Analysis
max time kernel: 93s
max time network: 94s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
submitted: 29-09-2024 22:08
Behavioral task: behavioral1
Sample: 640756ea3174d7f821f0c941f6f2bdaab9840a0af5791d4ada35f34cceebbbe6.exe
Resource: win7-20240903-en
General
Target: 640756ea3174d7f821f0c941f6f2bdaab9840a0af5791d4ada35f34cceebbbe6.exe
Size: 163KB
MD5: fff21188df38bcfa7ba086276686f3c0
SHA1: b457fead8fc70b141b5e9ddfabdd5af31575d8d6
SHA256: 640756ea3174d7f821f0c941f6f2bdaab9840a0af5791d4ada35f34cceebbbe6
SHA512: 4aa786c382e77f50a78ee883eab93e0ec13f2416974b7d6cc23dca33bbd4cf4997816cb6f109aad8fe4e7c571a00e3b31d82c624ba300420f3c6caf58eea8676
SSDEEP: 1536:PapKLqx3N0vbZH6Th/W20/jyPelProNVU4qNVUrk/9QbfBr+7GwKrPAsqNVU:ypKL9voTh/WL/uPeltOrWKDBr+yJb
Malware Config
Extracted: berbew
Extracted: gozi
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Executes dropped EXE 64 IoCs
Drops file in System32 directory 64 IoCs
Program crash 1 IoCs
pid: 14900  pid_target: 14824  Process: WerFault.exe  procid_target: 777
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid: 13724  Process: Acping32.exe
Modifies registry class 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
Each process below is a child of the one listed before it; the bracketed number is the nesting depth shown in the sandbox's process tree, and the signatures matched for that process follow its path and PID.
- [1] C:\Users\Admin\AppData\Local\Temp\640756ea3174d7f821f0c941f6f2bdaab9840a0af5791d4ada35f34cceebbbe6.exe (PID 4060), command line "C:\Users\Admin\AppData\Local\Temp\640756ea3174d7f821f0c941f6f2bdaab9840a0af5791d4ada35f34cceebbbe6.exe"
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
- [2] C:\Windows\SysWOW64\Ajbeql32.exe (PID 956), command line C:\Windows\system32\Ajbeql32.exe
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
- [3] C:\Windows\SysWOW64\Aalnmfbi.exe (PID 1156), command line C:\Windows\system32\Aalnmfbi.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [4] C:\Windows\SysWOW64\Ahffjq32.exe (PID 1748), command line C:\Windows\system32\Ahffjq32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [5] C:\Windows\SysWOW64\Alaajobo.exe (PID 1628), command line C:\Windows\system32\Alaajobo.exe
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
- [6] C:\Windows\SysWOW64\Abkjgi32.exe (PID 1280), command line C:\Windows\system32\Abkjgi32.exe
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
- [7] C:\Windows\SysWOW64\Aanjcfqf.exe (PID 2900), command line C:\Windows\system32\Aanjcfqf.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [8] C:\Windows\SysWOW64\Alcnpopl.exe (PID 4648), command line C:\Windows\system32\Alcnpopl.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [9] C:\Windows\SysWOW64\Abngmihi.exe (PID 1492), command line C:\Windows\system32\Abngmihi.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [10] C:\Windows\SysWOW64\Bdocda32.exe (PID 1704), command line C:\Windows\system32\Bdocda32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [11] C:\Windows\SysWOW64\Blfkeo32.exe (PID 2692), command line C:\Windows\system32\Blfkeo32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [12] C:\Windows\SysWOW64\Bbpcbiff.exe (PID 2336), command line C:\Windows\system32\Bbpcbiff.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [13] C:\Windows\SysWOW64\Baccne32.exe (PID 2956), command line C:\Windows\system32\Baccne32.exe
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
