Analysis
-
max time kernel
119s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
25/02/2025, 08:35
Behavioral task
behavioral1
Sample
04e8d3a451dfdbc8bcee551eb3d3a31e9f747d5a907e980e11f967dc9f191b8b.exe
Resource
win7-20240903-en
windows7-x64
12 signatures
120 seconds
General
-
Target
04e8d3a451dfdbc8bcee551eb3d3a31e9f747d5a907e980e11f967dc9f191b8b.exe
-
Size
337KB
-
MD5
eb7149bc5392f44efeb1837a19abeb53
-
SHA1
f754d335de7a783bf1b03206c95a09aead483d70
-
SHA256
04e8d3a451dfdbc8bcee551eb3d3a31e9f747d5a907e980e11f967dc9f191b8b
-
SHA512
0562b235a3ad00d153f151fb124213ba332985faef25518bc4e5b5444e339639b5c07a8f52c04288ec2057c5b9b2a7a4d9dbf15cac4f70bf9bd0d5769d397e78
-
SSDEEP
3072:IfDdfB+qLKF9H2h9gYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc0X:2JUHK91+fIyG5jZkCwi8h
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgnfdm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkkija32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmhdkdlg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fnflke32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfhcoj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohiffh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qcogbdkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdjmcpnl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhakcfab.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnifja32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kadfkhkf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ooabmbbe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcmoda32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcokiaji.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpdnbbah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iipiljgf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibmgpoia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phfmllbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qhjfgl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omioekbo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oiffkkbk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffibkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Amaelomh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hcdnhoac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nlqmmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkhhhd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnpciaef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajeeeblb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcgphp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opglafab.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obmnna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Biaign32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jolghndm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lgehno32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ednbncmb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmfkfa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dinklffl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fgcejm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fjbafi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imleli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Imleli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qdaglmcb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aodkci32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmjdaqgi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djgkii32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpgjgboe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oococb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phlclgfc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Accqnc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akfkbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Noffdd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pecgea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aodkci32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opqoge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kfpifm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Maefamlh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Maefamlh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lfmbek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nfahomfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nipdkieg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofhjopbg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fgadda32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbbgod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ejmhkiig.exe -
