Analysis
-
max time kernel
93s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20250217-en -
resource tags
arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system -
submitted
24/02/2025, 13:34
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
8acca9eff58134be9992dbadda8f85a72af52e83d01844b494472812d6ed6b0e.exe
Resource
win7-20240903-en
windows7-x64
15 signatures
120 seconds
Behavioral task
behavioral2
Sample
8acca9eff58134be9992dbadda8f85a72af52e83d01844b494472812d6ed6b0e.exe
Resource
win10v2004-20250217-en
windows10-2004-x64
9 signatures
120 seconds
General
-
Target
8acca9eff58134be9992dbadda8f85a72af52e83d01844b494472812d6ed6b0e.exe
-
Size
163KB
-
MD5
35065817dd729d63aed7cfec81650013
-
SHA1
c1ac42652b004a34f31a68b42a7b60168588ce0e
-
SHA256
8acca9eff58134be9992dbadda8f85a72af52e83d01844b494472812d6ed6b0e
-
SHA512
e3e7d8d316f9b3bea2dac0b5e7e6dc5c7de01a3b1a828d5eb60dac296a8d4fd398e0da93beee125dccfe2cb11b6aac877acf8cfe04eb31644c5cd2de5a730420
-
SSDEEP
3072:nluAsjxtK8dNYBIuT6dJBOltOrWKDBr+yJbw:lu5jxtK8dNYBKBOLOfw
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://master-x.com/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://crutop.ru/index.php
http://kaspersky.ru/index.php
http://color-bank.ru/index.php
http://adult-empire.com/index.php
http://virus-list.com/index.php
http://trojan.ru/index.php
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://fethard.biz/index.htm
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://kaspersky.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bacjdbch.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jikoopij.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kplmliko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bogkmgba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cglbhhga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pfccogfc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khdoqefq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bgbpaipl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dpkmal32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpfbcn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kolabf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kocgbend.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbaclegm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cmedjl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnpjlajn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kbhmbdle.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdpcal32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jemfhacc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mjggal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oiagde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qamago32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dnngpj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dncpkjoc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jldkeeig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kapfiqoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bpqjjjjl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmgqpkip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjolie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ipbaol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jbccge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qjffpe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpegkj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjocbhbo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgeihiac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kbnlim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dqpfmlce.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enfckp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebkbbmqj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kapfiqoj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Paihlpfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aibibp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnqcfjae.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfiddm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amjbbfgo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkjmlaac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbpedjnb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jblmgf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpbjfjci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bfkbfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdmoafdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fkjmlaac.