Analysis
-
max time kernel
118s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
19-09-2024 06:18
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
1a6d9999afdce8c539eede32ecd99460c1c9dda7dac4c94af33948798160149cN.exe
Resource
win7-20240708-en
windows7-x64
9 signatures
120 seconds
Behavioral task
behavioral2
Sample
1a6d9999afdce8c539eede32ecd99460c1c9dda7dac4c94af33948798160149cN.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
8 signatures
120 seconds
General
-
Target
1a6d9999afdce8c539eede32ecd99460c1c9dda7dac4c94af33948798160149cN.exe
-
Size
75KB
-
MD5
42a8b61e9e60257e3e2738531dc8c5c0
-
SHA1
5b073a3428169958fc6f017c37aae923c4399fdd
-
SHA256
1a6d9999afdce8c539eede32ecd99460c1c9dda7dac4c94af33948798160149c
-
SHA512
cb19d5b16a8dfa1dff7deca08ca5bd2fa1722ed30f88a919030973fbc4ba31058ebfc6e8a54edbffe24d2a3fc0e6cc7b9d5bb99eefef9bedefc5b807f3501995
-
SSDEEP
1536:+y/7gC1ZznEBGQWcyrxuTh1cgCe8uvQGYQzlV:L7g4nEfW3yhugCe8uvQa
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://master-x.com/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://crutop.ru/index.php
http://kaspersky.ru/index.php
http://color-bank.ru/index.php
http://adult-empire.com/index.php
http://virus-list.com/index.php
http://trojan.ru/index.php
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://fethard.biz/index.htm
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://kaspersky.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgfoie32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lohjnf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Maefamlh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phhjblpa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbgmigeq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hifpke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mmgfqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Obmnna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gjicfk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Beackp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gceailog.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbaaik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jpdnbbah.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbafdlod.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ompefj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qgjccb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahgofi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hdoghdmd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdefgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lghlndfa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eppcmncq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Obhdcanc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfeepelg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehkhaqpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ijqoilii.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifjlcmmj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klbdgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ncnngfna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hnkion32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnkcpq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ndkhngdd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anjlebjc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aojabdlf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbiaemkk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmljgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qdaglmcb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkecij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kpicle32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qiioon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fdnolfon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fkmqdpce.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnpgeopa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmejllia.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Neqnqofm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eaheeecg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggicgopd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Khghgchk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nipdkieg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bqlfaj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpfmmf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlckbh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojomdoof.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad 1a6d9999afdce8c539eede32ecd99460c1c9dda7dac4c94af33948798160149cN.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jlckbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gcbabpcf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmpkqklh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmpjagfa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbknkl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okdmjdol.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpoolael.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjpaop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lohjnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfnoogbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Imahkg32.exe -
Executes dropped EXE 64 IoCs
pid Process 1940 Egjbdo32.exe 1844 Eoajel32.exe 2184 Ehjona32.exe 2860 Enfgfh32.exe 2596 Epecbd32.exe 2952 Egokonjc.exe 2592 Ejmhkiig.exe 2156 Elldgehk.exe 2928 Ecfldoph.exe 2340 Ejpdai32.exe 2984 Enkpahon.exe 2948 Eolmip32.exe 1748 Fffefjmi.exe 576 Fheabelm.exe 2396 Foojop32.exe 2096 Fbmfkkbm.exe 1052 Fmcjhdbc.exe 2244 Fkejcq32.exe 1340 Fcmben32.exe 912 Ffkoai32.exe 1716 Fdnolfon.exe 1544 Fmegncpp.exe 832 Fbbofjnh.exe 2524 Ffmkfifa.exe 2844 Fofpoo32.exe 1612 Fbdlkj32.exe 2508 Fdbhge32.exe 2392 Fkmqdpce.exe 3028 Gbfiaj32.exe 2724 Gcheib32.exe 1180 Gmpjagfa.exe 2588 Gegabegc.exe 2440 Ggfnopfg.exe 2924 Gnpflj32.exe 2576 Gcmoda32.exe 2960 Gjfgqk32.exe 2876 Gpcoib32.exe 1556 Gbaken32.exe 2224 Gfmgelil.exe 2300 Gjicfk32.exe 1268 Gpelnb32.exe 3044 Gbdhjm32.exe 2064 Hebdfind.exe 2488 Hllmcc32.exe 840 Hnkion32.exe 712 Heealhla.exe 2288 Hipmmg32.exe 692 Hloiib32.exe 2528 Hpjeialg.exe 2780 Hnmeen32.exe 2460 Hbiaemkk.exe 2732 Hegnahjo.exe 2108 Hibjbgbh.exe 1984 Hlafnbal.exe 2136 Hjdfjo32.exe 1640 Hbknkl32.exe 2912 Hanogipc.exe 1476 Heikgh32.exe 2020 Hdlkcdog.exe 964 Hlccdboi.exe 1376 Hnbopmnm.exe 2452 Hmeolj32.exe 1860 Hapklimq.exe 1736 Hdoghdmd.exe -
Loads dropped DLL 64 IoCs
pid Process 620 1a6d9999afdce8c539eede32ecd99460c1c9dda7dac4c94af33948798160149cN.exe 620 1a6d9999afdce8c539eede32ecd99460c1c9dda7dac4c94af33948798160149cN.exe 1940 Egjbdo32.exe 1940 Egjbdo32.exe 1844 Eoajel32.exe 1844 Eoajel32.exe 2184 Ehjona32.exe 2184 Ehjona32.exe 2860 Enfgfh32.exe 2860 Enfgfh32.exe 2596 Epecbd32.exe 2596 Epecbd32.exe 2952 Egokonjc.exe 2952 Egokonjc.exe 2592 Ejmhkiig.exe 2592 Ejmhkiig.exe 2156 Elldgehk.exe 2156 Elldgehk.exe 2928 Ecfldoph.exe 2928 Ecfldoph.exe 2340 Ejpdai32.exe 2340 Ejpdai32.exe 2984 Enkpahon.exe 2984 Enkpahon.exe 2948 Eolmip32.exe 2948 Eolmip32.exe 1748 Fffefjmi.exe 1748 Fffefjmi.exe 576 Fheabelm.exe 576 Fheabelm.exe 2396 Foojop32.exe 2396 Foojop32.exe 2096 Fbmfkkbm.exe 2096 Fbmfkkbm.exe 1052 Fmcjhdbc.exe 1052 Fmcjhdbc.exe 2244 Fkejcq32.exe 2244 Fkejcq32.exe 1340 Fcmben32.exe 1340 Fcmben32.exe 912 Ffkoai32.exe 912 Ffkoai32.exe 1716 Fdnolfon.exe 1716 Fdnolfon.exe 1544 Fmegncpp.exe 1544 Fmegncpp.exe 832 Fbbofjnh.exe 832 Fbbofjnh.exe 2524 Ffmkfifa.exe 2524 Ffmkfifa.exe 2844 Fofpoo32.exe 2844 Fofpoo32.exe 1612 Fbdlkj32.exe 1612 Fbdlkj32.exe 2508 Fdbhge32.exe 2508 Fdbhge32.exe 2392 Fkmqdpce.exe 2392 Fkmqdpce.exe 3028 Gbfiaj32.exe 3028 Gbfiaj32.exe 2724 Gcheib32.exe 2724 Gcheib32.exe 1180 Gmpjagfa.exe 1180 Gmpjagfa.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Ndmcdl32.dll Ookpodkj.exe File created C:\Windows\SysWOW64\Hdhkdkaa.dll Hblgnkdh.exe File created C:\Windows\SysWOW64\Mpgobc32.exe Mmicfh32.exe File created C:\Windows\SysWOW64\Cbiiog32.exe Cpkmcldj.exe File created C:\Windows\SysWOW64\Gqdefddb.exe Gneijien.exe File opened for modification C:\Windows\SysWOW64\Kcamjb32.exe Kpcqnf32.exe File opened for modification C:\Windows\SysWOW64\Jhoice32.exe Jdcmbgkj.exe File created C:\Windows\SysWOW64\Aqhhanig.exe Anjlebjc.exe File created C:\Windows\SysWOW64\Behilopf.exe Bbjmpcab.exe File created C:\Windows\SysWOW64\Dkqnoh32.exe Dgeaoinb.exe File opened for modification C:\Windows\SysWOW64\Hcgjmo32.exe Hpkompgg.exe File created C:\Windows\SysWOW64\Jppgpfpi.dll Lnpgeopa.exe File created C:\Windows\SysWOW64\Aobnniji.exe Aqonbm32.exe File created C:\Windows\SysWOW64\Pmeefl32.dll Behilopf.exe File created C:\Windows\SysWOW64\Fjjpjgjj.exe Ffodjh32.exe File created C:\Windows\SysWOW64\Aplpbjee.dll Iimfld32.exe File created C:\Windows\SysWOW64\Llbqfe32.exe Ljddjj32.exe File created C:\Windows\SysWOW64\Jncnhl32.dll Mmdjkhdh.exe File created C:\Windows\SysWOW64\Bjmeiq32.exe Bkjdndjo.exe File created C:\Windows\SysWOW64\Acddagag.dll Fmcjhdbc.exe File opened for modification C:\Windows\SysWOW64\Gfmgelil.exe Gbaken32.exe