Analysis
-
max time kernel
63s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
03-10-2024 21:24
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
9e95472265e118754f1a3695bcb7b96ec17f9d89fdfefbf3837b95519553e265N.exe
Resource
win7-20240729-en
windows7-x64
9 signatures
120 seconds
General
-
Target
9e95472265e118754f1a3695bcb7b96ec17f9d89fdfefbf3837b95519553e265N.exe
-
Size
163KB
-
MD5
b1509426c691de87de2bc6431b8bfed0
-
SHA1
ac02229ebc5ef16f2b2e497c4040c957d0e8defd
-
SHA256
9e95472265e118754f1a3695bcb7b96ec17f9d89fdfefbf3837b95519553e265
-
SHA512
c2de33857145c5988eda6417109242c704419a438dd0d8f9ecc5267157e6f73b2cb2670751aa1097c9bd701a550c87992217cd62d22cc2c335ee00d952121dc9
-
SSDEEP
3072:an0lgIK1fJMfGFbFxUzmmmmmmmmmmmmmm5mmmmmmQzmmmmmmVFmp0ltOrWKDBr+E:a0rK1hMOZFxxFu0LOf
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://master-x.com/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://crutop.ru/index.php
http://kaspersky.ru/index.php
http://color-bank.ru/index.php
http://adult-empire.com/index.php
http://virus-list.com/index.php
http://trojan.ru/index.php
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://fethard.biz/index.htm
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://kaspersky.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fijnabef.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkgbcofn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Maocekoo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fijnabef.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmhqokcq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nogmin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ihdmld32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkggnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bpfebmia.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbghdj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Facfpddd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdmbhnjj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Monjcp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncjbba32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gamifcmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Llbnnq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Doijcjde.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fladmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fladmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jkgbcofn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmkafhnb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nejkdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhjpnj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hahljg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hhfmbq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jclnnmic.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccpqjfnh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipfkabpg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ieeqpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mbjfcnkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nlbgkgcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Glkgcmbg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpimbcnf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnqkjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lmckeidj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhkhgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hlhfmqge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Honiikpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gddobpbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jdadadkl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kihbfg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mldgbcoe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iaobkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gamifcmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hoipnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kikokf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfceom32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gjpddigo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knjdimdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lggbmbfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljjhdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ciglaa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glkgcmbg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Memlki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djeljd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gaebfdba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Knoaeimg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lmhdph32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nickoldp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnnkec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ekddck32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmabqf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clclhmin.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkkhmadd.exe -
