Analysis
max time kernel: 93s
max time network: 94s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29/09/2024, 23:37
Static task: static1
Behavioral task: behavioral1
  Sample: 879b78b99cc921f8d1d15de78c6c313ba797d5f9ed97bd8082db3a87a72329cf.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 879b78b99cc921f8d1d15de78c6c313ba797d5f9ed97bd8082db3a87a72329cf.exe
  Resource: win10v2004-20240802-en
General
Target: 879b78b99cc921f8d1d15de78c6c313ba797d5f9ed97bd8082db3a87a72329cf.exe
Size: 77KB
MD5: eeeca96c0eed6328a66d706b23662e9b
SHA1: de0cee0a6bdbfd77464c76041da8ee877728f728
SHA256: 879b78b99cc921f8d1d15de78c6c313ba797d5f9ed97bd8082db3a87a72329cf
SHA512: 5ed9c2bac4fe83a9a7c65797dc322ef022b39d4fcd3eaeb15a4edbe358f1fed8bedc34f9d0fd3027665e492730ad1d704c48da687f65d17767097ec3a206882a
SSDEEP: 1536:cQCs+2jqXxrkpbxA3xSBt92LtR9wfi+TjRC/D:cXnBr0xA3xGOtwf1TjYD
Malware Config
Extracted
berbew
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bonjhi32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gcojhp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gfngdk32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kmmjjp32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kbaicf32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mnnlgkho.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cdoeaili.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cnffcajl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ddklgmeg.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Leihep32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pqmjab32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aedfnoii.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bepeinol.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Degdaj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Benpndej.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cddefn32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Imekbc32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kmadepao.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lmijenkg.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pdoclbla.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pjlldiji.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Blhhkn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Clakam32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kpeilj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lplpmi32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pdfjla32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cjfqhcei.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ojbinjbc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Aqijmq32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bmngcp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bmngcp32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gdccehcj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Imhhhc32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lplpmi32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pggbnlbj.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dhfqmf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ecqepd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jbncfi32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ocmjlpfa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pckfnn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cblcngli.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Caapocpa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kbaicf32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Anedfffb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bnadadld.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Degdaj32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ogdmaocp.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cdoeaili.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Clakam32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dlbchkfj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Homanp32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Miiman32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Npcodf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ceihplga.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dmpmpm32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bfabaf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Coijcg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hfifpj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hihble32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iehfgeqb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kmfmpo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mpjlngje.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pgbicm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cehbdcmp.exe
Executes dropped EXE 64 IoCs
pid | Process
412 | Acjjibbm.exe
2380 | Ajdbfl32.exe
2516 | Abkjgi32.exe
3256 | Adlfoapj.exe
4336 | Anbklj32.exe
4596 | Belcidgm.exe
5112 | Blfkeo32.exe
5016 | Bndgaj32.exe
