Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
94s -
max time network
99s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
27/09/2024, 23:05
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
3e91bd0e73b50839e3d4fdb5d73715da454aa43c1aa2affdff8c99835eb71cbeN.exe
Resource
win7-20240708-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
3e91bd0e73b50839e3d4fdb5d73715da454aa43c1aa2affdff8c99835eb71cbeN.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
8 signatures
120 seconds
General
-
Target
3e91bd0e73b50839e3d4fdb5d73715da454aa43c1aa2affdff8c99835eb71cbeN.exe
-
Size
76KB
-
MD5
dfd69428d51ad25912e648d24b480460
-
SHA1
be292fb2092c32ac5ed85b09aa5b80a9c3bfcbe3
-
SHA256
3e91bd0e73b50839e3d4fdb5d73715da454aa43c1aa2affdff8c99835eb71cbe
-
SHA512
71796c1275c67e8ce01f95427b3783d4f40ae5147b3cae3b9c891b4bce2e37b6dd251ae876e2c549cc8335caa50716c0a34c8a807d7807bb5c40bf1794631ca5
-
SSDEEP
1536:QuE/d51aw0SAdGqLbm5oLvANlzewHHioQV+/eCeyvCQ:bgd50Jr13mmLAxHHrk+
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://master-x.com/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://crutop.ru/index.php
http://kaspersky.ru/index.php
http://color-bank.ru/index.php
http://adult-empire.com/index.php
http://virus-list.com/index.php
http://trojan.ru/index.php
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://fethard.biz/index.htm
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://kaspersky.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mbgjbkfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pefhlaie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjjlkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qpeahb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljilqnlm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dlieda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebhglj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Miaboe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkmdecbg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkaobnio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjgpfk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbeapmll.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Difpmfna.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofmdio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jknfcofa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mjdebfnd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipoheakj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcblpdgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oeehkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Olfghg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fihnomjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Omdppiif.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhpbfpka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ciafbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dcnqpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmiikh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phajna32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbnoiqdq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Moipoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nnfpinmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ofmdio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njghbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lmbhgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lenicahg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkimho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmaffnce.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkegpb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hemdlj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmdlmg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnbklm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Leopnglc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eiaoid32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qodeajbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkgcea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Adfnofpd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jiglnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ondljl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aphnnafb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Obafpg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmabggdm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlkgmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cmcolgbj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fihnomjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmfplibd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fbelcblk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hpqldc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ombcji32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amcehdod.