Executes dropped EXE 64 IoCs
pid Process 1300 Bhjpnj32.exe 2836 Bjiljf32.exe 2864 Bmgifa32.exe 2740 Bpfebmia.exe 3000 Bdaabk32.exe 2752 Blobmm32.exe 1524 Beggec32.exe 1744 Bpmkbl32.exe 2276 Ciepkajj.exe 2120 Clclhmin.exe 2280 Ciglaa32.exe 1796 Ckiiiine.exe 1760 Ccpqjfnh.exe 1144 Ckkenikc.exe 2556 Cdcjgnbc.exe 2324 Cgbfcjag.exe 2644 Cgdciiod.exe 2452 Dnnkec32.exe 1512 Dgfpni32.exe 1852 Djeljd32.exe 1640 Dcmpcjcf.exe 1664 Dgildi32.exe 988 Dpaqmnap.exe 2456 Dcpmijqc.exe 2608 Dofnnkfg.exe 1976 Dbejjfek.exe 3068 Doijcjde.exe 2984 Dcdfdi32.exe 2760 Elmkmo32.exe 656 Efeoedjo.exe 2568 Eqopfbfn.exe 2552 Ehfhgogp.exe 1520 Ekddck32.exe 2132 Eqamla32.exe 2176 Egkehllh.exe 2916 Ejiadgkl.exe 1860 Emhnqbjo.exe 2260 Edofbpja.exe 264 Egmbnkie.exe 2396 Engjkeab.exe 2428 Fqffgapf.exe 2364 Fjnkpf32.exe 2544 Fmlglb32.exe 580 Fcfohlmg.exe 1516 Fladmn32.exe 1788 Fblljhbo.exe 1884 Fihalb32.exe 1064 Fhkagonc.exe 576 Fpbihl32.exe 1672 Facfpddd.exe 2852 Fijnabef.exe 2708 Glijnmdj.exe 1668 Gbbbjg32.exe 2468 Gaebfdba.exe 2684 Gddobpbe.exe 3036 Glkgcmbg.exe 2524 Gnicoh32.exe 2184 Gahpkd32.exe 2188 Ghbhhnhk.exe 2192 Gjpddigo.exe 1484 Gnlpeh32.exe 1080 Gpmllpef.exe 2572 Gdihmo32.exe 1408 Gjbqjiem.exe -
Loads dropped DLL 64 IoCs
pid Process 2004 9e95472265e118754f1a3695bcb7b96ec17f9d89fdfefbf3837b95519553e265N.exe 2004 9e95472265e118754f1a3695bcb7b96ec17f9d89fdfefbf3837b95519553e265N.exe 1300 Bhjpnj32.exe 1300 Bhjpnj32.exe 2836 Bjiljf32.exe 2836 Bjiljf32.exe 2864 Bmgifa32.exe 2864 Bmgifa32.exe 2740 Bpfebmia.exe 2740 Bpfebmia.exe 3000 Bdaabk32.exe 3000 Bdaabk32.exe 2752 Blobmm32.exe 2752 Blobmm32.exe 1524 Beggec32.exe 1524 Beggec32.exe 1744 Bpmkbl32.exe 1744 Bpmkbl32.exe 2276 Ciepkajj.exe 2276 Ciepkajj.exe 2120 Clclhmin.exe 2120 Clclhmin.exe 2280 Ciglaa32.exe 2280 Ciglaa32.exe 1796 Ckiiiine.exe 1796 Ckiiiine.exe 1760 Ccpqjfnh.exe 1760 Ccpqjfnh.exe 1144 Ckkenikc.exe 1144 Ckkenikc.exe 2556 Cdcjgnbc.exe 2556 Cdcjgnbc.exe 2324 Cgbfcjag.exe 2324 Cgbfcjag.exe 2644 Cgdciiod.exe 2644 Cgdciiod.exe 2452 Dnnkec32.exe 2452 Dnnkec32.exe 1512 Dgfpni32.exe 1512 Dgfpni32.exe 1852 Djeljd32.exe 1852 Djeljd32.exe 1640 Dcmpcjcf.exe 1640 Dcmpcjcf.exe 1664 Dgildi32.exe 1664 Dgildi32.exe 988 Dpaqmnap.exe 988 Dpaqmnap.exe 2456 Dcpmijqc.exe 2456 Dcpmijqc.exe 2608 Dofnnkfg.exe 2608 Dofnnkfg.exe 1976 Dbejjfek.exe 1976 Dbejjfek.exe 3068 Doijcjde.exe 3068 Doijcjde.exe 2984 Dcdfdi32.exe 2984 Dcdfdi32.exe 2760 Elmkmo32.exe 2760 Elmkmo32.exe 656 Efeoedjo.exe 656 Efeoedjo.exe 2568 Eqopfbfn.exe 2568 Eqopfbfn.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Iialocke.dll Gdmbhnjj.exe File created C:\Windows\SysWOW64\Ejiadgkl.exe Egkehllh.exe File opened for modification C:\Windows\SysWOW64\Gnicoh32.exe Glkgcmbg.exe File opened for modification C:\Windows\SysWOW64\Gnlpeh32.exe Gjpddigo.exe File created C:\Windows\SysWOW64\Iopeoknn.exe Hkejnl32.exe File opened for modification C:\Windows\SysWOW64\Kfgjdlme.exe Kgdiho32.exe File opened for modification C:\Windows\SysWOW64\Llbnnq32.exe Lggbmbfc.exe File opened for modification C:\Windows\SysWOW64\Fcfohlmg.exe Fmlglb32.exe File created C:\Windows\SysWOW64\Hfnkji32.exe Hogcil32.exe File created C:\Windows\SysWOW64\Kcngcp32.exe Kobkbaac.exe File created C:\Windows\SysWOW64\Hknpkfec.dll Hlpmmpam.exe File created C:\Windows\SysWOW64\Qbbbol32.dll Kgdiho32.exe File opened for modification C:\Windows\SysWOW64\Mddibb32.exe Mpimbcnf.exe File created C:\Windows\SysWOW64\Naflocji.dll Monjcp32.exe File created C:\Windows\SysWOW64\Emhnqbjo.exe Ejiadgkl.exe File opened for modification C:\Windows\SysWOW64\Egmbnkie.exe Edofbpja.exe File created C:\Windows\SysWOW64\Hihpflaf.dll Icbkhnan.exe File created C:\Windows\SysWOW64\Mkggnp32.exe Mldgbcoe.exe File created C:\Windows\SysWOW64\Oemhjlha.exe Ncnlnaim.exe File created C:\Windows\SysWOW64\Lpqafeln.dll Bmgifa32.exe File created C:\Windows\SysWOW64\Fblljhbo.exe Fladmn32.exe File created C:\Windows\SysWOW64\Joekimld.exe Jdogldmo.exe File opened for modification C:\Windows\SysWOW64\Hogcil32.exe Hlhfmqge.exe File opened for modification C:\Windows\SysWOW64\Monjcp32.exe Mlpngd32.exe File opened for modification C:\Windows\SysWOW64\Nmhqokcq.exe Mlgdhcmb.exe File created C:\Windows\SysWOW64\Nhnemdbf.exe Ndbile32.exe File created C:\Windows\SysWOW64\Gcjajedk.dll Npppaejj.exe File created C:\Windows\SysWOW64\Olgpff32.exe Oihdjk32.exe File opened for modification