Analysis
-
max time kernel
94s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
23-01-2025 06:03
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
487ee710cca21ea05025d3e0364bde6ccf7768ea841cedab3b583e300849b337.exe
Resource
win7-20240903-en
windows7-x64
13 signatures
120 seconds
Behavioral task
behavioral2
Sample
487ee710cca21ea05025d3e0364bde6ccf7768ea841cedab3b583e300849b337.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
120 seconds
General
-
Target
487ee710cca21ea05025d3e0364bde6ccf7768ea841cedab3b583e300849b337.exe
-
Size
96KB
-
MD5
920076607642c3697d5c1ea5f2d5b90a
-
SHA1
3117ff601e03dd88c9330aab8732aeb2ccb2b4fb
-
SHA256
487ee710cca21ea05025d3e0364bde6ccf7768ea841cedab3b583e300849b337
-
SHA512
a78932519af55726e2812dce5b149dcef24fdcef3dc185eb944ed8e65b9207e261c5c66166a2dd0d22c669c2f5cbe9ffc304d99a27b048d250532f394e7e889f
-
SSDEEP
1536:EO9afvyXvO1HXnO5sAvcF2l2LZ7RZObZUUWaegPYAi:EFfa9XWZClUUWaeX
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Amnebo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bacjdbch.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgbpaipl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hbldphde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qpbnhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hhimhobl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ihbponja.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kedlip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jpgdai32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njedbjej.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmbnnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bfkbfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjfogbjb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmpolgoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hnbeeiji.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhhdnf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pciqnk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Figgdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gegkpf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhplpl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpacqg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdeiqgkj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngqagcag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cammjakm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcclncbh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amkhmoap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljdkll32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qjffpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bphqji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Afpjel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdmmeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bgnffj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chnlgjlb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Amcehdod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kheekkjl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckpamabg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hihibbjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kidben32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Legben32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njedbjej.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Momcpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Panhbfep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qdoacabq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fniihmpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nmjfodne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Agimkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhmbqm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Foclgq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbiockdj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qfmmplad.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnajppda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mcdeeq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlljnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojemig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdolgfbp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Caojpaij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hpmhdmea.