Analysis
-
max time kernel
148s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20250217-en -
resource tags
arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system -
submitted
06/03/2025, 00:32
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
461a512503c2b847aeeab033173edfd253d85ebd509fd2ff77fbd2ad830120ec.exe
Resource
win7-20241023-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral2
Sample
461a512503c2b847aeeab033173edfd253d85ebd509fd2ff77fbd2ad830120ec.exe
Resource
win10v2004-20250217-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
461a512503c2b847aeeab033173edfd253d85ebd509fd2ff77fbd2ad830120ec.exe
-
Size
69KB
-
MD5
59a36f40363820fa28d8825909e11b70
-
SHA1
c39e5983cd735b53250d8dde729b3c4a43812610
-
SHA256
461a512503c2b847aeeab033173edfd253d85ebd509fd2ff77fbd2ad830120ec
-
SHA512
512ff8cbbea0a16c49081012c3279e85b81c590681296d488334022440aa41b34853cdf4c415362eea8d0d0f899d7f5910655a1aed58418e32d38e7ca2319dd0
-
SSDEEP
768:qY7y1nHNDPnCi74a27SOr+qie5tnqHG8rGqq3WFCMjwEH2/1H5xXdnhg+HQJ414y:qJXDF4a+QMtqHG8rq3Wpwis5YXa7
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pajeam32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pehngkcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Paoollik.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Albpkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bnfihkqm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akkffkhk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckbemgcp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aplaoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aajohjon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdnmfclj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkokcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mnjqmpgg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfccogfc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oaifpi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cibain32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfnjpfcl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cljobphg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eppjfgcp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kfnfjehl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofckhj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Llodgnja.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lqkqhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ofckhj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bnmoijje.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eghkjdoa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Geldkfpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lindkm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmfmde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lmgabcge.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfpffeaj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hipmfjee.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Panhbfep.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkofga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pjcikejg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pajeam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmmmfj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogcnmc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebifmm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fqbliicp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmadco32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dndnpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jblmgf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkfadkgf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmennnni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eblimcdf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pecellgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ahbjoe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ickglm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ommceclc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcjmel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Adikdfna.