C:\Windows\SysWOW64\Elmkmo32.exe Dcdfdi32.exe File created C:\Windows\SysWOW64\Oinpjm32.dll Efeoedjo.exe File created C:\Windows\SysWOW64\Oijehm32.dll Gihnkejd.exe File opened for modification C:\Windows\SysWOW64\Hlhfmqge.exe Hflndjin.exe File opened for modification C:\Windows\SysWOW64\Kimlqfeq.exe Keappgmg.exe File created C:\Windows\SysWOW64\Jdbmjldj.dll Nmogpj32.exe File opened for modification C:\Windows\SysWOW64\Fjnkpf32.exe Fqffgapf.exe File created C:\Windows\SysWOW64\Fijnabef.exe Facfpddd.exe File created C:\Windows\SysWOW64\Oefkcp32.dll Kfaljjdj.exe File opened for modification C:\Windows\SysWOW64\Ncjbba32.exe Npkfff32.exe File created C:\Windows\SysWOW64\Gaegla32.dll Nejkdm32.exe File created C:\Windows\SysWOW64\Oifcqnkn.dll Ghbhhnhk.exe File created C:\Windows\SysWOW64\Hdkaabnh.exe Haleefoe.exe File created C:\Windows\SysWOW64\Injlkf32.exe Iecdji32.exe File opened for modification C:\Windows\SysWOW64\Jbakpi32.exe Jkgbcofn.exe File opened for modification C:\Windows\SysWOW64\Npiiafpa.exe Nmjmekan.exe File opened for modification C:\Windows\SysWOW64\Cgdciiod.exe Cgbfcjag.exe File opened for modification C:\Windows\SysWOW64\Fijnabef.exe Facfpddd.exe File created C:\Windows\SysWOW64\Gddobpbe.exe Gaebfdba.exe File created C:\Windows\SysWOW64\Goplnb32.dll Gpmllpef.exe File created C:\Windows\SysWOW64\Hhfmbq32.exe Hdkaabnh.exe File created C:\Windows\SysWOW64\Mhkhgd32.exe Memlki32.exe File opened for modification C:\Windows\SysWOW64\Ihijhpdo.exe Iaobkf32.exe File created C:\Windows\SysWOW64\Ommbioja.dll Ihijhpdo.exe File created C:\Windows\SysWOW64\Hdjgff32.dll 9e95472265e118754f1a3695bcb7b96ec17f9d89fdfefbf3837b95519553e265N.exe File opened for modification C:\Windows\SysWOW64\Bpfebmia.exe Bmgifa32.exe File created C:\Windows\SysWOW64\Jchbfbij.dll Ciglaa32.exe File created C:\Windows\SysWOW64\Mqobfajn.dll Ehfhgogp.exe File created C:\Windows\SysWOW64\Ngppolhf.dll Ekddck32.exe File created C:\Windows\SysWOW64\Fpbihl32.exe Fhkagonc.exe File opened for modification C:\Windows\SysWOW64\Ipdolbbj.exe Inebpgbf.exe File created C:\Windows\SysWOW64\Jqfhqe32.exe Joekimld.exe File created C:\Windows\SysWOW64\Kioiffcn.exe Kfaljjdj.exe File created C:\Windows\SysWOW64\Pbmebabj.dll Glkgcmbg.exe File created C:\Windows\SysWOW64\Kkilgb32.exe Kikokf32.exe File opened for modification C:\Windows\SysWOW64\Knjdimdh.exe Kkkhmadd.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3120 3080 WerFault.exe 247 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfgjdlme.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lggbmbfc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mehbpjjk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bpmkbl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kimlqfeq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngcanq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 9e95472265e118754f1a3695bcb7b96ec17f9d89fdfefbf3837b95519553e265N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gddobpbe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlmphp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iokhcodo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lamjph32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpngmb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkejnl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfaljjdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blobmm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjiljf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iecdji32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfjjkhhg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncloha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncnlnaim.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjpddigo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ciglaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnlepioj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpaqmnap.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghbhhnhk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihijhpdo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlbgkgcc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmabqf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gamifcmi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgdciiod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgbibb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljcbcngi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Moqgiopk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgildi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hogcil32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Maocekoo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npkfff32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ciepkajj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipfkabpg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmgifa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnnkec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efeoedjo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfiaojkq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihdmld32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkdfmoha.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knoaeimg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mifkfhpa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhjpnj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpbihl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kioiffcn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lajmkhai.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmhqokcq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpiacp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnlpeh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdfmlc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kopnma32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lehfafgp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlhfmqge.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icdhnn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncjbba32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lekcffem.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dofnnkfg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jqfhqe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfnlcnih.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bpfebmia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Befddlni.dll" Cdcjgnbc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ehfhgogp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gaebfdba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpdopknp.dll" Iokhcodo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mjlejl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Npiiafpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bijpeihq.dll" Bpfebmia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onmfnc32.dll" Heedqe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmpiei32.dll" Lekcffem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kehglhah.dll" Dgfpni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Emhnqbjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Egmbnkie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmqicbma.dll" Gddobpbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Laackgka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecmdqkbq.dll" Nmmjjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nickoldp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bpfebmia.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gjpddigo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ekddck32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jgbmco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cldcdi32.dll" Lnlaomae.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eqopfbfn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Facfpddd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jdogldmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mkggnp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nmjmekan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npdmdbpm.dll" Gjpddigo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jnlepioj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nmhqokcq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Knoaeimg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kimlqfeq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fjnkpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Goplnb32.dll" Gpmllpef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmgnmlma.dll" Gdihmo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gihnkejd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlgfkmph.dll" Jfhmehji.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jclnnmic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jknicnpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mogllmge.dll" Hflndjin.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ndbile32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dabniqgg.dll" Dcmpcjcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omhbed32.dll" Dgildi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emdpcf32.dll" Hiockd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lnlaomae.