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hihibbjo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oqklkbbi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfmolc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dcffnbee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cacckp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnbeeiji.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipkdek32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 5056 Nggnadib.exe 4724 Nmdgikhi.exe 2748 Ncnofeof.exe 4528 Nncccnol.exe 4464 Npepkf32.exe 1872 Njjdho32.exe 3600 Nmipdk32.exe 4264 Npgmpf32.exe 4928 Nfaemp32.exe 2036 Nagiji32.exe 1156 Ngqagcag.exe 432 Ojomcopk.exe 2704 Omnjojpo.exe 4172 Ocgbld32.exe 556 Onmfimga.exe 4752 Oakbehfe.exe 4384 Ogekbb32.exe 2240 Ombcji32.exe 3640 Oghghb32.exe 372 Ojfcdnjc.exe 4128 Ogjdmbil.exe 664 Ojhpimhp.exe 1072 Oabhfg32.exe 3724 Ohlqcagj.exe 4660 Pjkmomfn.exe 1952 Ppgegd32.exe 4968 Pnifekmd.exe 3416 Ppjbmc32.exe 3920 Pmnbfhal.exe 768 Pdhkcb32.exe 672 Pjbcplpe.exe 536 Pmpolgoi.exe 3704 Phfcipoo.exe 3728 Pjdpelnc.exe 1964 Panhbfep.exe 5020 Qhhpop32.exe 2996 Qjfmkk32.exe 4508 Qmeigg32.exe 704 Qdoacabq.exe 5088 Qfmmplad.exe 1936 Qodeajbg.exe 3164 Qacameaj.exe 4040 Qdaniq32.exe 3608 Afpjel32.exe 4368 Amjbbfgo.exe 1696 Aknbkjfh.exe 3612 Apjkcadp.exe 2920 Agdcpkll.exe 4076 Amnlme32.exe 4292 Adhdjpjf.exe 1744 Aonhghjl.exe 4540 Agimkk32.exe 5096 Amcehdod.exe 3524 Bdmmeo32.exe 2428 Bkgeainn.exe 1252 Baannc32.exe 2820 Bgnffj32.exe 2352 Bacjdbch.exe 928 Bhmbqm32.exe 1088 Bklomh32.exe 1000 Bmjkic32.exe 2516 Bphgeo32.exe 2104 Bgbpaipl.exe 3908 Bdfpkm32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Gacepg32.exe Gihpkd32.exe File created C:\Windows\SysWOW64\Nfgklkoc.exe Momcpa32.exe File opened for modification C:\Windows\SysWOW64\Bdapehop.exe Bmggingc.exe File opened for modification C:\Windows\SysWOW64\Binhnomg.exe Bfolacnc.exe File created C:\Windows\SysWOW64\Pnpkdp32.dll Oabhfg32.exe File created C:\Windows\SysWOW64\Jponoqjl.dll Pnifekmd.exe File created C:\Windows\SysWOW64\Lbandhne.dll Qacameaj.exe File created C:\Windows\SysWOW64\Ablmdkdf.dll Kheekkjl.exe File created C:\Windows\SysWOW64\Jhpicj32.dll Ojomcopk.exe File opened for modification C:\Windows\SysWOW64\Jahqiaeb.exe Jbepme32.exe File opened for modification C:\Windows\SysWOW64\Nijqcf32.exe Noblkqca.exe File created C:\Windows\SysWOW64\Onmfimga.exe Ocgbld32.exe File opened for modification C:\Windows\SysWOW64\Njljch32.exe Njjmni32.exe File opened for modification C:\Windows\SysWOW64\Pjbcplpe.exe Pdhkcb32.exe File created C:\Windows\SysWOW64\Ibmlia32.dll Cggimh32.exe File created C:\Windows\SysWOW64\Coppbe32.dll Hahokfag.exe File created C:\Windows\SysWOW64\Naagioah.dll Nbnlaldg.exe File created C:\Windows\SysWOW64\Dfbjkg32.dll Bigbmpco.exe File created C:\Windows\SysWOW64\Ckgohf32.exe Caojpaij.exe File opened for modification C:\Windows\SysWOW64\Nodiqp32.exe Nijqcf32.exe File created C:\Windows\SysWOW64\Fljhbbae.dll Ojemig32.exe File created C:\Windows\SysWOW64\Ccegac32.dll Hpfbcn32.exe File created C:\Windows\SysWOW64\Ckpamabg.exe Bgdemb32.exe File opened for modification C:\Windows\SysWOW64\Pmpolgoi.exe Pjbcplpe.exe File opened for modification C:\Windows\SysWOW64\Ccdihbgg.exe Cdolgfbp.exe File created C:\Windows\SysWOW64\Mpaqbf32.dll Hbihjifh.exe File created C:\Windows\SysWOW64\Bbfmgd32.exe Bphqji32.exe File created C:\Windows\SysWOW64\Clpchk32.dll Jlikkkhn.exe File opened for modification C:\Windows\SysWOW64\Oblhcj32.exe Oqklkbbi.exe File opened for modification C:\Windows\SysWOW64\Fkfcqb32.exe Figgdg32.exe File opened for modification C:\Windows\SysWOW64\Ipkdek32.exe Ihdldn32.exe File created C:\Windows\SysWOW64\Ckkpjkai.dll Npgmpf32.exe File created C:\Windows\SysWOW64\Lngqkhda.dll Pjbcplpe.exe File created C:\Windows\SysWOW64\Bhmbqm32.exe Bacjdbch.exe File created C:\Windows\SysWOW64\Eiidnkam.dll Koonge32.exe File created C:\Windows\SysWOW64\Mlljnf32.exe Mhanngbl.exe File opened for modification C:\Windows\SysWOW64\Oqoefand.exe Ojemig32.exe File opened for modification C:\Windows\SysWOW64\Paihlpfi.exe Pjoppf32.exe File opened for modification C:\Windows\SysWOW64\Acccdj32.exe Ajjokd32.exe File created C:\Windows\SysWOW64\Mpkcqhdh.dll Dgjoif32.exe File created C:\Windows\SysWOW64\Hnbeeiji.exe Hldiinke.exe File created C:\Windows\SysWOW64\Npgmpf32.exe Nmipdk32.exe File created C:\Windows\SysWOW64\Ejphhm32.dll Aknbkjfh.exe File created C:\Windows\SysWOW64\Olekop32.dll Hihibbjo.exe File opened for modification C:\Windows\SysWOW64\Nfgklkoc.exe Momcpa32.exe File