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbojlfdp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mqhfoebo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mepfiq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qodeajbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Geldkfpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ilphdlqh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Amikgpcc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qmhlgmmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eofgpikj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oabhfg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pagbaglh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dgjoif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fijdjfdb.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 4808 Lmpkadnm.exe 960 Lkalplel.exe 4308 Lnohlgep.exe 4836 Lmbhgd32.exe 1604 Lkchelci.exe 5012 Lqpamb32.exe 396 Lgjijmin.exe 2012 Lmgabcge.exe 4968 Lenicahg.exe 1372 Mnfnlf32.exe 3104 Mepfiq32.exe 2016 Mkjnfkma.exe 1148 Maggnali.exe 216 Mcecjmkl.exe 704 Meepdp32.exe 936 Mkohaj32.exe 3388 Mcjmel32.exe 2464 Mjdebfnd.exe 3052 Meiioonj.exe 4780 Nlcalieg.exe 3940 Nelfeo32.exe 2688 Nlfnaicd.exe 2148 Nhmofj32.exe 5024 Nmigoagp.exe 4588 Nhokljge.exe 1608 Nmlddqem.exe 5096 Ndflak32.exe 3876 Njpdnedf.exe 1548 Odhifjkg.exe 3624 Ohcegi32.exe 4644 Onnmdcjm.exe 3320 Omqmop32.exe 1920 Ohfami32.exe 4452 Oejbfmpg.exe 8 Oldjcg32.exe 2444 Oelolmnd.exe 2320 Olfghg32.exe 2864 Oeokal32.exe 1764 Olicnfco.exe 4584 Paelfmaf.exe 3316 Pddhbipj.exe 1412 Pknqoc32.exe 1804 Pahilmoc.exe 4896 Pecellgl.exe 4540 Plmmif32.exe 4508 Pajeam32.exe 4356 Pkbjjbda.exe 4760 Pehngkcg.exe 4180 Pmcclm32.exe 976 Paoollik.exe 1440 Pocpfphe.exe 4708 Qemhbj32.exe 4716 Qlgpod32.exe 4828 Qmhlgmmm.exe 2296 Qeodhjmo.exe 1424 Qlimed32.exe 3820 Aafemk32.exe 3848 Anmfbl32.exe 1388 Aednci32.exe 3280 Ahbjoe32.exe 1644 Alnfpcag.exe 2704 Aolblopj.exe 4100 Aajohjon.exe 212 Adikdfna.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Fligqhga.exe Feoodn32.exe File created C:\Windows\SysWOW64\Npdopj32.dll Iibccgep.exe File created C:\Windows\SysWOW64\Kfcfimfi.dll Pnkbkk32.exe File created C:\Windows\SysWOW64\Mqnbqh32.dll Bklomh32.exe File created C:\Windows\SysWOW64\Doagjc32.exe Dgjoif32.exe File created C:\Windows\SysWOW64\Nimmifgo.exe Ncpeaoih.exe File created C:\Windows\SysWOW64\Ocdnln32.exe Nmjfodne.exe File created C:\Windows\SysWOW64\Kgffoo32.dll Ickglm32.exe File opened for modification C:\Windows\SysWOW64\Ocohmc32.exe Ofkgcobj.exe File created C:\Windows\SysWOW64\Jnfpnk32.dll Phajna32.exe File created C:\Windows\SysWOW64\Pjdpelnc.exe Phfcipoo.exe File opened for modification C:\Windows\SysWOW64\Pcbkml32.exe Padnaq32.exe File opened for modification C:\Windows\SysWOW64\Aabkbono.exe Qikbaaml.exe File opened for modification C:\Windows\SysWOW64\Lmpkadnm.exe 461a512503c2b847aeeab033173edfd253d85ebd509fd2ff77fbd2ad830120ec.exe File opened for modification C:\Windows\SysWOW64\Bhpfqcln.exe Bebjdgmj.exe File created C:\Windows\SysWOW64\Pqindg32.dll Bheplb32.exe File created C:\Windows\SysWOW64\Jcgmgn32.dll Pplobcpp.exe File created C:\Windows\SysWOW64\Pnmopk32.exe Pjbcplpe.exe File opened for modification C:\Windows\SysWOW64\Edeeci32.exe Eohmkb32.exe File created C:\Windows\SysWOW64\Mgccelpk.dll Mfbaalbi.exe File created C:\Windows\SysWOW64\Jdockf32.dll Nmjfodne.exe File created C:\Windows\SysWOW64\Ekfcklij.dll Clchbqoo.exe File created C:\Windows\SysWOW64\Pneall32.dll Phfcipoo.exe File created C:\Windows\SysWOW64\Mnpofk32.dll Cnjdpaki.exe File created C:\Windows\SysWOW64\Clmmco32.dll Ihmfco32.exe File opened for modification C:\Windows\SysWOW64\Mfpell32.exe Mpclce32.exe File created C:\Windows\SysWOW64\Pafpga32.dll Qpbnhl32.exe File opened for modification C:\Windows\SysWOW64\Bpedeiff.exe Biklho32.exe File created C:\Windows\SysWOW64\Lhffmd32.dll Nhmofj32.exe File opened for modification C:\Windows\SysWOW64\Cmbgdl32.exe Cgiohbfi.exe File created C:\Windows\SysWOW64\Qobhkjdi.exe Qjfmkk32.exe File created C:\Windows\SysWOW64\Ilphdlqh.exe Iefphb32.exe File opened for modification C:\Windows\SysWOW64\Oihmedma.exe Obnehj32.exe File created C:\Windows\SysWOW64\Ampaho32.exe Ajaelc32.exe File created C:\Windows\SysWOW64\Khokadah.dll Bphqji32.exe File opened for modification C:\Windows\SysWOW64\Nhokljge.exe Nmigoagp.exe File created C:\Windows\SysWOW64\Mokmqben.dll Aolblopj.exe File created C:\Windows\SysWOW64\Jgbchj32.exe Jgpfbjlo.exe File created C:\Windows\SysWOW64\Oabhfg32.exe Ocohmc32.exe File created C:\Windows\SysWOW64\Hockka32.dll Qodeajbg.exe File created C:\Windows\SysWOW64\Mlcdqdie.dll Qacameaj.exe File opened for modification C:\Windows\SysWOW64\Gicgpelg.exe Gnnccl32.exe