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjhacf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Glcaambb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kqphfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lqojclne.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgnlkfal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jlkipgpe.exe -
Executes dropped EXE 64 IoCs
pid Process 2700 Lgcjdd32.exe 3504 Lkofdbkj.exe 3624 Lbinam32.exe 1196 Lgffic32.exe 468 Ljdceo32.exe 736 Lejgch32.exe 692 Lldopb32.exe 4956 Lnbklm32.exe 1576 Lelchgne.exe 2856 Lgkpdcmi.exe 2396 Ljilqnlm.exe 2360 Leopnglc.exe 5088 Lhmmjbkf.exe 4976 Mbbagk32.exe 4060 Milidebi.exe 4044 Mniallpq.exe 1984 Mahnhhod.exe 3904 Mhafeb32.exe 1488 Mjpbam32.exe 4068 Mbgjbkfg.exe 3588 Miaboe32.exe 1536 Mjbogmdb.exe 3756 Micoed32.exe 4036 Mlbkap32.exe 3252 Mblcnj32.exe 5104 Mifljdjo.exe 3524 Njghbl32.exe 3292 Nemmoe32.exe 4104 Nbqmiinl.exe 1432 Nklbmllg.exe 2344 Nafjjf32.exe 3208 Nhpbfpka.exe 3288 Najceeoo.exe 2908 Okchnk32.exe 396 Oondnini.exe 4864 Oampjeml.exe 4004 Olbdhn32.exe 4428 Oblmdhdo.exe 4736 Oekiqccc.exe 4432 Oldamm32.exe 2464 Oaajed32.exe 2664 Oihagaji.exe 4840 Okjnnj32.exe 3340 Obafpg32.exe 5016 Ohnohn32.exe 540 Oohgdhfn.exe 3684 Ohpkmn32.exe 3324 Pkogiikb.exe 1712 Pahpfc32.exe 4580 Phbhcmjl.exe 2776 Pkadoiip.exe 3916 Pefhlaie.exe 3900 Pibdmp32.exe 3380 Pkcadhgm.exe 5068 Pcjiff32.exe 640 Phganm32.exe 664 Poajkgnc.exe 4920 Papfgbmg.exe 4100 Phincl32.exe 4568 Pkhjph32.exe 1104 Pemomqcn.exe 2912 Qlggjk32.exe 2872 Qkjgegae.exe 3988 Qepkbpak.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Ekodjiol.exe Eiahnnph.exe File created C:\Windows\SysWOW64\Jgpfbjlo.exe Johnamkm.exe File created C:\Windows\SysWOW64\Glldgljg.exe Gmiclo32.exe File created C:\Windows\SysWOW64\Lgdidgjg.exe Lqkqhm32.exe File created C:\Windows\SysWOW64\Elbhjp32.exe Ejalcgkg.exe File created C:\Windows\SysWOW64\Pioelhgj.dll Iloidijb.exe File created C:\Windows\SysWOW64\Dojqjdbl.exe Dgcihgaj.exe File created C:\Windows\SysWOW64\Nkbjmj32.dll Kckqbj32.exe File created C:\Windows\SysWOW64\Nnahhegq.dll Omdppiif.exe File opened for modification C:\Windows\SysWOW64\Cdpcal32.exe Caageq32.exe File created C:\Windows\SysWOW64\Hgdejd32.exe Hbhijepa.exe File created C:\Windows\SysWOW64\Ogpoeg32.dll Anmfbl32.exe File created C:\Windows\SysWOW64\Gmophg32.dll Iikmbh32.exe File created C:\Windows\SysWOW64\Leifdf32.dll Anobgl32.exe File opened for modification C:\Windows\SysWOW64\Mmfkhmdi.exe Lflbkcll.exe File opened for modification C:\Windows\SysWOW64\Pplobcpp.exe Pmnbfhal.exe File opened for modification C:\Windows\SysWOW64\Lcjcnoej.exe Lqkgbcff.exe File created C:\Windows\SysWOW64\Hkpnbd32.dll Aahbbkaq.exe File opened for modification C:\Windows\SysWOW64\Holfoqcm.exe Hmkigh32.exe File created C:\Windows\SysWOW64\Nkgdfb32.dll Ofmdio32.exe File opened for modification C:\Windows\SysWOW64\Ckgohf32.exe Chiblk32.exe File created C:\Windows\SysWOW64\Anhejhfp.dll Jlgepanl.exe File created C:\Windows\SysWOW64\Bbikhdcm.dll Ppgegd32.exe File opened for modification C:\Windows\SysWOW64\Akqfkp32.exe Ahbjoe32.exe File opened for modification C:\Windows\SysWOW64\Hmdlmg32.exe Hemdlj32.exe File opened for modification C:\Windows\SysWOW64\Ajpqnneo.exe Acfhad32.exe File created C:\Windows\SysWOW64\Aqdjon32.dll Bfgjjm32.exe File created C:\Windows\SysWOW64\Nlfndjhh.dll Gkkgpc32.exe File created C:\Windows\SysWOW64\Abponp32.exe Aoabad32.exe File opened for modification C:\Windows\SysWOW64\Gljgbllj.exe Gikkfqmf.exe File opened for modification C:\Windows\SysWOW64\Hlcjhkdp.exe Hgfapd32.exe File created C:\Windows\SysWOW64\Gjpank32.dll Bemqih32.exe File created C:\Windows\SysWOW64\Fdnnlj32.dll Cbdjeg32.exe File opened for modification C:\Windows\SysWOW64\Fmhdkknd.exe Fbbpmb32.exe File created C:\Windows\SysWOW64\Jgqjbf32.dll Mqfpckhm.exe File created C:\Windows\SysWOW64\Polalahi.dll Jiglnf32.exe File created C:\Windows\SysWOW64\Lgcjdd32.exe 