opened for modification C:\Windows\SysWOW64\Ojomcopk.exe Ngqagcag.exe File opened for modification C:\Windows\SysWOW64\Afockelf.exe Amfobp32.exe File opened for modification C:\Windows\SysWOW64\Hnlodjpa.exe Hlmchoan.exe File created C:\Windows\SysWOW64\Jahqiaeb.exe Jbepme32.exe File opened for modification C:\Windows\SysWOW64\Ohlqcagj.exe Oabhfg32.exe File opened for modification C:\Windows\SysWOW64\Cpacqg32.exe Cgiohbfi.exe File opened for modification C:\Windows\SysWOW64\Pbcncibp.exe Pcpnhl32.exe File created C:\Windows\SysWOW64\Ipdbmgdb.dll Legben32.exe File created C:\Windows\SysWOW64\Kbpkkeen.dll Bdapehop.exe File created C:\Windows\SysWOW64\Cklgfgfg.dll Bdfpkm32.exe File opened for modification C:\Windows\SysWOW64\Apjkcadp.exe Aknbkjfh.exe File created C:\Windows\SysWOW64\Ogpmdqpl.dll Dnajppda.exe File opened for modification C:\Windows\SysWOW64\Abmjqe32.exe Ampaho32.exe File created C:\Windows\SysWOW64\Ombcji32.exe Ogekbb32.exe File created C:\Windows\SysWOW64\Klpakj32.exe Kheekkjl.exe File created C:\Windows\SysWOW64\Binhnomg.exe Bfolacnc.exe File opened for modification C:\Windows\SysWOW64\Lcclncbh.exe Klggli32.exe File opened for modification C:\Windows\SysWOW64\Oqhoeb32.exe Oiagde32.exe File created C:\Windows\SysWOW64\Iaidib32.dll Oflmnh32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 8536 8412 WerFault.exe 374 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmipdk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oakbehfe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppjbmc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agdcpkll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njljch32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abfdpfaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Diqnjl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oghghb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chnlgjlb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlhqcgnk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Binhnomg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpnjah32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omfekbdh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afockelf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gegkpf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihmfco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjkmomfn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckbemgcp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohlqcagj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phfcipoo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihpcinld.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljdkll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amfobp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acccdj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apjkcadp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jblmgf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbnlaldg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oifppdpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpljehpo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Caojpaij.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihdldn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfkkqmiq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdeiqgkj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgdemb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qmeigg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpacqg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppgegd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enpfan32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipbaol32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iolhkh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkaclqkk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hejqldci.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mledmg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njedbjej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogekbb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehlhih32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlblcn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmjfodne.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkjmlaac.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcfbkpab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajaelc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjfogbjb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bapgdm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Filapfbo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbdiknlb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhanngbl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qdaniq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cammjakm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgjoif32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlofcf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcpnhl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bagmdllg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njjdho32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hihibbjo.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mlhqcgnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fijdjfdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Haaaaeim.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Abmjqe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bkgeainn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jblmgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbpkkeen.dll" Bdapehop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ddcebe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pmpolgoi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pciqnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qbkofn32.dll" Qjfmkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oghghb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oabhfg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Agimkk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Obqanjdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghfqhkbn.dll" Cgiohbfi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qhhpop32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cklhcfle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hejqldci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbkqqe32.dll" Jblmgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmmncpmp.dll" Iahgad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cklgfgfg.dll" Bdfpkm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccegac32.dll" Hpfbcn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hbihjifh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ipdndloi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbcdbi32.dll" Bapgdm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cmnnimak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hhimhobl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhcmal32.dll" Mcoljagj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Njbgmjgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ceohefin.dll" Mfbaalbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hlmchoan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ogekbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iolhkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kedlip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkddhfnh.dll" Bdeiqgkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kidben32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mledmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgicnp32.dll" Dkcndeen.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Omfekbdh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nggnadib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qjhbfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Abfdpfaj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dcffnbee.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mfnhfm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mfbaalbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bjfogbjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njlmnj32.dll" Ipbaol32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ibqnkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ablmdkdf.dll" Kheekkjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Klpakj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibepke32.dll" Kidben32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ojqcnhkl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bagmdllg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cgklmacf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Legben32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Binhnomg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckgohf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pneall32.dll" Phfcipoo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ihpcinld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjkhnd32.dll" Nmjfodne.