Berbew family
-
Njrat family
-
Executes dropped EXE 64 IoCs
pid Process 1432 Qjkjle32.exe 2240 Qmifhq32.exe 2752 Qqdbiopj.exe 2764 Qogbdl32.exe 2916 Abfnpg32.exe 2780 Ajmfad32.exe 2460 Abhkfg32.exe 1796 Amnocpdk.exe 2996 Aollokco.exe 2676 Akcldl32.exe 2944 Aekqmbod.exe 1212 Akeijlfq.exe 1864 Bnfblgca.exe 1972 Bepjha32.exe 1056 Bgnfdm32.exe 1980 Bnhoag32.exe 1688 Bpjkiogm.exe 1152 Bibpad32.exe 1656 Baigca32.exe 1108 Bplhnoej.exe 2232 Bffpki32.exe 1116 Bmphhc32.exe 2468 Bfhmqhkd.exe 2360 Bekmle32.exe 2496 Bmbemb32.exe 2448 Bpqain32.exe 2892 Cemjae32.exe 2620 Chlfnp32.exe 2336 Cbajkiof.exe 2804 Cadjgf32.exe 1984 Cljodo32.exe 2976 Cjmopkla.exe 2604 Cbdgqimc.exe 2132 Cllkin32.exe 1096 Cojhejbh.exe 1020 Cdgpnqpo.exe 2144 Ckahkk32.exe 2948 Cmpdgf32.exe 1872 Cdjmcpnl.exe 1992 Cheido32.exe 1584 Cifelgmd.exe 2316 Cmbalfem.exe 2400 Dpqnhadq.exe 2588 Dgjfek32.exe 1380 Dlgnmb32.exe 1168 Dpcjnabn.exe 2628 Dbafjlaa.exe 1952 Depbfhpe.exe 2852 Dikogf32.exe 2876 Dmgkgeah.exe 1608 Dljkcb32.exe 1232 Dpegcq32.exe 1180 Dohgomgf.exe 2952 Dcccpl32.exe 2384 Debplg32.exe 2660 Dinklffl.exe 2860 Dllhhaep.exe 580 Dpgcip32.exe 2128 Dojddmec.exe 2972 Daipqhdg.exe 1700 Diphbfdi.exe 2684 Dhbhmb32.exe 2832 Dkadjn32.exe 2324 Domqjm32.exe -
Loads dropped DLL 64 IoCs
pid Process 1076 04e8d3a451dfdbc8bcee551eb3d3a31e9f747d5a907e980e11f967dc9f191b8b.exe 1076 04e8d3a451dfdbc8bcee551eb3d3a31e9f747d5a907e980e11f967dc9f191b8b.exe 1432 Qjkjle32.exe 1432 Qjkjle32.exe 2240 Qmifhq32.exe 2240 Qmifhq32.exe 2752 Qqdbiopj.exe 2752 Qqdbiopj.exe 2764 Qogbdl32.exe 2764 Qogbdl32.exe 2916 Abfnpg32.exe 2916 Abfnpg32.exe 2780 Ajmfad32.exe 2780 Ajmfad32.exe 2460 Abhkfg32.exe 2460 Abhkfg32.exe 1796 Amnocpdk.exe 1796 Amnocpdk.exe 2996 Aollokco.exe 2996 Aollokco.exe 2676 Akcldl32.exe 2676 Akcldl32.exe 2944 Aekqmbod.exe 2944 Aekqmbod.exe 1212 Akeijlfq.exe 1212 Akeijlfq.exe 1864 Bnfblgca.exe 1864 Bnfblgca.exe 1972 Bepjha32.exe 1972 Bepjha32.exe 1056 Bgnfdm32.exe 1056 Bgnfdm32.exe 1980 Bnhoag32.exe 1980 Bnhoag32.exe 1688 Bpjkiogm.exe 1688 Bpjkiogm.exe 1152 Bibpad32.exe 1152 Bibpad32.exe 1656 Baigca32.exe 1656 Baigca32.exe 1108 Bplhnoej.exe 1108 Bplhnoej.exe 2232 Bffpki32.exe 2232 Bffpki32.exe 1116 Bmphhc32.exe 1116 Bmphhc32.exe 2468 Bfhmqhkd.exe 2468 Bfhmqhkd.exe 2360 Bekmle32.exe 2360 Bekmle32.exe 2496 Bmbemb32.exe 2496 Bmbemb32.exe 2448 Bpqain32.exe 2448 Bpqain32.exe 2892 Cemjae32.exe 2892 Cemjae32.exe 2620 Chlfnp32.exe 2620 Chlfnp32.exe 2336 Cbajkiof.exe 2336 Cbajkiof.exe 2804 Cadjgf32.exe 2804 Cadjgf32.exe 1984 Cljodo32.exe 1984 Cljodo32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Pkdhln32.dll Aakjdo32.exe File created C:\Windows\SysWOW64\Qfngfgqe.dll Gkomjo32.exe File opened for modification C:\Windows\SysWOW64\Hegnahjo.exe Halbai32.exe File created C:\Windows\SysWOW64\Micklk32.exe Mjpkqonj.exe File created C:\Windows\SysWOW64\Jaoqqflp.exe Jmdepg32.exe File opened for modification C:\Windows\SysWOW64\Pkmlmbcd.exe Pljlbf32.exe File created C:\Windows\SysWOW64\Dgnenf32.dll Bmnnkl32.exe File created C:\Windows\SysWOW64\Kfnmpn32.exe Kgkleabc.exe File created C:\Windows\SysWOW64\Bkmhnjlh.exe Bgblmk32.exe File created C:\Windows\SysWOW64\Hbknkl32.exe Hnpbjnpo.exe File created C:\Windows\SysWOW64\Kofaicon.exe Kpcqnf32.exe File created C:\Windows\SysWOW64\Afbqkf32.dll Micklk32.exe File created C:\Windows\SysWOW64\Nhndalhm.dll Akkoig32.exe File created C:\Windows\SysWOW64\Nmepgp32.dll Hldlga32.exe File created C:\Windows\SysWOW64\Dcqlnqml.dll Kjokokha.exe File opened for modification C:\Windows\SysWOW64\Mjkgjl32.exe Mfokinhf.exe File opened for modification C:\Windows\SysWOW64\Edclib32.exe Epgphcqd.exe File opened for modification C:\Windows\SysWOW64\Ackmih32.exe Aopahjll.exe File opened for modification C:\Windows\SysWOW64\Bofgii32.exe Bmhkmm32.exe File opened for modification C:\Windows\SysWOW64\Bkbaii32.exe Bgffhkoj.exe File created C:\Windows\SysWOW64\Hjhmbnfb.dll Cnckjddd.exe File created C:\Windows\SysWOW64\Hcenjk32.dll Jgabdlfb.exe File created C:\Windows\SysWOW64\Jhjpijfl.dll Lqipkhbj.exe File created C:\Windows\SysWOW64\Adlcfjgh.exe Abmgjo32.exe File created C:\Windows\SysWOW64\Ljodek32.dll Cljodo32.exe File opened for modification C:\Windows\SysWOW64\Kljabgnh.exe Khoebi32.exe File created C:\Windows\SysWOW64\Fnacpffh.exe Fjegog32.exe File opened for modification C:\Windows\SysWOW64\Jojkco32.exe