Analysis
-
max time kernel
119s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
23/01/2025, 10:00
Behavioral task
behavioral1
Sample
fafe5efc92e88bb46a04cb4a6cd4c93201ed551e2532ea7a65c8eb41f3de08cfN.exe
Resource
win7-20241010-en
windows7-x64
12 signatures
120 seconds
General
-
Target
fafe5efc92e88bb46a04cb4a6cd4c93201ed551e2532ea7a65c8eb41f3de08cfN.exe
-
Size
93KB
-
MD5
d3d08e4e08aebf37e5546d07d2b3af90
-
SHA1
6a398f09e4452d1d4d9e99c8959d774759590571
-
SHA256
fafe5efc92e88bb46a04cb4a6cd4c93201ed551e2532ea7a65c8eb41f3de08cf
-
SHA512
7d4e970bb35d1d5bb2f12e38d8e8cfe92745cce545e656bdf44665dd03d9ecde0ceb1bb63776ac827ae65011bfc28c391d02a5115d4345ebd720a6fb3a7c7611
-
SSDEEP
1536:PKDEYPDawo1VIeBrA625JcssssPWs21DaYfMZRWuLsV+1D:PzYk1VLh2gYfc0DV+1D
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Neohqicc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lngpac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ehdpcahk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdaephpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lbhphdab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mmmpdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eeiggk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eocieq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jpajdi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okcchbnn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnafdc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Olioeoeo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjgclcjh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oiniaboi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jknicnpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chblqlcj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekhjlioa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdblkoco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjieapck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iglkoaad.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cofaog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dckcnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fbniohpl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flfnhnfm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lhbhdnio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ldndng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ijampgde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jobocn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlbgkgcc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbhphdab.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mekanbol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Edofbpja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pjofjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajmhljip.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhjdjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cncmei32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Laknfmgd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Noepdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gcchgini.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcgaae32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdjpcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lkffohon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ppjjcogn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mddibb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbigao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ilmgef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kcahjqfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qfkgdd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edofbpja.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljcbcngi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mganfp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjcfco32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhqfie32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpqgkpcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjihci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gfjcgc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmgenh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lamkllea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ohkdfhge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Epipql32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Peapmhnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bineidcj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkffohon.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkihpi32.exe -