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ojhpimhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppcbba32.dll" Pdhkcb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Amnlme32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2204 wrote to memory of 5056 2204 487ee710cca21ea05025d3e0364bde6ccf7768ea841cedab3b583e300849b337.exe 83 PID 2204 wrote to memory of 5056 2204 487ee710cca21ea05025d3e0364bde6ccf7768ea841cedab3b583e300849b337.exe 83 PID 2204 wrote to memory of 5056 2204 487ee710cca21ea05025d3e0364bde6ccf7768ea841cedab3b583e300849b337.exe 83 PID 5056 wrote to memory of 4724 5056 Nggnadib.exe 84 PID 5056 wrote to memory of 4724 5056 Nggnadib.exe 84 PID 5056 wrote to memory of 4724 5056 Nggnadib.exe 84 PID 4724 wrote to memory of 2748 4724 Nmdgikhi.exe 85 PID 4724 wrote to memory of 2748 4724 Nmdgikhi.exe 85 PID 4724 wrote to memory of 2748 4724 Nmdgikhi.exe 85 PID 2748 wrote to memory of 4528 2748 Ncnofeof.exe 86 PID 2748 wrote to memory of 4528 2748 Ncnofeof.exe 86 PID 2748 wrote to memory of 4528 2748 Ncnofeof.exe 86 PID 4528 wrote to memory of 4464 4528 Nncccnol.exe 87 PID 4528 wrote to memory of 4464 4528 Nncccnol.exe 87 PID 4528 wrote to memory of 4464 4528 Nncccnol.exe 87 PID 4464 wrote to memory of 1872 4464 Npepkf32.exe 88 PID 4464 wrote to memory of 1872 4464 Npepkf32.exe 88 PID 4464 wrote to memory of 1872 4464 Npepkf32.exe 88 PID 1872 wrote to memory of 3600 1872 Njjdho32.exe 89 PID 1872 wrote to memory of 3600 1872 Njjdho32.exe 89 PID 1872 wrote to memory of 3600 1872 Njjdho32.exe 89 PID 3600 wrote to memory of 4264 3600 Nmipdk32.exe 90 PID 3600 wrote to memory of 4264 3600 Nmipdk32.exe 90 PID 3600 wrote to memory of 4264 3600 Nmipdk32.exe 90 PID 4264 wrote to memory of 4928 4264 Npgmpf32.exe 91 PID 4264 wrote to memory of 4928 4264 Npgmpf32.exe 91 PID 4264 wrote to memory of 4928 4264 Npgmpf32.exe 91 PID 4928 wrote to memory of 2036 4928 Nfaemp32.exe 92 PID 4928 wrote to memory of 2036 4928 Nfaemp32.exe 92 PID 4928 wrote to memory of 2036 4928 Nfaemp32.exe 92 PID 2036 wrote to memory of 1156 2036 Nagiji32.exe 93 PID 2036 wrote to memory of 1156 2036 Nagiji32.exe 93 PID 2036 wrote to memory of 1156 2036 Nagiji32.exe 93 PID 1156 wrote to memory of 432 1156 Ngqagcag.exe 94 PID 1156 wrote to memory of 432 1156 Ngqagcag.exe 94 PID 1156 wrote to memory of 432 1156 Ngqagcag.exe 94 PID 432 wrote to memory of 2704 432 Ojomcopk.exe 95 PID 432 wrote to memory of 2704 432 Ojomcopk.exe 95 PID 432 wrote to memory of 2704 432 Ojomcopk.exe 95 PID 2704 wrote to memory of 4172 2704 Omnjojpo.exe 96 PID 2704 wrote to memory of 4172 2704 Omnjojpo.exe 96 PID 2704 wrote to memory of 4172 2704 Omnjojpo.exe 96 PID 4172 wrote to memory of 556 4172 Ocgbld32.exe 97 PID 4172 wrote to memory of 556 4172 Ocgbld32.exe 97 PID 4172 wrote to memory of 556 4172 Ocgbld32.exe 97 PID 556 wrote to memory of 4752 556 Onmfimga.exe 98 PID 556 wrote to memory of 4752 556 Onmfimga.exe 98 PID 556 wrote to memory of 4752 556 Onmfimga.exe 98 PID 4752 wrote to memory of 4384 4752 Oakbehfe.exe 99 PID 4752 wrote to memory of 4384 4752 Oakbehfe.exe 99 PID 4752 wrote to memory of 4384 4752 Oakbehfe.exe 99 PID 4384 wrote to memory of 2240 4384 Ogekbb32.exe 100 PID 4384 wrote to memory of 2240 4384 Ogekbb32.exe 100 PID 4384 wrote to memory of 2240 4384 Ogekbb32.exe 100 PID 2240 wrote to memory of 3640 2240 Ombcji32.exe 101 PID 2240 wrote to memory of 3640 2240 Ombcji32.exe 101 PID 2240 wrote to memory of 3640 2240 Ombcji32.exe 101 PID 3640 wrote to memory of 372 3640 Oghghb32.exe 102 PID 3640 wrote to memory of 372 3640 Oghghb32.exe 102 PID 3640 wrote to memory of 372 3640 Oghghb32.exe 102 PID 372 wrote to memory of 4128 372 Ojfcdnjc.exe 103 PID 372 wrote to memory of 4128 372 Ojfcdnjc.exe 103 PID 372 wrote to memory of 4128 372 Ojfcdnjc.exe 103 PID 4128 wrote to memory of 664 4128 Ogjdmbil.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\487ee710cca21ea05025d3e0364bde6ccf7768ea841cedab3b583e300849b337.exe"C:\Users\Admin\AppData\Local\Temp\487ee710cca21ea05025d3e0364bde6ccf7768ea841cedab3b583e300849b337.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2204 -
C:\Windows\SysWOW64\Nggnadib.exeC:\Windows\system32\Nggnadib.exe2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5056 -