- [14] C:\Windows\SysWOW64\Bjkhgkca.exe (PID 3048), command line C:\Windows\system32\Bjkhgkca.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [15] C:\Windows\SysWOW64\Baepceko.exe (PID 3936), command line C:\Windows\system32\Baepceko.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [16] C:\Windows\SysWOW64\Bbdmmh32.exe (PID 3000), command line C:\Windows\system32\Bbdmmh32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [17] C:\Windows\SysWOW64\Bhaefo32.exe (PID 4020), command line C:\Windows\system32\Bhaefo32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [18] C:\Windows\SysWOW64\Bbgich32.exe (PID 3480), command line C:\Windows\system32\Bbgich32.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [19] C:\Windows\SysWOW64\Bdhfkp32.exe (PID 180), command line C:\Windows\system32\Bdhfkp32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [20] C:\Windows\SysWOW64\Calfdd32.exe (PID 656), command line C:\Windows\system32\Calfdd32.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
- [21] C:\Windows\SysWOW64\Cehbdcmp.exe (PID 816), command line C:\Windows\system32\Cehbdcmp.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [22] C:\Windows\SysWOW64\Chfoqnlc.exe (PID 4364), command line C:\Windows\system32\Chfoqnlc.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
- [23] C:\Windows\SysWOW64\Caocjd32.exe (PID 2416), command line C:\Windows\system32\Caocjd32.exe
  - Executes dropped EXE
- [24] C:\Windows\SysWOW64\Chhkfn32.exe (PID 540), command line C:\Windows\system32\Chhkfn32.exe
  - Executes dropped EXE
- [25] C:\Windows\SysWOW64\Cldggmbj.exe (PID 3808), command line C:\Windows\system32\Cldggmbj.exe
  - Executes dropped EXE
  - Modifies registry class
- [26] C:\Windows\SysWOW64\Ckghbi32.exe (PID 4324), command line C:\Windows\system32\Ckghbi32.exe
  - Executes dropped EXE
  - Drops file in System32 directory
- [27] C:\Windows\SysWOW64\Cdolkope.exe (PID 2676), command line C:\Windows\system32\Cdolkope.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
- [28] C:\Windows\SysWOW64\Chkhln32.exe (PID 2508), command line C:\Windows\system32\Chkhln32.exe
  - Executes dropped EXE
- [29] C:\Windows\SysWOW64\Coephhok.exe (PID 3160), command line C:\Windows\system32\Coephhok.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
- [30] C:\Windows\SysWOW64\Cacmecno.exe (PID 3960), command line C:\Windows\system32\Cacmecno.exe
  - Executes dropped EXE
- [31] C:\Windows\SysWOW64\Cogmng32.exe (PID 1520), command line C:\Windows\system32\Cogmng32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Modifies registry class
- [32] C:\Windows\SysWOW64\Chpagmdi.exe (PID 1172), command line C:\Windows\system32\Chpagmdi.exe
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
- [33] C:\Windows\SysWOW64\Dahfpb32.exe (PID 4448), command line C:\Windows\system32\Dahfpb32.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
- [34] C:\Windows\SysWOW64\Decbqabb.exe (PID 2984), command line C:\Windows\system32\Decbqabb.exe
  - Executes dropped EXE
  - Modifies registry class
- [35] C:\Windows\SysWOW64\Dhbnmmaf.exe (PID 2916), command line C:\Windows\system32\Dhbnmmaf.exe
  - Executes dropped EXE
- [36] C:\Windows\SysWOW64\Dbgbje32.exe (PID 1688), command line C:\Windows\system32\Dbgbje32.exe
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
- [37] C:\Windows\SysWOW64\Defofa32.exe (PID 1660), command line C:\Windows\system32\Defofa32.exe