3e91bd0e73b50839e3d4fdb5d73715da454aa43c1aa2affdff8c99835eb71cbeN.exe File created C:\Windows\SysWOW64\Kjmqinmi.dll Mhafeb32.exe File created C:\Windows\SysWOW64\Npodfe32.dll Fjjnifbl.exe File created C:\Windows\SysWOW64\Jjjpnlbd.exe Jkgpbp32.exe File created C:\Windows\SysWOW64\Miongake.dll Ndflak32.exe File created C:\Windows\SysWOW64\Mblcnj32.exe Mlbkap32.exe File opened for modification C:\Windows\SysWOW64\Akcjkfij.exe Ajbmdn32.exe File created C:\Windows\SysWOW64\Ncliqp32.dll Ebjcajjd.exe File created C:\Windows\SysWOW64\Domdjj32.exe Dfdpad32.exe File created C:\Windows\SysWOW64\Jlllhigk.dll Mmfkhmdi.exe File created C:\Windows\SysWOW64\Ieoigp32.dll Akblfj32.exe File opened for modification C:\Windows\SysWOW64\Bgnffj32.exe Bdojjo32.exe File created C:\Windows\SysWOW64\Mjbogmdb.exe Miaboe32.exe File created C:\Windows\SysWOW64\Neqhhf32.dll Dpdaepai.exe File opened for modification C:\Windows\SysWOW64\Oobfob32.exe Ojgjndno.exe File created C:\Windows\SysWOW64\Klfaapbl.exe Kjgeedch.exe File created C:\Windows\SysWOW64\Lnangaoa.exe Lfjfecno.exe File created C:\Windows\SysWOW64\Dafppp32.exe Cklhcfle.exe File created C:\Windows\SysWOW64\Fbqdpi32.dll Imkbnf32.exe File opened for modification C:\Windows\SysWOW64\Bobabg32.exe Bhhiemoj.exe File created C:\Windows\SysWOW64\Fbociolq.dll Blhpqhlh.exe File created C:\Windows\SysWOW64\Ilccoh32.exe Ijegcm32.exe File opened for modification C:\Windows\SysWOW64\Kqmkae32.exe Kjccdkki.exe File opened for modification C:\Windows\SysWOW64\Ahpmjejp.exe Aeaanjkl.exe File created C:\Windows\SysWOW64\Kaofbcjo.dll Eiahnnph.exe File created C:\Windows\SysWOW64\Ncofplba.exe Nelfeo32.exe File created C:\Windows\SysWOW64\Imiehfao.exe Iebngial.exe File created C:\Windows\SysWOW64\Pickil32.dll Okkdic32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 14548 14468 WerFault.exe 762 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Milidebi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkoigdom.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdepgkgj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpqjglii.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jncoikmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnepna32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aaenbd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chiblk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Leopnglc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbeapmll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmlddqem.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oeehkn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pecellgl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eeelnp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmfplibd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpchib32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klahfp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qkjgegae.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdhedh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkeekk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qaalblgi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gidnkkpc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcoaglhk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmeandma.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aoabad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcmbee32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alkijdci.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccpdoqgd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olfghg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbelcblk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnlkedai.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnplfj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jknfcofa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dodjjimm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmmbbejp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdfjld32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmmmfj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfoann32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nemmoe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oihagaji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bcddcbab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjecpkcg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idcepgmg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkgiimng.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkjnfkma.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pddhbipj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eclmamod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbofcghl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jllokajf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcnfohmi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pplobcpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bknlbhhe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oobfob32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdecgbfa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Moipoh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npepkf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahaceo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnlhncgi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bcinna32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccgjopal.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfoiaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eiaoid32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfiddm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qhhpop32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bfngdn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Manmoq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Peahgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qikoka32.dll" Gmfplibd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfcjqc32.dll" Kjblje32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lgdidgjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbmdml32.dll" Qfmmplad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lclpdncg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhlkdj32.dll" Popbpqjh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qdhogopn.dll" Bhnikc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cfpffeaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmpdihki.dll" Flmqlg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hilpobpd.dll" Mmpmnl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oeokal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ckjbhmad.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Deqcbpld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hmpcbhji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mgloefco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqdjon32.dll" Bfgjjm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cofecami.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fjjnifbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Chglab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eehnaq32.dll" Boldhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Achnlqjp.dll" Ahjgjj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ahpmjejp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fbbpmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibdlakbf.dll" Hehkajig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oppceehj.dll" Nfohgqlg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nnhmnn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Chiblk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fpbmfn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mkjnfkma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bemqih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcokoohi.dll" Npbceggm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kloeol32.dll" Oaajed32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jlkipgpe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbopphio.dll" Plbfdekd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egbcih32.dll" Ifmqfm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ipoheakj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oghghb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lgccinoe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Plbfdekd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cohkokgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dnmhpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jnlkedai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnoigi32.dll" Pahpfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clgbhl32.dll" Cohkokgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fijkdmhn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jiglnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqjgbadl.dll" Lenicahg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahbohd32.dll" Gidnkkpc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kjeiodek.