C:\Windows\SysWOW64\Nmdgikhi.exeC:\Windows\system32\Nmdgikhi.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4724 -
C:\Windows\SysWOW64\Ncnofeof.exeC:\Windows\system32\Ncnofeof.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\Windows\SysWOW64\Nncccnol.exeC:\Windows\system32\Nncccnol.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4528 -
C:\Windows\SysWOW64\Npepkf32.exeC:\Windows\system32\Npepkf32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4464 -
C:\Windows\SysWOW64\Njjdho32.exeC:\Windows\system32\Njjdho32.exe7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1872 -
C:\Windows\SysWOW64\Nmipdk32.exeC:\Windows\system32\Nmipdk32.exe8⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3600 -
C:\Windows\SysWOW64\Npgmpf32.exeC:\Windows\system32\Npgmpf32.exe9⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4264 -
C:\Windows\SysWOW64\Nfaemp32.exeC:\Windows\system32\Nfaemp32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4928 -
C:\Windows\SysWOW64\Nagiji32.exeC:\Windows\system32\Nagiji32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2036 -
C:\Windows\SysWOW64\Ngqagcag.exeC:\Windows\system32\Ngqagcag.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1156 -
C:\Windows\SysWOW64\Ojomcopk.exeC:\Windows\system32\Ojomcopk.exe13⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:432 -
C:\Windows\SysWOW64\Omnjojpo.exeC:\Windows\system32\Omnjojpo.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2704 -
C:\Windows\SysWOW64\Ocgbld32.exeC:\Windows\system32\Ocgbld32.exe15⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4172 -
C:\Windows\SysWOW64\Onmfimga.exeC:\Windows\system32\Onmfimga.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:556 -
C:\Windows\SysWOW64\Oakbehfe.exeC:\Windows\system32\Oakbehfe.exe17⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4752 -
C:\Windows\SysWOW64\Ogekbb32.exeC:\Windows\system32\Ogekbb32.exe18⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4384 -
C:\Windows\SysWOW64\Ombcji32.exeC:\Windows\system32\Ombcji32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2240 -
C:\Windows\SysWOW64\Oghghb32.exeC:\Windows\system32\Oghghb32.exe20⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3640 -
C:\Windows\SysWOW64\Ojfcdnjc.exeC:\Windows\system32\Ojfcdnjc.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:372 -
C:\Windows\SysWOW64\Ogjdmbil.exeC:\Windows\system32\Ogjdmbil.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4128 -
C:\Windows\SysWOW64\Ojhpimhp.exeC:\Windows\system32\Ojhpimhp.exe23⤵
- Executes dropped EXE
- Modifies registry class
PID:664 -
C:\Windows\SysWOW64\Oabhfg32.exeC:\Windows\system32\Oabhfg32.exe24⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1072 -
C:\Windows\SysWOW64\Ohlqcagj.exeC:\Windows\system32\Ohlqcagj.exe25⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3724 -
C:\Windows\SysWOW64\Pjkmomfn.exeC:\Windows\system32\Pjkmomfn.exe26⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4660 -
C:\Windows\SysWOW64\Ppgegd32.exeC:\Windows\system32\Ppgegd32.exe27⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1952 -
C:\Windows\SysWOW64\Pnifekmd.exeC:\Windows\system32\Pnifekmd.exe28⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4968 -
C:\Windows\SysWOW64\Ppjbmc32.exeC:\Windows\system32\Ppjbmc32.exe29⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3416 -
C:\Windows\SysWOW64\Pmnbfhal.exeC:\Windows\system32\Pmnbfhal.exe30⤵
- Executes dropped EXE
PID:3920 -
C:\Windows\SysWOW64\Pdhkcb32.exeC:\Windows\system32\Pdhkcb32.exe31⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:768 -
C:\Windows\SysWOW64\Pjbcplpe.exeC:\Windows\system32\Pjbcplpe.exe32⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:672 -
C:\Windows\SysWOW64\Pmpolgoi.exeC:\Windows\system32\Pmpolgoi.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:536 -
C:\Windows\SysWOW64\Phfcipoo.exeC:\Windows\system32\Phfcipoo.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3704 -
C:\Windows\SysWOW64\Pjdpelnc.exeC:\Windows\system32\Pjdpelnc.exe35⤵
- Executes dropped EXE
PID:3728 -
C:\Windows\SysWOW64\Panhbfep.exeC:\Windows\system32\Panhbfep.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1964 -
C:\Windows\SysWOW64\Qhhpop32.exeC:\Windows\system32\Qhhpop32.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:5020 -
C:\Windows\SysWOW64\Qjfmkk32.exeC:\Windows\system32\Qjfmkk32.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:2996 -