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klbnajqc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgpeha32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enemaimp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcbnpnme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hnpaec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ilhkigcd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpgmhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Llcghg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ibnjkbog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ieeimlep.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmhocd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bacjdbch.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilphdlqh.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 1192 Pmnbfhal.exe 3128 Pplobcpp.exe 2824 Palklf32.exe 4516 Pfiddm32.exe 2884 Panhbfep.exe 688 Qhhpop32.exe 2144 Qaqegecm.exe 4844 Qhjmdp32.exe 2712 Qjiipk32.exe 1924 Afpjel32.exe 4780 Amjbbfgo.exe 1736 Amcehdod.exe 4560 Bhhiemoj.exe 1080 Bobabg32.exe 1152 Bdojjo32.exe 4064 Bmhocd32.exe 2792 Bacjdbch.exe 4812 Bogkmgba.exe 3268 Bgbpaipl.exe 3932 Bhblllfo.exe 5024 Cggimh32.exe 1444 Cponen32.exe 640 Ckebcg32.exe 2328 Cglbhhga.exe 1596 Cdpcal32.exe 4752 Cacckp32.exe 3036 Cogddd32.exe 2344 Dhphmj32.exe 4328 Dpkmal32.exe 3624 Dgeenfog.exe 1496 Dggbcf32.exe 2948 Dqpfmlce.exe 5092 Doagjc32.exe 1140 Dbocfo32.exe 3328 Enfckp32.exe 3248 Eqdpgk32.exe 1952 Enhpao32.exe 4584 Ehndnh32.exe 1576 Enkmfolf.exe 4712 Edeeci32.exe 2516 Enmjlojd.exe 3012 Ehbnigjj.exe 1392 Ebkbbmqj.exe 4252 Edionhpn.exe 4200 Fnbcgn32.exe 1856 Fdlkdhnk.exe 2348 Fgjhpcmo.exe 3428 Fdnhih32.exe 216 Foclgq32.exe 2944 Feqeog32.exe 4244 Fkjmlaac.exe 4080 Fbdehlip.exe 2064 Fecadghc.exe 2808 Fbgbnkfm.exe 2964 Gnnccl32.exe 3504 Gbiockdj.exe 720 Gpmomo32.exe 3320 Gbkkik32.exe 2976 Gkdpbpih.exe 3804 Gnblnlhl.exe 4460 Geldkfpi.exe 5016 Gbpedjnb.exe 4044 Geoapenf.exe 1468 Gbbajjlp.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Ehndnh32.exe Enhpao32.exe File created C:\Windows\SysWOW64\Fbdehlip.exe Fkjmlaac.exe File created C:\Windows\SysWOW64\Jojdlfeo.exe Jhplpl32.exe File created C:\Windows\SysWOW64\Fcpakn32.exe Fjhmbihg.exe File opened for modification C:\Windows\SysWOW64\Fnjocf32.exe Fjocbhbo.exe File created C:\Windows\SysWOW64\Nbnlaldg.exe Noppeaed.exe File created C:\Windows\SysWOW64\Coppbe32.dll Hnibokbd.exe File created C:\Windows\SysWOW64\Aabkbono.exe Qikbaaml.exe File created C:\Windows\SysWOW64\Ejccgi32.exe Egegjn32.exe File created C:\Windows\SysWOW64\Fkgillpj.exe Fcpakn32.exe File created C:\Windows\SysWOW64\Kbqceofn.dll Bhhiemoj.exe File created C:\Windows\SysWOW64\Hpfohk32.dll Nimmifgo.exe File created C:\Windows\SysWOW64\Ndmojj32.dll Enemaimp.exe File opened for modification C:\Windows\SysWOW64\Fcbnpnme.exe Fbaahf32.exe File created C:\Windows\SysWOW64\Jooeqo32.dll Ibpgqa32.exe File created C:\Windows\SysWOW64\Feqeog32.exe Foclgq32.exe File created C:\Windows\SysWOW64\Ehfomc32.dll Kiphjo32.exe File opened for modification C:\Windows\SysWOW64\Noppeaed.exe Nqmojd32.exe File created C:\Windows\SysWOW64\Pciqnk32.exe Pidlqb32.exe File created C:\Windows\SysWOW64\Hbiapb32.exe Hkohchko.exe File created C:\Windows\SysWOW64\Epoaed32.dll Dgeenfog.exe File created C:\Windows\SysWOW64\Ocoick32.dll Gnblnlhl.exe File opened for modification C:\Windows\SysWOW64\Ledepn32.exe Lojmcdgl.exe File created C:\Windows\SysWOW64\Lckboblp.exe Loofnccf.exe File opened for modification C:\Windows\SysWOW64\Ajohfcpj.exe Adepji32.exe File opened for modification C:\Windows\SysWOW64\Ggepalof.exe Gdgdeppb.exe File opened for modification C:\Windows\SysWOW64\Icogcjde.exe Ibnjkbog.exe File opened for modification C:\Windows\SysWOW64\Gpmomo32.exe Gbiockdj.exe File created C:\Windows\SysWOW64\Jlikkkhn.exe Jikoopij.exe File opened for modification C:\Windows\SysWOW64\Jddiegbm.exe Jogqlpde.exe File created C:\Windows\SysWOW64\Bpfljc32.dll Fecadghc.exe File created C:\Windows\SysWOW64\Nhoped32.dll Pfojdh32.exe File opened for modification C:\Windows\SysWOW64\Hiacacpg.exe Heegad32.exe File created C:\Windows\SysWOW64\Jbccge32.exe Jpegkj32.exe File created C:\Windows\SysWOW64\Llcghg32.exe Lfiokmkc.exe File created C:\Windows\SysWOW64\Fllinoed.dll Eafbmgad.exe File created C:\Windows\SysWOW64\Gbjlkd32.dll Fbaahf32.exe File created C:\Windows\SysWOW64\Qhjmdp32.exe Qaqegecm.exe File opened for modification C:\Windows\SysWOW64\Ppgomnai.exe Pfojdh32.exe