1392 | Benpndej.exe
4724 | Blhhkn32.exe
2520 | Bngdgj32.exe
2440 | Baepceko.exe
4272 | Bhohpo32.exe
2056 | Bagmiehl.exe
892 | Blmafnhb.exe
772 | Bbgich32.exe
2656 | Blonlm32.exe
212 | Bonjhi32.exe
4800 | Cehbdcmp.exe
3260 | Clakam32.exe
2536 | Cblcngli.exe
1836 | Cejojb32.exe
2720 | Chhkfn32.exe
3808 | Cobcchan.exe
4324 | Caapocpa.exe
2676 | Chkhln32.exe
3920 | Clfdllpg.exe
3444 | Cbplif32.exe
4232 | Ceoheb32.exe
1340 | Cdaiaonb.exe
3228 | Cklanieo.exe
4496 | Ceaekade.exe
4588 | Cddefn32.exe
1936 | Clkngl32.exe
2816 | Coijcg32.exe
1780 | Decbqabb.exe
3188 | Dolfigic.exe
1724 | Ddhoangj.exe
2040 | Doncofgp.exe
3860 | Ddklgmeg.exe
3400 | Dlbchkfj.exe
3596 | Daolqa32.exe
1748 | Ddmhmm32.exe
2240 | Dldpnj32.exe
452 | Dcnhjdkd.exe
644 | Ddpebm32.exe
2596 | Dhkackjk.exe
4540 | Ecqepd32.exe
2136 | Eeoalp32.exe
4668 | Ehnnhk32.exe
3048 | Eogfeeoe.exe
1224 | Eccbed32.exe
4012 | Eeanao32.exe
4140 | Elkfnino.exe
1256 | Edgkcl32.exe
4936 | Elncdi32.exe
2304 | Eolopd32.exe
4364 | Eefhmobm.exe
2228 | Ehddijaq.exe
628 | Ekcpeeqd.exe
3088 | Eehdbn32.exe
4980 | Elbmohhg.exe
2968 | Fclelb32.exe
1844 | Fekahn32.exe
Drops file in System32 directory 64 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\Ejpimhhm.dll | Pqmjab32.exe
File created | C:\Windows\SysWOW64\Epfkjf32.dll | Blonlm32.exe
File opened for modification | C:\Windows\SysWOW64\Foceqceh.exe | Fdnackeb.exe
File opened for modification | C:\Windows\SysWOW64\Kpeilj32.exe | Kmfmpo32.exe
File created | C:\Windows\SysWOW64\Aemgbbfa.dll | Pjlldiji.exe
File created | C:\Windows\SysWOW64\Phdpggpc.dll | Bhohpo32.exe
File created | C:\Windows\SysWOW64\Mbbipipp.dll | Iioimd32.exe
File opened for modification | C:\Windows\SysWOW64\Fclelb32.exe | Elbmohhg.exe
File created | C:\Windows\SysWOW64\Jnhmebij.dll | Hihble32.exe
File opened for modification | C:\Windows\SysWOW64\Qdmpmp32.exe | Qmfhlcoo.exe
File opened for modification | C:\Windows\SysWOW64\Dmpmpm32.exe | Domldpcd.exe
File opened for modification | C:\Windows\SysWOW64\Hkfohq32.exe | Hihble32.exe
File opened for modification | C:\Windows\SysWOW64\Ipiajndn.exe | Ilmeip32.exe
File opened for modification | C:\Windows\SysWOW64\Dolfigic.exe | Decbqabb.exe
File created | C:\Windows\SysWOW64\Bjdcpmng.dll | Jeainchg.exe
File opened for modification | C:\Windows\SysWOW64\Cmgjjn32.exe | Cfmamdkm.exe
File opened for modification | C:\Windows\SysWOW64\Ddklgmeg.exe | Doncofgp.exe
File created | C:\Windows\SysWOW64\Daolqa32.exe | Dlbchkfj.exe
File created | C:\Windows\SysWOW64\Klkgii32.dll | Gkalfc32.exe
File opened for modification | C:\Windows\SysWOW64\Ibbckj32.exe | Icpconql.exe
File created | C:\Windows\SysWOW64\Eefhmobm.exe | Eolopd32.exe
File created | C:\Windows\SysWOW64\Gmbeic32.dll | Jimenb32.exe
File created | C:\Windows\SysWOW64\Jonfbg32.dll | Ndagjd32.exe
File created | C:\Windows\SysWOW64\Iijobeaf.exe | Hbpgekii.exe
File opened for modification | C:\Windows\SysWOW64\Lmmcqn32.exe | Lefkpq32.exe
File opened for modification | C:\Windows\SysWOW64\Pnghdh32.exe | Pjlldiji.exe
File created | C:\Windows\SysWOW64\Hoicjp32.dll | Pjnijihf.exe
File created | C:\Windows\SysWOW64\Aphcpenl.dll | Anbklj32.exe
File opened for modification | C:\Windows\SysWOW64\Chhkfn32.exe | Cejojb32.exe
File opened for modification | C:\Windows\SysWOW64\Dldpnj32.exe | Ddmhmm32.exe
File created | C:\Windows\SysWOW64\Dhkackjk.exe | Ddpebm32.exe
File created | C:\Windows\SysWOW64\Mbaohc32.dll | Pqhafcoc.exe
File opened for modification | C:\Windows\SysWOW64\Djpcnbmn.exe | Ddekah32.exe
File created | C:\Windows\SysWOW64\Icpconql.exe | Imekbc32.exe
File created | C:\Windows\SysWOW64\Minglmdk.exe | Mgokpbeh.exe
File created | C:\Windows\SysWOW64\Hafonb32.dll | Ojbinjbc.exe
File opened for modification | C:\Windows\SysWOW64\Pggbnlbj.exe | Pckfnn32.exe
File opened for modification | C:\Windows\SysWOW64\Jlkajnpd.exe | Jimenb32.exe
File created | C:\Windows\SysWOW64\Illiam32.dll | Ldlehg32.exe
File created | C:\Windows\SysWOW64\Mgokpbeh.exe | Mccooc32.exe
File created | C:\Windows\SysWOW64\Cqijbj32.dll | Mpjlngje.exe
File created | C:\Windows\SysWOW64\Pnakkf32.exe | Pggbnlbj.exe
File opened for modification | C:\Windows\SysWOW64\Bmkjnp32.exe | Bfabaf32.exe
File opened for modification | C:\Windows\SysWOW64\Dopijpab.exe | Dhfqmf32.exe
File created | C:\Windows\SysWOW64\Hkoihahd.exe | Hfbppkjm.exe
File created | C:\Windows\SysWOW64\Cggahk32.dll | Kbjcbgcl.exe
File opened for modification | C:\Windows\SysWOW64\Bjhdgeai.exe | Bcnljkjl.exe
File created | C:\Windows\SysWOW64\Bldpaojj.dll | Cehbdcmp.exe
File created | C:\Windows\SysWOW64\Djgkabec.dll | Goabba32.exe
File created | C:\Windows\SysWOW64\Mmdiamqj.exe | Miiman32.exe
File created | C:\Windows\SysWOW64\Ndjajeni.exe | Nlciih32.exe
File opened for modification | C:\Windows\SysWOW64\Gbmaim32.exe | Ghemph32.exe
File opened for modification | C:\Windows\SysWOW64\Pjnijihf.exe | Pcdqmo32.exe
File created | C:\Windows\SysWOW64\Cdoeaili.exe | Capiemme.exe
File created | C:\Windows\SysWOW64\Gdccehcj.exe | Gfpcjk32.exe