C:\Windows\SysWOW64\Qmeigg32.exeC:\Windows\system32\Qmeigg32.exe39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4508 -
C:\Windows\SysWOW64\Qdoacabq.exeC:\Windows\system32\Qdoacabq.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:704 -
C:\Windows\SysWOW64\Qfmmplad.exeC:\Windows\system32\Qfmmplad.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5088 -
C:\Windows\SysWOW64\Qodeajbg.exeC:\Windows\system32\Qodeajbg.exe42⤵
- Executes dropped EXE
PID:1936 -
C:\Windows\SysWOW64\Qacameaj.exeC:\Windows\system32\Qacameaj.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3164 -
C:\Windows\SysWOW64\Qdaniq32.exeC:\Windows\system32\Qdaniq32.exe44⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4040 -
C:\Windows\SysWOW64\Afpjel32.exeC:\Windows\system32\Afpjel32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3608 -
C:\Windows\SysWOW64\Amjbbfgo.exeC:\Windows\system32\Amjbbfgo.exe46⤵
- Executes dropped EXE
PID:4368 -
C:\Windows\SysWOW64\Aknbkjfh.exeC:\Windows\system32\Aknbkjfh.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1696 -
C:\Windows\SysWOW64\Apjkcadp.exeC:\Windows\system32\Apjkcadp.exe48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3612 -
C:\Windows\SysWOW64\Agdcpkll.exeC:\Windows\system32\Agdcpkll.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2920 -
C:\Windows\SysWOW64\Amnlme32.exeC:\Windows\system32\Amnlme32.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:4076 -
C:\Windows\SysWOW64\Adhdjpjf.exeC:\Windows\system32\Adhdjpjf.exe51⤵
- Executes dropped EXE
PID:4292 -
C:\Windows\SysWOW64\Aonhghjl.exeC:\Windows\system32\Aonhghjl.exe52⤵
- Executes dropped EXE
PID:1744 -
C:\Windows\SysWOW64\Agimkk32.exeC:\Windows\system32\Agimkk32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4540 -
C:\Windows\SysWOW64\Amcehdod.exeC:\Windows\system32\Amcehdod.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5096 -
C:\Windows\SysWOW64\Bdmmeo32.exeC:\Windows\system32\Bdmmeo32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3524 -
C:\Windows\SysWOW64\Bkgeainn.exeC:\Windows\system32\Bkgeainn.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:2428 -
C:\Windows\SysWOW64\Baannc32.exeC:\Windows\system32\Baannc32.exe57⤵
- Executes dropped EXE
PID:1252 -
C:\Windows\SysWOW64\Bgnffj32.exeC:\Windows\system32\Bgnffj32.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2820 -
C:\Windows\SysWOW64\Bacjdbch.exeC:\Windows\system32\Bacjdbch.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2352 -
C:\Windows\SysWOW64\Bhmbqm32.exeC:\Windows\system32\Bhmbqm32.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:928 -
C:\Windows\SysWOW64\Bklomh32.exeC:\Windows\system32\Bklomh32.exe61⤵
- Executes dropped EXE
PID:1088 -
C:\Windows\SysWOW64\Bmjkic32.exeC:\Windows\system32\Bmjkic32.exe62⤵
- Executes dropped EXE
PID:1000 -
C:\Windows\SysWOW64\Bphgeo32.exeC:\Windows\system32\Bphgeo32.exe63⤵
- Executes dropped EXE
PID:2516 -
C:\Windows\SysWOW64\Bgbpaipl.exeC:\Windows\system32\Bgbpaipl.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2104 -
C:\Windows\SysWOW64\Bdfpkm32.exeC:\Windows\system32\Bdfpkm32.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3908 -
C:\Windows\SysWOW64\Bajqda32.exeC:\Windows\system32\Bajqda32.exe66⤵PID:4708
-
C:\Windows\SysWOW64\Cggimh32.exeC:\Windows\system32\Cggimh32.exe67⤵
- Drops file in System32 directory
PID:3904 -
C:\Windows\SysWOW64\Ckbemgcp.exeC:\Windows\system32\Ckbemgcp.exe68⤵
- System Location Discovery: System Language Discovery
PID:2016 -
C:\Windows\SysWOW64\Cammjakm.exeC:\Windows\system32\Cammjakm.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:3672 -
C:\Windows\SysWOW64\Caojpaij.exeC:\Windows\system32\Caojpaij.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4452 -
C:\Windows\SysWOW64\Ckgohf32.exeC:\Windows\system32\Ckgohf32.exe71⤵
- Modifies registry class
PID:3076 -
C:\Windows\SysWOW64\Cnfkdb32.exeC:\Windows\system32\Cnfkdb32.exe72⤵PID:2660
-
C:\Windows\SysWOW64\Cacckp32.exeC:\Windows\system32\Cacckp32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4112 -
C:\Windows\SysWOW64\Chnlgjlb.exeC:\Windows\system32\Chnlgjlb.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:5036 -
C:\Windows\SysWOW64\Cklhcfle.exeC:\Windows\system32\Cklhcfle.exe75⤵
- Modifies registry class
PID:3424 -
C:\Windows\SysWOW64\Dahmfpap.exeC:\Windows\system32\Dahmfpap.exe76⤵PID:2284
-
C:\Windows\SysWOW64\Ddgibkpc.exeC:\Windows\system32\Ddgibkpc.exe77⤵PID:2508
-
C:\Windows\SysWOW64\Dnonkq32.exeC:\Windows\system32\Dnonkq32.exe78⤵PID:2072
-