File opened for modification C:\Windows\SysWOW64\Ibegfglj.exe Ipgkjlmg.exe File created C:\Windows\SysWOW64\Qlimed32.exe Qeodhjmo.exe File created C:\Windows\SysWOW64\Dbbffdlq.exe Dodjjimm.exe File opened for modification C:\Windows\SysWOW64\Mcelpggq.exe Mjlhgaqp.exe File opened for modification C:\Windows\SysWOW64\Nmlddqem.exe Nhokljge.exe File opened for modification C:\Windows\SysWOW64\Hfjdqmng.exe Hekgfj32.exe File opened for modification C:\Windows\SysWOW64\Jgmjmjnb.exe Jpcapp32.exe File opened for modification C:\Windows\SysWOW64\Pcpnhl32.exe Omfekbdh.exe File created C:\Windows\SysWOW64\Nppbddqg.dll Cmedjl32.exe File created C:\Windows\SysWOW64\Cncijina.dll Omqmop32.exe File created C:\Windows\SysWOW64\Cghane32.dll Cleegp32.exe File opened for modification C:\Windows\SysWOW64\Pjdpelnc.exe Phfcipoo.exe File opened for modification C:\Windows\SysWOW64\Bknlbhhe.exe Bklomh32.exe File opened for modification C:\Windows\SysWOW64\Likhem32.exe Kcapicdj.exe File created C:\Windows\SysWOW64\Ckjfdocc.dll Aabkbono.exe File created C:\Windows\SysWOW64\Gmdcfidg.exe Gppcmeem.exe File created C:\Windows\SysWOW64\Ibdlakbf.dll Hplbickp.exe File created C:\Windows\SysWOW64\Ibegfglj.exe Ipgkjlmg.exe File created C:\Windows\SysWOW64\Oelolmnd.exe Oldjcg32.exe File created C:\Windows\SysWOW64\Ifolcq32.dll Mcpcdg32.exe File opened for modification C:\Windows\SysWOW64\Pciqnk32.exe Pakdbp32.exe File opened for modification C:\Windows\SysWOW64\Pahilmoc.exe Pknqoc32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 12156 12032 WerFault.exe 587 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnmopk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boihcf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckbemgcp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glfmgp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnmmboed.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhbcfbjk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcpcdg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Geldkfpi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kakmna32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lplfcf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mqhfoebo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgpeha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnjqmpgg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Piocecgj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Paelfmaf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iojbpo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llmhaold.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekajec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjjfdfbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pakdbp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbfgkffn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocohmc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amjbbfgo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlbejloe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkmeha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dooaoj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olicnfco.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Clchbqoo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aagdnn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Goglcahb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Legben32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bakgoh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfkmkf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eofgpikj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qobhkjdi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Baannc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpgmhg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnegbp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjfogbjb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnfnlf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eiloco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qpeahb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfiokmkc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abcgjg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmcclm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ickglm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kodnmkap.