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
- [38] C:\Windows\SysWOW64\Dhdkbl32.exe (PID 684), command line C:\Windows\system32\Dhdkbl32.exe
  - Executes dropped EXE
- [39] C:\Windows\SysWOW64\Doncofgp.exe (PID 3560), command line C:\Windows\system32\Doncofgp.exe
  - Executes dropped EXE
- [40] C:\Windows\SysWOW64\Dehkkq32.exe (PID 1320), command line C:\Windows\system32\Dehkkq32.exe
  - Executes dropped EXE
- [41] C:\Windows\SysWOW64\Dhfhhl32.exe (PID 4312), command line C:\Windows\system32\Dhfhhl32.exe
  - Executes dropped EXE
- [42] C:\Windows\SysWOW64\Dlbchkfj.exe (PID 4476), command line C:\Windows\system32\Dlbchkfj.exe
  - Executes dropped EXE
- [43] C:\Windows\SysWOW64\Doqpdf32.exe (PID 4584), command line C:\Windows\system32\Doqpdf32.exe
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
- [44] C:\Windows\SysWOW64\Dejhapmj.exe (PID 4128), command line C:\Windows\system32\Dejhapmj.exe
  - Executes dropped EXE
  - Modifies registry class
- [45] C:\Windows\SysWOW64\Dldpnj32.exe (PID 3040), command line C:\Windows\system32\Dldpnj32.exe
  - Executes dropped EXE
- [46] C:\Windows\SysWOW64\Dcnhjdkd.exe (PID 2988), command line C:\Windows\system32\Dcnhjdkd.exe
  - Executes dropped EXE
- [47] C:\Windows\SysWOW64\Demefpjh.exe (PID 4644), command line C:\Windows\system32\Demefpjh.exe
  - Executes dropped EXE
  - Drops file in System32 directory
- [48] C:\Windows\SysWOW64\Dlgmcj32.exe (PID 4540), command line C:\Windows\system32\Dlgmcj32.exe
  - Executes dropped EXE
- [49] C:\Windows\SysWOW64\Eoeipeah.exe (PID 1876), command line C:\Windows\system32\Eoeipeah.exe
  - Executes dropped EXE
- [50] C:\Windows\SysWOW64\Eacelapl.exe (PID 2324), command line C:\Windows\system32\Eacelapl.exe
  - Executes dropped EXE
  - Modifies registry class
- [51] C:\Windows\SysWOW64\Edbbhlop.exe (PID 4664), command line C:\Windows\system32\Edbbhlop.exe
  - Executes dropped EXE
- [52] C:\Windows\SysWOW64\Ekljdf32.exe (PID 2432), command line C:\Windows\system32\Ekljdf32.exe
  - Executes dropped EXE
- [53] C:\Windows\SysWOW64\Eafbaqni.exe (PID 5012), command line C:\Windows\system32\Eafbaqni.exe
  - Executes dropped EXE
- [54] C:\Windows\SysWOW64\Eddomlmm.exe (PID 892), command line C:\Windows\system32\Eddomlmm.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
- [55] C:\Windows\SysWOW64\Ekngjf32.exe (PID 4836), command line C:\Windows\system32\Ekngjf32.exe
  - Executes dropped EXE
- [56] C:\Windows\SysWOW64\Edgkcl32.exe (PID 220), command line C:\Windows\system32\Edgkcl32.exe
  - Executes dropped EXE
- [57] C:\Windows\SysWOW64\Ehbgcjcc.exe (PID 2960), command line C:\Windows\system32\Ehbgcjcc.exe
  - Executes dropped EXE
- [58] C:\Windows\SysWOW64\Echkqcci.exe (PID 2468), command line C:\Windows\system32\Echkqcci.exe
  - Executes dropped EXE
  - Drops file in System32 directory
- [59] C:\Windows\SysWOW64\Eefhmobm.exe (PID 456), command line C:\Windows\system32\Eefhmobm.exe
  - Executes dropped EXE
- [60] C:\Windows\SysWOW64\Ekcpeeqd.exe (PID 2720), command line C:\Windows\system32\Ekcpeeqd.exe
  - Executes dropped EXE
- [61] C:\Windows\SysWOW64\Edkdnkge.exe (PID 628), command line C:\Windows\system32\Edkdnkge.exe
  - Executes dropped EXE
- [62] C:\Windows\SysWOW64\Ehgqoj32.exe (PID 1532), command line C:\Windows\system32\Ehgqoj32.exe
  - Executes dropped EXE
- [63] C:\Windows\SysWOW64\Ekemke32.exe (PID 2624), command line C:\Windows\system32\Ekemke32.exe
  - Executes dropped EXE