Jpgjgboe.exe File opened for modification C:\Windows\SysWOW64\Qjkjle32.exe 04e8d3a451dfdbc8bcee551eb3d3a31e9f747d5a907e980e11f967dc9f191b8b.exe File opened for modification C:\Windows\SysWOW64\Obgkpb32.exe Ookpodkj.exe File opened for modification C:\Windows\SysWOW64\Cfeepelg.exe Cpkmcldj.exe File created C:\Windows\SysWOW64\Lfmlmhlo.dll Lhfefgkg.exe File opened for modification C:\Windows\SysWOW64\Ajmijmnn.exe Aebmjo32.exe File opened for modification C:\Windows\SysWOW64\Pjcmap32.exe Pegqpacp.exe File created C:\Windows\SysWOW64\Emclhigi.dll Qkffng32.exe File opened for modification C:\Windows\SysWOW64\Aqjdgmgd.exe Amohfo32.exe File created C:\Windows\SysWOW64\Ioohokoo.exe Ifgpnmom.exe File created C:\Windows\SysWOW64\Pdkiofep.dll Bkjdndjo.exe File opened for modification C:\Windows\SysWOW64\Gcheib32.exe Gqiimfam.exe File created C:\Windows\SysWOW64\Pcncbo32.dll Mpmcielb.exe File opened for modification C:\Windows\SysWOW64\Jioopgef.exe Jedcpi32.exe File created C:\Windows\SysWOW64\Gqiimfam.exe Gbfiaj32.exe File created C:\Windows\SysWOW64\Bflbigdb.exe Bgibnj32.exe File created C:\Windows\SysWOW64\Cpmjhk32.exe Clbnhmjo.exe File created C:\Windows\SysWOW64\Hakapcjd.dll Iefcfe32.exe File created C:\Windows\SysWOW64\Ldbofgme.exe Lfoojj32.exe File created C:\Windows\SysWOW64\Cbajkiof.exe Chlfnp32.exe File created C:\Windows\SysWOW64\Ildnklen.dll Fofpoo32.exe File created C:\Windows\SysWOW64\Ihnoip32.dll Imleli32.exe File created C:\Windows\SysWOW64\Alhjjh32.dll Ifffkncm.exe File created C:\Windows\SysWOW64\Mbbfep32.exe Mngjeamd.exe File created C:\Windows\SysWOW64\Bcpgdhpp.exe Aodkci32.exe File created C:\Windows\SysWOW64\Eppcmncq.exe Eldglp32.exe File opened for modification C:\Windows\SysWOW64\Gepafc32.exe Gqdefddb.exe File opened for modification C:\Windows\SysWOW64\Kjihalag.exe Kfnmpn32.exe File opened for modification C:\Windows\SysWOW64\Adcdbl32.exe Aqhhanig.exe File created C:\Windows\SysWOW64\Ecploipa.exe Eoepnk32.exe File created C:\Windows\SysWOW64\Folfoj32.exe Fkpjnkig.exe File opened for modification C:\Windows\SysWOW64\Hldlga32.exe Hifpke32.exe File opened for modification C:\Windows\SysWOW64\Locjhqpa.exe Lkgngb32.exe File created C:\Windows\SysWOW64\Loefnpnn.exe Lhknaf32.exe File created C:\Windows\SysWOW64\Akafaiao.dll Nenkqi32.exe File created C:\Windows\SysWOW64\Jmiajbpa.dll Ibfaopoi.exe File created C:\Windows\SysWOW64\Damocb32.dll Pdmnam32.exe -
Program crash 1 IoCs
pid pid_target Process 9212 9016 WerFault.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgfcja32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Maefamlh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghajacmo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlphbbbg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oidiekdn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkmlmbcd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aakjdo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hidcef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lboiol32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nipdkieg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbbpenco.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iahkpg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lddlkg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nibqqh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlcibc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amnocpdk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hloiib32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhejnc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfkapb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cacclpae.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhiomn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Diaaeepi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbjeinje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdaqmg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnkcpq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Palepb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkndhabp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbbofjnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hakkgc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mclebc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpogbgmi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klehgh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgmahg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