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Akblfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkbnla32.dll" Bdfpkm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngmeal32.dll" Njghbl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jdfjld32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fbpchb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nekhop32.dll" Oblmdhdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Idcepgmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pejkmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Accailfj.dll" Idhnkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anhejhfp.dll" Jlgepanl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qdaniq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ciafbg32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1308 wrote to memory of 2700 1308 3e91bd0e73b50839e3d4fdb5d73715da454aa43c1aa2affdff8c99835eb71cbeN.exe 82 PID 1308 wrote to memory of 2700 1308 3e91bd0e73b50839e3d4fdb5d73715da454aa43c1aa2affdff8c99835eb71cbeN.exe 82 PID 1308 wrote to memory of 2700 1308 3e91bd0e73b50839e3d4fdb5d73715da454aa43c1aa2affdff8c99835eb71cbeN.exe 82 PID 2700 wrote to memory of 3504 2700 Lgcjdd32.exe 83 PID 2700 wrote to memory of 3504 2700 Lgcjdd32.exe 83 PID 2700 wrote to memory of 3504 2700 Lgcjdd32.exe 83 PID 3504 wrote to memory of 3624 3504 Lkofdbkj.exe 84 PID 3504 wrote to memory of 3624 3504 Lkofdbkj.exe 84 PID 3504 wrote to memory of 3624 3504 Lkofdbkj.exe 84 PID 3624 wrote to memory of 1196 3624 Lbinam32.exe 85 PID 3624 wrote to memory of 1196 3624 Lbinam32.exe 85 PID 3624 wrote to memory of 1196 3624 Lbinam32.exe 85 PID 1196 wrote to memory of 468 1196 Lgffic32.exe 86 PID 1196 wrote to memory of 468 1196 Lgffic32.exe 86 PID 1196 wrote to memory of 468 1196 Lgffic32.exe 86 PID 468 wrote to memory of 736 468 Ljdceo32.exe 87 PID 468 wrote to memory of 736 468 Ljdceo32.exe 87 PID 468 wrote to memory of 736 468 Ljdceo32.exe 87 PID 736 wrote to memory of 692 736 Lejgch32.exe 88 PID 736 wrote to memory of 692 736 Lejgch32.exe 88 PID 736 wrote to memory of 692 736 Lejgch32.exe 88 PID 692 wrote to memory of 4956 692 Lldopb32.exe 89 PID 692 wrote to memory of 4956 692 Lldopb32.exe 89 PID 692 wrote to memory of 4956 692 Lldopb32.exe 89 PID 4956 wrote to memory of 1576 4956 Lnbklm32.exe 90 PID 4956 wrote to memory of 1576 4956 Lnbklm32.exe 90 PID 4956 wrote to memory of 1576 4956 Lnbklm32.exe 90 PID 1576 wrote to memory of 2856 1576 Lelchgne.exe 91 PID 1576 wrote to memory of 2856 1576 Lelchgne.exe 91 PID 1576 wrote to memory of 2856 1576 Lelchgne.exe 91 PID 2856 wrote to memory of 2396 2856 Lgkpdcmi.exe 92 PID 2856 wrote to memory of 2396 2856 Lgkpdcmi.exe 92 PID 2856 wrote to memory of 2396 2856 Lgkpdcmi.exe 92 PID 2396 wrote to memory of 2360 2396 Ljilqnlm.exe 93 PID 2396 wrote to memory of 2360 2396 Ljilqnlm.exe 93 PID 2396 wrote to memory of 2360 2396 Ljilqnlm.exe 93 PID 2360 wrote to memory of 5088 2360 Leopnglc.exe 94 PID 2360 wrote to memory of 5088 2360 Leopnglc.exe 94 PID 2360 wrote to memory of 5088 2360 Leopnglc.exe 94 PID 5088 wrote to memory of 4976 5088 Lhmmjbkf.exe 95 PID 5088 wrote to memory of 4976 5088 Lhmmjbkf.exe 95 PID 5088 wrote to memory of 4976 5088 Lhmmjbkf.exe 95 PID 4976 wrote to memory of 4060 4976 Mbbagk32.exe 96 PID 4976 wrote to memory of 4060 4976 Mbbagk32.exe 96 PID 4976 wrote to memory of 4060 4976 Mbbagk32.exe 96 PID 4060 wrote to memory of 4044 4060 Milidebi.exe 97 PID 4060 wrote to memory of 4044 4060 Milidebi.exe 97 PID 4060 wrote to memory of 4044 4060 Milidebi.exe 97 PID 4044 wrote to memory of 1984 4044 Mniallpq.exe 98 PID 4044 wrote to memory of 1984 4044 Mniallpq.exe 98 PID 4044 wrote to memory of 1984 4044 Mniallpq.exe 98 PID 1984 wrote to memory of 3904 1984 Mahnhhod.exe 99 PID 1984 wrote to memory of 3904 1984 Mahnhhod.exe 99 PID 1984 wrote to memory of 3904 1984 Mahnhhod.exe 99 PID 3904 wrote to memory of 1488 3904 Mhafeb32.exe 100 PID 3904 wrote to memory of 1488 3904 Mhafeb32.exe 100 PID 3904 wrote to memory of 1488 3904 Mhafeb32.exe 100 PID 1488 wrote to memory of 4068 1488 Mjpbam32.exe 101 PID 1488 wrote to memory of 4068 1488 Mjpbam32.exe 101 PID 1488 wrote to memory of 4068 1488 Mjpbam32.exe 101 PID 4068 wrote to memory of 3588 4068 Mbgjbkfg.exe 102 PID 4068 wrote to memory of 3588 4068 Mbgjbkfg.exe 102 PID 4068 wrote to memory of 3588 4068 Mbgjbkfg.exe 102 PID 3588 wrote to memory of 1536 3588 Miaboe32.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\3e91bd0e73b50839e3d4fdb5d73715da454aa43c1aa2affdff8c99835eb71cbeN.exe"C:\Users\Admin\AppData\Local\Temp\3e91bd0e73b50839e3d4fdb5d73715da454aa43c1aa2affdff8c99835eb71cbeN.exe"1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1308 -