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lcncbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmnhge32.dll" Ngcanq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjnhlm32.dll" Beggec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fblljhbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lmckeidj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lfnlcnih.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Djeljd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dcdfdi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fblljhbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jqkelimm.dll" Hlkcbp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jbakpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gleaik32.dll" Kcngcp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dpaqmnap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Piipgfbo.dll" Dpaqmnap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fpbihl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jfjjkhhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jnlepioj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kodghqop.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lmhdph32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2004 wrote to memory of 1300 2004 9e95472265e118754f1a3695bcb7b96ec17f9d89fdfefbf3837b95519553e265N.exe 30 PID 2004 wrote to memory of 1300 2004 9e95472265e118754f1a3695bcb7b96ec17f9d89fdfefbf3837b95519553e265N.exe 30 PID 2004 wrote to memory of 1300 2004 9e95472265e118754f1a3695bcb7b96ec17f9d89fdfefbf3837b95519553e265N.exe 30 PID 2004 wrote to memory of 1300 2004 9e95472265e118754f1a3695bcb7b96ec17f9d89fdfefbf3837b95519553e265N.exe 30 PID 1300 wrote to memory of 2836 1300 Bhjpnj32.exe 31 PID 1300 wrote to memory of 2836 1300 Bhjpnj32.exe 31 PID 1300 wrote to memory of 2836 1300 Bhjpnj32.exe 31 PID 1300 wrote to memory of 2836 1300 Bhjpnj32.exe 31 PID 2836 wrote to memory of 2864 2836 Bjiljf32.exe 32 PID 2836 wrote to memory of 2864 2836 Bjiljf32.exe 32 PID 2836 wrote to memory of 2864 2836 Bjiljf32.exe 32 PID 2836 wrote to memory of 2864 2836 Bjiljf32.exe 32 PID 2864 wrote to memory of 2740 2864 Bmgifa32.exe 33 PID 2864 wrote to memory of 2740 2864 Bmgifa32.exe 33 PID 2864 wrote to memory of 2740 2864 Bmgifa32.exe 33 PID 2864 wrote to memory of 2740 2864 Bmgifa32.exe 33 PID 2740 wrote to memory of 3000 2740 Bpfebmia.exe 34 PID 2740 wrote to memory of 3000 2740 Bpfebmia.exe 34 PID 2740 wrote to memory of 3000 2740 Bpfebmia.exe 34 PID 2740 wrote to memory of 3000 2740 Bpfebmia.exe 34 PID 3000 wrote to memory of 2752 3000 Bdaabk32.exe 35 PID 3000 wrote to memory of 2752 3000 Bdaabk32.exe 35 PID 3000 wrote to memory of 2752 3000 Bdaabk32.exe 35 PID 3000 wrote to memory of 2752 3000 Bdaabk32.exe 35 PID 2752 wrote to memory of 1524 2752 Blobmm32.exe 36 PID 2752 wrote to memory of 1524 2752 Blobmm32.exe 36 PID 2752 wrote to memory of 1524 2752 Blobmm32.exe 36 PID 2752 wrote to memory of 1524 2752 Blobmm32.exe 36 PID 1524 wrote to memory of 1744 1524 Beggec32.exe 37 PID 1524 wrote to memory of 1744 1524 Beggec32.exe 37 PID 1524 wrote to memory of 1744 1524 Beggec32.exe 37 PID 1524 wrote to memory of 1744 1524 Beggec32.exe 37 PID 1744 wrote to memory of 2276 1744 Bpmkbl32.exe 38 PID 1744 wrote to memory of 2276 1744 Bpmkbl32.exe 38 PID 1744 wrote to memory of 2276 1744 Bpmkbl32.exe 38 PID 1744 wrote to memory of 2276 1744 Bpmkbl32.exe 38 PID 2276 wrote to memory of 2120 2276 Ciepkajj.exe 39 PID 2276 wrote to memory of 2120 2276 Ciepkajj.exe 39 PID 2276 wrote to memory of 2120 2276 Ciepkajj.exe 39 PID 2276 wrote to memory of 2120 2276 Ciepkajj.exe 39 PID 2120 wrote to memory of 2280 2120 Clclhmin.exe 40 PID 2120 wrote to memory of 2280 2120 Clclhmin.exe 40 PID 2120 wrote to memory of 2280 2120 Clclhmin.exe 40 PID 2120 wrote to memory of 2280 2120 Clclhmin.exe 40 PID 2280 wrote to memory of 1796 2280 Ciglaa32.exe 41 PID 2280 wrote to memory of 1796 2280 Ciglaa32.exe 41 PID 2280 wrote to memory of 1796 2280 Ciglaa32.exe 41 PID 2280 wrote to memory of 1796 2280 Ciglaa32.exe 41 PID 1796 wrote to memory of 1760 1796 Ckiiiine.exe 42 PID 1796 wrote to memory of 1760 1796 Ckiiiine.exe 42 PID 1796 wrote to memory of 1760 1796 Ckiiiine.exe 42 PID 1796 wrote to memory of 1760 1796 Ckiiiine.exe 42 PID 1760 wrote to memory of 1144 1760 Ccpqjfnh.exe 43 PID 1760 wrote to memory of 1144 1760 Ccpqjfnh.exe 43 PID 1760 wrote to memory of 1144 1760 Ccpqjfnh.exe 43 PID 1760 wrote to memory of 1144 1760 Ccpqjfnh.exe 43 PID 1144 wrote to memory of 2556 1144 Ckkenikc.exe 44 PID 1144 wrote to memory of 2556 1144 Ckkenikc.exe 44 PID 1144 wrote to memory of 2556 1144 Ckkenikc.exe 44 PID 1144 wrote to memory of 2556 1144 Ckkenikc.exe 44 PID 2556 wrote to memory of 2324 2556 Cdcjgnbc.exe 45 PID 2556 wrote to memory of 2324 2556 Cdcjgnbc.exe 45 PID 2556 wrote to memory of 2324 2556 Cdcjgnbc.exe 45 PID 2556 wrote to memory of 2324 2556 Cdcjgnbc.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\9e95472265e118754f1a3695bcb7b96ec17f9d89fdfefbf3837b95519553e265N.exe"C:\Users\Admin\AppData\Local\Temp\9e95472265e118754f1a3695bcb7b96ec17f9d89fdfefbf3837b95519553e265N.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2004 -