File created C:\Windows\SysWOW64\Cnidqf32.dll Famhmfkl.exe File opened for modification C:\Windows\SysWOW64\Lbqinm32.exe Klgqabib.exe File created C:\Windows\SysWOW64\Aamebb32.dll Cdpcal32.exe File opened for modification C:\Windows\SysWOW64\Qclmck32.exe Qamago32.exe File created C:\Windows\SysWOW64\Hlnecf32.dll Infhebbh.exe File created C:\Windows\SysWOW64\Cjceejee.dll Pmnbfhal.exe File opened for modification C:\Windows\SysWOW64\Hlblcn32.exe Hehdfdek.exe File created C:\Windows\SysWOW64\Ieicjl32.dll Jocnlg32.exe File opened for modification C:\Windows\SysWOW64\Kcmfnd32.exe Kpnjah32.exe File created C:\Windows\SysWOW64\Jlobem32.dll Bhblllfo.exe File created C:\Windows\SysWOW64\Hioflcbj.exe Hnibokbd.exe File opened for modification C:\Windows\SysWOW64\Kiphjo32.exe Kedlip32.exe File created C:\Windows\SysWOW64\Opbean32.exe Ojemig32.exe File created C:\Windows\SysWOW64\Ldbhiiol.dll Bfkbfd32.exe File opened for modification C:\Windows\SysWOW64\Ekljpm32.exe Eaceghcg.exe File opened for modification C:\Windows\SysWOW64\Kopcbo32.exe Kdkoef32.exe File created C:\Windows\SysWOW64\Lhpnlclc.exe Laffpi32.exe File created C:\Windows\SysWOW64\Dggbcf32.exe Dgeenfog.exe File created C:\Windows\SysWOW64\Fgcpfdbd.dll Ehbnigjj.exe File opened for modification C:\Windows\SysWOW64\Gkdpbpih.exe Gbkkik32.exe File created C:\Windows\SysWOW64\Cgpfqchb.dll Jeocna32.exe File created C:\Windows\SysWOW64\Lpgmhg32.exe Lcclncbh.exe File created C:\Windows\SysWOW64\Njbgmjgl.exe Nblolm32.exe File created C:\Windows\SysWOW64\Fpenlneh.dll Nbphglbe.exe File opened for modification C:\Windows\SysWOW64\Gdiakp32.exe Gbkdod32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 8636 8372 WerFault.exe 429 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nblolm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgmhcaac.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgpeha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dckoia32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jblmgf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajdbac32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bpqjjjjl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjficg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckebcg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jimldogg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ooibkpmi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dahfkimd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnngpj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnqcfjae.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddklbd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgihop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhcali32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpochfji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfnamjhk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmladm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdjblf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcpakn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkgillpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbdnne32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dqpfmlce.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgjhpcmo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hebcao32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Haidfpki.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgcmbj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icogcjde.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jogqlpde.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbgfhnhi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlikkkhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcmfnd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddcebe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egkddo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ecbeip32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijkled32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbqinm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbdehlip.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbkkik32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oonlfo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfojdh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abcgjg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbnlim32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbhool32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qclmck32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kapfiqoj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amcehdod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dggbcf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hioflcbj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jocnlg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jeocna32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oqklkbbi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnnccl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cponen32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eqdpgk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egegjn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbaahf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjhfif32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkhbbi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hqdkkp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aabkbono.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdocph32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojidbohn.dll" Edeeci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ccppmc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jlikkkhn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kheekkjl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dnqcfjae.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jnpjlajn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oonlfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aolphl32.dll" Ekljpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgahlk32.dll" Icogcjde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdqeooaa.dll" Jacpcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Khabke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epqblnhh.dll" Kbnlim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghaeocdd.dll" Ookoaokf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ppgomnai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fbdnne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diadam32.dll" Ledepn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kefbdjgm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cogddd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocfgbfdm.dll" Fdlkdhnk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jpbjfjci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jhplpl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bbfmgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhhnfh32.dll" Enlcahgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Geldkfpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Caecnh32.dll" Mjggal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nqcejcha.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Indkpcdk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bogkmgba.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fkjmlaac.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aabkbono.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hgcmbj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iaedanal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Laffpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fckjejfe.dll" Gpmomo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Geoapenf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibepke32.dll" Kplmliko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gdiakp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Enmjlojd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qjffpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aaiqcnhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fohoiloe.dll" Fgqgfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhkkfnao.dll" Jaljbmkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgnfpc32.dll" Kbgfhnhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bmhocd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cggimh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckebcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjmgil32.dll" Pcpnhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kdpiqehp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gnmlhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bdojjo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cacckp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kefiopki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qhhpop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Heegad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ajdbac32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gnnccl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hiacacpg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qamago32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Haidfpki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgpchp32.dll" Hkcbnh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Edionhpn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lhcali32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afjpan32.dll" Bphqji32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fnbcgn32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 