C:\Windows\SysWOW64\Dkcndeen.exeC:\Windows\system32\Dkcndeen.exe79⤵
- Modifies registry class
PID:3772 -
C:\Windows\SysWOW64\Dnajppda.exeC:\Windows\system32\Dnajppda.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3688 -
C:\Windows\SysWOW64\Dgjoif32.exeC:\Windows\system32\Dgjoif32.exe81⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4000 -
C:\Windows\SysWOW64\Ebaplnie.exeC:\Windows\system32\Ebaplnie.exe82⤵PID:4316
-
C:\Windows\SysWOW64\Ehlhih32.exeC:\Windows\system32\Ehlhih32.exe83⤵
- System Location Discovery: System Language Discovery
PID:4328 -
C:\Windows\SysWOW64\Ebdlangb.exeC:\Windows\system32\Ebdlangb.exe84⤵PID:3124
-
C:\Windows\SysWOW64\Eohmkb32.exeC:\Windows\system32\Eohmkb32.exe85⤵PID:4024
-
C:\Windows\SysWOW64\Ekonpckp.exeC:\Windows\system32\Ekonpckp.exe86⤵PID:4884
-
C:\Windows\SysWOW64\Enpfan32.exeC:\Windows\system32\Enpfan32.exe87⤵
- System Location Discovery: System Language Discovery
PID:3032 -
C:\Windows\SysWOW64\Fbmohmoh.exeC:\Windows\system32\Fbmohmoh.exe88⤵PID:4632
-
C:\Windows\SysWOW64\Figgdg32.exeC:\Windows\system32\Figgdg32.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2736 -
C:\Windows\SysWOW64\Fkfcqb32.exeC:\Windows\system32\Fkfcqb32.exe90⤵PID:3732
-
C:\Windows\SysWOW64\Fqbliicp.exeC:\Windows\system32\Fqbliicp.exe91⤵PID:3296
-
C:\Windows\SysWOW64\Fijdjfdb.exeC:\Windows\system32\Fijdjfdb.exe92⤵
- Modifies registry class
PID:1856 -
C:\Windows\SysWOW64\Fgmdec32.exeC:\Windows\system32\Fgmdec32.exe93⤵PID:4352
-
C:\Windows\SysWOW64\Foclgq32.exeC:\Windows\system32\Foclgq32.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3312 -
C:\Windows\SysWOW64\Fnfmbmbi.exeC:\Windows\system32\Fnfmbmbi.exe95⤵PID:4964
-
C:\Windows\SysWOW64\Filapfbo.exeC:\Windows\system32\Filapfbo.exe96⤵
- System Location Discovery: System Language Discovery
PID:2248 -
C:\Windows\SysWOW64\Fkjmlaac.exeC:\Windows\system32\Fkjmlaac.exe97⤵
- System Location Discovery: System Language Discovery
PID:4712 -
C:\Windows\SysWOW64\Fniihmpf.exeC:\Windows\system32\Fniihmpf.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3448 -
C:\Windows\SysWOW64\Fecadghc.exeC:\Windows\system32\Fecadghc.exe99⤵PID:4580
-
C:\Windows\SysWOW64\Fohfbpgi.exeC:\Windows\system32\Fohfbpgi.exe100⤵PID:1380
-
C:\Windows\SysWOW64\Fbgbnkfm.exeC:\Windows\system32\Fbgbnkfm.exe101⤵PID:3136
-
C:\Windows\SysWOW64\Gbiockdj.exeC:\Windows\system32\Gbiockdj.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:552 -
C:\Windows\SysWOW64\Gegkpf32.exeC:\Windows\system32\Gegkpf32.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:4180 -
C:\Windows\SysWOW64\Gkaclqkk.exeC:\Windows\system32\Gkaclqkk.exe104⤵
- System Location Discovery: System Language Discovery
PID:4348 -
C:\Windows\SysWOW64\Gghdaa32.exeC:\Windows\system32\Gghdaa32.exe105⤵PID:3000
-
C:\Windows\SysWOW64\Gihpkd32.exeC:\Windows\system32\Gihpkd32.exe106⤵
- Drops file in System32 directory
PID:4472 -
C:\Windows\SysWOW64\Gacepg32.exeC:\Windows\system32\Gacepg32.exe107⤵PID:5152
-
C:\Windows\SysWOW64\Hpfbcn32.exeC:\Windows\system32\Hpfbcn32.exe108⤵
- Drops file in System32 directory
- Modifies registry class
PID:5196 -
C:\Windows\SysWOW64\Hahokfag.exeC:\Windows\system32\Hahokfag.exe109⤵
- Drops file in System32 directory
PID:5240 -
C:\Windows\SysWOW64\Hioflcbj.exeC:\Windows\system32\Hioflcbj.exe110⤵PID:5284
-
C:\Windows\SysWOW64\Hlmchoan.exeC:\Windows\system32\Hlmchoan.exe111⤵
- Drops file in System32 directory
- Modifies registry class
PID:5328 -
C:\Windows\SysWOW64\Hnlodjpa.exeC:\Windows\system32\Hnlodjpa.exe112⤵PID:5372
-
C:\Windows\SysWOW64\Heegad32.exeC:\Windows\system32\Heegad32.exe113⤵PID:5416
-
C:\Windows\SysWOW64\Hhdcmp32.exeC:\Windows\system32\Hhdcmp32.exe114⤵PID:5460
-
C:\Windows\SysWOW64\Hpkknmgd.exeC:\Windows\system32\Hpkknmgd.exe115⤵PID:5504
-
C:\Windows\SysWOW64\Hbihjifh.exeC:\Windows\system32\Hbihjifh.exe116⤵
- Drops file in System32 directory
- Modifies registry class
PID:5564 -
C:\Windows\SysWOW64\Halhfe32.exeC:\Windows\system32\Halhfe32.exe117⤵PID:5608
-
C:\Windows\SysWOW64\Hicpgc32.exeC:\Windows\system32\Hicpgc32.exe118⤵PID:5668
-
C:\Windows\SysWOW64\Hlblcn32.exeC:\Windows\system32\Hlblcn32.exe119⤵
- System Location Discovery: System Language Discovery
PID:5716 -
C:\Windows\SysWOW64\Hpmhdmea.exeC:\Windows\system32\Hpmhdmea.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5784 -
C:\Windows\SysWOW64\Hbldphde.exeC:\Windows\system32\Hbldphde.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5832
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-