C:\Windows\SysWOW64\Lgcjdd32.exeC:\Windows\system32\Lgcjdd32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2700 -
C:\Windows\SysWOW64\Lkofdbkj.exeC:\Windows\system32\Lkofdbkj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3504 -
C:\Windows\SysWOW64\Lbinam32.exeC:\Windows\system32\Lbinam32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3624 -
C:\Windows\SysWOW64\Lgffic32.exeC:\Windows\system32\Lgffic32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1196 -
C:\Windows\SysWOW64\Ljdceo32.exeC:\Windows\system32\Ljdceo32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:468 -
C:\Windows\SysWOW64\Lejgch32.exeC:\Windows\system32\Lejgch32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:736 -
C:\Windows\SysWOW64\Lldopb32.exeC:\Windows\system32\Lldopb32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:692 -
C:\Windows\SysWOW64\Lnbklm32.exeC:\Windows\system32\Lnbklm32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4956 -
C:\Windows\SysWOW64\Lelchgne.exeC:\Windows\system32\Lelchgne.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1576 -
C:\Windows\SysWOW64\Lgkpdcmi.exeC:\Windows\system32\Lgkpdcmi.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2856 -
C:\Windows\SysWOW64\Ljilqnlm.exeC:\Windows\system32\Ljilqnlm.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2396 -
C:\Windows\SysWOW64\Leopnglc.exeC:\Windows\system32\Leopnglc.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2360 -
C:\Windows\SysWOW64\Lhmmjbkf.exeC:\Windows\system32\Lhmmjbkf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5088 -
C:\Windows\SysWOW64\Mbbagk32.exeC:\Windows\system32\Mbbagk32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4976 -
C:\Windows\SysWOW64\Milidebi.exeC:\Windows\system32\Milidebi.exe16⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4060 -
C:\Windows\SysWOW64\Mniallpq.exeC:\Windows\system32\Mniallpq.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4044 -
C:\Windows\SysWOW64\Mahnhhod.exeC:\Windows\system32\Mahnhhod.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1984 -
C:\Windows\SysWOW64\Mhafeb32.exeC:\Windows\system32\Mhafeb32.exe19⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3904 -
C:\Windows\SysWOW64\Mjpbam32.exeC:\Windows\system32\Mjpbam32.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1488 -
C:\Windows\SysWOW64\Mbgjbkfg.exeC:\Windows\system32\Mbgjbkfg.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4068 -
C:\Windows\SysWOW64\Miaboe32.exeC:\Windows\system32\Miaboe32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3588 -
C:\Windows\SysWOW64\Mjbogmdb.exeC:\Windows\system32\Mjbogmdb.exe23⤵
- Executes dropped EXE
PID:1536 -
C:\Windows\SysWOW64\Micoed32.exeC:\Windows\system32\Micoed32.exe24⤵
- Executes dropped EXE
PID:3756 -
C:\Windows\SysWOW64\Mlbkap32.exeC:\Windows\system32\Mlbkap32.exe25⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4036 -
C:\Windows\SysWOW64\Mblcnj32.exeC:\Windows\system32\Mblcnj32.exe26⤵
- Executes dropped EXE
PID:3252 -
C:\Windows\SysWOW64\Mifljdjo.exeC:\Windows\system32\Mifljdjo.exe27⤵
- Executes dropped EXE
PID:5104 -
C:\Windows\SysWOW64\Njghbl32.exeC:\Windows\system32\Njghbl32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3524 -
C:\Windows\SysWOW64\Nemmoe32.exeC:\Windows\system32\Nemmoe32.exe29⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3292 -
C:\Windows\SysWOW64\Nbqmiinl.exeC:\Windows\system32\Nbqmiinl.exe30⤵
- Executes dropped EXE
PID:4104 -
C:\Windows\SysWOW64\Nklbmllg.exeC:\Windows\system32\Nklbmllg.exe31⤵
- Executes dropped EXE
PID:1432 -
C:\Windows\SysWOW64\Nafjjf32.exeC:\Windows\system32\Nafjjf32.exe32⤵
- Executes dropped EXE
PID:2344 -
C:\Windows\SysWOW64\Nhpbfpka.exeC:\Windows\system32\Nhpbfpka.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3208 -