4112 wrote to memory of 1192 4112 8acca9eff58134be9992dbadda8f85a72af52e83d01844b494472812d6ed6b0e.exe 83 PID 4112 wrote to memory of 1192 4112 8acca9eff58134be9992dbadda8f85a72af52e83d01844b494472812d6ed6b0e.exe 83 PID 4112 wrote to memory of 1192 4112 8acca9eff58134be9992dbadda8f85a72af52e83d01844b494472812d6ed6b0e.exe 83 PID 1192 wrote to memory of 3128 1192 Pmnbfhal.exe 84 PID 1192 wrote to memory of 3128 1192 Pmnbfhal.exe 84 PID 1192 wrote to memory of 3128 1192 Pmnbfhal.exe 84 PID 3128 wrote to memory of 2824 3128 Pplobcpp.exe 87 PID 3128 wrote to memory of 2824 3128 Pplobcpp.exe 87 PID 3128 wrote to memory of 2824 3128 Pplobcpp.exe 87 PID 2824 wrote to memory of 4516 2824 Palklf32.exe 88 PID 2824 wrote to memory of 4516 2824 Palklf32.exe 88 PID 2824 wrote to memory of 4516 2824 Palklf32.exe 88 PID 4516 wrote to memory of 2884 4516 Pfiddm32.exe 90 PID 4516 wrote to memory of 2884 4516 Pfiddm32.exe 90 PID 4516 wrote to memory of 2884 4516 Pfiddm32.exe 90 PID 2884 wrote to memory of 688 2884 Panhbfep.exe 91 PID 2884 wrote to memory of 688 2884 Panhbfep.exe 91 PID 2884 wrote to memory of 688 2884 Panhbfep.exe 91 PID 688 wrote to memory of 2144 688 Qhhpop32.exe 92 PID 688 wrote to memory of 2144 688 Qhhpop32.exe 92 PID 688 wrote to memory of 2144 688 Qhhpop32.exe 92 PID 2144 wrote to memory of 4844 2144 Qaqegecm.exe 93 PID 2144 wrote to memory of 4844 2144 Qaqegecm.exe 93 PID 2144 wrote to memory of 4844 2144 Qaqegecm.exe 93 PID 4844 wrote to memory of 2712 4844 Qhjmdp32.exe 94 PID 4844 wrote to memory of 2712 4844 Qhjmdp32.exe 94 PID 4844 wrote to memory of 2712 4844 Qhjmdp32.exe 94 PID 2712 wrote to memory of 1924 2712 Qjiipk32.exe 95 PID 2712 wrote to memory of 1924 2712 Qjiipk32.exe 95 PID 2712 wrote to memory of 1924 2712 Qjiipk32.exe 95 PID 1924 wrote to memory of 4780 1924 Afpjel32.exe 96 PID 1924 wrote to memory of 4780 1924 Afpjel32.exe 96 PID 1924 wrote to memory of 4780 1924 Afpjel32.exe 96 PID 4780 wrote to memory of 1736 4780 Amjbbfgo.exe 97 PID 4780 wrote to memory of 1736 4780 Amjbbfgo.exe 97 PID 4780 wrote to memory of 1736 4780 Amjbbfgo.exe 97 PID 1736 wrote to memory of 4560 1736 Amcehdod.exe 98 PID 1736 wrote to memory of 4560 1736 Amcehdod.exe 98 PID 1736 wrote to memory of 4560 1736 Amcehdod.exe 98 PID 4560 wrote to memory of 1080 4560 Bhhiemoj.exe 99 PID 4560 wrote to memory of 1080 4560 Bhhiemoj.exe 99 PID 4560 wrote to memory of 1080 4560 Bhhiemoj.exe 99 PID 1080 wrote to memory of 1152 1080 Bobabg32.exe 100 PID 1080 wrote to memory of 1152 1080 Bobabg32.exe 100 PID 1080 wrote to memory of 1152 1080 Bobabg32.exe 100 PID 1152 wrote to memory of 4064 1152 Bdojjo32.exe 101 PID 1152 wrote to memory of 4064 1152 Bdojjo32.exe 101 PID 1152 wrote to memory of 4064 1152 Bdojjo32.exe 101 PID 4064 wrote to memory of 2792 4064 Bmhocd32.exe 102 PID 4064 wrote to memory of 2792 4064 Bmhocd32.exe 102 PID 4064 wrote to memory of 2792 4064 Bmhocd32.exe 102 PID 2792 wrote to memory of 4812 2792 Bacjdbch.exe 103 PID 2792 wrote to memory of 4812 2792 Bacjdbch.exe 103 PID 2792 wrote to memory of 4812 2792 Bacjdbch.exe 103 PID 4812 wrote to memory of 3268 4812 Bogkmgba.exe 104 PID 4812 wrote to memory of 3268 4812 Bogkmgba.exe 104 PID 4812 wrote to memory of 3268 4812 Bogkmgba.exe 104 PID 3268 wrote to memory of 3932 3268 Bgbpaipl.exe 105 PID 3268 wrote to memory of 3932 3268 Bgbpaipl.exe 105 PID 3268 wrote to memory of 3932 3268 Bgbpaipl.exe 105 PID 3932 wrote to memory of 5024 3932 Bhblllfo.exe 106 PID 3932 wrote to memory of 5024 3932 Bhblllfo.exe 106 PID 3932 wrote to memory of 5024 3932 Bhblllfo.exe 106 PID 5024 wrote to memory of 1444 5024 Cggimh32.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\8acca9eff58134be9992dbadda8f85a72af52e83d01844b494472812d6ed6b0e.exe"C:\Users\Admin\AppData\Local\Temp\8acca9eff58134be9992dbadda8f85a72af52e83d01844b494472812d6ed6b0e.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4112 -
