Analysis
-
max time kernel
110s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
19-09-2024 05:54
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
8ebb272e9f5d67c35071cb708f927576bbe744333340f59c13a13b3011a89c17N.exe
Resource
win7-20240903-en
windows7-x64
9 signatures
120 seconds
Behavioral task
behavioral2
Sample
8ebb272e9f5d67c35071cb708f927576bbe744333340f59c13a13b3011a89c17N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
8 signatures
120 seconds
General
-
Target
8ebb272e9f5d67c35071cb708f927576bbe744333340f59c13a13b3011a89c17N.exe
-
Size
82KB
-
MD5
b781f77a29ba2abc56ae022740206760
-
SHA1
c1261395b233c8e66dce2b6441e7c2ba4f34ab31
-
SHA256
8ebb272e9f5d67c35071cb708f927576bbe744333340f59c13a13b3011a89c17
-
SHA512
8781265e604eb025f9ca2eaab42c172506260f8a2de21341fc54695a0255dca5884710f09a31f8483931eb92215335d2d77038f819f68e4f9e91b4c9d3b1f845
-
SSDEEP
1536:P4QFaBLEjzTD+KWuaMLBg9imob7Jw8tv61n2L79pm6+wDSmQFN6TiN1sJtvQu:QQFaBYjiKWq8o7JPB6CBpm6tm7N6TO1y
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfoeqmfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljakkd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikojfg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dalffg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmbpda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ocpakg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lijinaed.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhikiefk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kceijg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnfekdpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dpiakqjj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlgodgnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mnjokphk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Coacdg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klkmkoce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Neihmpon.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Baecgdbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hnfnik32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhnhcnkg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijfpif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iojoalda.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpmpeiqg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qechbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nfmoabnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ooaflp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fnkchahn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cemfnh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbhhbojn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kfnpgg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmjohoej.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpejcnlf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kchaniho.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Haafepbn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nlnqeeeh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkfkjemd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pdjqinld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dkmmdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ldhaaefi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hqocej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Okomappb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dpkpie32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igjckcbo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apnlee32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgfpfi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpiakqjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fdgboe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phghedga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qnkgnj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jankcafl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kceijg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gioigf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehlqao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fpphlp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mleedphf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Palincli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mbqpgf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onplmp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkalph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oabmef32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnfbilgo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjdkap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dpnogmbl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gndedhdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jllpmlqj.exe -