File opened for modification | C:\Windows\SysWOW64\Ipfddo32.exe | Imhhhc32.exe
File created | C:\Windows\SysWOW64\Jfqegfpj.exe | Jlkajnpd.exe
File created | C:\Windows\SysWOW64\Hmkpbinn.dll | Cdoeaili.exe
File opened for modification | C:\Windows\SysWOW64\Bndgaj32.exe | Blfkeo32.exe
File opened for modification | C:\Windows\SysWOW64\Pcbdgo32.exe | Pdoclbla.exe
File created | C:\Windows\SysWOW64\Jhlqjb32.dll | Cnopcb32.exe
File opened for modification | C:\Windows\SysWOW64\Eolopd32.exe | Elncdi32.exe
File opened for modification | C:\Windows\SysWOW64\Bfoelf32.exe | Bcqipk32.exe
File created | C:\Windows\SysWOW64\Aakfcp32.exe | Anmjfe32.exe
Program crash 1 IoCs
pid | pid_target | Process | procid_target
9124 | 8992 | WerFault.exe | 414
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jmcgcamo.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kbjcbgcl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kmogopcb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mlgjmi32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Npekjeph.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bnadadld.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bmngcp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Abkjgi32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Amhdab32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Afaijhcm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Baicdncn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cmifon32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nnilcjnb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jpdqemjp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kbaicf32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dhkackjk.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gbmaim32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hckjdn32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jlkajnpd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Onneoi32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ofijckhg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Omhlkeko.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bfabaf32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fhljjiki.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Daolqa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gbkdcnla.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gmebkf32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gkhbgb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Imhhhc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lbebneio.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mlqlch32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Clkngl32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Djpcnbmn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cmgjjn32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dailkl32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mmdiamqj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fekahn32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qqoggb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Elkfnino.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hohhbq32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hfifpj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hbpgekii.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Iillgdoc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pjlldiji.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Anedfffb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ehnnhk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Acicol32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bcqipk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Aefbcogf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gfngdk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mpgoig32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Flibpg32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lffhjcmb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ophhpene.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Aqijmq32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Eehdbn32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fkopad32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hbgdol32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jeolhdjj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qcnccm32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dopijpab.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fdegdj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cehbdcmp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Caapocpa.exe