C:\Windows\SysWOW64\Pmnbfhal.exeC:\Windows\system32\Pmnbfhal.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1192 -
C:\Windows\SysWOW64\Pplobcpp.exeC:\Windows\system32\Pplobcpp.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3128 -
C:\Windows\SysWOW64\Palklf32.exeC:\Windows\system32\Palklf32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2824 -
C:\Windows\SysWOW64\Pfiddm32.exeC:\Windows\system32\Pfiddm32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4516 -
C:\Windows\SysWOW64\Panhbfep.exeC:\Windows\system32\Panhbfep.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2884 -
C:\Windows\SysWOW64\Qhhpop32.exeC:\Windows\system32\Qhhpop32.exe7⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:688 -
C:\Windows\SysWOW64\Qaqegecm.exeC:\Windows\system32\Qaqegecm.exe8⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2144 -
C:\Windows\SysWOW64\Qhjmdp32.exeC:\Windows\system32\Qhjmdp32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4844 -
C:\Windows\SysWOW64\Qjiipk32.exeC:\Windows\system32\Qjiipk32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Windows\SysWOW64\Afpjel32.exeC:\Windows\system32\Afpjel32.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1924 -
C:\Windows\SysWOW64\Amjbbfgo.exeC:\Windows\system32\Amjbbfgo.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4780 -
C:\Windows\SysWOW64\Amcehdod.exeC:\Windows\system32\Amcehdod.exe13⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1736 -
C:\Windows\SysWOW64\Bhhiemoj.exeC:\Windows\system32\Bhhiemoj.exe14⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4560 -
C:\Windows\SysWOW64\Bobabg32.exeC:\Windows\system32\Bobabg32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1080 -
C:\Windows\SysWOW64\Bdojjo32.exeC:\Windows\system32\Bdojjo32.exe16⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1152 -
C:\Windows\SysWOW64\Bmhocd32.exeC:\Windows\system32\Bmhocd32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4064 -
C:\Windows\SysWOW64\Bacjdbch.exeC:\Windows\system32\Bacjdbch.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2792 -
C:\Windows\SysWOW64\Bogkmgba.exeC:\Windows\system32\Bogkmgba.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4812 -
C:\Windows\SysWOW64\Bgbpaipl.exeC:\Windows\system32\Bgbpaipl.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3268 -
C:\Windows\SysWOW64\Bhblllfo.exeC:\Windows\system32\Bhblllfo.exe21⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3932 -
C:\Windows\SysWOW64\Cggimh32.exeC:\Windows\system32\Cggimh32.exe22⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5024 -
C:\Windows\SysWOW64\Cponen32.exeC:\Windows\system32\Cponen32.exe23⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1444 -
C:\Windows\SysWOW64\Ckebcg32.exeC:\Windows\system32\Ckebcg32.exe24⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:640 -
C:\Windows\SysWOW64\Cglbhhga.exeC:\Windows\system32\Cglbhhga.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2328 -
C:\Windows\SysWOW64\Cdpcal32.exeC:\Windows\system32\Cdpcal32.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1596 -
C:\Windows\SysWOW64\Cacckp32.exeC:\Windows\system32\Cacckp32.exe27⤵
- Executes dropped EXE
- Modifies registry class
PID:4752 -
C:\Windows\SysWOW64\Cogddd32.exeC:\Windows\system32\Cogddd32.exe28⤵
- Executes dropped EXE
- Modifies registry class
PID:3036 -
C:\Windows\SysWOW64\Dhphmj32.exeC:\Windows\system32\Dhphmj32.exe29⤵
- Executes dropped EXE
PID:2344 -
C:\Windows\SysWOW64\Dpkmal32.exeC:\Windows\system32\Dpkmal32.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4328 -
C:\Windows\SysWOW64\Dgeenfog.exeC:\Windows\system32\Dgeenfog.exe31⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3624 -
C:\Windows\SysWOW64\Dggbcf32.exeC:\Windows\system32\Dggbcf32.exe32⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1496 -
C:\Windows\SysWOW64\Dqpfmlce.exeC:\Windows\system32\Dqpfmlce.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2948 -
C:\Windows\SysWOW64\Doagjc32.exeC:\Windows\system32\Doagjc32.exe34⤵
- Executes dropped EXE
PID:5092 -
C:\Windows\SysWOW64\Dbocfo32.exeC:\Windows\system32\Dbocfo32.exe35⤵
- Executes dropped EXE
PID:1140 -
C:\Windows\SysWOW64\Enfckp32.exeC:\Windows\system32\Enfckp32.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3328 -
C:\Windows\SysWOW64\Eqdpgk32.exeC:\Windows\system32\Eqdpgk32.exe37⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3248 -
C:\Windows\SysWOW64\Enhpao32.exeC:\Windows\system32\Enhpao32.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1952 -