Executes dropped EXE 64 IoCs
pid Process 2284 Ckilmfke.exe 2896 Dknehe32.exe 2088 Dgefmf32.exe 2660 Dfjcncak.exe 2712 Dpbgghhl.exe 1896 Epinhg32.exe 2188 Enokidgl.exe 2200 Ehgoaiml.exe 904 Fpgmak32.exe 1996 Fianpp32.exe 2524 Foacmg32.exe 1132 Goemhfco.exe 2412 Gdbeqmag.exe 2152 Ggekhhle.exe 696 Hdilalko.exe 2028 Hlijan32.exe 1108 Hhpjfoji.exe 1672 Hdgkkppm.exe 3016 Ijfpif32.exe 1968 Ifoncgpc.exe 2592 Iogbllfc.exe 2380 Iojoalda.exe 880 Jollgl32.exe 1716 Jfhqiegh.exe 2768 Jiiikq32.exe 2772 Jjmchhhe.exe 2800 Kffpcilf.exe 2704 Kclmbm32.exe 2684 Kpcngnob.exe 512 Lhqpqp32.exe 2264 Lbfdnijp.exe 2372 Lkahbkgk.exe 1168 Legmpdga.exe 2004 Looahi32.exe 1148 Ldljqpli.exe 304 Liibigjq.exe 1704 Mlikkbga.exe 2136 Mmigdend.exe 1660 Mcfpmlll.exe 2460 Mhbhecjc.exe 1928 Makmnh32.exe 2996 Mlqakaqi.exe 1680 Mcjihk32.exe 332 Nekbjf32.exe 3000 Nkhkbmco.exe 1408 Nhlkkabh.exe 268 Ndclpb32.exe 1420 Nlnqeeeh.exe 2508 Nlpmjdce.exe 2748 Ofibcj32.exe 2792 Ooaflp32.exe 2880 Okhgaqfj.exe 2824 Obbonk32.exe 2240 Oofpgolq.exe 2620 Oindpd32.exe 2292 Onkmhl32.exe 2972 Okomappb.exe 1956 Pqlfjfni.exe 2696 Pnpfckmc.exe 1972 Pjfghl32.exe 1840 Ppcoqbao.exe 2216 Pbdhbnnp.exe 1228 Qeeadi32.exe 2512 Qnmfmoaa.exe -
Loads dropped DLL 64 IoCs
pid Process 2052 8ebb272e9f5d67c35071cb708f927576bbe744333340f59c13a13b3011a89c17N.exe 2052 8ebb272e9f5d67c35071cb708f927576bbe744333340f59c13a13b3011a89c17N.exe 2284 Ckilmfke.exe 2284 Ckilmfke.exe 2896 Dknehe32.exe 2896 Dknehe32.exe 2088 Dgefmf32.exe 2088 Dgefmf32.exe 2660 Dfjcncak.exe 2660 Dfjcncak.exe 2712 Dpbgghhl.exe 2712 Dpbgghhl.exe 1896 Epinhg32.exe 1896 Epinhg32.exe 2188 Enokidgl.exe 2188 Enokidgl.exe 2200 Ehgoaiml.exe 2200 Ehgoaiml.exe 904 Fpgmak32.exe 904 Fpgmak32.exe 1996 Fianpp32.exe 1996 Fianpp32.exe 2524 Foacmg32.exe 2524 Foacmg32.exe 1132 Goemhfco.exe 1132 Goemhfco.exe 2412 Gdbeqmag.exe 2412 Gdbeqmag.exe 2152 Ggekhhle.exe 2152 Ggekhhle.exe 696 Hdilalko.exe 696 Hdilalko.exe 2028 Hlijan32.exe 2028 Hlijan32.exe 1108 Hhpjfoji.exe 1108 Hhpjfoji.exe 1672 Hdgkkppm.exe 1672 Hdgkkppm.exe 3016 Ijfpif32.exe 3016 Ijfpif32.exe 1968 Ifoncgpc.exe 1968 Ifoncgpc.exe 2592 Iogbllfc.exe 2592 Iogbllfc.exe 2380 Iojoalda.exe 2380 Iojoalda.exe 880 Jollgl32.exe 880 Jollgl32.exe 1716 Jfhqiegh.exe 1716 Jfhqiegh.exe 2768 Jiiikq32.exe 2768 Jiiikq32.exe 2772 Jjmchhhe.exe 2772 Jjmchhhe.exe 2800 Kffpcilf.exe 2800 Kffpcilf.exe 2704 Kclmbm32.exe 2704 Kclmbm32.exe 2684 Kpcngnob.exe 2684 Kpcngnob.exe 512 Lhqpqp32.exe 512 Lhqpqp32.exe 2264 Lbfdnijp.exe 2264 Lbfdnijp.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Lnidmi32.dll Anbcio32.exe File opened for modification C:\Windows\SysWOW64\Deckeo32.exe Dmhfpmee.exe File created C:\Windows\SysWOW64\Ogdcnhdo.dll Dmhfpmee.exe File opened for modification C:\Windows\SysWOW64\Iblfcg32.exe Ifeenfjm.exe File created C:\Windows\SysWOW64\Kiepca32.exe Kdhgkk32.exe File created C:\Windows\SysWOW64\Hlleon32.dll Dgefmf32.exe File created C:\Windows\SysWOW64\Oinfah32.dll Nekbjf32.exe File created C:\Windows\SysWOW64\Ppanehoa.dll Njeikpij.exe File opened for modification C:\Windows\SysWOW64\Khfdcgmp.exe Kkbdib32.exe File created C:\Windows\SysWOW64\Pjhcphkf.exe Ppoboj32.exe File created C:\Windows\SysWOW64\Epinhg32.exe Dpbgghhl.exe File opened for modification C:\Windows\SysWOW64\Kefmnp32.exe Kmjhjndm.exe File opened for modification C:\Windows\SysWOW64\Cekihh32.exe Clbdobpc.exe File created C:\Windows\SysWOW64\Ndclpb32.exe Nhlkkabh.exe File created C:\Windows\SysWOW64\Nbmdcf32.dll Bbcjfn32.exe File created C:\Windows\SysWOW64\Eljacalj.dll Jdklcebk.exe File created C:\Windows\SysWOW64\Ccfcic32.dll Fbqllnco.exe File created C:\Windows\SysWOW64\Lpjacd32.dll Gdbeqmag.exe File created C:\Windows\SysWOW64\Hlgodgnk.exe Hemggm32.exe File created C:\Windows\SysWOW64\Anniekgc.dll Hdbmnchk.exe File opened for modification C:\Windows\SysWOW64\Jdoblckh.exe Jkfncn32.exe File opened for modification C:\Windows\SysWOW64\Lkkcmqcn.exe Lodbhp32.exe File created C:\Windows\SysWOW64\Bomlmpgl.exe Bdghpggf.exe File created C:\Windows\SysWOW64\Nngobapl.dll Bdjgnp32.exe File created