Berbew family
-
Njrat family
-
Executes dropped EXE 64 IoCs
pid Process 1760 Pegnglnm.exe 2800 Qfikod32.exe 2776 Qcmkhi32.exe 2828 Qfkgdd32.exe 2488 Afndjdpe.exe 1072 Ainmlomf.exe 2632 Afbnec32.exe 1376 Abinjdad.exe 2980 Ahfgbkpl.exe 1964 Admgglep.exe 2372 Beldao32.exe 1004 Bacefpbg.exe 1360 Binikb32.exe 1696 Bmlbaqfh.exe 2148 Bbikig32.exe 2984 Cbkgog32.exe 1584 Cobhdhha.exe 1096 Celpqbon.exe 1772 Clfhml32.exe 2220 Cdamao32.exe 2520 Cofaog32.exe 1048 Cdcjgnbc.exe 544 Cagjqbam.exe 1864 Chabmm32.exe 1480 Dckcnj32.exe 2500 Dcmpcjcf.exe 2880 Djghpd32.exe 2340 Dcpmijqc.exe 2480 Dpcnbn32.exe 1508 Dfpfke32.exe 1856 Dbggpfci.exe 2724 Enngdgim.exe 1168 Ehfhgogp.exe 2380 Ejgeogmn.exe 2956 Egkehllh.exe 2920 Edofbpja.exe 2988 Engjkeab.exe 2004 Fcdbcloi.exe 516 Fmlglb32.exe 2328 Fjqhef32.exe 1156 Fpmpnmck.exe 2468 Ffghjg32.exe 1652 Fbniohpl.exe 660 Flfnhnfm.exe 1972 Fijnabef.exe 1356 Gngfjicn.exe 1492 Ghpkbn32.exe 2916 Gnicoh32.exe 2508 Gecklbih.exe 2284 Gmoppefc.exe 2940 Ghddnnfi.exe 2496 Gieaef32.exe 1588 Gdkebolm.exe 3048 Gihnkejd.exe 2672 Gpafgp32.exe 2696 Hflndjin.exe 2636 Hlhfmqge.exe 2580 Hdkaabnh.exe 2576 Ikgfdlcb.exe 868 Iaaoqf32.exe 2076 Ikicikap.exe 2124 Ilkpac32.exe 2476 Iecdji32.exe 2008 Ilmlfcel.exe -
Loads dropped DLL 64 IoCs
pid Process 2208 fafe5efc92e88bb46a04cb4a6cd4c93201ed551e2532ea7a65c8eb41f3de08cfN.exe 2208 fafe5efc92e88bb46a04cb4a6cd4c93201ed551e2532ea7a65c8eb41f3de08cfN.exe 1760 Pegnglnm.exe 1760 Pegnglnm.exe 2800 Qfikod32.exe 2800 Qfikod32.exe 2776 Qcmkhi32.exe 2776 Qcmkhi32.exe 2828 Qfkgdd32.exe 2828 Qfkgdd32.exe 2488 Afndjdpe.exe 2488 Afndjdpe.exe 1072 Ainmlomf.exe 1072 Ainmlomf.exe 2632 Afbnec32.exe 2632 Afbnec32.exe 1376 Abinjdad.exe 1376 Abinjdad.exe 2980 Ahfgbkpl.exe 2980 Ahfgbkpl.exe 1964 Admgglep.exe 1964 Admgglep.exe 2372 Beldao32.exe 2372 Beldao32.exe 1004 Bacefpbg.exe 1004 Bacefpbg.exe 1360 Binikb32.exe 1360 Binikb32.exe 1696 Bmlbaqfh.exe 1696 Bmlbaqfh.exe 2148 Bbikig32.exe 2148 Bbikig32.exe 2984 Cbkgog32.exe 2984 Cbkgog32.exe 1584 Cobhdhha.exe 1584 Cobhdhha.exe 1096 Celpqbon.exe 1096 Celpqbon.exe 1772 Clfhml32.exe 1772 Clfhml32.exe 2220 Cdamao32.exe 2220 Cdamao32.exe 2520 Cofaog32.exe 2520 Cofaog32.exe 1048 Cdcjgnbc.exe 1048 Cdcjgnbc.exe 544 Cagjqbam.exe 544 Cagjqbam.exe 1864 Chabmm32.exe 1864 Chabmm32.exe 1480 Dckcnj32.exe 1480 Dckcnj32.exe 2500 Dcmpcjcf.exe 2500 Dcmpcjcf.exe 2880 Djghpd32.exe 2880 Djghpd32.exe 2340 Dcpmijqc.exe 2340 Dcpmijqc.exe 2480 Dpcnbn32.exe 2480 Dpcnbn32.exe 1508 Dfpfke32.exe 1508 Dfpfke32.exe 1856 Dbggpfci.exe 1856 Dbggpfci.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Ghddnnfi.exe Gmoppefc.exe File created C:\Windows\SysWOW64\Mmooam32.dll Mchokq32.exe File opened for modification C:\Windows\SysWOW64\Ekmjanpd.exe Dmiihjak.exe File created C:\Windows\SysWOW64\Lpcbkpnn.dll Fjqhef32.exe File created C:\Windows\SysWOW64\Bgbjkg32.dll Mhfoleio.exe File opened for modification C:\Windows\SysWOW64\Ihilqi32.exe Imchcplm.exe File created C:\Windows\SysWOW64\Ccolja32.exe Cnacbj32.exe File opened for modification C:\Windows\SysWOW64\Kphpdhdh.exe Jinghn32.exe File opened for modification C:\Windows\SysWOW64\Pjpicfdb.exe Pojdem32.exe File opened for modification C:\Windows\SysWOW64\Bbikig32.exe Bmlbaqfh.exe File created C:\Windows\SysWOW64\Kodghqop.exe Kjhopjqi.exe File created C:\Windows\SysWOW64\Ohbjgg32.exe Oahbjmjp.exe File created C:\Windows\SysWOW64\Bdggbp32.dll Iplnpq32.exe File opened for modification C:\Windows\SysWOW64\Kjfdcc32.exe Kpmpjm32.exe File created C:\Windows\SysWOW64\Ldfmlkmf.dll Didgig32.exe File created C:\Windows\SysWOW64\Kejahn32.exe Kegebn32.exe File created C:\Windows\SysWOW64\Peaibajp.exe Pogaeg32.exe File opened for modification C:\Windows\SysWOW64\Ifceemdj.exe Imkqmh32.exe File created C:\Windows\SysWOW64\Pdfdbg32.dll Gngfjicn.exe File opened for modification C:\Windows\SysWOW64\Nilndfgl.exe Npcika32.exe File created C:\Windows\SysWOW64\Opgcne32.dll Okfmbm32.exe File created C:\Windows\SysWOW64\Ophoecoa.exe Ocdnloph.exe File opened for modification C:\Windows\SysWOW64\Dlqgob32.exe Cipnng32.exe File opened for modification C:\Windows\SysWOW64\Lnambeed.exe Ldihjo32.exe File opened for modification C:\Windows\SysWOW64\Ombhgljn.exe Ncjcnfcn.exe File opened for modification C:\Windows\SysWOW64\Qnalcqpm.exe Qmpplh32.exe File created C:\Windows\SysWOW64\Dmmgak32.dll Qnalcqpm.exe File created C:\Windows\SysWOW64\Lnjflmmn.dll Dndndbnl.exe File created C:\Windows\SysWOW64\Ecgckc32.dll Iboghh32.exe File opened