odjdmjgo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Beackp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkbaii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ecbhdi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlkngc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qdncmgbj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gceailog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnknoogp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmedlk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edlfhc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijklknbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emagacdm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hihlqeib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afdiondb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdnolfon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdpkbf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhbhmb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jenpajfb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldjpbign.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pilfpqaa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eoepnk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcbabpcf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmicfh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlnpgd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imnbbi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkmand32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldoimh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfnneb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eaeipfei.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjokokha.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahbekjcf.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bgibnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifigco32.dll" Hjofdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcqlnqml.dll" Kjokokha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Giddhc32.dll" Oippjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ohiffh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bihmcd32.dll" Lhelbh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gblkoham.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjpbcokk.dll" Oplelf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbhnia32.dll" Bjdkjpkb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cjakccop.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bplhnoej.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dcccpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hlafnbal.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Elkmmodo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgnebokc.dll" Kpdjaecc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Phfmllbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Elnqmd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hnmeen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ihmpobck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdoljh32.dll" Iaeegh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oajlkojn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Knkgpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ldbofgme.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bgffhkoj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hmdhad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hbaaik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jedcpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciffggmh.dll" Mggabaea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfebhg32.dll" Nnafnopi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oemgplgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajnfie32.dll" Elldgehk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiahmmdf.dll" Kbdmeoob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idejihgk.dll" Fhomkcoa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hbaaik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hphidanj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncniim32.dll" Lblcfnhj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ohfqmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfeeehni.dll" Jgabdlfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lhfefgkg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ljfapjbi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pplaki32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Paknelgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Damocb32.dll" Pdmnam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ackmih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jihcbj32.dll" Eoepnk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kjokokha.