C:\Windows\SysWOW64\Najceeoo.exeC:\Windows\system32\Najceeoo.exe34⤵
- Executes dropped EXE
PID:3288 -
C:\Windows\SysWOW64\Okchnk32.exeC:\Windows\system32\Okchnk32.exe35⤵
- Executes dropped EXE
PID:2908 -
C:\Windows\SysWOW64\Oondnini.exeC:\Windows\system32\Oondnini.exe36⤵
- Executes dropped EXE
PID:396 -
C:\Windows\SysWOW64\Oampjeml.exeC:\Windows\system32\Oampjeml.exe37⤵
- Executes dropped EXE
PID:4864 -
C:\Windows\SysWOW64\Olbdhn32.exeC:\Windows\system32\Olbdhn32.exe38⤵
- Executes dropped EXE
PID:4004 -
C:\Windows\SysWOW64\Oblmdhdo.exeC:\Windows\system32\Oblmdhdo.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:4428 -
C:\Windows\SysWOW64\Oekiqccc.exeC:\Windows\system32\Oekiqccc.exe40⤵
- Executes dropped EXE
PID:4736 -
C:\Windows\SysWOW64\Oldamm32.exeC:\Windows\system32\Oldamm32.exe41⤵
- Executes dropped EXE
PID:4432 -
C:\Windows\SysWOW64\Oaajed32.exeC:\Windows\system32\Oaajed32.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:2464 -
C:\Windows\SysWOW64\Oihagaji.exeC:\Windows\system32\Oihagaji.exe43⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2664 -
C:\Windows\SysWOW64\Okjnnj32.exeC:\Windows\system32\Okjnnj32.exe44⤵
- Executes dropped EXE
PID:4840 -
C:\Windows\SysWOW64\Obafpg32.exeC:\Windows\system32\Obafpg32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3340 -
C:\Windows\SysWOW64\Ohnohn32.exeC:\Windows\system32\Ohnohn32.exe46⤵
- Executes dropped EXE
PID:5016 -
C:\Windows\SysWOW64\Oohgdhfn.exeC:\Windows\system32\Oohgdhfn.exe47⤵
- Executes dropped EXE
PID:540 -
C:\Windows\SysWOW64\Ohpkmn32.exeC:\Windows\system32\Ohpkmn32.exe48⤵
- Executes dropped EXE
PID:3684 -
C:\Windows\SysWOW64\Pkogiikb.exeC:\Windows\system32\Pkogiikb.exe49⤵
- Executes dropped EXE
PID:3324 -
C:\Windows\SysWOW64\Pahpfc32.exeC:\Windows\system32\Pahpfc32.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:1712 -
C:\Windows\SysWOW64\Phbhcmjl.exeC:\Windows\system32\Phbhcmjl.exe51⤵
- Executes dropped EXE
PID:4580 -
C:\Windows\SysWOW64\Pkadoiip.exeC:\Windows\system32\Pkadoiip.exe52⤵
- Executes dropped EXE
PID:2776 -
C:\Windows\SysWOW64\Pefhlaie.exeC:\Windows\system32\Pefhlaie.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3916 -
C:\Windows\SysWOW64\Pibdmp32.exeC:\Windows\system32\Pibdmp32.exe54⤵
- Executes dropped EXE
PID:3900 -
C:\Windows\SysWOW64\Pkcadhgm.exeC:\Windows\system32\Pkcadhgm.exe55⤵
- Executes dropped EXE
PID:3380 -
C:\Windows\SysWOW64\Pcjiff32.exeC:\Windows\system32\Pcjiff32.exe56⤵
- Executes dropped EXE
PID:5068 -
C:\Windows\SysWOW64\Phganm32.exeC:\Windows\system32\Phganm32.exe57⤵
- Executes dropped EXE
PID:640 -
C:\Windows\SysWOW64\Poajkgnc.exeC:\Windows\system32\Poajkgnc.exe58⤵
- Executes dropped EXE
PID:664 -
C:\Windows\SysWOW64\Papfgbmg.exeC:\Windows\system32\Papfgbmg.exe59⤵
- Executes dropped EXE
PID:4920 -
C:\Windows\SysWOW64\Phincl32.exeC:\Windows\system32\Phincl32.exe60⤵
- Executes dropped EXE
PID:4100 -
C:\Windows\SysWOW64\Pkhjph32.exeC:\Windows\system32\Pkhjph32.exe61⤵
- Executes dropped EXE
PID:4568 -
C:\Windows\SysWOW64\Pemomqcn.exeC:\Windows\system32\Pemomqcn.exe62⤵
- Executes dropped EXE
PID:1104 -
C:\Windows\SysWOW64\Qlggjk32.exeC:\Windows\system32\Qlggjk32.exe63⤵
- Executes dropped EXE
PID:2912 -
C:\Windows\SysWOW64\Qkjgegae.exeC:\Windows\system32\Qkjgegae.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2872 -
C:\Windows\SysWOW64\Qepkbpak.exeC:\Windows\system32\Qepkbpak.exe65⤵
- Executes dropped EXE
PID:3988 -
C:\Windows\SysWOW64\Qhngolpo.exeC:\Windows\system32\Qhngolpo.exe66⤵PID:1076
-
C:\Windows\SysWOW64\Qcclld32.exeC:\Windows\system32\Qcclld32.exe67⤵PID:964
-
C:\Windows\SysWOW64\Qaflgago.exeC:\Windows\system32\Qaflgago.exe68⤵PID:4244
-
C:\Windows\SysWOW64\Ahqddk32.exeC:\Windows\system32\Ahqddk32.exe69⤵PID:4252
-
C:\Windows\SysWOW64\Acfhad32.exeC:\Windows\system32\Acfhad32.exe70⤵
- Drops file in System32 directory
PID:1176 -
C:\Windows\SysWOW64\Ajpqnneo.exeC:\Windows\system32\Ajpqnneo.exe71⤵PID:4732
-
C:\Windows\SysWOW64\Alnmjjdb.exeC:\Windows\system32\Alnmjjdb.exe72⤵PID:916
-
C:\Windows\SysWOW64\Aomifecf.exeC:\Windows\system32\Aomifecf.exe73⤵PID:116
-
C:\Windows\SysWOW64\Ajbmdn32.exeC:\Windows\system32\Ajbmdn32.exe74⤵
- Drops file in System32 directory
PID:3376 -
C:\Windows\SysWOW64\Akcjkfij.exeC:\Windows\system32\Akcjkfij.exe75⤵PID:3652
-
C:\Windows\SysWOW64\Aanbhp32.exeC:\Windows\system32\Aanbhp32.exe76⤵PID:436
-
C:\Windows\SysWOW64\Ahgjejhd.exeC:\Windows\system32\Ahgjejhd.exe77⤵PID:1232
-