Modifies registry class 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cmgjjn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Coijcg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pfgfdikg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hcmgin32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibcmfckd.dll" | Ibeqpj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Clakam32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hkfohq32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ocmjlpfa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Aqijmq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cqafqf32.dll" | Edgkcl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kianiamk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Imhhhc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jakijnkc.dll" | Kidkoa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Odjjqc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hccbkfjj.dll" | Dhfqmf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okhbpe32.dll" | Elbmohhg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ffpjcmjb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdeikd32.dll" | Ofncnkcb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlkack32.dll" | Hohhbq32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Minglmdk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Iioimd32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jifoncgi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jececc32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bccfej32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cejojb32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Fccklail.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hohhbq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kdpemidf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pggbnlbj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gfpcjk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mpgoig32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Blonlm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Qqoggb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjkafloa.dll" | Capiemme.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Deckfkof.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Iillgdoc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jifoncgi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Afaijhcm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgfmdj32.dll" | Bngdgj32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Eccbed32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jbcmahid.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nenjgm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bndgaj32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Eeoalp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nconka32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cdoeaili.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hbiadl32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dfakhc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofcdeela.dll" | Ajdbfl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dolfigic.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Moeghieq.dll" | Iillgdoc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Colpjg32.dll" | Ddekah32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hbknjkno.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fiaeni32.dll" | Pgbicm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdjdgonh.dll" | Benpndej.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gbmaim32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbpchile.dll" | Ofeqhl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Eogfeeoe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hkoihahd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Pnghdh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hefpnh32.dll" | Hegmqg32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mmdiamqj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Agglej32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkaejn32.dll" | Cmifon32.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 3940 wrote to memory of 412 | 3940 | 879b78b99cc921f8d1d15de78c6c313ba797d5f9ed97bd8082db3a87a72329cf.exe | 81
PID 3940 wrote to memory of 412 | 3940 | 879b78b99cc921f8d1d15de78c6c313ba797d5f9ed97bd8082db3a87a72329cf.exe | 81
PID 3940 wrote to memory of 412 | 3940 | 879b78b99cc921f8d1d15de78c6c313ba797d5f9ed97bd8082db3a87a72329cf.exe | 81
PID 412 wrote to memory of 2380 | 412 | Acjjibbm.exe | 82
PID 412 wrote to memory of 2380 | 412 | Acjjibbm.exe | 82
PID 412 wrote to memory of 2380 | 412 | Acjjibbm.exe | 82
PID 2380 wrote to memory of 2516 | 2380 | Ajdbfl32.exe | 83
PID 2380 wrote to memory of 2516 | 2380 | Ajdbfl32.exe | 83
PID 2380 wrote to memory of 2516 | 2380 | Ajdbfl32.exe | 83
PID 2516 wrote to memory of 3256 | 2516 | Abkjgi32.exe | 84
PID 2516 wrote to memory of 3256 | 2516 | Abkjgi32.exe | 84
PID 2516 wrote to memory of 3256 | 2516 | Abkjgi32.exe | 84
PID 3256 wrote to memory of 4336 | 3256 | Adlfoapj.exe | 85
PID 3256 wrote to memory of 4336 | 3256 | Adlfoapj.exe | 85
PID 3256 wrote to memory of 4336 | 3256 | Adlfoapj.exe | 85
PID 4336 wrote to memory of 4596 | 4336 | Anbklj32.exe | 86