File opened for modification C:\Windows\SysWOW64\Jckgicnp.exe Jdhgnf32.exe File opened for modification C:\Windows\SysWOW64\Mihdgkpp.exe Mnbpjb32.exe File opened for modification C:\Windows\SysWOW64\Enlidg32.exe Eknmhk32.exe File opened for modification C:\Windows\SysWOW64\Gbjojh32.exe Golbnm32.exe File created C:\Windows\SysWOW64\Adqaqk32.dll Nbjeinje.exe File opened for modification C:\Windows\SysWOW64\Bbbpenco.exe Bjkhdacm.exe File created C:\Windows\SysWOW64\Aqjdgmgd.exe Amohfo32.exe File opened for modification C:\Windows\SysWOW64\Ecbhdi32.exe Eklqcl32.exe File opened for modification C:\Windows\SysWOW64\Flfpabkp.exe Fncpef32.exe File created C:\Windows\SysWOW64\Ffodjh32.exe Fcphnm32.exe File opened for modification C:\Windows\SysWOW64\Hgpjhn32.exe Hcdnhoac.exe File created C:\Windows\SysWOW64\Cddoqj32.dll Mmicfh32.exe File created C:\Windows\SysWOW64\Gbnbjo32.dll Bmpkqklh.exe File created C:\Windows\SysWOW64\Ookpodkj.exe Olmcchlg.exe File created C:\Windows\SysWOW64\Adcdbl32.exe Aqhhanig.exe File opened for modification C:\Windows\SysWOW64\Bcmfmlen.exe Baojapfj.exe File opened for modification C:\Windows\SysWOW64\Lohccp32.exe Lgqkbb32.exe File created C:\Windows\SysWOW64\Pcljmdmj.exe Pdjjag32.exe File opened for modification C:\Windows\SysWOW64\Jlckbh32.exe Jjdofm32.exe File created C:\Windows\SysWOW64\Mfglep32.exe Mpmcielb.exe File created C:\Windows\SysWOW64\Palkkl32.dll Anjlebjc.exe File opened for modification C:\Windows\SysWOW64\Fdiogq32.exe Fpmbfbgo.exe File created C:\Windows\SysWOW64\Mgedmb32.exe Mcjhmcok.exe File created C:\Windows\SysWOW64\Fkdhkd32.dll Pmmeon32.exe File created C:\Windows\SysWOW64\Efhjijha.dll Jgfcja32.exe File opened for modification C:\Windows\SysWOW64\Odedge32.exe Opihgfop.exe File created C:\Windows\SysWOW64\Mfakaoam.dll Bcjcme32.exe File opened for modification C:\Windows\SysWOW64\Fdbhge32.exe Fbdlkj32.exe File opened for modification C:\Windows\SysWOW64\Ioooiack.exe Ilabmedg.exe File opened for modification C:\Windows\SysWOW64\Kkmand32.exe Kljabgnh.exe File created C:\Windows\SysWOW64\Bgmdailj.dll Bkjdndjo.exe File created C:\Windows\SysWOW64\Fchook32.dll Bkegah32.exe File created C:\Windows\SysWOW64\Lngnfnji.exe Lfpeeqig.exe File created C:\Windows\SysWOW64\Qqfkln32.exe Qackpado.exe File created C:\Windows\SysWOW64\Jhdlad32.exe Jialfgcc.exe File opened for modification C:\Windows\SysWOW64\Clojhf32.exe Cgcnghpl.exe File opened for modification C:\Windows\SysWOW64\Jehlkhig.exe Jampjian.exe File created C:\Windows\SysWOW64\Lgpgbj32.dll Ajpepm32.exe File created C:\Windows\SysWOW64\Anpmdf32.dll Hibjbgbh.exe File created C:\Windows\SysWOW64\Nlfmbibo.exe Nigafnck.exe File created C:\Windows\SysWOW64\Ajnpecbj.exe Agpcihcf.exe File created C:\Windows\SysWOW64\Bbjmpcab.exe Bnnaoe32.exe File created C:\Windows\SysWOW64\Oefmcdfq.dll Hbaaik32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 7204 8180 WerFault.exe 787 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfncpcoc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aebmjo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Foojop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcmoda32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kghpoa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qqfkln32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmjdaqgi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmjqpdje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkcbnanl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agjobffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gegabegc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hndlem32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifffkncm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgllgedi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpcoib32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdcmbgkj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Achjibcl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hegnahjo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Koddccaa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifjlcmmj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgchgb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofadnq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgfjhcge.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhdhif32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enlidg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gblkoham.