C:\Windows\SysWOW64\Bbamec32.dll Cemfnh32.exe File created C:\Windows\SysWOW64\Jjhgio32.dll Imokbhjf.exe File created C:\Windows\SysWOW64\Oaaklmao.exe Oaonfncb.exe File opened for modification C:\Windows\SysWOW64\Gdflepqo.exe Goidmibg.exe File opened for modification C:\Windows\SysWOW64\Oeklpeco.exe Onadck32.exe File created C:\Windows\SysWOW64\Dffmgqcp.exe Dpldkf32.exe File opened for modification C:\Windows\SysWOW64\Dffmgqcp.exe Dpldkf32.exe File opened for modification C:\Windows\SysWOW64\Cmabhfca.exe Cbhahigb.exe File created C:\Windows\SysWOW64\Pdjqinld.exe Pkalph32.exe File opened for modification C:\Windows\SysWOW64\Bcqlcj32.exe Bfmlif32.exe File created C:\Windows\SysWOW64\Gnhffghb.dll Fcnmne32.exe File opened for modification C:\Windows\SysWOW64\Angmdoho.exe Aqcmkjje.exe File created C:\Windows\SysWOW64\Beoekl32.exe Bbpioa32.exe File opened for modification C:\Windows\SysWOW64\Ckkjmf32.exe Beaaplbg.exe File created C:\Windows\SysWOW64\Onkmhl32.exe Oindpd32.exe File opened for modification C:\Windows\SysWOW64\Glefpd32.exe Gnaffpoi.exe File created C:\Windows\SysWOW64\Nhhkhfbh.dll Adgihkmf.exe File opened for modification C:\Windows\SysWOW64\Qnmfmoaa.exe Qeeadi32.exe File opened for modification C:\Windows\SysWOW64\Goohckob.exe Fdicfbpl.exe File opened for modification C:\Windows\SysWOW64\Hnapln32.exe Hgggpded.exe File created C:\Windows\SysWOW64\Bejeka32.dll Lodbhp32.exe File opened for modification C:\Windows\SysWOW64\Lohlcoid.exe Lfpgkicd.exe File created C:\Windows\SysWOW64\Nkfaqkcq.exe Ndmidq32.exe File created C:\Windows\SysWOW64\Lbmllgcc.dll Oqnfbo32.exe File created C:\Windows\SysWOW64\Ekjjebed.exe Dfmbmkgm.exe File created C:\Windows\SysWOW64\Pfmclold.exe Pdnfalea.exe File created C:\Windows\SysWOW64\Jdoblckh.exe Jkfncn32.exe File created C:\Windows\SysWOW64\Jbhfko32.dll Pbmlbmfg.exe File created C:\Windows\SysWOW64\Oindpd32.exe Oofpgolq.exe File created C:\Windows\SysWOW64\Nkcpdekf.dll Epchbm32.exe File opened for modification C:\Windows\SysWOW64\Immqeq32.exe Ipipllec.exe File opened for modification C:\Windows\SysWOW64\Nekbjf32.exe Mcjihk32.exe File created C:\Windows\SysWOW64\Qddkie32.dll Fhkffl32.exe File opened for modification C:\Windows\SysWOW64\Mdpqec32.exe Mhippbem.exe File created C:\Windows\SysWOW64\Dcmfioph.dll Bdemcpqm.exe File opened for modification C:\Windows\SysWOW64\Eohedi32.exe Ehnmgo32.exe File created C:\Windows\SysWOW64\Lnpejklj.exe Ldhaaefi.exe File created C:\Windows\SysWOW64\Nipbpe32.exe Nllafq32.exe File created C:\Windows\SysWOW64\Gcaqle32.dll Hilbfc32.exe File created C:\Windows\SysWOW64\Ajidnp32.exe Anbcio32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 2720 2848 WerFault.exe 1019 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpmpeiqg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dplbbndo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifoncgpc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qjofljho.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdicfbpl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Goagaded.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apheke32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajhkka32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnglekch.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gncblo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehlqao32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbgdonkd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bqhffj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ledplq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qnmfmoaa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebhlmlhl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnfajgbg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dffmgqcp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkahbkgk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cflanc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekifcd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imokbhjf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eddijbeo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Holcka32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbdhbnnp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fieiephm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkhgge32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpppifii.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fimgmj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fqbbig32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gefjlg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kooimpao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifeenfjm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndmidq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhiacg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhippbem.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdgboe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iodolf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdekjg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glimdgmj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bndjei32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hemggm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Haafepbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgkqeo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lchpeebo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dqqqokla.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijeinphf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjgnhf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhabemgi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnqkammo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgggpded.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofibcj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnnlfd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlajdpoc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhibik32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdgkkppm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hidjml32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Poldnf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aljinncb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcjihk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkfncn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gogipbln.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bccihj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfklgape.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Daedpf32.dll" Pbcahgjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klnkgjif.dll" Bjphff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kljgohme.dll" Amdkam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ofoemm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dcedfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mcfpmlll.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Emlkoknp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mghdolen.dll" Ppogahko.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kdlmdi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eddeia32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ehfjbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkgfkl32.dll" Khakhg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kboill32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hcjpcmjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Acabmpem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aejkhj32.dll" Jeldiolb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kkbbqjgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eggajb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fdlfeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adoafo32.dll" Adeadmna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcbcdfpo.dll" Impdeg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ajindjom.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gaiehjfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bojogp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nmccnc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Chkbjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Doqmjaac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mphfji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hiccbfoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkgbek32.dll" Kcebpqcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Glhjpjok.