PID 4336 wrote to memory of 4596 | 4336 | Anbklj32.exe | 86
PID 4336 wrote to memory of 4596 | 4336 | Anbklj32.exe | 86
PID 4596 wrote to memory of 5112 | 4596 | Belcidgm.exe | 87
PID 4596 wrote to memory of 5112 | 4596 | Belcidgm.exe | 87
PID 4596 wrote to memory of 5112 | 4596 | Belcidgm.exe | 87
PID 5112 wrote to memory of 5016 | 5112 | Blfkeo32.exe | 88
PID 5112 wrote to memory of 5016 | 5112 | Blfkeo32.exe | 88
PID 5112 wrote to memory of 5016 | 5112 | Blfkeo32.exe | 88
PID 5016 wrote to memory of 1392 | 5016 | Bndgaj32.exe | 89
PID 5016 wrote to memory of 1392 | 5016 | Bndgaj32.exe | 89
PID 5016 wrote to memory of 1392 | 5016 | Bndgaj32.exe | 89
PID 1392 wrote to memory of 4724 | 1392 | Benpndej.exe | 90
PID 1392 wrote to memory of 4724 | 1392 | Benpndej.exe | 90
PID 1392 wrote to memory of 4724 | 1392 | Benpndej.exe | 90
PID 4724 wrote to memory of 2520 | 4724 | Blhhkn32.exe | 91
PID 4724 wrote to memory of 2520 | 4724 | Blhhkn32.exe | 91
PID 4724 wrote to memory of 2520 | 4724 | Blhhkn32.exe | 91
PID 2520 wrote to memory of 2440 | 2520 | Bngdgj32.exe | 92
PID 2520 wrote to memory of 2440 | 2520 | Bngdgj32.exe | 92
PID 2520 wrote to memory of 2440 | 2520 | Bngdgj32.exe | 92
PID 2440 wrote to memory of 4272 | 2440 | Baepceko.exe | 93
PID 2440 wrote to memory of 4272 | 2440 | Baepceko.exe | 93
PID 2440 wrote to memory of 4272 | 2440 | Baepceko.exe | 93
PID 4272 wrote to memory of 2056 | 4272 | Bhohpo32.exe | 94
PID 4272 wrote to memory of 2056 | 4272 | Bhohpo32.exe | 94
PID 4272 wrote to memory of 2056 | 4272 | Bhohpo32.exe | 94
PID 2056 wrote to memory of 892 | 2056 | Bagmiehl.exe | 95
PID 2056 wrote to memory of 892 | 2056 | Bagmiehl.exe | 95
PID 2056 wrote to memory of 892 | 2056 | Bagmiehl.exe | 95
PID 892 wrote to memory of 772 | 892 | Blmafnhb.exe | 96
PID 892 wrote to memory of 772 | 892 | Blmafnhb.exe | 96
PID 892 wrote to memory of 772 | 892 | Blmafnhb.exe | 96
PID 772 wrote to memory of 2656 | 772 | Bbgich32.exe | 97
PID 772 wrote to memory of 2656 | 772 | Bbgich32.exe | 97
PID 772 wrote to memory of 2656 | 772 | Bbgich32.exe | 97
PID 2656 wrote to memory of 212 | 2656 | Blonlm32.exe | 98
PID 2656 wrote to memory of 212 | 2656 | Blonlm32.exe | 98
PID 2656 wrote to memory of 212 | 2656 | Blonlm32.exe | 98
PID 212 wrote to memory of 4800 | 212 | Bonjhi32.exe | 99
PID 212 wrote to memory of 4800 | 212 | Bonjhi32.exe | 99
PID 212 wrote to memory of 4800 | 212 | Bonjhi32.exe | 99
PID 4800 wrote to memory of 3260 | 4800 | Cehbdcmp.exe | 100
PID 4800 wrote to memory of 3260 | 4800 | Cehbdcmp.exe | 100
PID 4800 wrote to memory of 3260 | 4800 | Cehbdcmp.exe | 100
PID 3260 wrote to memory of 2536 | 3260 | Clakam32.exe | 101
PID 3260 wrote to memory of 2536 | 3260 | Clakam32.exe | 101
PID 3260 wrote to memory of 2536 | 3260 | Clakam32.exe | 101
PID 2536 wrote to memory of 1836 | 2536 | Cblcngli.exe | 102
Processes
-
C:\Users\Admin\AppData\Local\Temp\879b78b99cc921f8d1d15de78c6c313ba797d5f9ed97bd8082db3a87a72329cf.exe (command line: "C:\Users\Admin\AppData\Local\Temp\879b78b99cc921f8d1d15de78c6c313ba797d5f9ed97bd8082db3a87a72329cf.exe"), depth 1
- Suspicious use of WriteProcessMemory
PID:3940
-
C:\Windows\SysWOW64\Acjjibbm.exe (command line: C:\Windows\system32\Acjjibbm.exe), depth 2
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:412
-
C:\Windows\SysWOW64\Ajdbfl32.exe (command line: C:\Windows\system32\Ajdbfl32.exe), depth 3
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2380
-
C:\Windows\SysWOW64\Abkjgi32.exe (command line: C:\Windows\system32\Abkjgi32.exe), depth 4
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2516
-
C:\Windows\SysWOW64\Adlfoapj.exe (command line: C:\Windows\system32\Adlfoapj.exe), depth 5
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3256
-
C:\Windows\SysWOW64\Anbklj32.exe (command line: C:\Windows\system32\Anbklj32.exe), depth 6
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4336
-
C:\Windows\SysWOW64\Belcidgm.exe (command line: C:\Windows\system32\Belcidgm.exe), depth 7
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4596
-
C:\Windows\SysWOW64\Blfkeo32.exe (command line: C:\Windows\system32\Blfkeo32.exe), depth 8
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5112
-
C:\Windows\SysWOW64\Bndgaj32.exe (command line: C:\Windows\system32\Bndgaj32.exe), depth 9
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5016
-
C:\Windows\SysWOW64\Benpndej.exe (command line: C:\Windows\system32\Benpndej.exe), depth 10
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1392
-
C:\Windows\SysWOW64\Blhhkn32.exe (command line: C:\Windows\system32\Blhhkn32.exe), depth 11
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4724
-
C:\Windows\SysWOW64\Bngdgj32.exe (command line: C:\Windows\system32\Bngdgj32.exe), depth 12
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2520
-
C:\Windows\SysWOW64\Baepceko.exe (command line: C:\Windows\system32\Baepceko.exe), depth 13
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2440
-
C:\Windows\SysWOW64\Bhohpo32.exe (command line: C:\Windows\system32\Bhohpo32.exe), depth 14