C:\Windows\SysWOW64\Ehndnh32.exeC:\Windows\system32\Ehndnh32.exe39⤵
- Executes dropped EXE
PID:4584 -
C:\Windows\SysWOW64\Enkmfolf.exeC:\Windows\system32\Enkmfolf.exe40⤵
- Executes dropped EXE
PID:1576 -
C:\Windows\SysWOW64\Edeeci32.exeC:\Windows\system32\Edeeci32.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:4712 -
C:\Windows\SysWOW64\Enmjlojd.exeC:\Windows\system32\Enmjlojd.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:2516 -
C:\Windows\SysWOW64\Ehbnigjj.exeC:\Windows\system32\Ehbnigjj.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3012 -
C:\Windows\SysWOW64\Ebkbbmqj.exeC:\Windows\system32\Ebkbbmqj.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1392 -
C:\Windows\SysWOW64\Edionhpn.exeC:\Windows\system32\Edionhpn.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:4252 -
C:\Windows\SysWOW64\Fnbcgn32.exeC:\Windows\system32\Fnbcgn32.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:4200 -
C:\Windows\SysWOW64\Fdlkdhnk.exeC:\Windows\system32\Fdlkdhnk.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:1856 -
C:\Windows\SysWOW64\Fgjhpcmo.exeC:\Windows\system32\Fgjhpcmo.exe48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2348 -
C:\Windows\SysWOW64\Fdnhih32.exeC:\Windows\system32\Fdnhih32.exe49⤵
- Executes dropped EXE
PID:3428 -
C:\Windows\SysWOW64\Foclgq32.exeC:\Windows\system32\Foclgq32.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:216 -
C:\Windows\SysWOW64\Feqeog32.exeC:\Windows\system32\Feqeog32.exe51⤵
- Executes dropped EXE
PID:2944 -
C:\Windows\SysWOW64\Fkjmlaac.exeC:\Windows\system32\Fkjmlaac.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4244 -
C:\Windows\SysWOW64\Fbdehlip.exeC:\Windows\system32\Fbdehlip.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4080 -
C:\Windows\SysWOW64\Fecadghc.exeC:\Windows\system32\Fecadghc.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2064 -
C:\Windows\SysWOW64\Fbgbnkfm.exeC:\Windows\system32\Fbgbnkfm.exe55⤵
- Executes dropped EXE
PID:2808 -
C:\Windows\SysWOW64\Gnnccl32.exeC:\Windows\system32\Gnnccl32.exe56⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2964 -
C:\Windows\SysWOW64\Gbiockdj.exeC:\Windows\system32\Gbiockdj.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3504 -
C:\Windows\SysWOW64\Gpmomo32.exeC:\Windows\system32\Gpmomo32.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:720 -
C:\Windows\SysWOW64\Gbkkik32.exeC:\Windows\system32\Gbkkik32.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3320 -
C:\Windows\SysWOW64\Gkdpbpih.exeC:\Windows\system32\Gkdpbpih.exe60⤵
- Executes dropped EXE
PID:2976 -
C:\Windows\SysWOW64\Gnblnlhl.exeC:\Windows\system32\Gnblnlhl.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3804 -
C:\Windows\SysWOW64\Geldkfpi.exeC:\Windows\system32\Geldkfpi.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:4460 -
C:\Windows\SysWOW64\Gbpedjnb.exeC:\Windows\system32\Gbpedjnb.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:5016 -
C:\Windows\SysWOW64\Geoapenf.exeC:\Windows\system32\Geoapenf.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:4044 -
C:\Windows\SysWOW64\Gbbajjlp.exeC:\Windows\system32\Gbbajjlp.exe65⤵
- Executes dropped EXE
PID:1468 -
C:\Windows\SysWOW64\Giljfddl.exeC:\Windows\system32\Giljfddl.exe66⤵PID:4568
-
C:\Windows\SysWOW64\Hpfbcn32.exeC:\Windows\system32\Hpfbcn32.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4416 -
C:\Windows\SysWOW64\Hnibokbd.exeC:\Windows\system32\Hnibokbd.exe68⤵
- Drops file in System32 directory
PID:1356 -
C:\Windows\SysWOW64\Hioflcbj.exeC:\Windows\system32\Hioflcbj.exe69⤵
- System Location Discovery: System Language Discovery
PID:3716 -
C:\Windows\SysWOW64\Heegad32.exeC:\Windows\system32\Heegad32.exe70⤵
- Drops file in System32 directory
- Modifies registry class
PID:2156 -
C:\Windows\SysWOW64\Hiacacpg.exeC:\Windows\system32\Hiacacpg.exe71⤵
- Modifies registry class
PID:1268 -
C:\Windows\SysWOW64\Hehdfdek.exeC:\Windows\system32\Hehdfdek.exe72⤵
- Drops file in System32 directory
PID:3068 -
C:\Windows\SysWOW64\Hlblcn32.exeC:\Windows\system32\Hlblcn32.exe73⤵PID:1088
-
C:\Windows\SysWOW64\Hnphoj32.exeC:\Windows\system32\Hnphoj32.exe74⤵PID:2640
-
C:\Windows\SysWOW64\Hifmmb32.exeC:\Windows\system32\Hifmmb32.exe75⤵PID:3832
-
C:\Windows\SysWOW64\Hhimhobl.exeC:\Windows\system32\Hhimhobl.exe76⤵PID:2552
-
C:\Windows\SysWOW64\Ihkjno32.exeC:\Windows\system32\Ihkjno32.exe77⤵PID:4664
-
C:\Windows\SysWOW64\Ipbaol32.exeC:\Windows\system32\Ipbaol32.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2844 -