C:\Windows\SysWOW64\Bhjpnj32.exeC:\Windows\system32\Bhjpnj32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1300 -
C:\Windows\SysWOW64\Bjiljf32.exeC:\Windows\system32\Bjiljf32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2836 -
C:\Windows\SysWOW64\Bmgifa32.exeC:\Windows\system32\Bmgifa32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2864 -
C:\Windows\SysWOW64\Bpfebmia.exeC:\Windows\system32\Bpfebmia.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2740 -
C:\Windows\SysWOW64\Bdaabk32.exeC:\Windows\system32\Bdaabk32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3000 -
C:\Windows\SysWOW64\Blobmm32.exeC:\Windows\system32\Blobmm32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2752 -
C:\Windows\SysWOW64\Beggec32.exeC:\Windows\system32\Beggec32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1524 -
C:\Windows\SysWOW64\Bpmkbl32.exeC:\Windows\system32\Bpmkbl32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1744 -
C:\Windows\SysWOW64\Ciepkajj.exeC:\Windows\system32\Ciepkajj.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2276 -
C:\Windows\SysWOW64\Clclhmin.exeC:\Windows\system32\Clclhmin.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2120 -
C:\Windows\SysWOW64\Ciglaa32.exeC:\Windows\system32\Ciglaa32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2280 -
C:\Windows\SysWOW64\Ckiiiine.exeC:\Windows\system32\Ckiiiine.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1796 -
C:\Windows\SysWOW64\Ccpqjfnh.exeC:\Windows\system32\Ccpqjfnh.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1760 -
C:\Windows\SysWOW64\Ckkenikc.exeC:\Windows\system32\Ckkenikc.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1144 -
C:\Windows\SysWOW64\Cdcjgnbc.exeC:\Windows\system32\Cdcjgnbc.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2556 -
C:\Windows\SysWOW64\Cgbfcjag.exeC:\Windows\system32\Cgbfcjag.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2324 -
C:\Windows\SysWOW64\Cgdciiod.exeC:\Windows\system32\Cgdciiod.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2644 -
C:\Windows\SysWOW64\Dnnkec32.exeC:\Windows\system32\Dnnkec32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2452 -
C:\Windows\SysWOW64\Dgfpni32.exeC:\Windows\system32\Dgfpni32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1512 -
C:\Windows\SysWOW64\Djeljd32.exeC:\Windows\system32\Djeljd32.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1852 -
C:\Windows\SysWOW64\Dcmpcjcf.exeC:\Windows\system32\Dcmpcjcf.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1640 -
C:\Windows\SysWOW64\Dgildi32.exeC:\Windows\system32\Dgildi32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1664 -
C:\Windows\SysWOW64\Dpaqmnap.exeC:\Windows\system32\Dpaqmnap.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:988 -
C:\Windows\SysWOW64\Dcpmijqc.exeC:\Windows\system32\Dcpmijqc.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2456 -
C:\Windows\SysWOW64\Dofnnkfg.exeC:\Windows\system32\Dofnnkfg.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2608 -
C:\Windows\SysWOW64\Dbejjfek.exeC:\Windows\system32\Dbejjfek.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1976 -
C:\Windows\SysWOW64\Doijcjde.exeC:\Windows\system32\Doijcjde.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:3068 -
C:\Windows\SysWOW64\Dcdfdi32.exeC:\Windows\system32\Dcdfdi32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2984 -
C:\Windows\SysWOW64\Elmkmo32.exeC:\Windows\system32\Elmkmo32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2760 -
C:\Windows\SysWOW64\Efeoedjo.exeC:\Windows\system32\Efeoedjo.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:656 -
C:\Windows\SysWOW64\Eqopfbfn.exeC:\Windows\system32\Eqopfbfn.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2568 -
C:\Windows\SysWOW64\Ehfhgogp.exeC:\Windows\system32\Ehfhgogp.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2552 -
C:\Windows\SysWOW64\Ekddck32.exeC:\Windows\system32\Ekddck32.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1520 -
C:\Windows\SysWOW64\Eqamla32.exeC:\Windows\system32\Eqamla32.exe35⤵
- Executes dropped EXE
PID:2132 -
C:\Windows\SysWOW64\Egkehllh.exeC:\Windows\system32\Egkehllh.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2176 -
C:\Windows\SysWOW64\Ejiadgkl.exeC:\Windows\system32\Ejiadgkl.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2916 -