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4272
-
C:\Windows\SysWOW64\Bagmiehl.exe (command line: C:\Windows\system32\Bagmiehl.exe), depth 15
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2056
-
C:\Windows\SysWOW64\Blmafnhb.exe (command line: C:\Windows\system32\Blmafnhb.exe), depth 16
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:892
-
C:\Windows\SysWOW64\Bbgich32.exe (command line: C:\Windows\system32\Bbgich32.exe), depth 17
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:772
-
C:\Windows\SysWOW64\Blonlm32.exe (command line: C:\Windows\system32\Blonlm32.exe), depth 18
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2656
-
C:\Windows\SysWOW64\Bonjhi32.exe (command line: C:\Windows\system32\Bonjhi32.exe), depth 19
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:212
-
C:\Windows\SysWOW64\Cehbdcmp.exe (command line: C:\Windows\system32\Cehbdcmp.exe), depth 20
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4800
-
C:\Windows\SysWOW64\Clakam32.exe (command line: C:\Windows\system32\Clakam32.exe), depth 21
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3260
-
C:\Windows\SysWOW64\Cblcngli.exe (command line: C:\Windows\system32\Cblcngli.exe), depth 22
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2536
-
C:\Windows\SysWOW64\Cejojb32.exe (command line: C:\Windows\system32\Cejojb32.exe), depth 23
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1836
-
C:\Windows\SysWOW64\Chhkfn32.exe (command line: C:\Windows\system32\Chhkfn32.exe), depth 24
- Executes dropped EXE
PID:2720
-
C:\Windows\SysWOW64\Cobcchan.exe (command line: C:\Windows\system32\Cobcchan.exe), depth 25
- Executes dropped EXE
PID:3808
-
C:\Windows\SysWOW64\Caapocpa.exe (command line: C:\Windows\system32\Caapocpa.exe), depth 26
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4324
-
C:\Windows\SysWOW64\Chkhln32.exe (command line: C:\Windows\system32\Chkhln32.exe), depth 27
- Executes dropped EXE
PID:2676
-
C:\Windows\SysWOW64\Clfdllpg.exe (command line: C:\Windows\system32\Clfdllpg.exe), depth 28
- Executes dropped EXE
PID:3920
-
C:\Windows\SysWOW64\Cbplif32.exe (command line: C:\Windows\system32\Cbplif32.exe), depth 29
- Executes dropped EXE
PID:3444
-
C:\Windows\SysWOW64\Ceoheb32.exe (command line: C:\Windows\system32\Ceoheb32.exe), depth 30
- Executes dropped EXE
PID:4232
-
C:\Windows\SysWOW64\Cdaiaonb.exe (command line: C:\Windows\system32\Cdaiaonb.exe), depth 31
- Executes dropped EXE
PID:1340
-
C:\Windows\SysWOW64\Cklanieo.exe (command line: C:\Windows\system32\Cklanieo.exe), depth 32
- Executes dropped EXE
PID:3228
-
C:\Windows\SysWOW64\Ceaekade.exe (command line: C:\Windows\system32\Ceaekade.exe), depth 33
- Executes dropped EXE
PID:4496
-
C:\Windows\SysWOW64\Cddefn32.exe (command line: C:\Windows\system32\Cddefn32.exe), depth 34
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4588
-
C:\Windows\SysWOW64\Clkngl32.exe (command line: C:\Windows\system32\Clkngl32.exe), depth 35
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1936
-
C:\Windows\SysWOW64\Coijcg32.exe (command line: C:\Windows\system32\Coijcg32.exe), depth 36
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2816
-
C:\Windows\SysWOW64\Decbqabb.exe (command line: C:\Windows\system32\Decbqabb.exe), depth 37
- Executes dropped EXE
- Drops file in System32 directory
PID:1780
-
C:\Windows\SysWOW64\Dolfigic.exe (command line: C:\Windows\system32\Dolfigic.exe), depth 38
- Executes dropped EXE
- Modifies registry class
PID:3188
-
C:\Windows\SysWOW64\Ddhoangj.exe (command line: C:\Windows\system32\Ddhoangj.exe), depth 39
- Executes dropped EXE
PID:1724
-
C:\Windows\SysWOW64\Doncofgp.exe (command line: C:\Windows\system32\Doncofgp.exe), depth 40
- Executes dropped EXE
- Drops file in System32 directory
PID:2040
-
C:\Windows\SysWOW64\Ddklgmeg.exe (command line: C:\Windows\system32\Ddklgmeg.exe), depth 41
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3860
-
C:\Windows\SysWOW64\Dlbchkfj.exe (command line: C:\Windows\system32\Dlbchkfj.exe), depth 42
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3400
-
C:\Windows\SysWOW64\Daolqa32.exe (command line: C:\Windows\system32\Daolqa32.exe), depth 43
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3596
-
C:\Windows\SysWOW64\Ddmhmm32.exe (command line: C:\Windows\system32\Ddmhmm32.exe), depth 44
- Executes dropped EXE
- Drops file in System32 directory
PID:1748
-
C:\Windows\SysWOW64\Dldpnj32.exe (command line: C:\Windows\system32\Dldpnj32.exe), depth 45
- Executes dropped EXE
PID:2240
-
C:\Windows\SysWOW64\Dcnhjdkd.exe (command line: C:\Windows\system32\Dcnhjdkd.exe), depth 46
- Executes dropped EXE
PID:452
-
C:\Windows\SysWOW64\Ddpebm32.exe (command line: C:\Windows\system32\Ddpebm32.exe), depth 47
- Executes dropped EXE
- Drops file in System32 directory
PID:644
-
C:\Windows\SysWOW64\Dhkackjk.exe (command line: C:\Windows\system32\Dhkackjk.exe), depth 48
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2596
-