for modification C:\Windows\SysWOW64\Jkabmi32.exe Iplnpq32.exe File created C:\Windows\SysWOW64\Gabmfl32.dll Dpcnbn32.exe File opened for modification C:\Windows\SysWOW64\Memncbmj.exe Mpqekkob.exe File opened for modification C:\Windows\SysWOW64\Acemeo32.exe Ajmhljip.exe File opened for modification C:\Windows\SysWOW64\Jpajdi32.exe Jfiekc32.exe File created C:\Windows\SysWOW64\Kgmkef32.exe Kpcbhlki.exe File opened for modification C:\Windows\SysWOW64\Oaciom32.exe Ohkdfhge.exe File opened for modification C:\Windows\SysWOW64\Agloko32.exe Afkccffq.exe File opened for modification C:\Windows\SysWOW64\Jobocn32.exe Jdmjfe32.exe File created C:\Windows\SysWOW64\Lmgggn32.dll Polakmbi.exe File opened for modification C:\Windows\SysWOW64\Mekanbol.exe Mnaiah32.exe File created C:\Windows\SysWOW64\Mnpkkdjl.dll Bjlnaghp.exe File created C:\Windows\SysWOW64\Imkqmh32.exe Ifahpnfl.exe File opened for modification C:\Windows\SysWOW64\Cagjqbam.exe Cdcjgnbc.exe File created C:\Windows\SysWOW64\Jopbnn32.exe Jhfjadim.exe File created C:\Windows\SysWOW64\Fdblkoco.exe Ekjgbi32.exe File created C:\Windows\SysWOW64\Hdqhambg.exe Habkeacd.exe File created C:\Windows\SysWOW64\Injchoib.dll Kkaolm32.exe File created C:\Windows\SysWOW64\Bljbfq32.dll Hibidc32.exe File created C:\Windows\SysWOW64\Polakmbi.exe Pjpicfdb.exe File opened for modification C:\Windows\SysWOW64\Ljndga32.exe Kdakoj32.exe File created C:\Windows\SysWOW64\Acplpjpj.exe Ancdgcab.exe File created C:\Windows\SysWOW64\Lbbpgc32.dll Nfpnnk32.exe File opened for modification C:\Windows\SysWOW64\Dpofpg32.exe Ckkhga32.exe File created C:\Windows\SysWOW64\Hajkip32.exe Hlnbqijd.exe File opened for modification C:\Windows\SysWOW64\Cfaaalep.exe Cmimif32.exe File created C:\Windows\SysWOW64\Depfiffk.dll Kqokgd32.exe File opened for modification C:\Windows\SysWOW64\Qlpadaac.exe Polakmbi.exe File created C:\Windows\SysWOW64\Nmiinh32.dll Fadagl32.exe File opened for modification C:\Windows\SysWOW64\Jiaaaicm.exe Ifceemdj.exe File created C:\Windows\SysWOW64\Bogiic32.dll Jblbpnhk.exe File opened for modification C:\Windows\SysWOW64\Noepdo32.exe Memlki32.exe File opened for modification C:\Windows\SysWOW64\Dibhjokm.exe Dchpnd32.exe File opened for modification C:\Windows\SysWOW64\Bclcfnih.exe Bigohejb.exe File created C:\Windows\SysWOW64\Hjincg32.dll Jjhgdqef.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 2644 2700 WerFault.exe 640 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahfgbkpl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gppkkikh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldihjo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlqgob32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fokofpif.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbqajk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbinad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bqffna32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdcjgnbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghpkbn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbakpi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kggfnoch.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmimif32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpjgdf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpgqlc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okcchbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfpnnk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocihgo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njipabhe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehdpcahk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iigcobid.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qfljmmjl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpajdi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cipnng32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bokcom32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbqekhmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jblbpnhk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qekdpkgj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkcebg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihqilnig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afbpnlcd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bcpiombe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abinjdad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmdpejgf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qfifmghc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifahpnfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kldchgag.