C:\Windows\SysWOW64\Emhnqbjo.exeC:\Windows\system32\Emhnqbjo.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:1860 -
C:\Windows\SysWOW64\Edofbpja.exeC:\Windows\system32\Edofbpja.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2260 -
C:\Windows\SysWOW64\Egmbnkie.exeC:\Windows\system32\Egmbnkie.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:264 -
C:\Windows\SysWOW64\Engjkeab.exeC:\Windows\system32\Engjkeab.exe41⤵
- Executes dropped EXE
PID:2396 -
C:\Windows\SysWOW64\Fqffgapf.exeC:\Windows\system32\Fqffgapf.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2428 -
C:\Windows\SysWOW64\Fjnkpf32.exeC:\Windows\system32\Fjnkpf32.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:2364 -
C:\Windows\SysWOW64\Fmlglb32.exeC:\Windows\system32\Fmlglb32.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2544 -
C:\Windows\SysWOW64\Fcfohlmg.exeC:\Windows\system32\Fcfohlmg.exe45⤵
- Executes dropped EXE
PID:580 -
C:\Windows\SysWOW64\Fladmn32.exeC:\Windows\system32\Fladmn32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1516 -
C:\Windows\SysWOW64\Fblljhbo.exeC:\Windows\system32\Fblljhbo.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:1788 -
C:\Windows\SysWOW64\Fihalb32.exeC:\Windows\system32\Fihalb32.exe48⤵
- Executes dropped EXE
PID:1884 -
C:\Windows\SysWOW64\Fhkagonc.exeC:\Windows\system32\Fhkagonc.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1064 -
C:\Windows\SysWOW64\Fpbihl32.exeC:\Windows\system32\Fpbihl32.exe50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:576 -
C:\Windows\SysWOW64\Facfpddd.exeC:\Windows\system32\Facfpddd.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1672 -
C:\Windows\SysWOW64\Fijnabef.exeC:\Windows\system32\Fijnabef.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2852 -
C:\Windows\SysWOW64\Glijnmdj.exeC:\Windows\system32\Glijnmdj.exe53⤵
- Executes dropped EXE
PID:2708 -
C:\Windows\SysWOW64\Gbbbjg32.exeC:\Windows\system32\Gbbbjg32.exe54⤵
- Executes dropped EXE
PID:1668 -
C:\Windows\SysWOW64\Gaebfdba.exeC:\Windows\system32\Gaebfdba.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2468 -
C:\Windows\SysWOW64\Gddobpbe.exeC:\Windows\system32\Gddobpbe.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2684 -
C:\Windows\SysWOW64\Glkgcmbg.exeC:\Windows\system32\Glkgcmbg.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3036 -
C:\Windows\SysWOW64\Gnicoh32.exeC:\Windows\system32\Gnicoh32.exe58⤵
- Executes dropped EXE
PID:2524 -
C:\Windows\SysWOW64\Gahpkd32.exeC:\Windows\system32\Gahpkd32.exe59⤵
- Executes dropped EXE
PID:2184 -
C:\Windows\SysWOW64\Ghbhhnhk.exeC:\Windows\system32\Ghbhhnhk.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2188 -
C:\Windows\SysWOW64\Gjpddigo.exeC:\Windows\system32\Gjpddigo.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2192 -
C:\Windows\SysWOW64\Gnlpeh32.exeC:\Windows\system32\Gnlpeh32.exe62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1484 -
C:\Windows\SysWOW64\Gpmllpef.exeC:\Windows\system32\Gpmllpef.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1080 -
C:\Windows\SysWOW64\Gdihmo32.exeC:\Windows\system32\Gdihmo32.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:2572 -
C:\Windows\SysWOW64\Gjbqjiem.exeC:\Windows\system32\Gjbqjiem.exe65⤵
- Executes dropped EXE
PID:1408 -
C:\Windows\SysWOW64\Gieaef32.exeC:\Windows\system32\Gieaef32.exe66⤵PID:2352
-
C:\Windows\SysWOW64\Gamifcmi.exeC:\Windows\system32\Gamifcmi.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1748 -
C:\Windows\SysWOW64\Gdkebolm.exeC:\Windows\system32\Gdkebolm.exe68⤵PID:1172
-
C:\Windows\SysWOW64\Gfiaojkq.exeC:\Windows\system32\Gfiaojkq.exe69⤵
- System Location Discovery: System Language Discovery
PID:1476 -
C:\Windows\SysWOW64\Gihnkejd.exeC:\Windows\system32\Gihnkejd.exe70⤵
- Drops file in System32 directory
- Modifies registry class
PID:2872 -
C:\Windows\SysWOW64\Gpafgp32.exeC:\Windows\system32\Gpafgp32.exe71⤵PID:2876
-
C:\Windows\SysWOW64\Gdmbhnjj.exeC:\Windows\system32\Gdmbhnjj.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2828 -
C:\Windows\SysWOW64\Hflndjin.exeC:\Windows\system32\Hflndjin.exe73⤵
- Drops file in System32 directory
- Modifies registry class
PID:3052 -
C:\Windows\SysWOW64\Hlhfmqge.exeC:\Windows\system32\Hlhfmqge.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1332 -
C:\Windows\SysWOW64\Hogcil32.exeC:\Windows\system32\Hogcil32.exe75⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2420 -
C:\Windows\SysWOW64\Hfnkji32.exeC:\Windows\system32\Hfnkji32.exe76⤵PID:1592
-
C:\Windows\SysWOW64\Hhogaamj.exeC:\Windows\system32\Hhogaamj.exe77⤵PID:532
-
C:\Windows\SysWOW64\Hlkcbp32.exeC:\Windows\system32\Hlkcbp32.exe78⤵
- Modifies registry class
PID:2400 -
C:\Windows\SysWOW64\Hoipnl32.exeC:\Windows\system32\Hoipnl32.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:976 -