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gncldi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inhanl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmdepg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mclebc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfoghakb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcheib32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbdhjm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbepdhgc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opqoge32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gqahqd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iahkpg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mqnifg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nidmfh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njfjnpgp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdnolfon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnpflj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mijamjnm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alqnah32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agolnbok.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgoime32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmeolj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihpfgalh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pleofj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jeafjiop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jialfgcc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obhdcanc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lqqpgj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olmcchlg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idicbbpi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgdnnl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mggabaea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opihgfop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfglep32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oaqbln32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgffhkoj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ippdgc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgabdlfb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmejllia.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Imleli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bofgii32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mpgobc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pcghof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmepgp32.dll" Hpphhp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qiioon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdcagkgd.dll" Hbiaemkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpqbhp32.dll" Odhhgkib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Genddmep.dll" Ogiaif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmgnph32.dll" Kadfkhkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bgdibkam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eknmhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kjmnjkjd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aohdmdoh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fbmfkkbm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Idfnicfl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kpicle32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jaijak32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lmljgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Omqlpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dbncjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jmhnkfpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Koaqcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oeeikk32.dll" Mpgobc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blangfdh.dll" Nbmaon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cmedlk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Caifjn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qkffng32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bbbgod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ciohqa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adkqmpip.dll" Idicbbpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mfmndn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ngealejo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bjmeiq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lnbdko32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dhmhhmlm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Goplilpf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ifampo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdaemiaj.dll" Cjlheehe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dobgihgp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ccjoli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgmaomdn.dll" Pkifdd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldikdp32.dll" Dldkmlhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pefqie32.dll" Dmojkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gbhbdi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gpelnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipbgkbdb.dll" Nmlgfnal.