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahmjjoig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akkffkhk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aknbkjfh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmcpoedn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aehgnied.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eppjfgcp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hipmfjee.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lqkqhm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngqagcag.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aphnnafb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkofga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkohaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpccmhdg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amikgpcc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 461a512503c2b847aeeab033173edfd253d85ebd509fd2ff77fbd2ad830120ec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mqafhl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmohno32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlllhigk.dll" Lqojclne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ngqagcag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdlgcp32.dll" Oabhfg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bepjbf32.dll" Nbnlaldg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Afcmfe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cpljehpo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bkjiao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ongbqjjf.dll" Dooaoj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Phfcipoo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bajqda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpdbcaok.dll" Kakmna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqkplq32.dll" Pcpnhl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dndnpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfipab32.dll" Eiokinbk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Emmdom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bmhocd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Focanl32.dll" Eghkjdoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pddhbipj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dokgdkeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkjfaikb.dll" Objkmkjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Almoijfo.dll" Kfnfjehl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lfeljd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mcpcdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qlimed32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nchcpi32.dll" Cnkkjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dejncidp.dll" Dmennnni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlglnp32.dll" Jbojlfdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epgldbkn.dll" Qppaclio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lkalplel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leilnmkp.dll" Mnmmboed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Phcgcqab.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fnfmbmbi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Objkmkjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Omfekbdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qbonoghb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nhokljge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjldplpd.dll" Bnfihkqm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fpgpgfmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfmmaj32.dll" Goglcahb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilgonc32.dll" Pfdjinjo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pmnbfhal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bajqda32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jihbip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdlhkf32.dll" Cbbnpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Amjbbfgo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jlikkkhn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlkppnab.dll" Daeifj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edommp32.dll" Ebgpad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klbjgbff.dll" Pfandnla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jlikkkhn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ncbafoge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogmeemdg.dll" Ocdnln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Maggnali.