- [64] C:\Windows\SysWOW64\Fclelb32.exe (PID 1240), command line C:\Windows\system32\Fclelb32.exe
  - Executes dropped EXE
  - Modifies registry class
- [65] C:\Windows\SysWOW64\Fhimdi32.exe (PID 4232), command line C:\Windows\system32\Fhimdi32.exe
  - Executes dropped EXE
- [66] C:\Windows\SysWOW64\Fleidhfd.exe (PID 1664), command line C:\Windows\system32\Fleidhfd.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
- [67] C:\Windows\SysWOW64\Fcoaab32.exe (PID 4920), command line C:\Windows\system32\Fcoaab32.exe
- [68] C:\Windows\SysWOW64\Ffmnmnle.exe (PID 4652), command line C:\Windows\system32\Ffmnmnle.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
- [69] C:\Windows\SysWOW64\Fhljjiki.exe (PID 1284), command line C:\Windows\system32\Fhljjiki.exe
- [70] C:\Windows\SysWOW64\Foebfc32.exe (PID 4088), command line C:\Windows\system32\Foebfc32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
- [71] C:\Windows\SysWOW64\Fcangbko.exe (PID 3692), command line C:\Windows\system32\Fcangbko.exe
  - System Location Discovery: System Language Discovery
- [72] C:\Windows\SysWOW64\Ffpjcmjb.exe (PID 1984), command line C:\Windows\system32\Ffpjcmjb.exe
- [73] C:\Windows\SysWOW64\Fhngoiif.exe (PID 4464), command line C:\Windows\system32\Fhngoiif.exe
- [74] C:\Windows\SysWOW64\Fccklail.exe (PID 3504), command line C:\Windows\system32\Fccklail.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
- [75] C:\Windows\SysWOW64\Fhpceh32.exe (PID 4708), command line C:\Windows\system32\Fhpceh32.exe
  - Modifies registry class
- [76] C:\Windows\SysWOW64\Fllpegpl.exe (PID 2532), command line C:\Windows\system32\Fllpegpl.exe
- [77] C:\Windows\SysWOW64\Fojlabop.exe (PID 3956), command line C:\Windows\system32\Fojlabop.exe
- [78] C:\Windows\SysWOW64\Fdgdjimg.exe (PID 4424), command line C:\Windows\system32\Fdgdjimg.exe
- [79] C:\Windows\SysWOW64\Gkalfc32.exe (PID 3932), command line C:\Windows\system32\Gkalfc32.exe
  - System Location Discovery: System Language Discovery
- [80] C:\Windows\SysWOW64\Gomhgbmn.exe (PID 3256), command line C:\Windows\system32\Gomhgbmn.exe
- [81] C:\Windows\SysWOW64\Ghemph32.exe (PID 4012), command line C:\Windows\system32\Ghemph32.exe
- [82] C:\Windows\SysWOW64\Gooemb32.exe (PID 2608), command line C:\Windows\system32\Gooemb32.exe
- [83] C:\Windows\SysWOW64\Gcjamqcd.exe (PID 5020), command line C:\Windows\system32\Gcjamqcd.exe
  - Modifies registry class
- [84] C:\Windows\SysWOW64\Ghgiegak.exe (PID 2448), command line C:\Windows\system32\Ghgiegak.exe
- [85] C:\Windows\SysWOW64\Gmceff32.exe (PID 3088), command line C:\Windows\system32\Gmceff32.exe
- [86] C:\Windows\SysWOW64\Gbpnnm32.exe (PID 3444), command line C:\Windows\system32\Gbpnnm32.exe
  - Modifies registry class
- [87] C:\Windows\SysWOW64\Gdnjjh32.exe (PID 4616), command line C:\Windows\system32\Gdnjjh32.exe
  - System Location Discovery: System Language Discovery
- [88] C:\Windows\SysWOW64\Ghjfkgoi.exe (PID 2232), command line C:\Windows\system32\Ghjfkgoi.exe
- [89] C:\Windows\SysWOW64\Gbbkdmfi.exe (PID 4492), command line C:\Windows\system32\Gbbkdmfi.exe
  - System Location Discovery: System Language Discovery
- [90] C:\Windows\SysWOW64\Gmgoaeeo.exe (PID 4788), command line C:\Windows\system32\Gmgoaeeo.exe
- [91] C:\Windows\SysWOW64\Gkjomb32.exe (PID 4728), command line C:\Windows\system32\Gkjomb32.exe
- [92] C:\Windows\SysWOW64\Gcagnp32.exe (PID 1620), command line C:\Windows\system32\Gcagnp32.exe