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gljpncgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nihqegkl.dll" Ajqljc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dblifk32.dll" Amohfo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Baojapfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfefmpeo.dll" Bchfhfeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aollokco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pdakniag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adqaqk32.dll" Nbjeinje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpajfg32.dll" Clojhf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cdgpnqpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ifampo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqpagjge.dll" Fjegog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oqfqioai.dll" Kdbbgdjj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Loqmba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cjmopkla.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dlgnmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iomhdbkn.dll" Cillkbac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pljlbf32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1076 wrote to memory of 1432 1076 04e8d3a451dfdbc8bcee551eb3d3a31e9f747d5a907e980e11f967dc9f191b8b.exe 30 PID 1076 wrote to memory of 1432 1076 04e8d3a451dfdbc8bcee551eb3d3a31e9f747d5a907e980e11f967dc9f191b8b.exe 30 PID 1076 wrote to memory of 1432 1076 04e8d3a451dfdbc8bcee551eb3d3a31e9f747d5a907e980e11f967dc9f191b8b.exe 30 PID 1076 wrote to memory of 1432 1076 04e8d3a451dfdbc8bcee551eb3d3a31e9f747d5a907e980e11f967dc9f191b8b.exe 30 PID 1432 wrote to memory of 2240 1432 Qjkjle32.exe 31 PID 1432 wrote to memory of 2240 1432 Qjkjle32.exe 31 PID 1432 wrote to memory of 2240 1432 Qjkjle32.exe 31 PID 1432 wrote to memory of 2240 1432 Qjkjle32.exe 31 PID 2240 wrote to memory of 2752 2240 Qmifhq32.exe 32 PID 2240 wrote to memory of 2752 2240 Qmifhq32.exe 32 PID 2240 wrote to memory of 2752 2240 Qmifhq32.exe 32 PID 2240 wrote to memory of 2752 2240 Qmifhq32.exe 32 PID 2752 wrote to memory of 2764 2752 Qqdbiopj.exe 33 PID 2752 wrote to memory of 2764 2752 Qqdbiopj.exe 33 PID 2752 wrote to memory of 2764 2752 Qqdbiopj.exe 33 PID 2752 wrote to memory of 2764 2752 Qqdbiopj.exe 33 PID 2764 wrote to memory of 2916 2764 Qogbdl32.exe 34 PID 2764 wrote to memory of 2916 2764 Qogbdl32.exe 34 PID 2764 wrote to memory of 2916 2764 Qogbdl32.exe 34 PID 2764 wrote to memory of 2916 2764 Qogbdl32.exe 34 PID 2916 wrote to memory of 2780 2916 Abfnpg32.exe 35 PID 2916 wrote to memory of 2780 2916 Abfnpg32.exe 35 PID 2916 wrote to memory of 2780 2916 Abfnpg32.exe 35 PID 2916 wrote to memory of 2780 2916 Abfnpg32.exe 35 PID 2780 wrote to memory of 2460 2780 Ajmfad32.exe 36 PID 2780 wrote to memory of 2460 2780 Ajmfad32.exe 36 PID 2780 wrote to memory of 2460 2780 Ajmfad32.exe 36 PID 2780 wrote to memory of 2460 2780 Ajmfad32.exe 36 PID 2460 wrote to memory of 1796 2460 Abhkfg32.exe 37 PID 2460 wrote to memory of 1796 2460 Abhkfg32.exe 37 PID 2460 wrote to memory of 1796 2460 Abhkfg32.exe 37 PID 2460 wrote to memory of 1796 2460 Abhkfg32.exe 37 PID 1796 wrote to memory of 2996 1796 Amnocpdk.exe 38 PID 1796 wrote to memory of 2996 1796 Amnocpdk.exe 38 PID 1796 wrote to memory of 2996 1796 Amnocpdk.exe 38 PID 1796 wrote to memory of 2996 1796 Amnocpdk.exe 38 PID 2996 wrote to memory of 2676 2996 Aollokco.exe 39 PID 2996 wrote to memory of 2676 2996 Aollokco.exe 39 PID 2996 wrote to memory of 2676 2996 Aollokco.exe 39 PID 2996 wrote to memory of 2676 2996 Aollokco.exe 39 PID 2676 wrote to memory of 2944 2676 Akcldl32.exe 40 PID 2676 wrote to memory of 2944 2676 Akcldl32.exe 40 PID 2676 wrote to memory of 2944 2676 Akcldl32.exe 40 PID 2676 wrote to memory of 2944 2676 Akcldl32.exe 40 PID 2944 wrote to memory of 1212 2944 Aekqmbod.exe 41 PID 2944 wrote to memory of 1212 2944 Aekqmbod.exe 41 PID 2944 wrote to memory of 1212 2944 Aekqmbod.exe 41 PID 2944 wrote to memory of 1212 2944 Aekqmbod.exe 41 PID 1212 wrote to memory of 1864 1212 Akeijlfq.exe 42 PID 1212 wrote to