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmnajl32.dll" Meiioonj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhihhecc.dll" Bnkbcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Deqcbpld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Figfoijn.dll" Mgbefe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eqgmmk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Camddhoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gejopl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmocfo32.dll" Qfkqjmdg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pcbkml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pfccogfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckjfdocc.dll" Aabkbono.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1144 wrote to memory of 4808 1144 461a512503c2b847aeeab033173edfd253d85ebd509fd2ff77fbd2ad830120ec.exe 85 PID 1144 wrote to memory of 4808 1144 461a512503c2b847aeeab033173edfd253d85ebd509fd2ff77fbd2ad830120ec.exe 85 PID 1144 wrote to memory of 4808 1144 461a512503c2b847aeeab033173edfd253d85ebd509fd2ff77fbd2ad830120ec.exe 85 PID 4808 wrote to memory of 960 4808 Lmpkadnm.exe 86 PID 4808 wrote to memory of 960 4808 Lmpkadnm.exe 86 PID 4808 wrote to memory of 960 4808 Lmpkadnm.exe 86 PID 960 wrote to memory of 4308 960 Lkalplel.exe 87 PID 960 wrote to memory of 4308 960 Lkalplel.exe 87 PID 960 wrote to memory of 4308 960 Lkalplel.exe 87 PID 4308 wrote to memory of 4836 4308 Lnohlgep.exe 88 PID 4308 wrote to memory of 4836 4308 Lnohlgep.exe 88 PID 4308 wrote to memory of 4836 4308 Lnohlgep.exe 88 PID 4836 wrote to memory of 1604 4836 Lmbhgd32.exe 89 PID 4836 wrote to memory of 1604 4836 Lmbhgd32.exe 89 PID 4836 wrote to memory of 1604 4836 Lmbhgd32.exe 89 PID 1604 wrote to memory of 5012 1604 Lkchelci.exe 90 PID 1604 wrote to memory of 5012 1604 Lkchelci.exe 90 PID 1604 wrote to memory of 5012 1604 Lkchelci.exe 90 PID 5012 wrote to memory of 396 5012 Lqpamb32.exe 91 PID 5012 wrote to memory of 396 5012 Lqpamb32.exe 91 PID 5012 wrote to memory of 396 5012 Lqpamb32.exe 91 PID 396 wrote to memory of 2012 396 Lgjijmin.exe 93 PID 396 wrote to memory of 2012 396 Lgjijmin.exe 93 PID 396 wrote to memory of 2012 396 Lgjijmin.exe 93 PID 2012 wrote to memory of 4968 2012 Lmgabcge.exe 94 PID 2012 wrote to memory of 4968 2012 Lmgabcge.exe 94 PID 2012 wrote to memory of 4968 2012 Lmgabcge.exe 94 PID 4968 wrote to memory of 1372 4968 Lenicahg.exe 95 PID 4968 wrote to memory of 1372 4968 Lenicahg.exe 95 PID 4968 wrote to memory of 1372 4968 Lenicahg.exe 95 PID 1372 wrote to memory of 3104 1372 Mnfnlf32.exe 96 PID 1372 wrote to memory of 3104 1372 Mnfnlf32.exe 96 PID 1372 wrote to memory of 3104 1372 Mnfnlf32.exe 96 PID 3104 wrote to memory of 2016 3104 Mepfiq32.exe 97 PID 3104 wrote to memory of 2016 3104 Mepfiq32.exe 97 PID 3104 wrote to memory of 2016 3104 Mepfiq32.exe 97 PID 2016 wrote to memory of 1148 2016 Mkjnfkma.exe 98 PID 2016 wrote to memory of 1148 2016 Mkjnfkma.exe 98 PID 2016 wrote to memory of 1148 2016 Mkjnfkma.exe 98 PID 1148 wrote to memory of 216 1148 Maggnali.exe 99 PID 1148 wrote to memory of 216 1148 Maggnali.exe 99 PID 1148 wrote to memory of 216 1148 Maggnali.exe 99 PID 216 wrote to memory of 704 216 Mcecjmkl.exe 100 PID 216 wrote to memory of 704 216 Mcecjmkl.exe 100 PID 216 wrote to memory of 704 216 Mcecjmkl.exe 100 PID 704 wrote to memory of 936 704 Meepdp32.exe 101 PID 704 wrote to memory of 936 704 Meepdp32.exe 101 PID 704 wrote to memory of 936 704 Meepdp32.exe 101 PID 936 wrote to memory of 3388 936 Mkohaj32.exe 103 PID 936 wrote to memory of 3388 936 Mkohaj32.exe 103 PID 936 wrote to memory of 3388 936 Mkohaj32.exe 103 PID 3388 wrote to memory of 2464 3388 Mcjmel32.exe 104 PID 3388 wrote to memory of 2464 3388 Mcjmel32.exe 104 PID 3388 wrote to memory of 2464 3388 Mcjmel32.exe 104 PID 2464 wrote to memory of 3052 2464 Mjdebfnd.exe 105 PID 2464 wrote to memory of 3052 2464 Mjdebfnd.exe 105 PID 2464 wrote to memory of 3052 2464 Mjdebfnd.exe 105 PID 3052 wrote to memory of 4780 3052 Meiioonj.exe 106 PID 3052 wrote to memory of 4780 3052 Meiioonj.exe 106 PID 3052 wrote to memory of 4780 3052 Meiioonj.exe 106 PID 4780 wrote to memory of 3940 4780 Nlcalieg.exe 107 PID 4780 wrote to memory of 3940 4780 Nlcalieg.exe 107 PID 4780 wrote to memory of 3940 4780 Nlcalieg.exe 107 PID 3940 wrote to memory of 2688 3940 Nelfeo32.exe 108