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmlglb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dchpnd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmobin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlkekilg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjodhe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmffhd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehlmnfeo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fadagl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lamjph32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nickoldp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bedcembk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aokdga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdpidm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpmpjm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Higiih32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iokdaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ficilgai.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opmhqc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkjkcfjc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iekbmfdc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ombhgljn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afndjdpe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckkhga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnmjgkpo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnjhaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgjkmijh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbkaneao.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qjeihl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kgjelg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qkpnph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgpobfea.dll" Lghgocek.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mmmpdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ogjhnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fmdpejgf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cagjqbam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oeaael32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hajkip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Endbib32.dll" Cagjqbam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Phmfpddb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiqdooej.dll" Jdpidm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ambcga32.dll" Elqcnfdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ledcahkp.dll" Lllpclnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jhlgnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kjhopjqi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgmoqm32.dll" Hmkiobge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qcmkhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnickdla.dll" Moqgiopk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mjkmfn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Edofbpja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fnafdc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qfljmmjl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gqhadmhc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gqendf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgpbhg32.dll" Hklhca32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ajmhljip.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cmimif32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dbqajk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Njobpa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mhikae32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Abbjbnoq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Goekpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npdlphmj.dll" Higiih32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cofaog32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ilmlfcel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmdiik32.dll" Mffdmfjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfmden32.dll" Egkehllh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qmcelb32.dll" Iecdji32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lnlaomae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liiohhdc.dll" Ipijpkei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Leaallcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mbopon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qnalcqpm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gcchgini.