Analysis
max time kernel: 120s
max time network: 20s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 28/09/2024, 09:00
Behavioral task: behavioral1
Sample: 84d3a33b70b24744b4a0773cef92f13fe8cd4d10cc2a1fc780f16f1b6699631dN.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: 84d3a33b70b24744b4a0773cef92f13fe8cd4d10cc2a1fc780f16f1b6699631dN.exe
Resource: win10v2004-20240802-en
General
Target: 84d3a33b70b24744b4a0773cef92f13fe8cd4d10cc2a1fc780f16f1b6699631dN.exe
Size: 248KB
MD5: d21070b912c0c835dae68421c7968fe0
SHA1: e6681ea85d695aaaf35c417c2e5aa831c5228054
SHA256: 84d3a33b70b24744b4a0773cef92f13fe8cd4d10cc2a1fc780f16f1b6699631d
SHA512: db594f60759e80e53956a0077491e40ffe096b4c972d1eeae3ca0e29123ba01b79d1ab4d470bd26834e1d8cc0b8bd12d0cd0021a81833253f3d06cc1da32eb36
SSDEEP: 3072:or4BdWj0b+2WITkiiVAURfE+HXAB0kCySYo0B:mj5iiRs+HXc0uo0B
Malware Config
Extracted: berbew
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nimcallo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mgcflnfp.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ggohlf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ceablp32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Opmnle32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fipenn32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fncfohel.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pmnlfhik.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hfbicg32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aipickfe.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Khmamhek.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ldbcdhng.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gnmiegma.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jijbnppi.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bmhncg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bbnjphpe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hllkhoaj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Palgek32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mgcflnfp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Oldajoho.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lgobkdom.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Deckeo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Moedbl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Oflbmg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ojompp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Inkekelj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gjhbic32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jfpagd32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mhibik32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Behpeaqm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jeafgiai.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iikneggd.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fgelbhmg.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iekdhkfi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Knhnkc32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Oikpbklj.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ihoefn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bmhncg32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nkkjpf32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Plhdkhoq.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jklbed32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Encjpebq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fhngmnij.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kedeffhn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mihkoa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Impblnna.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cibpoi32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Oldajoho.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gfhniijm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mlhmhb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mpkjjofe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Coacdg32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kpgiln32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Akoghnnj.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mckdaojc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lhhhjhkf.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fiomhc32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jggljqcb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qhoeqide.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jmmmdd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Abjgjc32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kldofi32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dkkdcd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Knnagehi.exe
Executes dropped EXE 64 IoCs
pid | Process
2364 | Pfpdcm32.exe
2380 | Qfbahldf.exe
2732 | Qbiamm32.exe
2936 | Ahjcqcdm.exe
2840 | Aipickfe.exe
984 | Biecoj32.exe
2552 | Belcck32.exe
2104 | Cdejpg32.exe
2416 | Ckdlgq32.exe
1324 | Cfnmhnhm.exe
1540 | Dllnphkd.exe
1140 | Ddjpjj32.exe
1556 | Dgkike32.exe
2148 | Ejkampao.exe
1392 | Ejpkho32.exe
1456 | Eiehilaa.exe
3016 | Efihcpqk.exe
276 | Fbbfmqdm.exe
1856 | Fjnkac32.exe
1328 | Fcfojhhh.exe
2204 | Fdkheh32.exe
2036 | Gpaikiig.exe
2300 | Gpdfph32.exe
2088 | Gfpkbbmo.exe
1300 | Hincna32.exe
2260 | Hgbdge32.exe
2000 | Iopeagip.exe
2220 | Ihhjjm32.exe
2792 | Ifljcanj.exe
2800 | Ikkoagjo.exe
2692 | Jdfqomom.exe
2648 | Jnnehb32.exe
3068 | Jjefmc32.exe
1720 | Jijbnppi.exe
2888 | Jofhqiec.exe
2432 | Kmjhjndm.exe
1864 | Knnagehi.exe
2932 | Kbljmd32.exe
960 | Kldofi32.exe
2128 | Ljjkgfig.exe
2352 | Lfpllg32.exe
2136 | Lafpipoa.exe
3028 | Liaenblm.exe
2240 | Lfeegfkf.exe
1268 | Lmondpbc.exe
2860 | Lfgbmf32.exe
2012 | Lobgah32.exe
1724 | Mihkoa32.exe
432 | Macpcccp.exe
880 | Mmjqhd32.exe
2080 | Mgbeqjpd.exe
2708 | Mpkjjofe.exe
1688 | Mmojcceo.exe
2752 | Mggoli32.exe
2568 | Ndkoemji.exe
2196 | Nlfdjphd.exe
2420 | Nglhghgj.exe
1040 | Ncbilimn.exe
2680 | Nhpadpke.exe
1780 | Necandjo.exe
2984 | Nolffjap.exe
2176 | Ohdkop32.exe
1944 | Opoocb32.exe
2468 | Ogigpllh.exe
Loads dropped DLL 64 IoCs
pid | Process
2252 | 84d3a33b70b24744b4a0773cef92f13fe8cd4d10cc2a1fc780f16f1b6699631dN.exe
2252 | 84d3a33b70b24744b4a0773cef92f13fe8cd4d10cc2a1fc780f16f1b6699631dN.exe
2364 | Pfpdcm32.exe
2364 | Pfpdcm32.exe
2380 | Qfbahldf.exe
2380 | Qfbahldf.exe
2732 | Qbiamm32.exe
2732 | Qbiamm32.exe
2936 | Ahjcqcdm.exe
2936 | Ahjcqcdm.exe
2840 | Aipickfe.exe
2840 | Aipickfe.exe
984 | Biecoj32.exe
984 | Biecoj32.exe
2552 | Belcck32.exe
2552 | Belcck32.exe
2104 | Cdejpg32.exe
2104 | Cdejpg32.exe
2416 | Ckdlgq32.exe
2416 | Ckdlgq32.exe
1324 | Cfnmhnhm.exe
1324 | Cfnmhnhm.exe
1540 | Dllnphkd.exe
1540 | Dllnphkd.exe
1140 | Ddjpjj32.exe
1140 | Ddjpjj32.exe
1556 | Dgkike32.exe
1556 | Dgkike32.exe
2148 | Ejkampao.exe
2148 | Ejkampao.exe
1392 | Ejpkho32.exe
1392 | Ejpkho32.exe
1456 | Eiehilaa.exe
1456 | Eiehilaa.exe
3016 | Efihcpqk.exe
3016 | Efihcpqk.exe
276 | Fbbfmqdm.exe
276 | Fbbfmqdm.exe
1856 | Fjnkac32.exe
1856 | Fjnkac32.exe
1328 | Fcfojhhh.exe
1328 | Fcfojhhh.exe
2204 | Fdkheh32.exe
2204 | Fdkheh32.exe
2036 | Gpaikiig.exe
2036 | Gpaikiig.exe
2300 | Gpdfph32.exe
2300 | Gpdfph32.exe
2088 | Gfpkbbmo.exe
2088 | Gfpkbbmo.exe
1300 | Hincna32.exe
1300 | Hincna32.exe
2260 | Hgbdge32.exe
2260 | Hgbdge32.exe
2000 | Iopeagip.exe
2000 | Iopeagip.exe
2220 | Ihhjjm32.exe
2220 | Ihhjjm32.exe
2792 | Ifljcanj.exe
2792 | Ifljcanj.exe
2800 | Ikkoagjo.exe
2800 | Ikkoagjo.exe
2692 | Jdfqomom.exe
2692 | Jdfqomom.exe
Drops file in System32 directory 64 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\Omfoko32.exe | Oaonfncb.exe
File opened for modification | C:\Windows\SysWOW64\Fhhdoo32.exe | Empclg32.exe
File created | C:\Windows\SysWOW64\Mknigc32.dll | Cigijhne.exe
File opened for modification | C:\Windows\SysWOW64\Lagjhc32.exe | Leqjcb32.exe
File opened for modification | C:\Windows\SysWOW64\Nnpdbg32.exe | Mhaodqje.exe
File created | C:\Windows\SysWOW64\Hpfccdhg.dll | Dpocioad.exe
File opened for modification | C:\Windows\SysWOW64\Hlcimd32.exe | Heiaqjhc.exe
File opened for modification | C:\Windows\SysWOW64\Gmjejafa.exe | Geopeoif.exe
File created | C:\Windows\SysWOW64\Ccokomof.dll | Omddohbm.exe
File created | C:\Windows\SysWOW64\Abfonl32.exe | Ajkjij32.exe
File created | C:\Windows\SysWOW64\Alainbjj.dll | Jfeodehe.exe
File created | C:\Windows\SysWOW64\Onmhogkd.exe | Process not Found
File created | C:\Windows\SysWOW64\Hllkhoaj.exe | Haggkf32.exe
File created | C:\Windows\SysWOW64\Mflnoine.dll | Adaeai32.exe
File opened for modification | C:\Windows\SysWOW64\Dcpagg32.exe | Cjgmoahd.exe
File created | C:\Windows\SysWOW64\Bdgjhp32.exe | Bnnblfgm.exe
File created | C:\Windows\SysWOW64\Fffldg32.dll | Heomdbla.exe
File created | C:\Windows\SysWOW64\Cjopge32.dll | Cbhcankf.exe
File opened for modification | C:\Windows\SysWOW64\Aaqnmbdd.exe | Aieihpgi.exe
File opened for modification | C:\Windows\SysWOW64\Gqmqkn32.exe | Fgelbhmg.exe
File opened for modification | C:\Windows\SysWOW64\Fbqllnco.exe | Fbnpfnfa.exe
File created | C:\Windows\SysWOW64\Qlmngobj.dll | Hfanlpff.exe
File opened for modification | C:\Windows\SysWOW64\Inbbfk32.exe | Idjmnecm.exe
File created | C:\Windows\SysWOW64\Ediggoma.exe | Egegnk32.exe
File opened for modification | C:\Windows\SysWOW64\Jgmnhojl.exe | Jndjoi32.exe
File opened for modification | C:\Windows\SysWOW64\Bajqcqli.exe | Apjdin32.exe
File created | C:\Windows\SysWOW64\Cgicko32.exe | Cfjfal32.exe
File created | C:\Windows\SysWOW64\Kbeccb32.dll | Ejleamon.exe
File opened for modification | C:\Windows\SysWOW64\Hofodokn.exe | Hhmfhe32.exe
File created | C:\Windows\SysWOW64\Ikkoagjo.exe | Ifljcanj.exe
File created | C:\Windows\SysWOW64\Fbibaaia.dll | Ndkoemji.exe
File opened for modification | C:\Windows\SysWOW64\Cibpoi32.exe | Ccehgb32.exe
File created | C:\Windows\SysWOW64\Donmohni.exe | Dbjledoo.exe
File created | C:\Windows\SysWOW64\Ccjkclde.dll | Meikpi32.exe
File created | C:\Windows\SysWOW64\Dllnphkd.exe | Cfnmhnhm.exe
File opened for modification | C:\Windows\SysWOW64\Faanibeh.exe | Eopehg32.exe
File opened for modification | C:\Windows\SysWOW64\Oldajoho.exe | Opmpenbj.exe
File opened for modification | C:\Windows\SysWOW64\Dfambk32.exe | Djjlmj32.exe
File created | C:\Windows\SysWOW64\Ghodnmac.dll | Ocakjjok.exe
File created | C:\Windows\SysWOW64\Behpeaqm.exe | Bbjcif32.exe
File created | C:\Windows\SysWOW64\Ojmkof32.dll | Kbppfb32.exe
File created | C:\Windows\SysWOW64\Ppaimb32.dll | Ogqpjd32.exe
File created | C:\Windows\SysWOW64\Jfpagd32.exe | Iilqnp32.exe
File opened for modification | C:\Windows\SysWOW64\Dlompl32.exe | Daelpooi.exe
File opened for modification | C:\Windows\SysWOW64\Leoaod32.exe | Lpbigm32.exe
File created | C:\Windows\SysWOW64\Ipdldl32.dll | Mfnjhj32.exe
File opened for modification | C:\Windows\SysWOW64\Ldqkqf32.exe | Llefld32.exe
File opened for modification | C:\Windows\SysWOW64\Fpqjeiji.exe | Edjjph32.exe
File opened for modification | C:\Windows\SysWOW64\Kikcjdfd.exe | Jgjkhi32.exe
File opened for modification | C:\Windows\SysWOW64\Fbnpfnfa.exe | Ffhoam32.exe
File opened for modification | C:\Windows\SysWOW64\Iolojejd.exe | Ijofbnlm.exe
File created | C:\Windows\SysWOW64\Geopeoif.exe | Gdodllbc.exe
File opened for modification | C:\Windows\SysWOW64\Mipjbokm.exe | Mdcbjhme.exe
File created | C:\Windows\SysWOW64\Aoqjhiie.exe | Ageedflj.exe
File opened for modification | C:\Windows\SysWOW64\Jegknp32.exe | Jeenip32.exe
File created | C:\Windows\SysWOW64\Pohngd32.exe | Ogmjca32.exe
File opened for modification | C:\Windows\SysWOW64\Mhippbem.exe | Mhfckc32.exe
File created | C:\Windows\SysWOW64\Akoghnnj.exe | Qkmjbo32.exe
File opened for modification | C:\Windows\SysWOW64\Mnqhcc32.exe | Lhabemgi.exe
File opened for modification | C:\Windows\SysWOW64\Kmldajml.exe | Kfblep32.exe
File opened for modification | C:\Windows\SysWOW64\Mcpoicgg.exe | Mpacmghc.exe
File opened for modification | C:\Windows\SysWOW64\Dbjledoo.exe | Dojcci32.exe
File opened for modification | C:\Windows\SysWOW64\Fiomhc32.exe | Fkkmoo32.exe
File opened for modification | C:\Windows\SysWOW64\Ilpaqmkg.exe | Ijodiedi.exe
Program crash 1 IoCs
pid | pid_target | Process | procid_target
3004 | 3844 | Process not Found | 1062
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dkohanoc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ghjjoeei.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hepffelp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nocfdhfi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Odggfg32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gfadeaho.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Loaaab32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ppjidkcm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pekkga32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ociooe32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Obcekq32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jhaokqik.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 84d3a33b70b24744b4a0773cef92f13fe8cd4d10cc2a1fc780f16f1b6699631dN.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kbljmd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Aalcdngp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fohacl32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fjpbeecn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mfdmdlaj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hfpehq32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bjefcgpo.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Inciaamj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Febgfbhc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Eogckqkk.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mheqie32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Camlpldf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ehaleg32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hqlfpk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ecpkne32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hildollm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kbhdfa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hofodokn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nkofon32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ogfcbb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gnqolikm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lnpejklj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hdneohbk.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mmajllkb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dapbdocn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cjmaed32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qagiio32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hafppp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kagnipna.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Phbhpo32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ijofbnlm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Oibanm32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hfbicg32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ikfokb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Iccqedfa.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ecdhonoc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pkebig32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fpcgji32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Afnbop32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fbbfmqdm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mhibik32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fdkheh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nolffjap.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Iacmakkb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mphhbblp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cfnmhnhm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hhipcbdi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qhnlmjie.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Helnfj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Biecoj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nhpadpke.exe
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ojpedn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lhicao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agjjjp32.dll" Ejgkfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nmggnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lipneh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qmlknocg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Npdohg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdbgqm32.dll" Bclbhkdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghpjfl32.dll" Olkebejb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffknjjhh.dll" Bdghpggf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkemhafb.dll" Bloidc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hifejlha.dll" 
Nkipoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaeikoih.dll" Ioonhm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fbbfmqdm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ddmohbln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cliaeofi.dll" Lcihicad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Opempcpn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dmklikob.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bbakgjmj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Loaaab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pdkgcd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cbhcankf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gpihog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qhoeqide.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bdghpggf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Alpmep32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mlbadj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbbdeojc.dll" Ngkhiebk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Obqhea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djjanlnn.dll" Eqjepofl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Klkjbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gokcej32.dll" Omqnfiip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ipnigl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mmpodedg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpglhael.dll" Phbhpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eieonq32.dll" Hnapln32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdboqo32.dll" Aocdec32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckcdof32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iapjad32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqaedc32.dll" Kkechk32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cqkace32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dnkjlg32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfoahl32.dll" Hmheai32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ijodiedi.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Feaeni32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlcngfcn.dll" Inbbfk32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oikpbklj.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oikpbklj.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hpbkgbaf.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akocmjfk.dll" Jpfjfn32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qcgfcbbh.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ojphmfdc.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfoinl32.dll" Cqmnie32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Igqjfb32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mapmadjg.dll" Onbhdl32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mgbeqjpd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihengqff.dll" Lpcppgff.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hfpijngn.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fddcqm32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hfqlcg32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kenaoojo.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cgicko32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Heiaqjhc.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Acjmheap.exe
-
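The records above show one CLSID whose InProcServer32 default value is repointed, by one dropped executable after another, at a freshly dropped DLL under SysWow64; the same CLSID is what the "Adds autorun key to be loaded by Explorer.exe on startup" signature in the process list refers to, i.e. a ShellServiceObjectDelayLoad (SSODL) entry that Explorer resolves and loads at logon. The hunt script below is an added example, not part of the sandbox report or of any tooling it describes. It enumerates SSODL entries in both the native and the Wow6432Node view (the sample's writes land in the latter), resolves each CLSID to its InProcServer32 DLL the same way the writes above do, and flags entries that match this report's CLSID or whose DLL is missing or not validly signed. $KnownBadClsid is the CLSID from this report; the function name, output fields and the PowerShell 3.0+ requirement are this example's own choices.

```powershell
# Added hunt script, not part of the sandbox report: list every ShellServiceObjectDelayLoad
# (SSODL) entry in both registry views, resolve its CLSID to the InProcServer32 DLL that
# Explorer would load, and flag what looks like the persistence recorded in the report.
# Requires PowerShell 3.0+. $KnownBadClsid is the CLSID from this report; the function
# name and the output fields are this example's own choices (assumptions, not report data).
$KnownBadClsid = '{79FEACFF-FFCE-815E-A900-316290B5B738}'

function Get-SsodlEntry {
    [CmdletBinding()]
    param()

    # The 32-bit sample wrote to the Wow6432Node view; a hunt that reads only the native
    # view would miss it, so both views are checked against their matching CLSID roots.
    $views = @(
        [pscustomobject]@{
            View  = 'native'
            Ssodl = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
            Clsid = 'HKLM:\SOFTWARE\Classes\CLSID'
        },
        [pscustomobject]@{
            View  = 'wow64'
            Ssodl = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
            Clsid = 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID'
        }
    )

    foreach ($v in $views) {
        if (-not (Test-Path -LiteralPath $v.Ssodl)) { continue }
        $ssodl = Get-Item -LiteralPath $v.Ssodl
        foreach ($name in $ssodl.GetValueNames()) {
            # Each SSODL value is "<display name>" = "{CLSID}".
            $clsid     = [string]$ssodl.GetValue($name)
            $serverKey = Join-Path $v.Clsid "$clsid\InProcServer32"

            $dll   = $null
            $model = $null
            if (Test-Path -LiteralPath $serverKey) {
                $server = Get-Item -LiteralPath $serverKey
                # GetValue('') reads the key's default value, i.e. the DLL path.
                $dll   = [Environment]::ExpandEnvironmentVariables([string]$server.GetValue(''))
                $model = [string]$server.GetValue('ThreadingModel')
            }

            $onDisk = [bool]($dll -and (Test-Path -LiteralPath $dll))
            $status = 'NoFile'
            if ($onDisk) {
                $status = (Get-AuthenticodeSignature -FilePath $dll).Status.ToString()
            }

            $reasons = @()
            if ($clsid -eq $KnownBadClsid) { $reasons += 'CLSID matches the Berbew IoC' }
            if (-not $dll)                 { $reasons += 'CLSID has no InProcServer32' }
            elseif (-not $onDisk)          { $reasons += 'server DLL missing on disk' }
            elseif ($status -ne 'Valid')   { $reasons += "server DLL signature: $status" }

            [pscustomobject]@{
                View           = $v.View
                Name           = $name
                Clsid          = $clsid
                Dll            = $dll
                ThreadingModel = $model
                Signature      = $status
                Suspicious     = ($reasons.Count -gt 0)
                Reason         = ($reasons -join '; ')
            }
        }
    }
}

# Usage: run on the host under review; every row with Suspicious = True needs a look.
Get-SsodlEntry | Format-Table View, Name, Clsid, Dll, Signature, Suspicious, Reason -AutoSize
```

Treat a flag as a review hint rather than a verdict: Get-AuthenticodeSignature only recognises catalog-signed system files on recent Windows versions, so on older hosts Microsoft's own SSODL DLL can show as NotSigned, while a CLSID match or a DLL with an arbitrary eight-character name under SysWOW64, as in the records above, is the signal to act on.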
Suspicious use of WriteProcessMemory 64 IoCs
Each record is a parent writing into the memory of its direct child, the process listed one level below it in the tree under Processes; the 64 records are 16 parent/child pairs, each logged four times, and no write targets a process outside that spawn chain.
description | pid | Process | procid_target
PID 2252 wrote to memory of 2364 | 2252 | 84d3a33b70b24744b4a0773cef92f13fe8cd4d10cc2a1fc780f16f1b6699631dN.exe | 29 | logged 4 times
PID 2364 wrote to memory of 2380 | 2364 | Pfpdcm32.exe | 30 | logged 4 times
PID 2380 wrote to memory of 2732 | 2380 | Qfbahldf.exe | 31 | logged 4 times
PID 2732 wrote to memory of 2936 | 2732 | Qbiamm32.exe | 32 | logged 4 times
PID 2936 wrote to memory of 2840 | 2936 | Ahjcqcdm.exe | 33 | logged 4 times
PID 2840 wrote to memory of 984 | 2840 | Aipickfe.exe | 34 | logged 4 times
PID 984 wrote to memory of 2552 | 984 | Biecoj32.exe | 35 | logged 4 times
PID 2552 wrote to memory of 2104 | 2552 | Belcck32.exe | 36 | logged 4 times
PID 2104 wrote to memory of 2416 | 2104 | Cdejpg32.exe | 37 | logged 4 times
PID 2416 wrote to memory of 1324 | 2416 | Ckdlgq32.exe | 38 | logged 4 times
PID 1324 wrote to memory of 1540 | 1324 | Cfnmhnhm.exe | 39 | logged 4 times
PID 1540 wrote to memory of 1140 | 1540 | Dllnphkd.exe | 40 | logged 4 times
PID 1140 wrote to memory of 1556 | 1140 | Ddjpjj32.exe | 41 | logged 4 times
PID 1556 wrote to memory of 2148 | 1556 | Dgkike32.exe | 42 | logged 4 times
PID 2148 wrote to memory of 1392 | 2148 | Ejkampao.exe | 43 | logged 4 times
PID 1392 wrote to memory of 1456 | 1392 | Ejpkho32.exe | 44 | logged 4 times
Processes
-
Each entry is the direct child of the one above it, so the tree is a single chain 122 levels deep; the number in front of each entry is its nesting depth. The sample is launched from its quoted path; every later process is a dropped executable whose command line is C:\Windows\system32\<name>.exe but whose image path is recorded as C:\Windows\SysWOW64\<name>.exe, because the binaries are 32-bit and the WoW64 file system redirector maps their references to system32 onto SysWOW64.
1. C:\Users\Admin\AppData\Local\Temp\84d3a33b70b24744b4a0773cef92f13fe8cd4d10cc2a1fc780f16f1b6699631dN.exe (PID 2252), command line "C:\Users\Admin\AppData\Local\Temp\84d3a33b70b24744b4a0773cef92f13fe8cd4d10cc2a1fc780f16f1b6699631dN.exe"
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Pfpdcm32.exe (PID 2364)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Qfbahldf.exe (PID 2380)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Qbiamm32.exe (PID 2732)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Ahjcqcdm.exe (PID 2936)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Aipickfe.exe (PID 2840)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Biecoj32.exe (PID 984)
   - Executes dropped EXE
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Belcck32.exe (PID 2552)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Cdejpg32.exe (PID 2104)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Ckdlgq32.exe (PID 2416)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Cfnmhnhm.exe (PID 1324)
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Dllnphkd.exe (PID 1540)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Ddjpjj32.exe (PID 1140)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Dgkike32.exe (PID 1556)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Ejkampao.exe (PID 2148)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Ejpkho32.exe (PID 1392)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Eiehilaa.exe (PID 1456)
   - Executes dropped EXE
   - Loads dropped DLL
18. C:\Windows\SysWOW64\Efihcpqk.exe (PID 3016)
   - Executes dropped EXE
   - Loads dropped DLL
19. C:\Windows\SysWOW64\Fbbfmqdm.exe (PID 276)
   - Executes dropped EXE
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Modifies registry class
20. C:\Windows\SysWOW64\Fjnkac32.exe (PID 1856)
   - Executes dropped EXE
   - Loads dropped DLL
21. C:\Windows\SysWOW64\Fcfojhhh.exe (PID 1328)
   - Executes dropped EXE
   - Loads dropped DLL
22. C:\Windows\SysWOW64\Fdkheh32.exe (PID 2204)
   - Executes dropped EXE
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
23. C:\Windows\SysWOW64\Gpaikiig.exe (PID 2036)
   - Executes dropped EXE
   - Loads dropped DLL
24. C:\Windows\SysWOW64\Gpdfph32.exe (PID 2300)
   - Executes dropped EXE
   - Loads dropped DLL
25. C:\Windows\SysWOW64\Gfpkbbmo.exe (PID 2088)
   - Executes dropped EXE
   - Loads dropped DLL
26. C:\Windows\SysWOW64\Hincna32.exe (PID 1300)
   - Executes dropped EXE
   - Loads dropped DLL
27. C:\Windows\SysWOW64\Hgbdge32.exe (PID 2260)
   - Executes dropped EXE
   - Loads dropped DLL
28. C:\Windows\SysWOW64\Iopeagip.exe (PID 2000)
   - Executes dropped EXE
   - Loads dropped DLL
29. C:\Windows\SysWOW64\Ihhjjm32.exe (PID 2220)
   - Executes dropped EXE
   - Loads dropped DLL
30. C:\Windows\SysWOW64\Ifljcanj.exe (PID 2792)
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
31. C:\Windows\SysWOW64\Ikkoagjo.exe (PID 2800)
   - Executes dropped EXE
   - Loads dropped DLL
32. C:\Windows\SysWOW64\Jdfqomom.exe (PID 2692)
   - Executes dropped EXE
   - Loads dropped DLL
33. C:\Windows\SysWOW64\Jnnehb32.exe (PID 2648)
   - Executes dropped EXE
34. C:\Windows\SysWOW64\Jjefmc32.exe (PID 3068)
   - Executes dropped EXE
35. C:\Windows\SysWOW64\Jijbnppi.exe (PID 1720)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
36. C:\Windows\SysWOW64\Jofhqiec.exe (PID 2888)
   - Executes dropped EXE
37. C:\Windows\SysWOW64\Kmjhjndm.exe (PID 2432)
   - Executes dropped EXE
38. C:\Windows\SysWOW64\Knnagehi.exe (PID 1864)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
39. C:\Windows\SysWOW64\Kbljmd32.exe (PID 2932)
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
40. C:\Windows\SysWOW64\Kldofi32.exe (PID 960)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
41. C:\Windows\SysWOW64\Ljjkgfig.exe (PID 2128)
   - Executes dropped EXE
42. C:\Windows\SysWOW64\Lfpllg32.exe (PID 2352)
   - Executes dropped EXE
43. C:\Windows\SysWOW64\Lafpipoa.exe (PID 2136)
   - Executes dropped EXE
44. C:\Windows\SysWOW64\Liaenblm.exe (PID 3028)
   - Executes dropped EXE
45. C:\Windows\SysWOW64\Lfeegfkf.exe (PID 2240)
   - Executes dropped EXE
46. C:\Windows\SysWOW64\Lmondpbc.exe (PID 1268)
   - Executes dropped EXE
47. C:\Windows\SysWOW64\Lfgbmf32.exe (PID 2860)
   - Executes dropped EXE
48. C:\Windows\SysWOW64\Lobgah32.exe (PID 2012)
   - Executes dropped EXE
49. C:\Windows\SysWOW64\Mihkoa32.exe (PID 1724)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
50. C:\Windows\SysWOW64\Macpcccp.exe (PID 432)
   - Executes dropped EXE
51. C:\Windows\SysWOW64\Mmjqhd32.exe (PID 880)
   - Executes dropped EXE
52. C:\Windows\SysWOW64\Mgbeqjpd.exe (PID 2080)
   - Executes dropped EXE
   - Modifies registry class
53. C:\Windows\SysWOW64\Mpkjjofe.exe (PID 2708)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
54. C:\Windows\SysWOW64\Mmojcceo.exe (PID 1688)
   - Executes dropped EXE
55. C:\Windows\SysWOW64\Mggoli32.exe (PID 2752)
   - Executes dropped EXE
56. C:\Windows\SysWOW64\Ndkoemji.exe (PID 2568)
   - Executes dropped EXE
   - Drops file in System32 directory
57. C:\Windows\SysWOW64\Nlfdjphd.exe (PID 2196)
   - Executes dropped EXE
58. C:\Windows\SysWOW64\Nglhghgj.exe (PID 2420)
   - Executes dropped EXE
59. C:\Windows\SysWOW64\Ncbilimn.exe (PID 1040)
   - Executes dropped EXE
60. C:\Windows\SysWOW64\Nhpadpke.exe (PID 2680)
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
61. C:\Windows\SysWOW64\Necandjo.exe (PID 1780)
   - Executes dropped EXE
62. C:\Windows\SysWOW64\Nolffjap.exe (PID 2984)
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
63. C:\Windows\SysWOW64\Ohdkop32.exe (PID 2176)
   - Executes dropped EXE
64. C:\Windows\SysWOW64\Opoocb32.exe (PID 1944)
   - Executes dropped EXE
65. C:\Windows\SysWOW64\Ogigpllh.exe (PID 2468)
   - Executes dropped EXE
66. C:\Windows\SysWOW64\Odmhjp32.exe (PID 2032)
67. C:\Windows\SysWOW64\Oqdioaqf.exe (PID 2404)
68. C:\Windows\SysWOW64\Ognakk32.exe (PID 1260)
69. C:\Windows\SysWOW64\Oqfeda32.exe (PID 2528)
70. C:\Windows\SysWOW64\Ofcnmh32.exe (PID 2496)
71. C:\Windows\SysWOW64\Oqibjq32.exe (PID 1604)
72. C:\Windows\SysWOW64\Pkbcjn32.exe (PID 2808)
73. C:\Windows\SysWOW64\Pdkgcd32.exe (PID 2976)
   - Modifies registry class
74. C:\Windows\SysWOW64\Pncllifp.exe (PID 2744)
75. C:\Windows\SysWOW64\Pgkqeo32.exe (PID 952)
76. C:\Windows\SysWOW64\Pqdend32.exe (PID 1064)
77. C:\Windows\SysWOW64\Pnhegi32.exe (PID 2896)
78. C:\Windows\SysWOW64\Pafacd32.exe (PID 2008)
79. C:\Windows\SysWOW64\Qnjbmh32.exe (PID 2900)
80. C:\Windows\SysWOW64\Aeommfnf.exe (PID 2132)
81. C:\Windows\SysWOW64\Aeajcf32.exe (PID 1820)
82. C:\Windows\SysWOW64\Anlkakqa.exe (PID 844)
83. C:\Windows\SysWOW64\Bjclfmfe.exe (PID 1096)
84. C:\Windows\SysWOW64\Bamdcf32.exe (PID 2868)
85. C:\Windows\SysWOW64\Boadlk32.exe (PID 1284)
86. C:\Windows\SysWOW64\Bhiiepcl.exe (PID 1804)
87. C:\Windows\SysWOW64\Bpdnjb32.exe (PID 2212)
88. C:\Windows\SysWOW64\Bmhncg32.exe (PID 272)
   - Adds autorun key to be loaded by Explorer.exe on startup
89. C:\Windows\SysWOW64\Beccgi32.exe (PID 2988)
90. C:\Windows\SysWOW64\Cbhcankf.exe (PID 2576)
   - Drops file in System32 directory
   - Modifies registry class
91. C:\Windows\SysWOW64\Cpldjajo.exe (PID 2944)
92. C:\Windows\SysWOW64\Cclmlm32.exe (PID 2244)
93. C:\Windows\SysWOW64\Cleaebna.exe (PID 940)
94. C:\Windows\SysWOW64\Chkbjc32.exe (PID 2908)
95. C:\Windows\SysWOW64\Cnhjbjam.exe (PID 1532)
96. C:\Windows\SysWOW64\Dafchi32.exe (PID 1716)
97. C:\Windows\SysWOW64\Dkohanoc.exe (PID 3040)
   - System Location Discovery: System Language Discovery
98. C:\Windows\SysWOW64\Dlpdifda.exe (PID 2548)
99. C:\Windows\SysWOW64\Dcjleq32.exe (PID 832)
100. C:\Windows\SysWOW64\Dlbanfbo.exe (PID 1776)
101. C:\Windows\SysWOW64\Dhiacg32.exe (PID 2500)
102. C:\Windows\SysWOW64\Djhnmj32.exe (PID 2780)
103. C:\Windows\SysWOW64\Eoefea32.exe (PID 2124)
104. C:\Windows\SysWOW64\Efoobkej.exe (PID 2832)
105. C:\Windows\SysWOW64\Eogckqkk.exe (PID 2592)
   - System Location Discovery: System Language Discovery
106. C:\Windows\SysWOW64\Ehphdf32.exe (PID 3048)
107. C:\Windows\SysWOW64\Enmplm32.exe (PID 2064)
108. C:\Windows\SysWOW64\Eqklhh32.exe (PID 2904)
109. C:\Windows\SysWOW64\Enomam32.exe (PID 2864)
110. C:\Windows\SysWOW64\Eggajb32.exe (PID 2488)
111. C:\Windows\SysWOW64\Ejfnfn32.exe (PID 3024)
112. C:\Windows\SysWOW64\Ecnbpcje.exe (PID 2452)
113. C:\Windows\SysWOW64\Fndfmljk.exe (PID 2408)
114. C:\Windows\SysWOW64\Ffokan32.exe (PID 2424)
115. C:\Windows\SysWOW64\Fcckjb32.exe (PID 2852)
116. C:\Windows\SysWOW64\Fjmdgmnl.exe (PID 2672)
117. C:\Windows\SysWOW64\Fcehpbdm.exe (PID 2716)
118. C:\Windows\SysWOW64\Fefdhj32.exe (PID 2256)
119. C:\Windows\SysWOW64\Feiamj32.exe (PID 2396)
120. C:\Windows\SysWOW64\Fpnekc32.exe (PID 1816)
121. C:\Windows\SysWOW64\Gbmbgngb.exe (PID 2892)
122. C:\Windows\SysWOW64\Ghjjoeei.exe (PID 2472)
   - System Location Discovery: System Language Discovery
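A live-response check should be able to reproduce a chain like the one above from the running process table. The function below is an added example, not part of the sandbox report or of any tooling it describes: it snapshots Win32_Process once, walks from a given PID up through ParentProcessId, and flags every link whose image sits under SysWOW64 without a valid Authenticode signature, which is the shape of each dropped executable in this tree. The function and field names are this example's own choices; the CreationDate comparison is there because Windows recycles the PID of an exited parent, so a raw ParentProcessId can point at an unrelated newer process.

```powershell
# Added example, not part of the sandbox report: reconstruct the parent chain of a live
# process from Win32_Process and flag links with the shape seen in the report's tree
# (an image under SysWOW64 that carries no valid Authenticode signature).
# Requires PowerShell 3.0+. Function and field names are this example's own (assumptions).
function Get-ProcessChain {
    param(
        [Parameter(Mandatory = $true)][int]$StartPid,
        [int]$MaxDepth = 128
    )

    # Snapshot the process table once so every link is resolved against the same view.
    $byPid = @{}
    foreach ($p in Get-CimInstance -ClassName Win32_Process) {
        $byPid[[int]$p.ProcessId] = $p
    }

    $wow64Pattern = Join-Path $env:SystemRoot 'SysWOW64\*'
    $chain = @()
    $seen  = @{}
    $current = $StartPid
    for ($depth = 0; $depth -lt $MaxDepth; $depth++) {
        if (-not $byPid.ContainsKey($current) -or $seen.ContainsKey($current)) { break }
        $p = $byPid[$current]
        $seen[$current] = $true

        # ExecutablePath is empty for protected or already-exited images; treat that as unknown.
        $image  = $p.ExecutablePath
        $status = 'NoPath'
        if ($image -and (Test-Path -LiteralPath $image)) {
            $status = (Get-AuthenticodeSignature -FilePath $image).Status.ToString()
        }
        $inWow64 = [bool]($image -and ($image -like $wow64Pattern))

        $chain += [pscustomobject]@{
            Depth       = $depth
            ProcessId   = [int]$p.ProcessId
            ParentPid   = [int]$p.ParentProcessId
            Image       = $image
            CommandLine = $p.CommandLine
            Signature   = $status
            Suspicious  = ($inWow64 -and ($status -ne 'Valid'))
        }

        # PID reuse guard: a "parent" created after this process is not its real parent.
        $parent = $byPid[[int]$p.ParentProcessId]
        if (-not $parent) { break }
        if ($p.CreationDate -and $parent.CreationDate -and ($parent.CreationDate -gt $p.CreationDate)) { break }
        $current = [int]$p.ParentProcessId
    }
    return $chain
}

# Usage: walk up from the current shell; on an infected host a run against any of the
# dropped processes shows one Suspicious link per level, as in the tree above.
Get-ProcessChain -StartPid $PID |
    Format-Table Depth, ProcessId, ParentPid, Signature, Suspicious, Image -AutoSize
```

Run it as a user who can read the target processes (an elevated shell for processes owned by other sessions). Unsigned third-party software installed under SysWOW64 will also be flagged, so the result is a triage list to review against the image names and the registry writes recorded above, not a verdict on its own.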