW64\Folaiqng.exeC:\Windows\system32\Folaiqng.exe116⤵PID:5352
-
C:\Windows\SysWOW64\Fnobem32.exeC:\Windows\system32\Fnobem32.exe117⤵
- System Location Discovery: System Language Discovery
PID:5396 -
C:\Windows\SysWOW64\Fdijbg32.exeC:\Windows\system32\Fdijbg32.exe118⤵
- Modifies registry class
PID:5440 -
C:\Windows\SysWOW64\Fggfnc32.exeC:\Windows\system32\Fggfnc32.exe119⤵PID:5484
-
C:\Windows\SysWOW64\Fonnop32.exeC:\Windows\system32\Fonnop32.exe120⤵PID:5528
-
C:\Windows\SysWOW64\Fehfljca.exeC:\Windows\system32\Fehfljca.exe121⤵PID:5572
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-