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dpofpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Afffgjma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpkfchgk.dll" Biikne32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ibdclp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lhpkoo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pejcab32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nilndfgl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Okfmbm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Didgig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qenpjecb.dll" Oclpdf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hflndjin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fqkbkicd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lmfjcajl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Peolmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mhfoleio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgfnqkbe.dll" Ekipgb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Elqcnfdp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Higiih32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2208 wrote to memory of 1760 2208 fafe5efc92e88bb46a04cb4a6cd4c93201ed551e2532ea7a65c8eb41f3de08cfN.exe 30 PID 2208 wrote to memory of 1760 2208 fafe5efc92e88bb46a04cb4a6cd4c93201ed551e2532ea7a65c8eb41f3de08cfN.exe 30 PID 2208 wrote to memory of 1760 2208 fafe5efc92e88bb46a04cb4a6cd4c93201ed551e2532ea7a65c8eb41f3de08cfN.exe 30 PID 2208 wrote to memory of 1760 2208 fafe5efc92e88bb46a04cb4a6cd4c93201ed551e2532ea7a65c8eb41f3de08cfN.exe 30 PID 1760 wrote to memory of 2800 1760 Pegnglnm.exe 31 PID 1760 wrote to memory of 2800 1760 Pegnglnm.exe 31 PID 1760 wrote to memory of 2800 1760 Pegnglnm.exe 31 PID 1760 wrote to memory of 2800 1760 Pegnglnm.exe 31 PID 2800 wrote to memory of 2776 2800 Qfikod32.exe 32 PID 2800 wrote to memory of 2776 2800 Qfikod32.exe 32 PID 2800 wrote to memory of 2776 2800 Qfikod32.exe 32 PID 2800 wrote to memory of 2776 2800 Qfikod32.exe 32 PID 2776 wrote to memory of 2828 2776 Qcmkhi32.exe 33 PID 2776 wrote to memory of 2828 2776 Qcmkhi32.exe 33 PID 2776 wrote to memory of 2828 2776 Qcmkhi32.exe 33 PID 2776 wrote to memory of 2828 2776 Qcmkhi32.exe 33 PID 2828 wrote to memory of 2488 2828 Qfkgdd32.exe 34 PID 2828 wrote to memory of 2488 2828 Qfkgdd32.exe 34 PID 2828 wrote to memory of 2488 2828 Qfkgdd32.exe 34 PID 2828 wrote to memory of 2488 2828 Qfkgdd32.exe 34 PID 2488 wrote to memory of 1072 2488 Afndjdpe.exe 35 PID 2488 wrote to memory of 1072 2488 Afndjdpe.exe 35 PID 2488 wrote to memory of 1072 2488 Afndjdpe.exe 35 PID 2488 wrote to memory of 1072 2488 Afndjdpe.exe 35 PID 1072 wrote to memory of 2632 1072 Ainmlomf.exe 36 PID 1072 wrote to memory of 2632 1072 Ainmlomf.exe 36 PID 1072 wrote to memory of 2632 1072 Ainmlomf.exe 36 PID 1072 wrote to memory of 2632 1072 Ainmlomf.exe 36 PID 2632 wrote to memory of 1376 2632 Afbnec32.exe 37 PID 2632 wrote to memory of 1376 2632 Afbnec32.exe 37 PID 2632 wrote to memory of 1376 2632 Afbnec32.exe 37 PID 2632 wrote to memory of 1376 2632 Afbnec32.exe 37 PID 1376 wrote to memory of 2980 1376 Abinjdad.exe 38 PID 1376 wrote to memory of 2980 1376 Abinjdad.exe 38 PID 1376 wrote to memory of 2980 1376 Abinjdad.exe 38 PID 1376 wrote to memory of 2980 1376 Abinjdad.exe 38 PID 2980 wrote to memory of 1964 2980 Ahfgbkpl.exe 39 PID 2980 wrote to memory of 1964 2980 Ahfgbkpl.exe 39 PID 2980 wrote to memory of 1964 2980 Ahfgbkpl.exe 39 PID 2980 wrote to memory of 1964 2980 Ahfgbkpl.exe 39 PID 1964 wrote to memory of 2372 1964 Admgglep.exe 40 PID 1964 wrote to memory of 2372 1964 Admgglep.exe 40 PID 1964 wrote to memory of 2372 1964 Admgglep.exe 40 PID 1964 wrote to memory of 2372 1964 Admgglep.exe 40 PID 2372 wrote to memory of 1004 2372 Beldao32.exe 41 PID 2372 wrote to memory of 1004 2372 Beldao32.exe 41 PID 2372 wrote to memory of 1004 2372 Beldao32.exe 41 PID 2372 wrote to memory of 1004 2372 Beldao32.exe 41 PID 1004 wrote to memory of 1360 1004 Bacefpbg.exe 42 PID 1004 wrote to memory of 1360 1004 Bacefpbg.exe 42 PID 1004 wrote to memory of 1360 1004 Bacefpbg.exe 42 PID 1004 wrote to memory of 1360 1004 Bacefpbg.exe 42 PID 1360 wrote to memory of 1696 1360 Binikb32.exe 43 PID 1360 wrote to memory of 1696 1360 Binikb32.exe 43 PID 1360 wrote to memory of 1696 1360 Binikb32.exe 43 PID 1360 wrote to memory of 1696 1360 Binikb32.exe 43 PID 1696 wrote to memory of 2148 1696 Bmlbaqfh.exe 44 PID 1696 wrote to memory of 2148 1696 Bmlbaqfh.exe 44 PID 1696 wrote to memory of 2148 1696 Bmlbaqfh.exe 44 PID 1696 wrote to memory of 2148 1696 Bmlbaqfh.exe 44 PID 2148 wrote to memory of 2984 2148 Bbikig32.exe 45 PID 2148 wrote to memory of 2984 2148 Bbikig32.exe 45 PID 2148 wrote to memory of 2984 2148 Bbikig32.exe 45 PID 2148 wrote to memory of 2984 2148 Bbikig32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\fafe5efc92e88bb46a04cb4a6cd4c93201ed551e2532ea7a65c8eb41f3de08cfN.exe"C:\Users\Admin\AppData\Local\Temp\fafe5efc92e88bb46a04cb4a6cd4c93201ed551e2532ea7a65c8eb41f3de08cfN.