Analysis
-
max time kernel
33s -
max time network
18s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
04/10/2024, 22:06
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
07374d3dc05c6b533bf39eaac203d947ac07cb9cf9a86c50a62ca24aa4d0d364N.exe
Resource
win7-20240708-en
windows7-x64
9 signatures
120 seconds
Behavioral task
behavioral2
Sample
07374d3dc05c6b533bf39eaac203d947ac07cb9cf9a86c50a62ca24aa4d0d364N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
8 signatures
120 seconds
General
-
Target
07374d3dc05c6b533bf39eaac203d947ac07cb9cf9a86c50a62ca24aa4d0d364N.exe
-
Size
62KB
-
MD5
e5c8140218491b7a86182940451eb1a0
-
SHA1
6f1bf434192c8c4bf8c9a8779230a04e3def9e27
-
SHA256
07374d3dc05c6b533bf39eaac203d947ac07cb9cf9a86c50a62ca24aa4d0d364
-
SHA512
7455c68d0414161ec04a545811785b3a27e3fe0e2a8a1d3c76e44c6f967abf13c631817fa61d471b76a393efe85a5c6b61280d5a45f18d43edb1f633afd586ed
-
SSDEEP
1536:sgFSi0UKrNVwXYvyLRe66t2Qmjygve8Cy:byUcwXYvyt6MQEdve8
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://master-x.com/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://crutop.ru/index.php
http://kaspersky.ru/index.php
http://color-bank.ru/index.php
http://adult-empire.com/index.php
http://virus-list.com/index.php
http://trojan.ru/index.php
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://fethard.biz/index.htm
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://kaspersky.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lqmliqfj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcagkmaj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjpicfdb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehlmnfeo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdlbckee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ldlghhde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmmiaknb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kifgllbc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gnlbnagl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jhfljm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnffnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nepkia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oohlaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nilpmo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mncfgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Adbmjbif.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Faikbkhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jaoblk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjdnmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kegebn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pdffcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aglhph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hkpaoape.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Khmnio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lnipgp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Adhohapp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cneiki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fdpjcaij.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gopnca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hecjco32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llkgpmck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mmpmjpba.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akhkkmdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Akbgdkgm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oolelj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ghnfci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbgjmcba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajmhljip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hnlqemal.