Processes
-
C:\Users\Admin\AppData\Local\Temp\461a512503c2b847aeeab033173edfd253d85ebd509fd2ff77fbd2ad830120ec.exe"C:\Users\Admin\AppData\Local\Temp\461a512503c2b847aeeab033173edfd253d85ebd509fd2ff77fbd2ad830120ec.exe"1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1144 -
C:\Windows\SysWOW64\Lmpkadnm.exeC:\Windows\system32\Lmpkadnm.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4808 -
C:\Windows\SysWOW64\Lkalplel.exeC:\Windows\system32\Lkalplel.exe3⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:960 -
C:\Windows\SysWOW64\Lnohlgep.exeC:\Windows\system32\Lnohlgep.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4308 -
C:\Windows\SysWOW64\Lmbhgd32.exeC:\Windows\system32\Lmbhgd32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4836 -
C:\Windows\SysWOW64\Lkchelci.exeC:\Windows\system32\Lkchelci.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1604 -
C:\Windows\SysWOW64\Lqpamb32.exeC:\Windows\system32\Lqpamb32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5012 -
C:\Windows\SysWOW64\Lgjijmin.exeC:\Windows\system32\Lgjijmin.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:396 -
C:\Windows\SysWOW64\Lmgabcge.exeC:\Windows\system32\Lmgabcge.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2012 -
C:\Windows\SysWOW64\Lenicahg.exeC:\Windows\system32\Lenicahg.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4968 -
C:\Windows\SysWOW64\Mnfnlf32.exeC:\Windows\system32\Mnfnlf32.exe11⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1372 -
C:\Windows\SysWOW64\Mepfiq32.exeC:\Windows\system32\Mepfiq32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3104 -
C:\Windows\SysWOW64\Mkjnfkma.exeC:\Windows\system32\Mkjnfkma.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2016 -
C:\Windows\SysWOW64\Maggnali.exeC:\Windows\system32\Maggnali.exe14⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1148 -
C:\Windows\SysWOW64\Mcecjmkl.exeC:\Windows\system32\Mcecjmkl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:216 -
C:\Windows\SysWOW64\Meepdp32.exeC:\Windows\system32\Meepdp32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:704 -
C:\Windows\SysWOW64\Mkohaj32.exeC:\Windows\system32\Mkohaj32.exe17⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:936 -
C:\Windows\SysWOW64\Mcjmel32.exeC:\Windows\system32\Mcjmel32.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3388 -
C:\Windows\SysWOW64\Mjdebfnd.exeC:\Windows\system32\Mjdebfnd.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2464 -
C:\Windows\SysWOW64\Meiioonj.exeC:\Windows\system32\Meiioonj.exe20⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3052 -
C:\Windows\SysWOW64\Nlcalieg.exeC:\Windows\system32\Nlcalieg.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4780 -
C:\Windows\SysWOW64\Nelfeo32.exeC:\Windows\system32\Nelfeo32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3940 -
C:\Windows\SysWOW64\Nlfnaicd.exeC:\Windows\system32\Nlfnaicd.exe23⤵
- Executes dropped EXE
PID:2688 -
C:\Windows\SysWOW64\Nhmofj32.exeC:\Windows\system32\Nhmofj32.exe24⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2148 -
C:\Windows\SysWOW64\Nmigoagp.exeC:\Windows\system32\Nmigoagp.exe25⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5024 -
C:\Windows\SysWOW64\Nhokljge.exeC:\Windows\system32\Nhokljge.exe26⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4588 -
C:\Windows\SysWOW64\Nmlddqem.exeC:\Windows\system32\Nmlddqem.exe27⤵
- Executes dropped EXE
PID:1608 -
C:\Windows\SysWOW64\Ndflak32.exeC:\Windows\system32\Ndflak32.exe28⤵
- Executes dropped EXE
PID:5096 -
C:\Windows\SysWOW64\Njpdnedf.exeC:\Windows\system32\Njpdnedf.exe29⤵
- Executes dropped EXE
PID:3876 -
C:\Windows\SysWOW64\Odhifjkg.exeC:\Windows\system32\Odhifjkg.exe30⤵
- Executes dropped EXE
PID:1548 -
C:\Windows\SysWOW64\Ohcegi32.exeC:\Windows\system32\Ohcegi32.exe31⤵
- Executes dropped EXE
PID:3624 -
C:\Windows\SysWOW64\Onnmdcjm.exeC:\Windows\system32\Onnmdcjm.exe32⤵
- Executes dropped EXE
PID:4644 -
C:\Windows\SysWOW64\Omqmop32.exeC:\Windows\system32\Omqmop32.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3320 -
C:\Windows\SysWOW64\Ohfami32.exeC:\Windows\system32\Ohfami32.exe34⤵
- Executes dropped EXE
PID:1920 -
C:\Windows\SysWOW64\Oejbfmpg.exeC:\Windows\system32\Oejbfmpg.exe35⤵
- Executes dropped EXE
PID:4452 -
C:\Windows\SysWOW64\Oldjcg32.exeC:\Windows\system32\Oldjcg32.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:8 -