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nnkcpq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dfphcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ehkhaqpk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iihiphln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mclebc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nbjeinje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opobfpee.dll" Bbbpenco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ibkkjp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pplaki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cbffoabe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hloiib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jaijak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jdhgnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Godonkii.dll" Bjpaop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cgcnghpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hipmmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iinmfk32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 620 wrote to memory of 1940 620 1a6d9999afdce8c539eede32ecd99460c1c9dda7dac4c94af33948798160149cN.exe 30 PID 620 wrote to memory of 1940 620 1a6d9999afdce8c539eede32ecd99460c1c9dda7dac4c94af33948798160149cN.exe 30 PID 620 wrote to memory of 1940 620 1a6d9999afdce8c539eede32ecd99460c1c9dda7dac4c94af33948798160149cN.exe 30 PID 620 wrote to memory of 1940 620 1a6d9999afdce8c539eede32ecd99460c1c9dda7dac4c94af33948798160149cN.exe 30 PID 1940 wrote to memory of 1844 1940 Egjbdo32.exe 31 PID 1940 wrote to memory of 1844 1940 Egjbdo32.exe 31 PID 1940 wrote to memory of 1844 1940 Egjbdo32.exe 31 PID 1940 wrote to memory of 1844 1940 Egjbdo32.exe 31 PID 1844 wrote to memory of 2184 1844 Eoajel32.exe 32 PID 1844 wrote to memory of 2184 1844 Eoajel32.exe 32 PID 1844 wrote to memory of 2184 1844 Eoajel32.exe 32 PID 1844 wrote to memory of 2184 1844 Eoajel32.exe 32 PID 2184 wrote to memory of 2860 2184 Ehjona32.exe 33 PID 2184 wrote to memory of 2860 2184 Ehjona32.exe 33 PID 2184 wrote to memory of 2860 2184 Ehjona32.exe 33 PID 2184 wrote to memory of 2860 2184 Ehjona32.exe 33 PID 2860 wrote to memory of 2596 2860 Enfgfh32.exe 34 PID 2860 wrote to memory of 2596 2860 Enfgfh32.exe 34 PID 2860 wrote to memory of 2596 2860 Enfgfh32.exe 34 PID 2860 wrote to memory of 2596 2860 Enfgfh32.exe 34 PID 2596 wrote to memory of 2952 2596 Epecbd32.exe 35 PID 2596 wrote to memory of 2952 2596 Epecbd32.exe 35 PID 2596 wrote to memory of 2952 2596 Epecbd32.exe 35 PID 2596 wrote to memory of 2952 2596 Epecbd32.exe 35 PID 2952 wrote to memory of 2592 2952 Egokonjc.exe 36 PID 2952 wrote to memory of 2592 2952 Egokonjc.exe 36 PID 2952 wrote to memory of 2592 2952 Egokonjc.exe 36 PID 2952 wrote to memory of 2592 2952 Egokonjc.exe 36 PID 2592 wrote to memory of 2156 2592 Ejmhkiig.exe 37 PID 2592 wrote to memory of 2156 2592 Ejmhkiig.exe 37 PID 2592 wrote to memory of 2156 2592 Ejmhkiig.exe 37 PID 2592 wrote to memory of 2156 2592 Ejmhkiig.exe 37 PID 2156 wrote to memory of 2928 2156 Elldgehk.exe 38 PID 2156 wrote to memory of 2928 2156 Elldgehk.exe 38 PID 2156 wrote to memory of 2928 2156 Elldgehk.exe 38 PID 2156 wrote to memory of 2928 2156 Elldgehk.exe 38 PID 2928 wrote to memory of 2340 2928 Ecfldoph.exe 39 PID 2928 wrote to memory of 2340 2928 Ecfldoph.exe 39 PID 2928 wrote to memory of 2340 2928 Ecfldoph.exe 39 PID 2928 wrote to memory of 2340 2928 Ecfldoph.exe 39 PID 2340 wrote to memory of 2984 2340 Ejpdai32.exe 40 PID 2340 wrote to memory of 2984 2340 Ejpdai32.exe 40 PID 2340 wrote to memory of 2984 2340 Ejpdai32.exe 40 PID 2340 wrote to memory of 2984 2340 Ejpdai32.exe 40 PID 2984 wrote to memory of 2948 2984 Enkpahon.exe 41 PID 2984 wrote to memory of 2948 2984 Enkpahon.exe 41 PID 2984 wrote to memory of 2948 2984 Enkpahon.exe 41 PID 2984 wrote to memory of 2948 2984 Enkpahon.exe 41 PID 2948 