memory of 1864 1212 Akeijlfq.exe 42 PID 1212 wrote to memory of 1864 1212 Akeijlfq.exe 42 PID 1212 wrote to memory of 1864 1212 Akeijlfq.exe 42 PID 1864 wrote to memory of 1972 1864 Bnfblgca.exe 43 PID 1864 wrote to memory of 1972 1864 Bnfblgca.exe 43 PID 1864 wrote to memory of 1972 1864 Bnfblgca.exe 43 PID 1864 wrote to memory of 1972 1864 Bnfblgca.exe 43 PID 1972 wrote to memory of 1056 1972 Bepjha32.exe 44 PID 1972 wrote to memory of 1056 1972 Bepjha32.exe 44 PID 1972 wrote to memory of 1056 1972 Bepjha32.exe 44 PID 1972 wrote to memory of 1056 1972 Bepjha32.exe 44 PID 1056 wrote to memory of 1980 1056 Bgnfdm32.exe 45 PID 1056 wrote to memory of 1980 1056 Bgnfdm32.exe 45 PID 1056 wrote to memory of 1980 1056 Bgnfdm32.exe 45 PID 1056 wrote to memory of 1980 1056 Bgnfdm32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\04e8d3a451dfdbc8bcee551eb3d3a31e9f747d5a907e980e11f967dc9f191b8b.exe"C:\Users\Admin\AppData\Local\Temp\04e8d3a451dfdbc8bcee551eb3d3a31e9f747d5a907e980e11f967dc9f191b8b.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1076 -
C:\Windows\SysWOW64\Qjkjle32.exeC:\Windows\system32\Qjkjle32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1432 -
C:\Windows\SysWOW64\Qmifhq32.exeC:\Windows\system32\Qmifhq32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2240 -
C:\Windows\SysWOW64\Qqdbiopj.exeC:\Windows\system32\Qqdbiopj.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2752 -
C:\Windows\SysWOW64\Qogbdl32.exeC:\Windows\system32\Qogbdl32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2764 -
C:\Windows\SysWOW64\Abfnpg32.exeC:\Windows\system32\Abfnpg32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2916 -
C:\Windows\SysWOW64\Ajmfad32.exeC:\Windows\system32\Ajmfad32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2780 -
C:\Windows\SysWOW64\Abhkfg32.exeC:\Windows\system32\Abhkfg32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2460 -
C:\Windows\SysWOW64\Amnocpdk.exeC:\Windows\system32\Amnocpdk.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1796 -
C:\Windows\SysWOW64\Aollokco.exeC:\Windows\system32\Aollokco.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2996 -
C:\Windows\SysWOW64\Akcldl32.exeC:\Windows\system32\Akcldl32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2676 -
C:\Windows\SysWOW64\Aekqmbod.exeC:\Windows\system32\Aekqmbod.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2944 -
C:\Windows\SysWOW64\Akeijlfq.exeC:\Windows\system32\Akeijlfq.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1212 -
C:\Windows\SysWOW64\Bnfblgca.exeC:\Windows\system32\Bnfblgca.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1864 -
C:\Windows\SysWOW64\Bepjha32.exeC:\Windows\system32\Bepjha32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1972 -
C:\Windows\SysWOW64\Bgnfdm32.exeC:\Windows\system32\Bgnfdm32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1056 -
C:\Windows\SysWOW64\Bnhoag32.exeC:\Windows\system32\Bnhoag32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1980 -
C:\Windows\SysWOW64\Bpjkiogm.exeC:\Windows\system32\Bpjkiogm.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1688 -
C:\Windows\SysWOW64\Bibpad32.exeC:\Windows\system32\Bibpad32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1152 -
C:\Windows\SysWOW64\Baigca32.exeC:\Windows\system32\Baigca32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1656 -
C:\Windows\SysWOW64\Bplhnoej.exeC:\Windows\system32\Bplhnoej.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1108 -
C:\Windows\SysWOW64\Bffpki32.exeC:\Windows\system32\Bffpki32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2232 -
C:\Windows\SysWOW64\Bmphhc32.exeC:\Windows\system32\Bmphhc32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1116 -
C:\Windows\SysWOW64\Bfhmqhkd.exeC:\Windows\system32\Bfhmqhkd.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2468 -
C:\Windows\SysWOW64\Bekmle32.exeC:\Windows\system32\Bekmle32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2360 -
C:\Windows\SysWOW64\Bmbemb32.exeC:\Windows\system32\Bmbemb32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2496 -
C:\Windows\SysWOW64\Bpqain32.exeC:\Windows\system32\Bpqain32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2448 -
C:\Windows\SysWOW64\Cemjae32.exeC:\Windows\system32\Cemjae32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2892 -
C:\Windows\SysWOW64\Chlfnp32.exeC:\Windows\system32\Chlfnp32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2620 -