C:\Windows\SysWOW64\Oelolmnd.exeC:\Windows\system32\Oelolmnd.exe37⤵
- Executes dropped EXE
PID:2444 -
C:\Windows\SysWOW64\Olfghg32.exeC:\Windows\system32\Olfghg32.exe38⤵
- Executes dropped EXE
PID:2320 -
C:\Windows\SysWOW64\Oeokal32.exeC:\Windows\system32\Oeokal32.exe39⤵
- Executes dropped EXE
PID:2864 -
C:\Windows\SysWOW64\Olicnfco.exeC:\Windows\system32\Olicnfco.exe40⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1764 -
C:\Windows\SysWOW64\Paelfmaf.exeC:\Windows\system32\Paelfmaf.exe41⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4584 -
C:\Windows\SysWOW64\Pddhbipj.exeC:\Windows\system32\Pddhbipj.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:3316 -
C:\Windows\SysWOW64\Pknqoc32.exeC:\Windows\system32\Pknqoc32.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1412 -
C:\Windows\SysWOW64\Pahilmoc.exeC:\Windows\system32\Pahilmoc.exe44⤵
- Executes dropped EXE
PID:1804 -
C:\Windows\SysWOW64\Pecellgl.exeC:\Windows\system32\Pecellgl.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4896 -
C:\Windows\SysWOW64\Plmmif32.exeC:\Windows\system32\Plmmif32.exe46⤵
- Executes dropped EXE
PID:4540 -
C:\Windows\SysWOW64\Pajeam32.exeC:\Windows\system32\Pajeam32.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4508 -
C:\Windows\SysWOW64\Pkbjjbda.exeC:\Windows\system32\Pkbjjbda.exe48⤵
- Executes dropped EXE
PID:4356 -
C:\Windows\SysWOW64\Pehngkcg.exeC:\Windows\system32\Pehngkcg.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4760 -
C:\Windows\SysWOW64\Pmcclm32.exeC:\Windows\system32\Pmcclm32.exe50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4180 -
C:\Windows\SysWOW64\Paoollik.exeC:\Windows\system32\Paoollik.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:976 -
C:\Windows\SysWOW64\Pocpfphe.exeC:\Windows\system32\Pocpfphe.exe52⤵
- Executes dropped EXE
PID:1440 -
C:\Windows\SysWOW64\Qemhbj32.exeC:\Windows\system32\Qemhbj32.exe53⤵
- Executes dropped EXE
PID:4708 -
C:\Windows\SysWOW64\Qlgpod32.exeC:\Windows\system32\Qlgpod32.exe54⤵
- Executes dropped EXE
PID:4716 -
C:\Windows\SysWOW64\Qmhlgmmm.exeC:\Windows\system32\Qmhlgmmm.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4828 -
C:\Windows\SysWOW64\Qeodhjmo.exeC:\Windows\system32\Qeodhjmo.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2296 -
C:\Windows\SysWOW64\Qlimed32.exeC:\Windows\system32\Qlimed32.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:1424 -
C:\Windows\SysWOW64\Aafemk32.exeC:\Windows\system32\Aafemk32.exe58⤵
- Executes dropped EXE
PID:3820 -
C:\Windows\SysWOW64\Anmfbl32.exeC:\Windows\system32\Anmfbl32.exe59⤵
- Executes dropped EXE
PID:3848 -
C:\Windows\SysWOW64\Aednci32.exeC:\Windows\system32\Aednci32.exe60⤵
- Executes dropped EXE
PID:1388 -
C:\Windows\SysWOW64\Ahbjoe32.exeC:\Windows\system32\Ahbjoe32.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3280 -
C:\Windows\SysWOW64\Alnfpcag.exeC:\Windows\system32\Alnfpcag.exe62⤵
- Executes dropped EXE
PID:1644 -
C:\Windows\SysWOW64\Aolblopj.exeC:\Windows\system32\Aolblopj.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2704 -
C:\Windows\SysWOW64\Aajohjon.exeC:\Windows\system32\Aajohjon.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4100 -
C:\Windows\SysWOW64\Adikdfna.exeC:\Windows\system32\Adikdfna.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:212 -
C:\Windows\SysWOW64\Alpbecod.exeC:\Windows\system32\Alpbecod.exe66⤵PID:4800
-
C:\Windows\SysWOW64\Aehgnied.exeC:\Windows\system32\Aehgnied.exe67⤵
- System Location Discovery: System Language Discovery
PID:3928 -
C:\Windows\SysWOW64\Albpkc32.exeC:\Windows\system32\Albpkc32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2028 -
C:\Windows\SysWOW64\Aoalgn32.exeC:\Windows\system32\Aoalgn32.exe69⤵PID:4416
-
C:\Windows\SysWOW64\Aaohcj32.exeC:\Windows\system32\Aaohcj32.exe70⤵PID:2380
-
C:\Windows\SysWOW64\Alelqb32.exeC:\Windows\system32\Alelqb32.exe71⤵PID:3800
-
C:\Windows\SysWOW64\Bnfihkqm.exeC:\Windows\system32\Bnfihkqm.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3540 -
C:\Windows\SysWOW64\Bemqih32.exeC:\Windows\system32\Bemqih32.exe73⤵PID:2348
-
C:\Windows\SysWOW64\Bdpaeehj.exeC:\Windows\system32\Bdpaeehj.exe74⤵PID:3568
-
C:\Windows\SysWOW64\Blgifbil.exeC:\Windows\system32\Blgifbil.exe75⤵PID:3992
-
C:\Windows\SysWOW64\Bkjiao32.exeC:\Windows\system32\Bkjiao32.exe76⤵
- Modifies registry class
PID:60 -
C:\Windows\SysWOW64\Bnhenj32.exeC:\Windows\system32\Bnhenj32.exe77⤵PID:3440
-