wrote to memory of 1748 2948 Eolmip32.exe 42 PID 2948 wrote to memory of 1748 2948 Eolmip32.exe 42 PID 2948 wrote to memory of 1748 2948 Eolmip32.exe 42 PID 2948 wrote to memory of 1748 2948 Eolmip32.exe 42 PID 1748 wrote to memory of 576 1748 Fffefjmi.exe 43 PID 1748 wrote to memory of 576 1748 Fffefjmi.exe 43 PID 1748 wrote to memory of 576 1748 Fffefjmi.exe 43 PID 1748 wrote to memory of 576 1748 Fffefjmi.exe 43 PID 576 wrote to memory of 2396 576 Fheabelm.exe 44 PID 576 wrote to memory of 2396 576 Fheabelm.exe 44 PID 576 wrote to memory of 2396 576 Fheabelm.exe 44 PID 576 wrote to memory of 2396 576 Fheabelm.exe 44 PID 2396 wrote to memory of 2096 2396 Foojop32.exe 45 PID 2396 wrote to memory of 2096 2396 Foojop32.exe 45 PID 2396 wrote to memory of 2096 2396 Foojop32.exe 45 PID 2396 wrote to memory of 2096 2396 Foojop32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\1a6d9999afdce8c539eede32ecd99460c1c9dda7dac4c94af33948798160149cN.exe"C:\Users\Admin\AppData\Local\Temp\1a6d9999afdce8c539eede32ecd99460c1c9dda7dac4c94af33948798160149cN.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:620 -
C:\Windows\SysWOW64\Egjbdo32.exeC:\Windows\system32\Egjbdo32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1940 -
C:\Windows\SysWOW64\Eoajel32.exeC:\Windows\system32\Eoajel32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1844 -
C:\Windows\SysWOW64\Ehjona32.exeC:\Windows\system32\Ehjona32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2184 -
C:\Windows\SysWOW64\Enfgfh32.exeC:\Windows\system32\Enfgfh32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2860 -
C:\Windows\SysWOW64\Epecbd32.exeC:\Windows\system32\Epecbd32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2596 -
C:\Windows\SysWOW64\Egokonjc.exeC:\Windows\system32\Egokonjc.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2952 -
C:\Windows\SysWOW64\Ejmhkiig.exeC:\Windows\system32\Ejmhkiig.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2592 -
C:\Windows\SysWOW64\Elldgehk.exeC:\Windows\system32\Elldgehk.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2156 -
C:\Windows\SysWOW64\Ecfldoph.exeC:\Windows\system32\Ecfldoph.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2928 -
C:\Windows\SysWOW64\Ejpdai32.exeC:\Windows\system32\Ejpdai32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2340 -
C:\Windows\SysWOW64\Enkpahon.exeC:\Windows\system32\Enkpahon.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2984 -
C:\Windows\SysWOW64\Eolmip32.exeC:\Windows\system32\Eolmip32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2948 -
C:\Windows\SysWOW64\Fffefjmi.exeC:\Windows\system32\Fffefjmi.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1748 -
C:\Windows\SysWOW64\Fheabelm.exeC:\Windows\system32\Fheabelm.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:576 -
C:\Windows\SysWOW64\Foojop32.exeC:\Windows\system32\Foojop32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2396 -
C:\Windows\SysWOW64\Fbmfkkbm.exeC:\Windows\system32\Fbmfkkbm.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2096 -
C:\Windows\SysWOW64\Fmcjhdbc.exeC:\Windows\system32\Fmcjhdbc.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1052 -
C:\Windows\SysWOW64\Fkejcq32.exeC:\Windows\system32\Fkejcq32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2244 -
C:\Windows\SysWOW64\Fcmben32.exeC:\Windows\system32\Fcmben32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1340 -
C:\Windows\SysWOW64\Ffkoai32.exeC:\Windows\system32\Ffkoai32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:912 -
C:\Windows\SysWOW64\Fdnolfon.exeC:\Windows\system32\Fdnolfon.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1716 -
C:\Windows\SysWOW64\Fmegncpp.exeC:\Windows\system32\Fmegncpp.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1544 -
C:\Windows\SysWOW64\Fbbofjnh.exeC:\Windows\system32\Fbbofjnh.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:832 -
C:\Windows\SysWOW64\Ffmkfifa.exeC:\Windows\system32\Ffmkfifa.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2524 -
C:\Windows\SysWOW64\Fofpoo32.exeC:\Windows\system32\Fofpoo32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2844 -
C:\Windows\SysWOW64\Fbdlkj32.exeC:\Windows\system32\Fbdlkj32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1612 -
C:\Windows\SysWOW64\Fdbhge32.exeC:\Windows\system32\Fdbhge32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2508 -
C:\Windows\SysWOW64\Fkmqdpce.exeC:\Windows\system32\Fkmqdpce.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2392 -