C:\Windows\SysWOW64\Ecqepd32.exe (command line: C:\Windows\system32\Ecqepd32.exe), depth 49
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4540
-
C:\Windows\SysWOW64\Eeoalp32.exe (command line: C:\Windows\system32\Eeoalp32.exe), depth 50
- Executes dropped EXE
- Modifies registry class
PID:2136
-
C:\Windows\SysWOW64\Ehnnhk32.exe (command line: C:\Windows\system32\Ehnnhk32.exe), depth 51
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4668
-
C:\Windows\SysWOW64\Eogfeeoe.exe (command line: C:\Windows\system32\Eogfeeoe.exe), depth 52
- Executes dropped EXE
- Modifies registry class
PID:3048
-
C:\Windows\SysWOW64\Eccbed32.exe (command line: C:\Windows\system32\Eccbed32.exe), depth 53
- Executes dropped EXE
- Modifies registry class
PID:1224
-
C:\Windows\SysWOW64\Eeanao32.exe (command line: C:\Windows\system32\Eeanao32.exe), depth 54
- Executes dropped EXE
PID:4012
-
C:\Windows\SysWOW64\Elkfnino.exe (command line: C:\Windows\system32\Elkfnino.exe), depth 55
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4140
-
C:\Windows\SysWOW64\Edgkcl32.exe (command line: C:\Windows\system32\Edgkcl32.exe), depth 56
- Executes dropped EXE
- Modifies registry class
PID:1256
-
C:\Windows\SysWOW64\Elncdi32.exe (command line: C:\Windows\system32\Elncdi32.exe), depth 57
- Executes dropped EXE
- Drops file in System32 directory
PID:4936
-
C:\Windows\SysWOW64\Eolopd32.exe (command line: C:\Windows\system32\Eolopd32.exe), depth 58
- Executes dropped EXE
- Drops file in System32 directory
PID:2304
-
C:\Windows\SysWOW64\Eefhmobm.exe (command line: C:\Windows\system32\Eefhmobm.exe), depth 59
- Executes dropped EXE
PID:4364
-
C:\Windows\SysWOW64\Ehddijaq.exe (command line: C:\Windows\system32\Ehddijaq.exe), depth 60
- Executes dropped EXE
PID:2228
-
C:\Windows\SysWOW64\Ekcpeeqd.exe (command line: C:\Windows\system32\Ekcpeeqd.exe), depth 61
- Executes dropped EXE
PID:628
-
C:\Windows\SysWOW64\Eehdbn32.exe (command line: C:\Windows\system32\Eehdbn32.exe), depth 62
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3088
-
C:\Windows\SysWOW64\Elbmohhg.exe (command line: C:\Windows\system32\Elbmohhg.exe), depth 63
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4980
-
C:\Windows\SysWOW64\Fclelb32.exe (command line: C:\Windows\system32\Fclelb32.exe), depth 64
- Executes dropped EXE
PID:2968
-
C:\Windows\SysWOW64\Fekahn32.exe (command line: C:\Windows\system32\Fekahn32.exe), depth 65
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1844
-
C:\Windows\SysWOW64\Fdnackeb.exe (command line: C:\Windows\system32\Fdnackeb.exe), depth 66
- Drops file in System32 directory
PID:2788
-
C:\Windows\SysWOW64\Foceqceh.exe (command line: C:\Windows\system32\Foceqceh.exe), depth 67
PID:512
-
C:\Windows\SysWOW64\Faabmodl.exe (command line: C:\Windows\system32\Faabmodl.exe), depth 68
PID:4652
-
C:\Windows\SysWOW64\Ffmnmnle.exe (command line: C:\Windows\system32\Ffmnmnle.exe), depth 69
PID:1752
-
C:\Windows\SysWOW64\Fhljjiki.exe (command line: C:\Windows\system32\Fhljjiki.exe), depth 70
- System Location Discovery: System Language Discovery
PID:1060
-
C:\Windows\SysWOW64\Fcangbko.exe (command line: C:\Windows\system32\Fcangbko.exe), depth 71
PID:2364
-
C:\Windows\SysWOW64\Ffpjcmjb.exe (command line: C:\Windows\system32\Ffpjcmjb.exe), depth 72
- Modifies registry class
PID:760
-
C:\Windows\SysWOW64\Flibpg32.exe (command line: C:\Windows\system32\Flibpg32.exe), depth 73
- System Location Discovery: System Language Discovery
PID:4464
-
C:\Windows\SysWOW64\Fccklail.exe (command line: C:\Windows\system32\Fccklail.exe), depth 74
- Modifies registry class
PID:1624
-
C:\Windows\SysWOW64\Fdegdj32.exe (command line: C:\Windows\system32\Fdegdj32.exe), depth 75
- System Location Discovery: System Language Discovery
PID:4376
-
C:\Windows\SysWOW64\Fkopad32.exe (command line: C:\Windows\system32\Fkopad32.exe), depth 76
- System Location Discovery: System Language Discovery
PID:2236
-
C:\Windows\SysWOW64\Fbihnnnd.exe (command line: C:\Windows\system32\Fbihnnnd.exe), depth 77
PID:2316
-
C:\Windows\SysWOW64\Ffddnm32.exe (command line: C:\Windows\system32\Ffddnm32.exe), depth 78
PID:2324
-
C:\Windows\SysWOW64\Gkalfc32.exe (command line: C:\Windows\system32\Gkalfc32.exe), depth 79
- Drops file in System32 directory
PID:2528
-
C:\Windows\SysWOW64\Gchdga32.exe (command line: C:\Windows\system32\Gchdga32.exe), depth 80
PID:1516
-
C:\Windows\SysWOW64\Gbkdcnla.exe (command line: C:\Windows\system32\Gbkdcnla.exe), depth 81
- System Location Discovery: System Language Discovery
PID:4720
-
C:\Windows\SysWOW64\Ghemph32.exe (command line: C:\Windows\system32\Ghemph32.exe), depth 82
- Drops file in System32 directory
PID:3540
-
C:\Windows\SysWOW64\Gbmaim32.exe (command line: C:\Windows\system32\Gbmaim32.exe), depth 83
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1424
-
C:\Windows\SysWOW64\Ghgiegak.exe (command line: C:\Windows\system32\Ghgiegak.exe), depth 84
PID:3500
-
C:\Windows\SysWOW64\Goabba32.exe (command line: C:\Windows\system32\Goabba32.exe), depth 85
- Drops file in System32 directory