C:\Windows\SysWOW64\Cbajkiof.exeC:\Windows\system32\Cbajkiof.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2336 -
C:\Windows\SysWOW64\Cadjgf32.exeC:\Windows\system32\Cadjgf32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2804 -
C:\Windows\SysWOW64\Cljodo32.exeC:\Windows\system32\Cljodo32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1984 -
C:\Windows\SysWOW64\Cjmopkla.exeC:\Windows\system32\Cjmopkla.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:2976 -
C:\Windows\SysWOW64\Cbdgqimc.exeC:\Windows\system32\Cbdgqimc.exe34⤵
- Executes dropped EXE
PID:2604 -
C:\Windows\SysWOW64\Cllkin32.exeC:\Windows\system32\Cllkin32.exe35⤵
- Executes dropped EXE
PID:2132 -
C:\Windows\SysWOW64\Cojhejbh.exeC:\Windows\system32\Cojhejbh.exe36⤵
- Executes dropped EXE
PID:1096 -
C:\Windows\SysWOW64\Cdgpnqpo.exeC:\Windows\system32\Cdgpnqpo.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:1020 -
C:\Windows\SysWOW64\Ckahkk32.exeC:\Windows\system32\Ckahkk32.exe38⤵
- Executes dropped EXE
PID:2144 -
C:\Windows\SysWOW64\Cmpdgf32.exeC:\Windows\system32\Cmpdgf32.exe39⤵
- Executes dropped EXE
PID:2948 -
C:\Windows\SysWOW64\Cdjmcpnl.exeC:\Windows\system32\Cdjmcpnl.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1872 -
C:\Windows\SysWOW64\Cheido32.exeC:\Windows\system32\Cheido32.exe41⤵
- Executes dropped EXE
PID:1992 -
C:\Windows\SysWOW64\Cifelgmd.exeC:\Windows\system32\Cifelgmd.exe42⤵
- Executes dropped EXE
PID:1584 -
C:\Windows\SysWOW64\Cmbalfem.exeC:\Windows\system32\Cmbalfem.exe43⤵
- Executes dropped EXE
PID:2316 -
C:\Windows\SysWOW64\Dpqnhadq.exeC:\Windows\system32\Dpqnhadq.exe44⤵
- Executes dropped EXE
PID:2400 -
C:\Windows\SysWOW64\Dgjfek32.exeC:\Windows\system32\Dgjfek32.exe45⤵
- Executes dropped EXE
PID:2588 -
C:\Windows\SysWOW64\Dlgnmb32.exeC:\Windows\system32\Dlgnmb32.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:1380 -
C:\Windows\SysWOW64\Dpcjnabn.exeC:\Windows\system32\Dpcjnabn.exe47⤵
- Executes dropped EXE
PID:1168 -
C:\Windows\SysWOW64\Dbafjlaa.exeC:\Windows\system32\Dbafjlaa.exe48⤵
- Executes dropped EXE
PID:2628 -
C:\Windows\SysWOW64\Depbfhpe.exeC:\Windows\system32\Depbfhpe.exe49⤵
- Executes dropped EXE
PID:1952 -
C:\Windows\SysWOW64\Dikogf32.exeC:\Windows\system32\Dikogf32.exe50⤵
- Executes dropped EXE
PID:2852 -
C:\Windows\SysWOW64\Dmgkgeah.exeC:\Windows\system32\Dmgkgeah.exe51⤵
- Executes dropped EXE
PID:2876 -
C:\Windows\SysWOW64\Dljkcb32.exeC:\Windows\system32\Dljkcb32.exe52⤵
- Executes dropped EXE
PID:1608 -
C:\Windows\SysWOW64\Dpegcq32.exeC:\Windows\system32\Dpegcq32.exe53⤵
- Executes dropped EXE
PID:1232 -
C:\Windows\SysWOW64\Dohgomgf.exeC:\Windows\system32\Dohgomgf.exe54⤵
- Executes dropped EXE
PID:1180 -
C:\Windows\SysWOW64\Dcccpl32.exeC:\Windows\system32\Dcccpl32.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:2952 -
C:\Windows\SysWOW64\Debplg32.exeC:\Windows\system32\Debplg32.exe56⤵
- Executes dropped EXE
PID:2384 -
C:\Windows\SysWOW64\Dinklffl.exeC:\Windows\system32\Dinklffl.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2660 -
C:\Windows\SysWOW64\Dllhhaep.exeC:\Windows\system32\Dllhhaep.exe58⤵
- Executes dropped EXE
PID:2860 -
C:\Windows\SysWOW64\Dpgcip32.exeC:\Windows\system32\Dpgcip32.exe59⤵
- Executes dropped EXE
PID:580 -
C:\Windows\SysWOW64\Dojddmec.exeC:\Windows\system32\Dojddmec.exe60⤵
- Executes dropped EXE
PID:2128 -
C:\Windows\SysWOW64\Daipqhdg.exeC:\Windows\system32\Daipqhdg.exe61⤵
- Executes dropped EXE
PID:2972 -
C:\Windows\SysWOW64\Diphbfdi.exeC:\Windows\system32\Diphbfdi.exe62⤵
- Executes dropped EXE
PID:1700 -
C:\Windows\SysWOW64\Dhbhmb32.exeC:\Windows\system32\Dhbhmb32.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2684 -
C:\Windows\SysWOW64\Dkadjn32.exeC:\Windows\system32\Dkadjn32.exe64⤵
- Executes dropped EXE
PID:2832 -
C:\Windows\SysWOW64\Domqjm32.exeC:\Windows\system32\Domqjm32.exe65⤵
- Executes dropped EXE
PID:2324 -
C:\Windows\SysWOW64\Degiggjm.exeC:\Windows\system32\Degiggjm.exe66⤵PID:2704
-
C:\Windows\SysWOW64\Ddiibc32.exeC:\Windows\system32\Ddiibc32.exe67⤵PID:1664
-
C:\Windows\SysWOW64\Elqaca32.exeC:\Windows\system32\Elqaca32.exe68⤵PID:692
-
C:\Windows\SysWOW64\Eoompl32.exeC:\Windows\system32\Eoompl32.exe69⤵PID:2104
-
C:\Windows\SysWOW64\Edlfhc32.exeC:\Windows\system32\Edlfhc32.exe70⤵
- System Location Discovery: System Language Discovery
PID:2960 -
C:\Windows\SysWOW64\Egjbdo32.exeC:\Windows\system32\Egjbdo32.exe71⤵PID:1320
-
C:\Windows\SysWOW64\Ekfndmfb.exeC:\Windows\system32\Ekfndmfb.exe72⤵PID:3012
-
C:\Windows\SysWOW64\Eoajel32.exeC:\Windows\system32\Eoajel32.exe73⤵PID:2284