- [93] C:\Windows\SysWOW64\Hmjlfecl.exe (PID 2184), command line C:\Windows\system32\Hmjlfecl.exe
- [94] C:\Windows\SysWOW64\Hohhbq32.exe (PID 4872), command line C:\Windows\system32\Hohhbq32.exe
- [95] C:\Windows\SysWOW64\Hcddcoki.exe (PID 2932), command line C:\Windows\system32\Hcddcoki.exe
- [96] C:\Windows\SysWOW64\Hfbppkjm.exe (PID 208), command line C:\Windows\system32\Hfbppkjm.exe
- [97] C:\Windows\SysWOW64\Hiqllfiq.exe (PID 2536), command line C:\Windows\system32\Hiqllfiq.exe
- [98] C:\Windows\SysWOW64\Hmlhle32.exe (PID 2144), command line C:\Windows\system32\Hmlhle32.exe
- [99] C:\Windows\SysWOW64\Hokdhp32.exe (PID 4048), command line C:\Windows\system32\Hokdhp32.exe
- [100] C:\Windows\SysWOW64\Hcfqioif.exe (PID 3664), command line C:\Windows\system32\Hcfqioif.exe
- [101] C:\Windows\SysWOW64\Hfdmejhj.exe (PID 2284), command line C:\Windows\system32\Hfdmejhj.exe
  - System Location Discovery: System Language Discovery
- [102] C:\Windows\SysWOW64\Hiciafgn.exe (PID 2616), command line C:\Windows\system32\Hiciafgn.exe
  - System Location Discovery: System Language Discovery
- [103] C:\Windows\SysWOW64\Hkaemafa.exe (PID 3272), command line C:\Windows\system32\Hkaemafa.exe
- [104] C:\Windows\SysWOW64\Homanp32.exe (PID 5080), command line C:\Windows\system32\Homanp32.exe
- [105] C:\Windows\SysWOW64\Hbknjkno.exe (PID 1564), command line C:\Windows\system32\Hbknjkno.exe
- [106] C:\Windows\SysWOW64\Hfgjjj32.exe (PID 2228), command line C:\Windows\system32\Hfgjjj32.exe
- [107] C:\Windows\SysWOW64\Hmabgdmd.exe (PID 368), command line C:\Windows\system32\Hmabgdmd.exe
  - Drops file in System32 directory
- [108] C:\Windows\SysWOW64\Hooncplh.exe (PID 4488), command line C:\Windows\system32\Hooncplh.exe
- [109] C:\Windows\SysWOW64\Hbnjpkll.exe (PID 1580), command line C:\Windows\system32\Hbnjpkll.exe
- [110] C:\Windows\SysWOW64\Helflfkp.exe (PID 1840), command line C:\Windows\system32\Helflfkp.exe
- [111] C:\Windows\SysWOW64\Hmcomdkb.exe (PID 4204), command line C:\Windows\system32\Hmcomdkb.exe
  - Modifies registry class
- [112] C:\Windows\SysWOW64\Hkfohq32.exe (PID 2788), command line C:\Windows\system32\Hkfohq32.exe
- [113] C:\Windows\SysWOW64\Hcmgin32.exe (PID 1928), command line C:\Windows\system32\Hcmgin32.exe
- [114] C:\Windows\SysWOW64\Hbpgekii.exe (PID 4984), command line C:\Windows\system32\Hbpgekii.exe
- [115] C:\Windows\SysWOW64\Iijobeaf.exe (PID 4000), command line C:\Windows\system32\Iijobeaf.exe
- [116] C:\Windows\SysWOW64\Imekbc32.exe (PID 1988), command line C:\Windows\system32\Imekbc32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Modifies registry class
- [117] C:\Windows\SysWOW64\Ipdgoo32.exe (PID 3036), command line C:\Windows\system32\Ipdgoo32.exe
  - System Location Discovery: System Language Discovery
- [118] C:\Windows\SysWOW64\Ibbckj32.exe (PID 3152), command line C:\Windows\system32\Ibbckj32.exe
- [119] C:\Windows\SysWOW64\Ieapgf32.exe (PID 3020), command line C:\Windows\system32\Ieapgf32.exe
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
- [120] C:\Windows\SysWOW64\Iillgdoc.exe (PID 5148), command line C:\Windows\system32\Iillgdoc.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Modifies registry class
- [121] C:\Windows\SysWOW64\Ikkhcpng.exe (PID 5192), command line C:\Windows\system32\Ikkhcpng.exe
  - Modifies registry class
- [122] C:\Windows\SysWOW64\Icbpdmoi.exe (PID 5236), command line C:\Windows\system32\Icbpdmoi.exe