C:\Windows\SysWOW64\Aoabad32.exeC:\Windows\system32\Aoabad32.exe78⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1884 -
C:\Windows\SysWOW64\Abponp32.exeC:\Windows\system32\Abponp32.exe79⤵PID:3968
-
C:\Windows\SysWOW64\Ahjgjj32.exeC:\Windows\system32\Ahjgjj32.exe80⤵
- Modifies registry class
PID:3536 -
C:\Windows\SysWOW64\Abbkcpma.exeC:\Windows\system32\Abbkcpma.exe81⤵PID:4148
-
C:\Windows\SysWOW64\Bfngdn32.exeC:\Windows\system32\Bfngdn32.exe82⤵
- Modifies registry class
PID:4820 -
C:\Windows\SysWOW64\Blhpqhlh.exeC:\Windows\system32\Blhpqhlh.exe83⤵
- Drops file in System32 directory
PID:1496 -
C:\Windows\SysWOW64\Bbdhiojo.exeC:\Windows\system32\Bbdhiojo.exe84⤵PID:748
-
C:\Windows\SysWOW64\Bljlfh32.exeC:\Windows\system32\Bljlfh32.exe85⤵PID:3880
-
C:\Windows\SysWOW64\Bkmmaeap.exeC:\Windows\system32\Bkmmaeap.exe86⤵PID:740
-
C:\Windows\SysWOW64\Bcddcbab.exeC:\Windows\system32\Bcddcbab.exe87⤵
- System Location Discovery: System Language Discovery
PID:2924 -
C:\Windows\SysWOW64\Bkoigdom.exeC:\Windows\system32\Bkoigdom.exe88⤵
- System Location Discovery: System Language Discovery
PID:2488 -
C:\Windows\SysWOW64\Bfendmoc.exeC:\Windows\system32\Bfendmoc.exe89⤵PID:3932
-
C:\Windows\SysWOW64\Bhcjqinf.exeC:\Windows\system32\Bhcjqinf.exe90⤵PID:3944
-
C:\Windows\SysWOW64\Bmofagfp.exeC:\Windows\system32\Bmofagfp.exe91⤵PID:4420
-
C:\Windows\SysWOW64\Bcinna32.exeC:\Windows\system32\Bcinna32.exe92⤵
- System Location Discovery: System Language Discovery
PID:4516 -
C:\Windows\SysWOW64\Bfgjjm32.exeC:\Windows\system32\Bfgjjm32.exe93⤵
- Drops file in System32 directory
- Modifies registry class
PID:1720 -
C:\Windows\SysWOW64\Bmabggdm.exeC:\Windows\system32\Bmabggdm.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1792 -
C:\Windows\SysWOW64\Bkdcbd32.exeC:\Windows\system32\Bkdcbd32.exe95⤵PID:2380
-
C:\Windows\SysWOW64\Bbnkonbd.exeC:\Windows\system32\Bbnkonbd.exe96⤵PID:700
-
C:\Windows\SysWOW64\Cjecpkcg.exeC:\Windows\system32\Cjecpkcg.exe97⤵
- System Location Discovery: System Language Discovery
PID:4592 -
C:\Windows\SysWOW64\Cmcolgbj.exeC:\Windows\system32\Cmcolgbj.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4968 -
C:\Windows\SysWOW64\Ckfphc32.exeC:\Windows\system32\Ckfphc32.exe99⤵PID:764
-
C:\Windows\SysWOW64\Ccmgiaig.exeC:\Windows\system32\Ccmgiaig.exe100⤵PID:1192
-
C:\Windows\SysWOW64\Cjgpfk32.exeC:\Windows\system32\Cjgpfk32.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2552 -
C:\Windows\SysWOW64\Ckilmcgb.exeC:\Windows\system32\Ckilmcgb.exe102⤵PID:5032
-
C:\Windows\SysWOW64\Ccpdoqgd.exeC:\Windows\system32\Ccpdoqgd.exe103⤵
- System Location Discovery: System Language Discovery
PID:4772 -
C:\Windows\SysWOW64\Cjjlkk32.exeC:\Windows\system32\Cjjlkk32.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:448 -
C:\Windows\SysWOW64\Cimmggfl.exeC:\Windows\system32\Cimmggfl.exe105⤵PID:4436
-
C:\Windows\SysWOW64\Cofecami.exeC:\Windows\system32\Cofecami.exe106⤵
- Modifies registry class
PID:3092 -
C:\Windows\SysWOW64\Cbeapmll.exeC:\Windows\system32\Cbeapmll.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:4532 -
C:\Windows\SysWOW64\Cfqmpl32.exeC:\Windows\system32\Cfqmpl32.exe108⤵PID:1492
-
C:\Windows\SysWOW64\Coiaiakf.exeC:\Windows\system32\Coiaiakf.exe109⤵PID:3708
-
C:\Windows\SysWOW64\Cbgnemjj.exeC:\Windows\system32\Cbgnemjj.exe110⤵PID:868
-
C:\Windows\SysWOW64\Ciafbg32.exeC:\Windows\system32\Ciafbg32.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3600 -
C:\Windows\SysWOW64\Cmmbbejp.exeC:\Windows\system32\Cmmbbejp.exe112⤵
- System Location Discovery: System Language Discovery
PID:4948 -
C:\Windows\SysWOW64\Ccgjopal.exeC:\Windows\system32\Ccgjopal.exe113⤵
- System Location Discovery: System Language Discovery
PID:1224 -
C:\Windows\SysWOW64\Dbjkkl32.exeC:\Windows\system32\Dbjkkl32.exe114⤵PID:2312
-
C:\Windows\SysWOW64\Djqblj32.exeC:\Windows\system32\Djqblj32.exe115⤵PID:2612
-
C:\Windows\SysWOW64\Dmoohe32.exeC:\Windows\system32\Dmoohe32.exe116⤵PID:5092
-
C:\Windows\SysWOW64\Dpnkdq32.exeC:\Windows\system32\Dpnkdq32.exe117⤵PID:3688
-
C:\Windows\SysWOW64\Dfgcakon.exeC:\Windows\system32\Dfgcakon.exe118⤵PID:4168
-
C:\Windows\SysWOW64\Difpmfna.exeC:\Windows\system32\Difpmfna.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4836 -
C:\Windows\SysWOW64\Dkdliame.exeC:\Windows\system32\Dkdliame.exe120⤵PID:840
-
C:\Windows\SysWOW64\Dbndfl32.exeC:\Windows\system32\Dbndfl32.exe121⤵PID:4496
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-