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2208 -
C:\Windows\SysWOW64\Pegnglnm.exeC:\Windows\system32\Pegnglnm.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1760 -
C:\Windows\SysWOW64\Qfikod32.exeC:\Windows\system32\Qfikod32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2800 -
C:\Windows\SysWOW64\Qcmkhi32.exeC:\Windows\system32\Qcmkhi32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2776 -
C:\Windows\SysWOW64\Qfkgdd32.exeC:\Windows\system32\Qfkgdd32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2828 -
C:\Windows\SysWOW64\Afndjdpe.exeC:\Windows\system32\Afndjdpe.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2488 -
C:\Windows\SysWOW64\Ainmlomf.exeC:\Windows\system32\Ainmlomf.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1072 -
C:\Windows\SysWOW64\Afbnec32.exeC:\Windows\system32\Afbnec32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2632 -
C:\Windows\SysWOW64\Abinjdad.exeC:\Windows\system32\Abinjdad.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1376 -
C:\Windows\SysWOW64\Ahfgbkpl.exeC:\Windows\system32\Ahfgbkpl.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2980 -
C:\Windows\SysWOW64\Admgglep.exeC:\Windows\system32\Admgglep.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1964 -
C:\Windows\SysWOW64\Beldao32.exeC:\Windows\system32\Beldao32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2372 -
C:\Windows\SysWOW64\Bacefpbg.exeC:\Windows\system32\Bacefpbg.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1004 -
C:\Windows\SysWOW64\Binikb32.exeC:\Windows\system32\Binikb32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1360 -
C:\Windows\SysWOW64\Bmlbaqfh.exeC:\Windows\system32\Bmlbaqfh.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1696 -
C:\Windows\SysWOW64\Bbikig32.exeC:\Windows\system32\Bbikig32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2148 -
C:\Windows\SysWOW64\Cbkgog32.exeC:\Windows\system32\Cbkgog32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2984 -
C:\Windows\SysWOW64\Cobhdhha.exeC:\Windows\system32\Cobhdhha.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1584 -
C:\Windows\SysWOW64\Celpqbon.exeC:\Windows\system32\Celpqbon.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1096 -
C:\Windows\SysWOW64\Clfhml32.exeC:\Windows\system32\Clfhml32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1772 -
C:\Windows\SysWOW64\Cdamao32.exeC:\Windows\system32\Cdamao32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2220 -
C:\Windows\SysWOW64\Cofaog32.exeC:\Windows\system32\Cofaog32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2520 -
C:\Windows\SysWOW64\Cdcjgnbc.exeC:\Windows\system32\Cdcjgnbc.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1048 -
C:\Windows\SysWOW64\Cagjqbam.exeC:\Windows\system32\Cagjqbam.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:544 -
C:\Windows\SysWOW64\Chabmm32.exeC:\Windows\system32\Chabmm32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1864 -
C:\Windows\SysWOW64\Dckcnj32.exeC:\Windows\system32\Dckcnj32.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1480 -
C:\Windows\SysWOW64\Dcmpcjcf.exeC:\Windows\system32\Dcmpcjcf.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2500 -
C:\Windows\SysWOW64\Djghpd32.exeC:\Windows\system32\Djghpd32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2880 -
C:\Windows\SysWOW64\Dcpmijqc.exeC:\Windows\system32\Dcpmijqc.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2340 -
C:\Windows\SysWOW64\Dpcnbn32.exeC:\Windows\system32\Dpcnbn32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2480 -
C:\Windows\SysWOW64\Dfpfke32.exeC:\Windows\system32\Dfpfke32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1508 -
C:\Windows\SysWOW64\Dbggpfci.exeC:\Windows\system32\Dbggpfci.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1856 -
C:\Windows\SysWOW64\Enngdgim.exeC:\Windows\system32\Enngdgim.exe33⤵