C:\Windows\SysWOW64\Bepmoh32.exeC:\Windows\system32\Bepmoh32.exe78⤵PID:4580
-
C:\Windows\SysWOW64\Bhnikc32.exeC:\Windows\system32\Bhnikc32.exe79⤵PID:5148
-
C:\Windows\SysWOW64\Bklfgo32.exeC:\Windows\system32\Bklfgo32.exe80⤵PID:5192
-
C:\Windows\SysWOW64\Bnkbcj32.exeC:\Windows\system32\Bnkbcj32.exe81⤵
- Modifies registry class
PID:5260 -
C:\Windows\SysWOW64\Bebjdgmj.exeC:\Windows\system32\Bebjdgmj.exe82⤵
- Drops file in System32 directory
PID:5324 -
C:\Windows\SysWOW64\Bhpfqcln.exeC:\Windows\system32\Bhpfqcln.exe83⤵PID:5392
-
C:\Windows\SysWOW64\Bkobmnka.exeC:\Windows\system32\Bkobmnka.exe84⤵PID:5440
-
C:\Windows\SysWOW64\Bnmoijje.exeC:\Windows\system32\Bnmoijje.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5484 -
C:\Windows\SysWOW64\Bahkih32.exeC:\Windows\system32\Bahkih32.exe86⤵PID:5528
-
C:\Windows\SysWOW64\Bhbcfbjk.exeC:\Windows\system32\Bhbcfbjk.exe87⤵
- System Location Discovery: System Language Discovery
PID:5576 -
C:\Windows\SysWOW64\Blnoga32.exeC:\Windows\system32\Blnoga32.exe88⤵PID:5624
-
C:\Windows\SysWOW64\Bomkcm32.exeC:\Windows\system32\Bomkcm32.exe89⤵PID:5672
-
C:\Windows\SysWOW64\Bakgoh32.exeC:\Windows\system32\Bakgoh32.exe90⤵
- System Location Discovery: System Language Discovery
PID:5724 -
C:\Windows\SysWOW64\Bdickcpo.exeC:\Windows\system32\Bdickcpo.exe91⤵PID:5768
-
C:\Windows\SysWOW64\Bheplb32.exeC:\Windows\system32\Bheplb32.exe92⤵
- Drops file in System32 directory
PID:5812 -
C:\Windows\SysWOW64\Coohhlpe.exeC:\Windows\system32\Coohhlpe.exe93⤵PID:5856
-
C:\Windows\SysWOW64\Camddhoi.exeC:\Windows\system32\Camddhoi.exe94⤵
- Modifies registry class
PID:5900 -
C:\Windows\SysWOW64\Chglab32.exeC:\Windows\system32\Chglab32.exe95⤵PID:5948
-
C:\Windows\SysWOW64\Clchbqoo.exeC:\Windows\system32\Clchbqoo.exe96⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5992 -
C:\Windows\SysWOW64\Coadnlnb.exeC:\Windows\system32\Coadnlnb.exe97⤵PID:6036
-
C:\Windows\SysWOW64\Cfkmkf32.exeC:\Windows\system32\Cfkmkf32.exe98⤵
- System Location Discovery: System Language Discovery
PID:6080 -
C:\Windows\SysWOW64\Cdnmfclj.exeC:\Windows\system32\Cdnmfclj.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6124 -
C:\Windows\SysWOW64\Cleegp32.exeC:\Windows\system32\Cleegp32.exe100⤵
- Drops file in System32 directory
PID:5132 -
C:\Windows\SysWOW64\Cocacl32.exeC:\Windows\system32\Cocacl32.exe101⤵PID:5240
-
C:\Windows\SysWOW64\Cbbnpg32.exeC:\Windows\system32\Cbbnpg32.exe102⤵
- Modifies registry class
PID:5308 -
C:\Windows\SysWOW64\Cfnjpfcl.exeC:\Windows\system32\Cfnjpfcl.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5412 -
C:\Windows\SysWOW64\Cfpffeaj.exeC:\Windows\system32\Cfpffeaj.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5496 -
C:\Windows\SysWOW64\Cdbfab32.exeC:\Windows\system32\Cdbfab32.exe105⤵PID:5572
-
C:\Windows\SysWOW64\Cljobphg.exeC:\Windows\system32\Cljobphg.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5656 -
C:\Windows\SysWOW64\Cnkkjh32.exeC:\Windows\system32\Cnkkjh32.exe107⤵
- Modifies registry class
PID:5736 -
C:\Windows\SysWOW64\Cbfgkffn.exeC:\Windows\system32\Cbfgkffn.exe108⤵
- System Location Discovery: System Language Discovery
PID:5788 -
C:\Windows\SysWOW64\Cfbcke32.exeC:\Windows\system32\Cfbcke32.exe109⤵PID:5872
-
C:\Windows\SysWOW64\Chqogq32.exeC:\Windows\system32\Chqogq32.exe110⤵PID:5940
-
C:\Windows\SysWOW64\Dkokcl32.exeC:\Windows\system32\Dkokcl32.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5976 -
C:\Windows\SysWOW64\Dokgdkeh.exeC:\Windows\system32\Dokgdkeh.exe112⤵
- Modifies registry class
PID:6088 -
C:\Windows\SysWOW64\Dbicpfdk.exeC:\Windows\system32\Dbicpfdk.exe113⤵PID:5144
-
C:\Windows\SysWOW64\Ddgplado.exeC:\Windows\system32\Ddgplado.exe114⤵PID:5256
-
C:\Windows\SysWOW64\Dmohno32.exeC:\Windows\system32\Dmohno32.exe115⤵
- System Location Discovery: System Language Discovery
PID:5416 -
C:\Windows\SysWOW64\Domdjj32.exeC:\Windows\system32\Domdjj32.exe116⤵PID:5560
-
C:\Windows\SysWOW64\Dbkqfe32.exeC:\Windows\system32\Dbkqfe32.exe117⤵PID:5664
-
C:\Windows\SysWOW64\Dmadco32.exeC:\Windows\system32\Dmadco32.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5796 -
C:\Windows\SysWOW64\Dooaoj32.exeC:\Windows\system32\Dooaoj32.exe119⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5892 -
C:\Windows\SysWOW64\Dbnmke32.exeC:\Windows\system32\Dbnmke32.exe120⤵PID:6004
-
C:\Windows\SysWOW64\Ddligq32.exeC:\Windows\system32\Ddligq32.exe121⤵PID:6132
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-