C:\Windows\SysWOW64\Iacngdgj.exeC:\Windows\system32\Iacngdgj.exe79⤵PID:2492
-
C:\Windows\SysWOW64\Iijfhbhl.exeC:\Windows\system32\Iijfhbhl.exe80⤵PID:4084
-
C:\Windows\SysWOW64\Ieagmcmq.exeC:\Windows\system32\Ieagmcmq.exe81⤵PID:2308
-
C:\Windows\SysWOW64\Ilkoim32.exeC:\Windows\system32\Ilkoim32.exe82⤵PID:868
-
C:\Windows\SysWOW64\Ihbponja.exeC:\Windows\system32\Ihbponja.exe83⤵PID:1680
-
C:\Windows\SysWOW64\Ipihpkkd.exeC:\Windows\system32\Ipihpkkd.exe84⤵PID:696
-
C:\Windows\SysWOW64\Ilphdlqh.exeC:\Windows\system32\Ilphdlqh.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2196 -
C:\Windows\SysWOW64\Jidinqpb.exeC:\Windows\system32\Jidinqpb.exe86⤵PID:3024
-
C:\Windows\SysWOW64\Jblmgf32.exeC:\Windows\system32\Jblmgf32.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:4612 -
C:\Windows\SysWOW64\Jaonbc32.exeC:\Windows\system32\Jaonbc32.exe88⤵PID:64
-
C:\Windows\SysWOW64\Jocnlg32.exeC:\Windows\system32\Jocnlg32.exe89⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2764 -
C:\Windows\SysWOW64\Jemfhacc.exeC:\Windows\system32\Jemfhacc.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3708 -
C:\Windows\SysWOW64\Jhkbdmbg.exeC:\Windows\system32\Jhkbdmbg.exe91⤵PID:3228
-
C:\Windows\SysWOW64\Jpbjfjci.exeC:\Windows\system32\Jpbjfjci.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3608 -
C:\Windows\SysWOW64\Jeocna32.exeC:\Windows\system32\Jeocna32.exe93⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2992 -
C:\Windows\SysWOW64\Jikoopij.exeC:\Windows\system32\Jikoopij.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1508 -
C:\Windows\SysWOW64\Jlikkkhn.exeC:\Windows\system32\Jlikkkhn.exe95⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2888 -
C:\Windows\SysWOW64\Jpegkj32.exeC:\Windows\system32\Jpegkj32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2608 -
C:\Windows\SysWOW64\Jbccge32.exeC:\Windows\system32\Jbccge32.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3096 -
C:\Windows\SysWOW64\Jimldogg.exeC:\Windows\system32\Jimldogg.exe98⤵
- System Location Discovery: System Language Discovery
PID:1876 -
C:\Windows\SysWOW64\Jhplpl32.exeC:\Windows\system32\Jhplpl32.exe99⤵
- Drops file in System32 directory
- Modifies registry class
PID:3760 -
C:\Windows\SysWOW64\Jojdlfeo.exeC:\Windows\system32\Jojdlfeo.exe100⤵PID:2892
-
C:\Windows\SysWOW64\Jbepme32.exeC:\Windows\system32\Jbepme32.exe101⤵PID:4412
-
C:\Windows\SysWOW64\Kedlip32.exeC:\Windows\system32\Kedlip32.exe102⤵
- Drops file in System32 directory
PID:1784 -
C:\Windows\SysWOW64\Kiphjo32.exeC:\Windows\system32\Kiphjo32.exe103⤵
- Drops file in System32 directory
PID:3016 -
C:\Windows\SysWOW64\Kolabf32.exeC:\Windows\system32\Kolabf32.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5132 -
C:\Windows\SysWOW64\Kbhmbdle.exeC:\Windows\system32\Kbhmbdle.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5168 -
C:\Windows\SysWOW64\Kefiopki.exeC:\Windows\system32\Kefiopki.exe106⤵
- Modifies registry class
PID:5216 -
C:\Windows\SysWOW64\Kheekkjl.exeC:\Windows\system32\Kheekkjl.exe107⤵
- Modifies registry class
PID:5260 -
C:\Windows\SysWOW64\Kplmliko.exeC:\Windows\system32\Kplmliko.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:5300 -
C:\Windows\SysWOW64\Klbnajqc.exeC:\Windows\system32\Klbnajqc.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5348 -
C:\Windows\SysWOW64\Kpnjah32.exeC:\Windows\system32\Kpnjah32.exe110⤵
- Drops file in System32 directory
PID:5388 -
C:\Windows\SysWOW64\Kcmfnd32.exeC:\Windows\system32\Kcmfnd32.exe111⤵
- System Location Discovery: System Language Discovery
PID:5432 -
C:\Windows\SysWOW64\Kapfiqoj.exeC:\Windows\system32\Kapfiqoj.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:5476 -
C:\Windows\SysWOW64\Kifojnol.exeC:\Windows\system32\Kifojnol.exe113⤵PID:5520
-
C:\Windows\SysWOW64\Kpqggh32.exeC:\Windows\system32\Kpqggh32.exe114⤵PID:5564
-
C:\Windows\SysWOW64\Kocgbend.exeC:\Windows\system32\Kocgbend.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5608 -
C:\Windows\SysWOW64\Kpccmhdg.exeC:\Windows\system32\Kpccmhdg.exe116⤵PID:5652
-
C:\Windows\SysWOW64\Kadpdp32.exeC:\Windows\system32\Kadpdp32.exe117⤵PID:5696
-
C:\Windows\SysWOW64\Lljdai32.exeC:\Windows\system32\Lljdai32.exe118⤵PID:5740
-
C:\Windows\SysWOW64\Lpepbgbd.exeC:\Windows\system32\Lpepbgbd.exe119⤵PID:5780
-
C:\Windows\SysWOW64\Lcclncbh.exeC:\Windows\system32\Lcclncbh.exe120⤵
- Drops file in System32 directory
PID:5824 -
C:\Windows\SysWOW64\Lpgmhg32.exeC:\Windows\system32\Lpgmhg32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5868
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-