C:\Windows\SysWOW64\Hahljg32.exeC:\Windows\system32\Hahljg32.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:696 -
C:\Windows\SysWOW64\Hiockd32.exeC:\Windows\system32\Hiockd32.exe81⤵
- Modifies registry class
PID:556 -
C:\Windows\SysWOW64\Hlmphp32.exeC:\Windows\system32\Hlmphp32.exe82⤵
- System Location Discovery: System Language Discovery
PID:1704 -
C:\Windows\SysWOW64\Hbghdj32.exeC:\Windows\system32\Hbghdj32.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2656 -
C:\Windows\SysWOW64\Heedqe32.exeC:\Windows\system32\Heedqe32.exe84⤵
- Modifies registry class
PID:1584 -
C:\Windows\SysWOW64\Hhdqma32.exeC:\Windows\system32\Hhdqma32.exe85⤵PID:2728
-
C:\Windows\SysWOW64\Hlpmmpam.exeC:\Windows\system32\Hlpmmpam.exe86⤵
- Drops file in System32 directory
PID:3008 -
C:\Windows\SysWOW64\Honiikpa.exeC:\Windows\system32\Honiikpa.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2284 -
C:\Windows\SysWOW64\Haleefoe.exeC:\Windows\system32\Haleefoe.exe88⤵
- Drops file in System32 directory
PID:1180 -
C:\Windows\SysWOW64\Hdkaabnh.exeC:\Windows\system32\Hdkaabnh.exe89⤵
- Drops file in System32 directory
PID:2272 -
C:\Windows\SysWOW64\Hhfmbq32.exeC:\Windows\system32\Hhfmbq32.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2196 -
C:\Windows\SysWOW64\Hkejnl32.exeC:\Windows\system32\Hkejnl32.exe91⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2412 -
C:\Windows\SysWOW64\Iopeoknn.exeC:\Windows\system32\Iopeoknn.exe92⤵PID:1928
-
C:\Windows\SysWOW64\Iaobkf32.exeC:\Windows\system32\Iaobkf32.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1500 -
C:\Windows\SysWOW64\Ihijhpdo.exeC:\Windows\system32\Ihijhpdo.exe94⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2376 -
C:\Windows\SysWOW64\Ikgfdlcb.exeC:\Windows\system32\Ikgfdlcb.exe95⤵PID:1112
-
C:\Windows\SysWOW64\Inebpgbf.exeC:\Windows\system32\Inebpgbf.exe96⤵
- Drops file in System32 directory
PID:1548 -
C:\Windows\SysWOW64\Ipdolbbj.exeC:\Windows\system32\Ipdolbbj.exe97⤵PID:2964
-
C:\Windows\SysWOW64\Icbkhnan.exeC:\Windows\system32\Icbkhnan.exe98⤵
- Drops file in System32 directory
PID:2700 -
C:\Windows\SysWOW64\Ikicikap.exeC:\Windows\system32\Ikicikap.exe99⤵PID:1604
-
C:\Windows\SysWOW64\Inhoegqc.exeC:\Windows\system32\Inhoegqc.exe100⤵PID:1636
-
C:\Windows\SysWOW64\Ipfkabpg.exeC:\Windows\system32\Ipfkabpg.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2204 -
C:\Windows\SysWOW64\Icdhnn32.exeC:\Windows\system32\Icdhnn32.exe102⤵
- System Location Discovery: System Language Discovery
PID:2932 -
C:\Windows\SysWOW64\Iecdji32.exeC:\Windows\system32\Iecdji32.exe103⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3044 -
C:\Windows\SysWOW64\Injlkf32.exeC:\Windows\system32\Injlkf32.exe104⤵PID:2168
-
C:\Windows\SysWOW64\Iokhcodo.exeC:\Windows\system32\Iokhcodo.exe105⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2108 -
C:\Windows\SysWOW64\Ieeqpi32.exeC:\Windows\system32\Ieeqpi32.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2088 -
C:\Windows\SysWOW64\Ihdmld32.exeC:\Windows\system32\Ihdmld32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1068 -
C:\Windows\SysWOW64\Ipkema32.exeC:\Windows\system32\Ipkema32.exe108⤵PID:340
-
C:\Windows\SysWOW64\Iciaim32.exeC:\Windows\system32\Iciaim32.exe109⤵PID:2516
-
C:\Windows\SysWOW64\Jfhmehji.exeC:\Windows\system32\Jfhmehji.exe110⤵
- Modifies registry class
PID:2868 -
C:\Windows\SysWOW64\Jkdfmoha.exeC:\Windows\system32\Jkdfmoha.exe111⤵
- System Location Discovery: System Language Discovery
PID:2860 -
C:\Windows\SysWOW64\Jclnnmic.exeC:\Windows\system32\Jclnnmic.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2808 -
C:\Windows\SysWOW64\Jfjjkhhg.exeC:\Windows\system32\Jfjjkhhg.exe113⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2756 -
C:\Windows\SysWOW64\Jkgbcofn.exeC:\Windows\system32\Jkgbcofn.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1996 -
C:\Windows\SysWOW64\Jbakpi32.exeC:\Windows\system32\Jbakpi32.exe115⤵
- Modifies registry class
PID:404 -
C:\Windows\SysWOW64\Jdogldmo.exeC:\Windows\system32\Jdogldmo.exe116⤵
- Drops file in System32 directory
- Modifies registry class
PID:2212 -
C:\Windows\SysWOW64\Joekimld.exeC:\Windows\system32\Joekimld.exe117⤵
- Drops file in System32 directory
PID:1656 -
C:\Windows\SysWOW64\Jqfhqe32.exeC:\Windows\system32\Jqfhqe32.exe118⤵
- System Location Discovery: System Language Discovery
PID:2408 -
C:\Windows\SysWOW64\Jdadadkl.exeC:\Windows\system32\Jdadadkl.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2012 -
C:\Windows\SysWOW64\Jkllnn32.exeC:\Windows\system32\Jkllnn32.exe120⤵PID:2472
-
C:\Windows\SysWOW64\Jnjhjj32.exeC:\Windows\system32\Jnjhjj32.exe121⤵PID:1076
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-