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kkbbqjgb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jfbnmckp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qhoqolhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejnocg32.dll" Hmeaaboe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cflanc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nnboonmb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Npdlpnnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjicnk32.dll" Mbgdonkd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jankcafl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mleedphf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Olijen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qnmfmoaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fqmobelc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nhombc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibolep32.dll" Dlblmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dlblmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Omgcmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qdmcqp32.dll" Ggjmhn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ilohnopg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcjohgkb.dll" Okomappb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ljakkd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oamaan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emjbophb.dll" Adhbkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oefcef32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Appikd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifbinipg.dll" Cbhhbojn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mhibik32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lbfdnijp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bamdcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hhkjpi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kniaap32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hmphfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Olcoaf32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2052 wrote to memory of 2284 2052 8ebb272e9f5d67c35071cb708f927576bbe744333340f59c13a13b3011a89c17N.exe 29 PID 2052 wrote to memory of 2284 2052 8ebb272e9f5d67c35071cb708f927576bbe744333340f59c13a13b3011a89c17N.exe 29 PID 2052 wrote to memory of 2284 2052 8ebb272e9f5d67c35071cb708f927576bbe744333340f59c13a13b3011a89c17N.exe 29 PID 2052 wrote to memory of 2284 2052 8ebb272e9f5d67c35071cb708f927576bbe744333340f59c13a13b3011a89c17N.exe 29 PID 2284 wrote to memory of 2896 2284 Ckilmfke.exe 30 PID 2284 wrote to memory of 2896 2284 Ckilmfke.exe 30 PID 2284 wrote to memory of 2896 2284 Ckilmfke.exe 30 PID 2284 wrote to memory of 2896 2284 Ckilmfke.exe 30 PID 2896 wrote to memory of 2088 2896 Dknehe32.exe 31 PID 2896 wrote to memory of 2088 2896 Dknehe32.exe 31 PID 2896 wrote to memory of 2088 2896 Dknehe32.exe 31 PID 2896 wrote to memory of 2088 2896 Dknehe32.exe 31 PID 2088 wrote to memory of 2660 2088 Dgefmf32.exe 32 PID 2088 wrote to memory of 2660 2088 Dgefmf32.exe 32 PID 2088 wrote to memory of 2660 2088 Dgefmf32.exe 32 PID 2088 wrote to memory of 2660 2088 Dgefmf32.exe 32 PID 2660 wrote to memory of 2712 2660 Dfjcncak.exe 33 PID 2660 wrote to memory of 2712 2660 Dfjcncak.exe 33 PID 2660 wrote to memory of 2712 2660 Dfjcncak.exe 33 PID 2660 wrote to memory of 2712 2660 Dfjcncak.exe 33 PID 2712 wrote to memory of 1896 2712 Dpbgghhl.exe 34 PID 2712 wrote to memory of 1896 2712 Dpbgghhl.exe 34 PID 2712 wrote to memory of 1896 2712 Dpbgghhl.exe 34 PID 2712 wrote to memory of 1896 2712 Dpbgghhl.exe 34 PID 1896 wrote to memory of 2188 1896 Epinhg32.exe 35 PID 1896 wrote to memory of 2188 1896 Epinhg32.exe 35 PID 1896 wrote to memory of 2188 1896 Epinhg32.exe 35 PID 1896 wrote to memory of 2188 1896 Epinhg32.exe 35 PID 2188 wrote to memory of 2200 2188 Enokidgl.exe 36 PID 2188 wrote to memory of 2200 2188 Enokidgl.exe 36 PID 2188 wrote to memory of 2200 2188 Enokidgl.exe 36 PID 2188 wrote to memory of 2200 2188 Enokidgl.exe 36 PID 2200 wrote to memory of 904 2200 Ehgoaiml.exe 37 PID 2200 wrote to memory of 904 2200 Ehgoaiml.exe 37 PID 2200 wrote to memory of 904 2200 Ehgoaiml.exe 37 PID 2200 wrote to memory of 904 2200 Ehgoaiml.exe 37 PID 904 wrote to memory of 1996 904 Fpgmak32.exe 38 PID 904 wrote to memory of 1996 904 Fpgmak32.exe 38 PID 904 wrote to memory of 1996 904 Fpgmak32.exe 38 PID 904 wrote to memory of 1996 904 Fpgmak32.exe 38 PID 1996 wrote to memory of 2524 1996 Fianpp32.exe 39 PID 1996 wrote to memory of 2524 1996 Fianpp32.exe 39 PID 1996 wrote to memory of 2524 1996 Fianpp32.exe 39 PID 1996 wrote to memory of 2524 1996 Fianpp32.exe 39 PID 2524 wrote to memory of 1132 2524 Foacmg32.exe 40 PID 2524 wrote