- Executes dropped EXE
PID:2724 -
C:\Windows\SysWOW64\Ehfhgogp.exeC:\Windows\system32\Ehfhgogp.exe34⤵
- Executes dropped EXE
PID:1168 -
C:\Windows\SysWOW64\Ejgeogmn.exeC:\Windows\system32\Ejgeogmn.exe35⤵
- Executes dropped EXE
PID:2380 -
C:\Windows\SysWOW64\Egkehllh.exeC:\Windows\system32\Egkehllh.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:2956 -
C:\Windows\SysWOW64\Edofbpja.exeC:\Windows\system32\Edofbpja.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2920 -
C:\Windows\SysWOW64\Engjkeab.exeC:\Windows\system32\Engjkeab.exe38⤵
- Executes dropped EXE
PID:2988 -
C:\Windows\SysWOW64\Fcdbcloi.exeC:\Windows\system32\Fcdbcloi.exe39⤵
- Executes dropped EXE
PID:2004 -
C:\Windows\SysWOW64\Fmlglb32.exeC:\Windows\system32\Fmlglb32.exe40⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:516 -
C:\Windows\SysWOW64\Fjqhef32.exeC:\Windows\system32\Fjqhef32.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2328 -
C:\Windows\SysWOW64\Fpmpnmck.exeC:\Windows\system32\Fpmpnmck.exe42⤵
- Executes dropped EXE
PID:1156 -
C:\Windows\SysWOW64\Ffghjg32.exeC:\Windows\system32\Ffghjg32.exe43⤵
- Executes dropped EXE
PID:2468 -
C:\Windows\SysWOW64\Fbniohpl.exeC:\Windows\system32\Fbniohpl.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1652 -
C:\Windows\SysWOW64\Flfnhnfm.exeC:\Windows\system32\Flfnhnfm.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:660 -
C:\Windows\SysWOW64\Fijnabef.exeC:\Windows\system32\Fijnabef.exe46⤵
- Executes dropped EXE
PID:1972 -
C:\Windows\SysWOW64\Gngfjicn.exeC:\Windows\system32\Gngfjicn.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1356 -
C:\Windows\SysWOW64\Ghpkbn32.exeC:\Windows\system32\Ghpkbn32.exe48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1492 -
C:\Windows\SysWOW64\Gnicoh32.exeC:\Windows\system32\Gnicoh32.exe49⤵
- Executes dropped EXE
PID:2916 -
C:\Windows\SysWOW64\Gecklbih.exeC:\Windows\system32\Gecklbih.exe50⤵
- Executes dropped EXE
PID:2508 -
C:\Windows\SysWOW64\Gmoppefc.exeC:\Windows\system32\Gmoppefc.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2284 -
C:\Windows\SysWOW64\Ghddnnfi.exeC:\Windows\system32\Ghddnnfi.exe52⤵
- Executes dropped EXE
PID:2940 -
C:\Windows\SysWOW64\Gieaef32.exeC:\Windows\system32\Gieaef32.exe53⤵
- Executes dropped EXE
PID:2496 -
C:\Windows\SysWOW64\Gdkebolm.exeC:\Windows\system32\Gdkebolm.exe54⤵
- Executes dropped EXE
PID:1588 -
C:\Windows\SysWOW64\Gihnkejd.exeC:\Windows\system32\Gihnkejd.exe55⤵
- Executes dropped EXE
PID:3048 -
C:\Windows\SysWOW64\Gpafgp32.exeC:\Windows\system32\Gpafgp32.exe56⤵
- Executes dropped EXE
PID:2672 -
C:\Windows\SysWOW64\Hflndjin.exeC:\Windows\system32\Hflndjin.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:2696 -
C:\Windows\SysWOW64\Hlhfmqge.exeC:\Windows\system32\Hlhfmqge.exe58⤵
- Executes dropped EXE
PID:2636 -
C:\Windows\SysWOW64\Hdkaabnh.exeC:\Windows\system32\Hdkaabnh.exe59⤵
- Executes dropped EXE
PID:2580 -
C:\Windows\SysWOW64\Ikgfdlcb.exeC:\Windows\system32\Ikgfdlcb.exe60⤵
- Executes dropped EXE
PID:2576 -
C:\Windows\SysWOW64\Iaaoqf32.exeC:\Windows\system32\Iaaoqf32.exe61⤵
- Executes dropped EXE
PID:868 -
C:\Windows\SysWOW64\Ikicikap.exeC:\Windows\system32\Ikicikap.exe62⤵
- Executes dropped EXE
PID:2076 -
C:\Windows\SysWOW64\Ilkpac32.exeC:\Windows\system32\Ilkpac32.exe63⤵
- Executes dropped EXE
PID:2124 -
C:\Windows\SysWOW64\Iecdji32.exeC:\Windows\system32\Iecdji32.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:2476 -
C:\Windows\SysWOW64\Ilmlfcel.exeC:\Windows\system32\Ilmlfcel.exe65⤵
- Executes dropped EXE
- Modifies registry class
PID:2008 -
C:\Windows\SysWOW64\Ijampgde.exeC:\Windows\system32\Ijampgde.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2604 -
C:\Windows\SysWOW64\Ipkema32.exeC:\Windows\system32\Ipkema32.exe67⤵PID:716
-
C:\Windows\SysWOW64\Jhfjadim.exeC:\Windows\system32\Jhfjadim.exe68⤵
- Drops file in System32 directory
PID:1164 -
C:\Windows\SysWOW64\Jopbnn32.exeC:\Windows\system32\Jopbnn32.exe69⤵PID:1716
-
C:\Windows\SysWOW64\Jdmjfe32.exeC:\Windows\system32\Jdmjfe32.exe70⤵
- Drops file in System32 directory
PID:1468 -
C:\Windows\SysWOW64\Jobocn32.exeC:\Windows\system32\Jobocn32.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:860 -
C:\Windows\SysWOW64\Jbakpi32.exeC:\Windows\system32\Jbakpi32.exe72⤵
- System Location Discovery: System Language Discovery
PID:2756 -
C:\Windows\SysWOW64\Jgnchplb.exeC:\Windows\system32\Jgnchplb.exe73⤵PID:2872
-
C:\Windows\SysWOW64\Jbcgeilh.exeC:\Windows\system32\Jbcgeilh.exe74⤵PID:2868
-
C:\Windows\SysWOW64\Jgppmpjp.exeC:\Windows\system32\Jgppmpjp.exe75⤵PID:2788