PID:1532
-
C:\Windows\SysWOW64\Gcmnbpaa.exe (command line: C:\Windows\system32\Gcmnbpaa.exe), depth 86
PID:3496
-
C:\Windows\SysWOW64\Gmebkf32.exe (command line: C:\Windows\system32\Gmebkf32.exe), depth 87
- System Location Discovery: System Language Discovery
PID:4784
-
C:\Windows\SysWOW64\Gkhbgb32.exe (command line: C:\Windows\system32\Gkhbgb32.exe), depth 88
- System Location Discovery: System Language Discovery
PID:4288
-
C:\Windows\SysWOW64\Gcojhp32.exe (command line: C:\Windows\system32\Gcojhp32.exe), depth 89
- Adds autorun key to be loaded by Explorer.exe on startup
PID:924
-
C:\Windows\SysWOW64\Gfngdk32.exe (command line: C:\Windows\system32\Gfngdk32.exe), depth 90
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1788
-
C:\Windows\SysWOW64\Gkjomb32.exe (command line: C:\Windows\system32\Gkjomb32.exe), depth 91
PID:2844
-
C:\Windows\SysWOW64\Gcagnp32.exe (command line: C:\Windows\system32\Gcagnp32.exe), depth 92
PID:3040
-
C:\Windows\SysWOW64\Gfpcjk32.exe (command line: C:\Windows\system32\Gfpcjk32.exe), depth 93
- Drops file in System32 directory
- Modifies registry class
PID:4136
-
C:\Windows\SysWOW64\Gdccehcj.exe (command line: C:\Windows\system32\Gdccehcj.exe), depth 94
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3656
-
C:\Windows\SysWOW64\Hmjlfecl.exe (command line: C:\Windows\system32\Hmjlfecl.exe), depth 95
PID:2216
-
C:\Windows\SysWOW64\Hohhbq32.exe (command line: C:\Windows\system32\Hohhbq32.exe), depth 96
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4204
-
C:\Windows\SysWOW64\Hbgdol32.exe (command line: C:\Windows\system32\Hbgdol32.exe), depth 97
- System Location Discovery: System Language Discovery
PID:2144
-
C:\Windows\SysWOW64\Hfbppkjm.exe (command line: C:\Windows\system32\Hfbppkjm.exe), depth 98
- Drops file in System32 directory
PID:3160
-
C:\Windows\SysWOW64\Hkoihahd.exe (command line: C:\Windows\system32\Hkoihahd.exe), depth 99
- Modifies registry class
PID:4388
-
C:\Windows\SysWOW64\Hokdhp32.exe (command line: C:\Windows\system32\Hokdhp32.exe), depth 100
PID:3320
-
C:\Windows\SysWOW64\Hbiadl32.exe (command line: C:\Windows\system32\Hbiadl32.exe), depth 101
- Modifies registry class
PID:1320
-
C:\Windows\SysWOW64\Hegmqg32.exe (command line: C:\Windows\system32\Hegmqg32.exe), depth 102
- Modifies registry class
PID:3872
-
C:\Windows\SysWOW64\Hmoead32.exe (command line: C:\Windows\system32\Hmoead32.exe), depth 103
PID:2524
-
C:\Windows\SysWOW64\Homanp32.exe (command line: C:\Windows\system32\Homanp32.exe), depth 104
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4576
-
C:\Windows\SysWOW64\Hbknjkno.exe (command line: C:\Windows\system32\Hbknjkno.exe), depth 105
- Modifies registry class
PID:4412
-
C:\Windows\SysWOW64\Hejjfgmb.exe (command line: C:\Windows\system32\Hejjfgmb.exe), depth 106
PID:4756
-
C:\Windows\SysWOW64\Hkdbca32.exe (command line: C:\Windows\system32\Hkdbca32.exe), depth 107
PID:2488
-
C:\Windows\SysWOW64\Hckjdn32.exe (command line: C:\Windows\system32\Hckjdn32.exe), depth 108
- System Location Discovery: System Language Discovery
PID:4148
-
C:\Windows\SysWOW64\Hfifpj32.exe (command line: C:\Windows\system32\Hfifpj32.exe), depth 109
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2256
-
C:\Windows\SysWOW64\Hihble32.exe (command line: C:\Windows\system32\Hihble32.exe), depth 110
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1540
-
C:\Windows\SysWOW64\Hkfohq32.exe (command line: C:\Windows\system32\Hkfohq32.exe), depth 111
- Modifies registry class
PID:4828
-
C:\Windows\SysWOW64\Hcmgin32.exe (command line: C:\Windows\system32\Hcmgin32.exe), depth 112
- Modifies registry class
PID:4976
-
C:\Windows\SysWOW64\Hbpgekii.exe (command line: C:\Windows\system32\Hbpgekii.exe), depth 113
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4820
-
C:\Windows\SysWOW64\Iijobeaf.exe (command line: C:\Windows\system32\Iijobeaf.exe), depth 114
PID:5020
-
C:\Windows\SysWOW64\Imekbc32.exe (command line: C:\Windows\system32\Imekbc32.exe), depth 115
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:4896
-
C:\Windows\SysWOW64\Icpconql.exe (command line: C:\Windows\system32\Icpconql.exe), depth 116
- Drops file in System32 directory
PID:4508
-
C:\Windows\SysWOW64\Ibbckj32.exe (command line: C:\Windows\system32\Ibbckj32.exe), depth 117
PID:1584
-
C:\Windows\SysWOW64\Iillgdoc.exe (command line: C:\Windows\system32\Iillgdoc.exe), depth 118
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1520
-
C:\Windows\SysWOW64\Imhhhc32.exe (command line: C:\Windows\system32\Imhhhc32.exe), depth 119
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5128
-
C:\Windows\SysWOW64\Ipfddo32.exe (command line: C:\Windows\system32\Ipfddo32.exe), depth 120
PID:5172
-
C:\Windows\SysWOW64\Ibeqpj32.exe (command line: C:\Windows\system32\Ibeqpj32.exe), depth 121
- Modifies registry class
PID:5216
-
C:\Windows\SysWOW64\Iioimd32.exe (command line: C:\Windows\system32\Iioimd32.exe), depth 122
- Drops file in System32 directory
- Modifies registry class
PID:5260