to memory of 1132 2524 Foacmg32.exe 40 PID 2524 wrote to memory of 1132 2524 Foacmg32.exe 40 PID 2524 wrote to memory of 1132 2524 Foacmg32.exe 40 PID 1132 wrote to memory of 2412 1132 Goemhfco.exe 41 PID 1132 wrote to memory of 2412 1132 Goemhfco.exe 41 PID 1132 wrote to memory of 2412 1132 Goemhfco.exe 41 PID 1132 wrote to memory of 2412 1132 Goemhfco.exe 41 PID 2412 wrote to memory of 2152 2412 Gdbeqmag.exe 42 PID 2412 wrote to memory of 2152 2412 Gdbeqmag.exe 42 PID 2412 wrote to memory of 2152 2412 Gdbeqmag.exe 42 PID 2412 wrote to memory of 2152 2412 Gdbeqmag.exe 42 PID 2152 wrote to memory of 696 2152 Ggekhhle.exe 43 PID 2152 wrote to memory of 696 2152 Ggekhhle.exe 43 PID 2152 wrote to memory of 696 2152 Ggekhhle.exe 43 PID 2152 wrote to memory of 696 2152 Ggekhhle.exe 43 PID 696 wrote to memory of 2028 696 Hdilalko.exe 44 PID 696 wrote to memory of 2028 696 Hdilalko.exe 44 PID 696 wrote to memory of 2028 696 Hdilalko.exe 44 PID 696 wrote to memory of 2028 696 Hdilalko.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\8ebb272e9f5d67c35071cb708f927576bbe744333340f59c13a13b3011a89c17N.exe"C:\Users\Admin\AppData\Local\Temp\8ebb272e9f5d67c35071cb708f927576bbe744333340f59c13a13b3011a89c17N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2052 -
C:\Windows\SysWOW64\Ckilmfke.exeC:\Windows\system32\Ckilmfke.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2284 -
C:\Windows\SysWOW64\Dknehe32.exeC:\Windows\system32\Dknehe32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2896 -
C:\Windows\SysWOW64\Dgefmf32.exeC:\Windows\system32\Dgefmf32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2088 -
C:\Windows\SysWOW64\Dfjcncak.exeC:\Windows\system32\Dfjcncak.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2660 -
C:\Windows\SysWOW64\Dpbgghhl.exeC:\Windows\system32\Dpbgghhl.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Windows\SysWOW64\Epinhg32.exeC:\Windows\system32\Epinhg32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1896 -
C:\Windows\SysWOW64\Enokidgl.exeC:\Windows\system32\Enokidgl.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2188 -
C:\Windows\SysWOW64\Ehgoaiml.exeC:\Windows\system32\Ehgoaiml.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2200 -
C:\Windows\SysWOW64\Fpgmak32.exeC:\Windows\system32\Fpgmak32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:904 -
C:\Windows\SysWOW64\Fianpp32.exeC:\Windows\system32\Fianpp32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1996 -
C:\Windows\SysWOW64\Foacmg32.exeC:\Windows\system32\Foacmg32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2524 -
C:\Windows\SysWOW64\Goemhfco.exeC:\Windows\system32\Goemhfco.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1132 -
C:\Windows\SysWOW64\Gdbeqmag.exeC:\Windows\system32\Gdbeqmag.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2412 -
C:\Windows\SysWOW64\Ggekhhle.exeC:\Windows\system32\Ggekhhle.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2152 -
C:\Windows\SysWOW64\Hdilalko.exeC:\Windows\system32\Hdilalko.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:696 -
C:\Windows\SysWOW64\Hlijan32.exeC:\Windows\system32\Hlijan32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2028 -
C:\Windows\SysWOW64\Hhpjfoji.exeC:\Windows\system32\Hhpjfoji.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1108 -
C:\Windows\SysWOW64\Hdgkkppm.exeC:\Windows\system32\Hdgkkppm.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1672 -
C:\Windows\SysWOW64\Ijfpif32.exeC:\Windows\system32\Ijfpif32.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:3016 -
C:\Windows\SysWOW64\Ifoncgpc.exeC:\Windows\system32\Ifoncgpc.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1968 -
C:\Windows\SysWOW64\Iogbllfc.exeC:\Windows\system32\Iogbllfc.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2592 -
C:\Windows\SysWOW64\Iojoalda.exeC:\Windows\system32\Iojoalda.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2380 -
C:\Windows\SysWOW64\Jollgl32.exeC:\Windows\system32\Jollgl32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:880 -
C:\Windows\SysWOW64\Jfhqiegh.exeC:\Windows\system32\Jfhqiegh.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1716 -
C:\Windows\SysWOW64\Jiiikq32.exeC:\Windows\system32\Jiiikq32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2768 -
C:\Windows\SysWOW64\Jjmchhhe.exeC:\Windows\system32\Jjmchhhe.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2772 -