C:\Windows\SysWOW64\Gbfiaj32.exeC:\Windows\system32\Gbfiaj32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3028 -
C:\Windows\SysWOW64\Gcheib32.exeC:\Windows\system32\Gcheib32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2724 -
C:\Windows\SysWOW64\Gmpjagfa.exeC:\Windows\system32\Gmpjagfa.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1180 -
C:\Windows\SysWOW64\Gegabegc.exeC:\Windows\system32\Gegabegc.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2588 -
C:\Windows\SysWOW64\Ggfnopfg.exeC:\Windows\system32\Ggfnopfg.exe34⤵
- Executes dropped EXE
PID:2440 -
C:\Windows\SysWOW64\Gnpflj32.exeC:\Windows\system32\Gnpflj32.exe35⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2924 -
C:\Windows\SysWOW64\Gcmoda32.exeC:\Windows\system32\Gcmoda32.exe36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2576 -
C:\Windows\SysWOW64\Gjfgqk32.exeC:\Windows\system32\Gjfgqk32.exe37⤵
- Executes dropped EXE
PID:2960 -
C:\Windows\SysWOW64\Gpcoib32.exeC:\Windows\system32\Gpcoib32.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2876 -
C:\Windows\SysWOW64\Gbaken32.exeC:\Windows\system32\Gbaken32.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1556 -
C:\Windows\SysWOW64\Gfmgelil.exeC:\Windows\system32\Gfmgelil.exe40⤵
- Executes dropped EXE
PID:2224 -
C:\Windows\SysWOW64\Gjicfk32.exeC:\Windows\system32\Gjicfk32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2300 -
C:\Windows\SysWOW64\Gpelnb32.exeC:\Windows\system32\Gpelnb32.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:1268 -
C:\Windows\SysWOW64\Gbdhjm32.exeC:\Windows\system32\Gbdhjm32.exe43⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3044 -
C:\Windows\SysWOW64\Hebdfind.exeC:\Windows\system32\Hebdfind.exe44⤵
- Executes dropped EXE
PID:2064 -
C:\Windows\SysWOW64\Hllmcc32.exeC:\Windows\system32\Hllmcc32.exe45⤵
- Executes dropped EXE
PID:2488 -
C:\Windows\SysWOW64\Hnkion32.exeC:\Windows\system32\Hnkion32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:840 -
C:\Windows\SysWOW64\Heealhla.exeC:\Windows\system32\Heealhla.exe47⤵
- Executes dropped EXE
PID:712 -
C:\Windows\SysWOW64\Hipmmg32.exeC:\Windows\system32\Hipmmg32.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:2288 -
C:\Windows\SysWOW64\Hloiib32.exeC:\Windows\system32\Hloiib32.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:692 -
C:\Windows\SysWOW64\Hpjeialg.exeC:\Windows\system32\Hpjeialg.exe50⤵
- Executes dropped EXE
PID:2528 -
C:\Windows\SysWOW64\Hnmeen32.exeC:\Windows\system32\Hnmeen32.exe51⤵
- Executes dropped EXE
PID:2780 -
C:\Windows\SysWOW64\Hbiaemkk.exeC:\Windows\system32\Hbiaemkk.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2460 -
C:\Windows\SysWOW64\Hegnahjo.exeC:\Windows\system32\Hegnahjo.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2732 -
C:\Windows\SysWOW64\Hibjbgbh.exeC:\Windows\system32\Hibjbgbh.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2108 -
C:\Windows\SysWOW64\Hlafnbal.exeC:\Windows\system32\Hlafnbal.exe55⤵
- Executes dropped EXE
PID:1984 -
C:\Windows\SysWOW64\Hjdfjo32.exeC:\Windows\system32\Hjdfjo32.exe56⤵
- Executes dropped EXE
PID:2136 -
C:\Windows\SysWOW64\Hbknkl32.exeC:\Windows\system32\Hbknkl32.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1640 -
C:\Windows\SysWOW64\Hanogipc.exeC:\Windows\system32\Hanogipc.exe58⤵
- Executes dropped EXE
PID:2912 -
C:\Windows\SysWOW64\Heikgh32.exeC:\Windows\system32\Heikgh32.exe59⤵
- Executes dropped EXE
PID:1476 -
C:\Windows\SysWOW64\Hdlkcdog.exeC:\Windows\system32\Hdlkcdog.exe60⤵
- Executes dropped EXE
PID:2020 -
C:\Windows\SysWOW64\Hlccdboi.exeC:\Windows\system32\Hlccdboi.exe61⤵
- Executes dropped EXE
PID:964 -
C:\Windows\SysWOW64\Hnbopmnm.exeC:\Windows\system32\Hnbopmnm.exe62⤵
- Executes dropped EXE
PID:1376 -
C:\Windows\SysWOW64\Hmeolj32.exeC:\Windows\system32\Hmeolj32.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2452 -
C:\Windows\SysWOW64\Hapklimq.exeC:\Windows\system32\Hapklimq.exe64⤵
- Executes dropped EXE
PID:1860 -
C:\Windows\SysWOW64\Hdoghdmd.exeC:\Windows\system32\Hdoghdmd.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1736 -
C:\Windows\SysWOW64\Hhjcic32.exeC:\Windows\system32\Hhjcic32.exe66⤵PID:1284
-
C:\Windows\SysWOW64\Hndlem32.exeC:\Windows\system32\Hndlem32.exe67⤵
- System Location Discovery: System Language Discovery
PID:2336 -
C:\Windows\SysWOW64\Hmglajcd.exeC:\Windows\system32\Hmglajcd.exe68⤵PID:1600
-
C:\Windows\SysWOW64\Ipehmebh.exeC:\Windows\system32\Ipehmebh.exe69⤵PID:1948
-
C:\Windows\SysWOW64\Idadnd32.exeC:\Windows\system32\Idadnd32.exe70⤵PID:2196
-
C:\Windows\SysWOW64\Ifoqjo32.exeC:\Windows\system32\Ifoqjo32.exe71⤵PID:2796
-