-
C:\Windows\SysWOW64\Jqhdfe32.exeC:\Windows\system32\Jqhdfe32.exe76⤵PID:1032
-
C:\Windows\SysWOW64\Jknicnpf.exeC:\Windows\system32\Jknicnpf.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2820 -
C:\Windows\SysWOW64\Kdfmlc32.exeC:\Windows\system32\Kdfmlc32.exe78⤵PID:2228
-
C:\Windows\SysWOW64\Kfgjdlme.exeC:\Windows\system32\Kfgjdlme.exe79⤵PID:1148
-
C:\Windows\SysWOW64\Kopnma32.exeC:\Windows\system32\Kopnma32.exe80⤵PID:1912
-
C:\Windows\SysWOW64\Kggfnoch.exeC:\Windows\system32\Kggfnoch.exe81⤵
- System Location Discovery: System Language Discovery
PID:2832 -
C:\Windows\SysWOW64\Kqokgd32.exeC:\Windows\system32\Kqokgd32.exe82⤵
- Drops file in System32 directory
PID:2168 -
C:\Windows\SysWOW64\Kjhopjqi.exeC:\Windows\system32\Kjhopjqi.exe83⤵
- Drops file in System32 directory
- Modifies registry class
PID:1608 -
C:\Windows\SysWOW64\Kodghqop.exeC:\Windows\system32\Kodghqop.exe84⤵PID:784
-
C:\Windows\SysWOW64\Kfopdk32.exeC:\Windows\system32\Kfopdk32.exe85⤵PID:1128
-
C:\Windows\SysWOW64\Kpgdnp32.exeC:\Windows\system32\Kpgdnp32.exe86⤵PID:1692
-
C:\Windows\SysWOW64\Kbeqjl32.exeC:\Windows\system32\Kbeqjl32.exe87⤵PID:508
-
C:\Windows\SysWOW64\Lnlaomae.exeC:\Windows\system32\Lnlaomae.exe88⤵
- Modifies registry class
PID:1724 -
C:\Windows\SysWOW64\Lefikg32.exeC:\Windows\system32\Lefikg32.exe89⤵PID:2028
-
C:\Windows\SysWOW64\Ljcbcngi.exeC:\Windows\system32\Ljcbcngi.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2760 -
C:\Windows\SysWOW64\Lamjph32.exeC:\Windows\system32\Lamjph32.exe91⤵
- System Location Discovery: System Language Discovery
PID:2812 -
C:\Windows\SysWOW64\Lnqkjl32.exeC:\Windows\system32\Lnqkjl32.exe92⤵PID:2764
-
C:\Windows\SysWOW64\Lcncbc32.exeC:\Windows\system32\Lcncbc32.exe93⤵PID:2712
-
C:\Windows\SysWOW64\Lncgollm.exeC:\Windows\system32\Lncgollm.exe94⤵PID:2360
-
C:\Windows\SysWOW64\Lpddgd32.exeC:\Windows\system32\Lpddgd32.exe95⤵PID:3028
-
C:\Windows\SysWOW64\Lmhdph32.exeC:\Windows\system32\Lmhdph32.exe96⤵PID:2428
-
C:\Windows\SysWOW64\Lpgqlc32.exeC:\Windows\system32\Lpgqlc32.exe97⤵
- System Location Discovery: System Language Discovery
PID:2064 -
C:\Windows\SysWOW64\Mioeeifi.exeC:\Windows\system32\Mioeeifi.exe98⤵PID:1124
-
C:\Windows\SysWOW64\Mddibb32.exeC:\Windows\system32\Mddibb32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:840 -
C:\Windows\SysWOW64\Miaaki32.exeC:\Windows\system32\Miaaki32.exe100⤵PID:1452
-
C:\Windows\SysWOW64\Mpkjgckc.exeC:\Windows\system32\Mpkjgckc.exe101⤵PID:2304
-
C:\Windows\SysWOW64\Mfebdm32.exeC:\Windows\system32\Mfebdm32.exe102⤵PID:1312
-
C:\Windows\SysWOW64\Mhfoleio.exeC:\Windows\system32\Mhfoleio.exe103⤵
- Drops file in System32 directory
- Modifies registry class
PID:2292 -
C:\Windows\SysWOW64\Moqgiopk.exeC:\Windows\system32\Moqgiopk.exe104⤵
- Modifies registry class
PID:2132 -
C:\Windows\SysWOW64\Mhikae32.exeC:\Windows\system32\Mhikae32.exe105⤵
- Modifies registry class
PID:2852 -
C:\Windows\SysWOW64\Mbopon32.exeC:\Windows\system32\Mbopon32.exe106⤵
- Modifies registry class
PID:2676 -
C:\Windows\SysWOW64\Memlki32.exeC:\Windows\system32\Memlki32.exe107⤵
- Drops file in System32 directory
PID:108 -
C:\Windows\SysWOW64\Noepdo32.exeC:\Windows\system32\Noepdo32.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2056 -
C:\Windows\SysWOW64\Neohqicc.exeC:\Windows\system32\Neohqicc.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2016 -
C:\Windows\SysWOW64\Ngqeha32.exeC:\Windows\system32\Ngqeha32.exe110⤵PID:1488
-
C:\Windows\SysWOW64\Npiiafpa.exeC:\Windows\system32\Npiiafpa.exe111⤵PID:936
-
C:\Windows\SysWOW64\Nianjl32.exeC:\Windows\system32\Nianjl32.exe112⤵PID:924
-
C:\Windows\SysWOW64\Npkfff32.exeC:\Windows\system32\Npkfff32.exe113⤵PID:1916
-
C:\Windows\SysWOW64\Nickoldp.exeC:\Windows\system32\Nickoldp.exe114⤵
- System Location Discovery: System Language Discovery
PID:2264 -
C:\Windows\SysWOW64\Nlbgkgcc.exeC:\Windows\system32\Nlbgkgcc.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2308 -
C:\Windows\SysWOW64\Nggkipci.exeC:\Windows\system32\Nggkipci.exe116⤵PID:2792
-
C:\Windows\SysWOW64\Nmacej32.exeC:\Windows\system32\Nmacej32.exe117⤵PID:2900
-
C:\Windows\SysWOW64\Ogjhnp32.exeC:\Windows\system32\Ogjhnp32.exe118⤵
- Modifies registry class
PID:2708 -
C:\Windows\SysWOW64\Ohkdfhge.exeC:\Windows\system32\Ohkdfhge.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2560 -
C:\Windows\SysWOW64\Oaciom32.exeC:\Windows\system32\Oaciom32.exe120⤵PID:2460
-
C:\Windows\SysWOW64\Oklmhcdf.exeC:\Windows\system32\Oklmhcdf.exe121⤵PID:2144
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-