C:\Windows\SysWOW64\Kffpcilf.exeC:\Windows\system32\Kffpcilf.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2800 -
C:\Windows\SysWOW64\Kclmbm32.exeC:\Windows\system32\Kclmbm32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2704 -
C:\Windows\SysWOW64\Kpcngnob.exeC:\Windows\system32\Kpcngnob.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2684 -
C:\Windows\SysWOW64\Lhqpqp32.exeC:\Windows\system32\Lhqpqp32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:512 -
C:\Windows\SysWOW64\Lbfdnijp.exeC:\Windows\system32\Lbfdnijp.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2264 -
C:\Windows\SysWOW64\Lkahbkgk.exeC:\Windows\system32\Lkahbkgk.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2372 -
C:\Windows\SysWOW64\Legmpdga.exeC:\Windows\system32\Legmpdga.exe34⤵
- Executes dropped EXE
PID:1168 -
C:\Windows\SysWOW64\Looahi32.exeC:\Windows\system32\Looahi32.exe35⤵
- Executes dropped EXE
PID:2004 -
C:\Windows\SysWOW64\Ldljqpli.exeC:\Windows\system32\Ldljqpli.exe36⤵
- Executes dropped EXE
PID:1148 -
C:\Windows\SysWOW64\Liibigjq.exeC:\Windows\system32\Liibigjq.exe37⤵
- Executes dropped EXE
PID:304 -
C:\Windows\SysWOW64\Mlikkbga.exeC:\Windows\system32\Mlikkbga.exe38⤵
- Executes dropped EXE
PID:1704 -
C:\Windows\SysWOW64\Mmigdend.exeC:\Windows\system32\Mmigdend.exe39⤵
- Executes dropped EXE
PID:2136 -
C:\Windows\SysWOW64\Mcfpmlll.exeC:\Windows\system32\Mcfpmlll.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:1660 -
C:\Windows\SysWOW64\Mhbhecjc.exeC:\Windows\system32\Mhbhecjc.exe41⤵
- Executes dropped EXE
PID:2460 -
C:\Windows\SysWOW64\Makmnh32.exeC:\Windows\system32\Makmnh32.exe42⤵
- Executes dropped EXE
PID:1928 -
C:\Windows\SysWOW64\Mlqakaqi.exeC:\Windows\system32\Mlqakaqi.exe43⤵
- Executes dropped EXE
PID:2996 -
C:\Windows\SysWOW64\Mcjihk32.exeC:\Windows\system32\Mcjihk32.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1680 -
C:\Windows\SysWOW64\Nekbjf32.exeC:\Windows\system32\Nekbjf32.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:332 -
C:\Windows\SysWOW64\Nkhkbmco.exeC:\Windows\system32\Nkhkbmco.exe46⤵
- Executes dropped EXE
PID:3000 -
C:\Windows\SysWOW64\Nhlkkabh.exeC:\Windows\system32\Nhlkkabh.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1408 -
C:\Windows\SysWOW64\Ndclpb32.exeC:\Windows\system32\Ndclpb32.exe48⤵
- Executes dropped EXE
PID:268 -
C:\Windows\SysWOW64\Nlnqeeeh.exeC:\Windows\system32\Nlnqeeeh.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1420 -
C:\Windows\SysWOW64\Nlpmjdce.exeC:\Windows\system32\Nlpmjdce.exe50⤵
- Executes dropped EXE
PID:2508 -
C:\Windows\SysWOW64\Ofibcj32.exeC:\Windows\system32\Ofibcj32.exe51⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2748 -
C:\Windows\SysWOW64\Ooaflp32.exeC:\Windows\system32\Ooaflp32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2792 -
C:\Windows\SysWOW64\Okhgaqfj.exeC:\Windows\system32\Okhgaqfj.exe53⤵
- Executes dropped EXE
PID:2880 -
C:\Windows\SysWOW64\Obbonk32.exeC:\Windows\system32\Obbonk32.exe54⤵
- Executes dropped EXE
PID:2824 -
C:\Windows\SysWOW64\Oofpgolq.exeC:\Windows\system32\Oofpgolq.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2240 -
C:\Windows\SysWOW64\Oindpd32.exeC:\Windows\system32\Oindpd32.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2620 -
C:\Windows\SysWOW64\Onkmhl32.exeC:\Windows\system32\Onkmhl32.exe57⤵
- Executes dropped EXE
PID:2292 -
C:\Windows\SysWOW64\Okomappb.exeC:\Windows\system32\Okomappb.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2972 -
C:\Windows\SysWOW64\Pqlfjfni.exeC:\Windows\system32\Pqlfjfni.exe59⤵
- Executes dropped EXE
PID:1956 -
C:\Windows\SysWOW64\Pnpfckmc.exeC:\Windows\system32\Pnpfckmc.exe60⤵
- Executes dropped EXE
PID:2696 -
C:\Windows\SysWOW64\Pjfghl32.exeC:\Windows\system32\Pjfghl32.exe61⤵
- Executes dropped EXE
PID:1972 -
C:\Windows\SysWOW64\Ppcoqbao.exeC:\Windows\system32\Ppcoqbao.exe62⤵
- Executes dropped EXE
PID:1840 -
C:\Windows\SysWOW64\Pbdhbnnp.exeC:\Windows\system32\Pbdhbnnp.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2216 -
C:\Windows\SysWOW64\Qeeadi32.exeC:\Windows\system32\Qeeadi32.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1228 -
C:\Windows\SysWOW64\Qnmfmoaa.exeC:\Windows\system32\Qnmfmoaa.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2512 -
C:\Windows\SysWOW64\Qegnii32.exeC:\Windows\system32\Qegnii32.exe66⤵PID:556
-
C:\Windows\SysWOW64\Qnpbbn32.exeC:\Windows\system32\Qnpbbn32.exe67⤵PID:2492
-
C:\Windows\SysWOW64\Aiegpg32.exeC:\Windows\system32\Aiegpg32.exe68⤵PID:1984