C:\Windows\SysWOW64\Iinmfk32.exeC:\Windows\system32\Iinmfk32.exe72⤵
- Modifies registry class
PID:2760 -
C:\Windows\SysWOW64\Iaeegh32.exeC:\Windows\system32\Iaeegh32.exe73⤵PID:2668
-
C:\Windows\SysWOW64\Iphecepe.exeC:\Windows\system32\Iphecepe.exe74⤵PID:2888
-
C:\Windows\SysWOW64\Ifampo32.exeC:\Windows\system32\Ifampo32.exe75⤵
- Modifies registry class
PID:2680 -
C:\Windows\SysWOW64\Iipiljgf.exeC:\Windows\system32\Iipiljgf.exe76⤵PID:1304
-
C:\Windows\SysWOW64\Imleli32.exeC:\Windows\system32\Imleli32.exe77⤵
- Modifies registry class
PID:2120 -
C:\Windows\SysWOW64\Idfnicfl.exeC:\Windows\system32\Idfnicfl.exe78⤵
- Modifies registry class
PID:2296 -
C:\Windows\SysWOW64\Ifdjeoep.exeC:\Windows\system32\Ifdjeoep.exe79⤵PID:1540
-
C:\Windows\SysWOW64\Iibfajdc.exeC:\Windows\system32\Iibfajdc.exe80⤵PID:1664
-
C:\Windows\SysWOW64\Ilabmedg.exeC:\Windows\system32\Ilabmedg.exe81⤵
- Drops file in System32 directory
PID:600 -
C:\Windows\SysWOW64\Ioooiack.exeC:\Windows\system32\Ioooiack.exe82⤵PID:1720
-
C:\Windows\SysWOW64\Ibkkjp32.exeC:\Windows\system32\Ibkkjp32.exe83⤵
- Modifies registry class
PID:2360 -
C:\Windows\SysWOW64\Ifffkncm.exeC:\Windows\system32\Ifffkncm.exe84⤵
- System Location Discovery: System Language Discovery
PID:1252 -
C:\Windows\SysWOW64\Ihhcbf32.exeC:\Windows\system32\Ihhcbf32.exe85⤵PID:2248
-
C:\Windows\SysWOW64\Ilcoce32.exeC:\Windows\system32\Ilcoce32.exe86⤵PID:2804
-
C:\Windows\SysWOW64\Iapgkl32.exeC:\Windows\system32\Iapgkl32.exe87⤵PID:2956
-
C:\Windows\SysWOW64\Ielclkhe.exeC:\Windows\system32\Ielclkhe.exe88⤵PID:2160
-
C:\Windows\SysWOW64\Jhjphfgi.exeC:\Windows\system32\Jhjphfgi.exe89⤵PID:2864
-
C:\Windows\SysWOW64\Jlelhe32.exeC:\Windows\system32\Jlelhe32.exe90⤵PID:1004
-
C:\Windows\SysWOW64\Jkhldafl.exeC:\Windows\system32\Jkhldafl.exe91⤵PID:1788
-
C:\Windows\SysWOW64\Jodhdp32.exeC:\Windows\system32\Jodhdp32.exe92⤵PID:2084
-
C:\Windows\SysWOW64\Jabdql32.exeC:\Windows\system32\Jabdql32.exe93⤵PID:2140
-
C:\Windows\SysWOW64\Jhlmmfef.exeC:\Windows\system32\Jhlmmfef.exe94⤵PID:1976
-
C:\Windows\SysWOW64\Jkkija32.exeC:\Windows\system32\Jkkija32.exe95⤵PID:1792
-
C:\Windows\SysWOW64\Jofejpmc.exeC:\Windows\system32\Jofejpmc.exe96⤵PID:2364
-
C:\Windows\SysWOW64\Jaeafklf.exeC:\Windows\system32\Jaeafklf.exe97⤵PID:2380
-
C:\Windows\SysWOW64\Jdcmbgkj.exeC:\Windows\system32\Jdcmbgkj.exe98⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2700 -
C:\Windows\SysWOW64\Jhoice32.exeC:\Windows\system32\Jhoice32.exe99⤵PID:2824
-
C:\Windows\SysWOW64\Jgaiobjn.exeC:\Windows\system32\Jgaiobjn.exe100⤵PID:2892
-
C:\Windows\SysWOW64\Jnkakl32.exeC:\Windows\system32\Jnkakl32.exe101⤵PID:2404
-
C:\Windows\SysWOW64\Jdejhfig.exeC:\Windows\system32\Jdejhfig.exe102⤵PID:2992
-
C:\Windows\SysWOW64\Jhafhe32.exeC:\Windows\system32\Jhafhe32.exe103⤵PID:2660
-
C:\Windows\SysWOW64\Jgdfdbhk.exeC:\Windows\system32\Jgdfdbhk.exe104⤵PID:2068
-
C:\Windows\SysWOW64\Jjbbpmgo.exeC:\Windows\system32\Jjbbpmgo.exe105⤵PID:572
-
C:\Windows\SysWOW64\Jaijak32.exeC:\Windows\system32\Jaijak32.exe106⤵
- Modifies registry class
PID:2320 -
C:\Windows\SysWOW64\Jdhgnf32.exeC:\Windows\system32\Jdhgnf32.exe107⤵
- Drops file in System32 directory
- Modifies registry class
PID:988 -
C:\Windows\SysWOW64\Jckgicnp.exeC:\Windows\system32\Jckgicnp.exe108⤵PID:884
-
C:\Windows\SysWOW64\Jgfcja32.exeC:\Windows\system32\Jgfcja32.exe109⤵
- Drops file in System32 directory
PID:1864 -
C:\Windows\SysWOW64\Jkbojpna.exeC:\Windows\system32\Jkbojpna.exe110⤵PID:2720
-
C:\Windows\SysWOW64\Jjdofm32.exeC:\Windows\system32\Jjdofm32.exe111⤵
- Drops file in System32 directory
PID:2972 -
C:\Windows\SysWOW64\Jlckbh32.exeC:\Windows\system32\Jlckbh32.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2648 -
C:\Windows\SysWOW64\Jpogbgmi.exeC:\Windows\system32\Jpogbgmi.exe113⤵PID:2164
-
C:\Windows\SysWOW64\Kdjccf32.exeC:\Windows\system32\Kdjccf32.exe114⤵PID:1592
-
C:\Windows\SysWOW64\Kghpoa32.exeC:\Windows\system32\Kghpoa32.exe115⤵
- System Location Discovery: System Language Discovery
PID:688 -
C:\Windows\SysWOW64\Kjglkm32.exeC:\Windows\system32\Kjglkm32.exe116⤵PID:2076
-
C:\Windows\SysWOW64\Knbhlkkc.exeC:\Windows\system32\Knbhlkkc.exe117⤵PID:1144
-
C:\Windows\SysWOW64\Klehgh32.exeC:\Windows\system32\Klehgh32.exe118⤵PID:1088
-
C:\Windows\SysWOW64\Koddccaa.exeC:\Windows\system32\Koddccaa.exe119⤵
- System Location Discovery: System Language Discovery
PID:2484 -
C:\Windows\SysWOW64\Kgkleabc.exeC:\Windows\system32\Kgkleabc.exe120⤵PID:1704
-
C:\Windows\SysWOW64\Kjihalag.exeC:\Windows\system32\Kjihalag.exe121⤵PID:2624
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-