-
C:\Windows\SysWOW64\Eapfagno.exeC:\Windows\system32\Eapfagno.exe74⤵PID:1928
-
C:\Windows\SysWOW64\Ednbncmb.exeC:\Windows\system32\Ednbncmb.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1592 -
C:\Windows\SysWOW64\Egmojnlf.exeC:\Windows\system32\Egmojnlf.exe76⤵PID:1756
-
C:\Windows\SysWOW64\Ejkkfjkj.exeC:\Windows\system32\Ejkkfjkj.exe77⤵PID:1732
-
C:\Windows\SysWOW64\Epecbd32.exeC:\Windows\system32\Epecbd32.exe78⤵PID:1248
-
C:\Windows\SysWOW64\Edqocbkp.exeC:\Windows\system32\Edqocbkp.exe79⤵PID:2160
-
C:\Windows\SysWOW64\Egokonjc.exeC:\Windows\system32\Egokonjc.exe80⤵PID:1944
-
C:\Windows\SysWOW64\Ekjgpm32.exeC:\Windows\system32\Ekjgpm32.exe81⤵PID:1844
-
C:\Windows\SysWOW64\Ejmhkiig.exeC:\Windows\system32\Ejmhkiig.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2788 -
C:\Windows\SysWOW64\Eniclh32.exeC:\Windows\system32\Eniclh32.exe83⤵PID:2520
-
C:\Windows\SysWOW64\Elldgehk.exeC:\Windows\system32\Elldgehk.exe84⤵
- Modifies registry class
PID:1820 -
C:\Windows\SysWOW64\Epgphcqd.exeC:\Windows\system32\Epgphcqd.exe85⤵
- Drops file in System32 directory
PID:592 -
C:\Windows\SysWOW64\Edclib32.exeC:\Windows\system32\Edclib32.exe86⤵PID:2040
-
C:\Windows\SysWOW64\Ecfldoph.exeC:\Windows\system32\Ecfldoph.exe87⤵PID:600
-
C:\Windows\SysWOW64\Efdhpjok.exeC:\Windows\system32\Efdhpjok.exe88⤵PID:1740
-
C:\Windows\SysWOW64\Ejpdai32.exeC:\Windows\system32\Ejpdai32.exe89⤵PID:1644
-
C:\Windows\SysWOW64\Enkpahon.exeC:\Windows\system32\Enkpahon.exe90⤵PID:320
-
C:\Windows\SysWOW64\Elnqmd32.exeC:\Windows\system32\Elnqmd32.exe91⤵
- Modifies registry class
PID:1772 -
C:\Windows\SysWOW64\Eolmip32.exeC:\Windows\system32\Eolmip32.exe92⤵PID:2728
-
C:\Windows\SysWOW64\Fchijone.exeC:\Windows\system32\Fchijone.exe93⤵PID:2980
-
C:\Windows\SysWOW64\Fgcejm32.exeC:\Windows\system32\Fgcejm32.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1988 -
C:\Windows\SysWOW64\Fjbafi32.exeC:\Windows\system32\Fjbafi32.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2268 -
C:\Windows\SysWOW64\Fheabelm.exeC:\Windows\system32\Fheabelm.exe96⤵PID:1580
-
C:\Windows\SysWOW64\Fqlicclo.exeC:\Windows\system32\Fqlicclo.exe97⤵PID:2424
-
C:\Windows\SysWOW64\Fbmfkkbm.exeC:\Windows\system32\Fbmfkkbm.exe98⤵PID:2272
-
C:\Windows\SysWOW64\Ffibkj32.exeC:\Windows\system32\Ffibkj32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1812 -
C:\Windows\SysWOW64\Fhgnge32.exeC:\Windows\system32\Fhgnge32.exe100⤵PID:1648
-
C:\Windows\SysWOW64\Fmcjhdbc.exeC:\Windows\system32\Fmcjhdbc.exe101⤵PID:2668
-
C:\Windows\SysWOW64\Fkejcq32.exeC:\Windows\system32\Fkejcq32.exe102⤵PID:2136
-
C:\Windows\SysWOW64\Fdnolfon.exeC:\Windows\system32\Fdnolfon.exe103⤵
- System Location Discovery: System Language Discovery
PID:1104 -
C:\Windows\SysWOW64\Fmegncpp.exeC:\Windows\system32\Fmegncpp.exe104⤵PID:2108
-
C:\Windows\SysWOW64\Foccjood.exeC:\Windows\system32\Foccjood.exe105⤵PID:3036
-
C:\Windows\SysWOW64\Fnfcel32.exeC:\Windows\system32\Fnfcel32.exe106⤵PID:1540
-
C:\Windows\SysWOW64\Fbbofjnh.exeC:\Windows\system32\Fbbofjnh.exe107⤵
- System Location Discovery: System Language Discovery
PID:1424 -
C:\Windows\SysWOW64\Fdpkbf32.exeC:\Windows\system32\Fdpkbf32.exe108⤵
- System Location Discovery: System Language Discovery
PID:2196 -
C:\Windows\SysWOW64\Filgbdfd.exeC:\Windows\system32\Filgbdfd.exe109⤵PID:1888
-
C:\Windows\SysWOW64\Fgohna32.exeC:\Windows\system32\Fgohna32.exe110⤵PID:3024
-
C:\Windows\SysWOW64\Fofpoo32.exeC:\Windows\system32\Fofpoo32.exe111⤵
- Drops file in System32 directory
PID:1400 -
C:\Windows\SysWOW64\Fnipkkdl.exeC:\Windows\system32\Fnipkkdl.exe112⤵PID:2332
-
C:\Windows\SysWOW64\Fqglggcp.exeC:\Windows\system32\Fqglggcp.exe113⤵PID:796
-
C:\Windows\SysWOW64\Findhdcb.exeC:\Windows\system32\Findhdcb.exe114⤵PID:2748
-
C:\Windows\SysWOW64\Findhdcb.exeC:\Windows\system32\Findhdcb.exe115⤵PID:1652
-
C:\Windows\SysWOW64\Fgadda32.exeC:\Windows\system32\Fgadda32.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2096 -
C:\Windows\SysWOW64\Gjpqpl32.exeC:\Windows\system32\Gjpqpl32.exe117⤵PID:2408
-
C:\Windows\SysWOW64\Gbfiaj32.exeC:\Windows\system32\Gbfiaj32.exe118⤵
- Drops file in System32 directory
PID:2552 -
C:\Windows\SysWOW64\Gqiimfam.exeC:\Windows\system32\Gqiimfam.exe119⤵
- Drops file in System32 directory
PID:2432 -
C:\Windows\SysWOW64\Gcheib32.exeC:\Windows\system32\Gcheib32.exe120⤵PID:1508
-
C:\Windows\SysWOW64\Ggcaiqhj.exeC:\Windows\system32\Ggcaiqhj.exe121⤵PID:2088
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-