-
C:\Windows\SysWOW64\Anbohn32.exeC:\Windows\system32\Anbohn32.exe69⤵PID:2392
-
C:\Windows\SysWOW64\Aelgdhei.exeC:\Windows\system32\Aelgdhei.exe70⤵PID:3020
-
C:\Windows\SysWOW64\Amglij32.exeC:\Windows\system32\Amglij32.exe71⤵PID:1576
-
C:\Windows\SysWOW64\Ahmpfc32.exeC:\Windows\system32\Ahmpfc32.exe72⤵PID:1188
-
C:\Windows\SysWOW64\Apheke32.exeC:\Windows\system32\Apheke32.exe73⤵
- System Location Discovery: System Language Discovery
PID:2672 -
C:\Windows\SysWOW64\Afamgpga.exeC:\Windows\system32\Afamgpga.exe74⤵PID:2668
-
C:\Windows\SysWOW64\Afdjmo32.exeC:\Windows\system32\Afdjmo32.exe75⤵PID:1752
-
C:\Windows\SysWOW64\Bmnbjill.exeC:\Windows\system32\Bmnbjill.exe76⤵PID:2208
-
C:\Windows\SysWOW64\Bmpooiji.exeC:\Windows\system32\Bmpooiji.exe77⤵PID:960
-
C:\Windows\SysWOW64\Bgichoqj.exeC:\Windows\system32\Bgichoqj.exe78⤵PID:2032
-
C:\Windows\SysWOW64\Blelpeoa.exeC:\Windows\system32\Blelpeoa.exe79⤵PID:3012
-
C:\Windows\SysWOW64\Bbpdmp32.exeC:\Windows\system32\Bbpdmp32.exe80⤵PID:1460
-
C:\Windows\SysWOW64\Bcbabodk.exeC:\Windows\system32\Bcbabodk.exe81⤵PID:848
-
C:\Windows\SysWOW64\Bdcmjg32.exeC:\Windows\system32\Bdcmjg32.exe82⤵PID:2472
-
C:\Windows\SysWOW64\Bagncl32.exeC:\Windows\system32\Bagncl32.exe83⤵PID:608
-
C:\Windows\SysWOW64\Cgdflb32.exeC:\Windows\system32\Cgdflb32.exe84⤵PID:2540
-
C:\Windows\SysWOW64\Cjdonndl.exeC:\Windows\system32\Cjdonndl.exe85⤵PID:1500
-
C:\Windows\SysWOW64\Cdjckfda.exeC:\Windows\system32\Cdjckfda.exe86⤵PID:924
-
C:\Windows\SysWOW64\Ccoplcii.exeC:\Windows\system32\Ccoplcii.exe87⤵PID:2580
-
C:\Windows\SysWOW64\Cjlenm32.exeC:\Windows\system32\Cjlenm32.exe88⤵PID:2912
-
C:\Windows\SysWOW64\Dbighojl.exeC:\Windows\system32\Dbighojl.exe89⤵PID:2332
-
C:\Windows\SysWOW64\Dhcoei32.exeC:\Windows\system32\Dhcoei32.exe90⤵PID:2968
-
C:\Windows\SysWOW64\Dnpgmp32.exeC:\Windows\system32\Dnpgmp32.exe91⤵PID:2796
-
C:\Windows\SysWOW64\Dheljhof.exeC:\Windows\system32\Dheljhof.exe92⤵PID:2636
-
C:\Windows\SysWOW64\Dqqqokla.exeC:\Windows\system32\Dqqqokla.exe93⤵
- System Location Discovery: System Language Discovery
PID:1080 -
C:\Windows\SysWOW64\Dgkike32.exeC:\Windows\system32\Dgkike32.exe94⤵PID:2104
-
C:\Windows\SysWOW64\Dcaiqfib.exeC:\Windows\system32\Dcaiqfib.exe95⤵PID:592
-
C:\Windows\SysWOW64\Engnno32.exeC:\Windows\system32\Engnno32.exe96⤵PID:1728
-
C:\Windows\SysWOW64\Ecdffe32.exeC:\Windows\system32\Ecdffe32.exe97⤵PID:1204
-
C:\Windows\SysWOW64\Emlkoknp.exeC:\Windows\system32\Emlkoknp.exe98⤵
- Modifies registry class
PID:2452 -
C:\Windows\SysWOW64\Epkgkfmd.exeC:\Windows\system32\Epkgkfmd.exe99⤵PID:956
-
C:\Windows\SysWOW64\Ejpkho32.exeC:\Windows\system32\Ejpkho32.exe100⤵PID:2948
-
C:\Windows\SysWOW64\Efglmpbn.exeC:\Windows\system32\Efglmpbn.exe101⤵PID:1816
-
C:\Windows\SysWOW64\Ekcdegqe.exeC:\Windows\system32\Ekcdegqe.exe102⤵PID:1360
-
C:\Windows\SysWOW64\Eiheok32.exeC:\Windows\system32\Eiheok32.exe103⤵PID:2976
-
C:\Windows\SysWOW64\Endmgb32.exeC:\Windows\system32\Endmgb32.exe104⤵PID:3064
-
C:\Windows\SysWOW64\Fgmaphdg.exeC:\Windows\system32\Fgmaphdg.exe105⤵PID:2096
-
C:\Windows\SysWOW64\Fbbfmqdm.exeC:\Windows\system32\Fbbfmqdm.exe106⤵PID:2844
-
C:\Windows\SysWOW64\Fcfojhhh.exeC:\Windows\system32\Fcfojhhh.exe107⤵PID:2652
-
C:\Windows\SysWOW64\Fnkchahn.exeC:\Windows\system32\Fnkchahn.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2616 -
C:\Windows\SysWOW64\Fdhlphff.exeC:\Windows\system32\Fdhlphff.exe109⤵PID:2340
-
C:\Windows\SysWOW64\Fallil32.exeC:\Windows\system32\Fallil32.exe110⤵PID:940
-
C:\Windows\SysWOW64\Gmcmomjc.exeC:\Windows\system32\Gmcmomjc.exe111⤵PID:1616
-
C:\Windows\SysWOW64\Gbpegdik.exeC:\Windows\system32\Gbpegdik.exe112⤵PID:2320
-
C:\Windows\SysWOW64\Gijncn32.exeC:\Windows\system32\Gijncn32.exe113⤵PID:1156
-
C:\Windows\SysWOW64\Glhjpjok.exeC:\Windows\system32\Glhjpjok.exe114⤵
- Modifies registry class
PID:276 -
C:\Windows\SysWOW64\Gfnnmboa.exeC:\Windows\system32\Gfnnmboa.exe115⤵PID:2484
-
C:\Windows\SysWOW64\Gpfbfh32.exeC:\Windows\system32\Gpfbfh32.exe116⤵PID:2124
-
C:\Windows\SysWOW64\Gfpkbbmo.exeC:\Windows\system32\Gfpkbbmo.exe117⤵PID:2080
-
C:\Windows\SysWOW64\Glmckikf.exeC:\Windows\system32\Glmckikf.exe118⤵PID:2360
-
C:\Windows\SysWOW64\Gloppi32.exeC:\Windows\system32\Gloppi32.exe119⤵PID:2848
-
C:\Windows\SysWOW64\Galhhp32.exeC:\Windows\system32\Galhhp32.exe120⤵PID:3036
-
C:\Windows\SysWOW64\Hmcimq32.exeC:\Windows\system32\Hmcimq32.exe121⤵PID:2212
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-