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcgnphgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jilkbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ddnaonia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ohbmppia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hgmfjdbe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jephgi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjcfco32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppegdapd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iniglajj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idepdhia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oaeacppk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eiimci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gqendf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmloigln.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qkpnph32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdpfbd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpnobi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifqfge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ppegdapd.exe -
Executes dropped EXE 64 IoCs
pid Process 324 Dcblgbfe.exe 2348 Deahcneh.exe 2912 Dpflqfeo.exe 2108 Eagiho32.exe 2872 Elmmegkb.exe 2712 Eokiabjf.exe 1916 Ehdnkh32.exe 2528 Enqfco32.exe 2760 Edkopifk.exe 2920 Ehfkphnd.exe 3044 Encchoml.exe 2308 Edmkei32.exe 308 Eaalom32.exe 2764 Ecbhfeip.exe 860 Fjlqcppm.exe 892 Fqfipj32.exe 2552 Ffcahq32.exe 2136 Flmidkmn.exe 2184 Fgbnbcmd.exe 2252 Ffenmp32.exe 2164 Fqkbkicd.exe 856 Fjcfco32.exe 2024 Fkdckgpc.exe 1928 Ffjghppi.exe 660 Fmdpejgf.exe 2888 Foblaefj.exe 2880 Gdodjlda.exe 2876 Gkimff32.exe 2680 Geaaolbo.exe 1608 Gkkilfjk.exe 1272 Gbeaip32.exe 1744 Gcgnphgf.exe 2312 Gknfaehi.exe 1924 Gnlbnagl.exe 3004 Gmobin32.exe 1992 Gefjjk32.exe 448 Gcikfhed.exe 900 Gjccbb32.exe 1344 Gnoocq32.exe 2344 Gamkol32.exe 2172 Gckgkg32.exe 560 Gggclfkj.exe 2084 Gjephakn.exe 1848 Hmdldmja.exe 2748 Haohel32.exe 1008 Hcndag32.exe 2324 Hflpmb32.exe 2240 Hjhlnahk.exe 1568 Hmfhjmho.exe 2584 Hpdefh32.exe 2904 Hcpqfgol.exe 2824 Hfnmbbnp.exe 2844 Heamno32.exe 2740 Hmheol32.exe 944 Hpgakh32.exe 2536 Hnjagdlj.exe 1640 Hfajhblm.exe 2948 Hecjco32.exe 3048 Hhbfpj32.exe 1852 Hlnbqijd.exe 2644 Hnlnmd32.exe 1700 Hbgjmcba.exe 2144 Hefginae.exe 1168 Hhdcejph.exe -
Loads dropped DLL 64 IoCs
pid Process 1200 07374d3dc05c6b533bf39eaac203d947ac07cb9cf9a86c50a62ca24aa4d0d364N.exe 1200 07374d3dc05c6b533bf39eaac203d947ac07cb9cf9a86c50a62ca24aa4d0d364N.exe 324 Dcblgbfe.exe 324 Dcblgbfe.exe 2348 Deahcneh.exe 2348 Deahcneh.exe 2912 Dpflqfeo.exe 2912 Dpflqfeo.exe 2108 Eagiho32.exe 2108 Eagiho32.exe 2872 Elmmegkb.exe 2872 Elmmegkb.exe 2712 Eokiabjf.exe 2712 Eokiabjf.exe 1916 Ehdnkh32.exe 1916 Ehdnkh32.exe 2528 Enqfco32.exe 2528 Enqfco32.exe 2760 Edkopifk.exe 2760 Edkopifk.exe 2920 Ehfkphnd.exe 2920 Ehfkphnd.exe 3044 Encchoml.exe 3044 Encchoml.exe 2308 Edmkei32.exe 2308 Edmkei32.exe 308 Eaalom32.exe 308 Eaalom32.exe 2764 Ecbhfeip.exe 2764 Ecbhfeip.exe 860 Fjlqcppm.exe 860 Fjlqcppm.exe 892 Fqfipj32.exe 892 Fqfipj32.exe 2552 Ffcahq32.exe 2552 Ffcahq32.exe 2136 Flmidkmn.exe 2136 Flmidkmn.exe 2184 Fgbnbcmd.exe 2184 Fgbnbcmd.exe 2252 Ffenmp32.exe 2252 Ffenmp32.exe 2164 Fqkbkicd.exe 2164 Fqkbkicd.exe 856 Fjcfco32.exe 856 Fjcfco32.exe 2024 Fkdckgpc.exe 2024 Fkdckgpc.exe 1928 Ffjghppi.exe 1928 Ffjghppi.exe 660 Fmdpejgf.exe 660 Fmdpejgf.exe 2888 Foblaefj.exe 2888 Foblaefj.exe 2880 Gdodjlda.exe 2880 Gdodjlda.exe 2876 Gkimff32.exe 2876 Gkimff32.exe 2680 Geaaolbo.exe 2680 Geaaolbo.exe 1608 Gkkilfjk.exe 1608 Gkkilfjk.exe 1272 Gbeaip32.exe 1272 Gbeaip32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Gknnkain.dll Ajghgd32.exe File opened for modification C:\Windows\SysWOW64\Lgejidgn.exe Lhbjmg32.exe File created C:\Windows\SysWOW64\Hajdniep.exe Hiblmldn.exe File created C:\Windows\SysWOW64\Pngjlfla.dll Ieelnkpd.exe File created C:\Windows\SysWOW64\Fgkpdifc.dll Gbfklolh.exe File created C:\Windows\SysWOW64\Hccfoehi.exe Haejcj32.exe File opened for modification C:\Windows\SysWOW64\Afqeaemk.exe Aaeiqf32.exe File created C:\Windows\SysWOW64\Fcjqpm32.exe Fondonbc.exe File created C:\Windows\SysWOW64\Bebkdqbc.dll Ikbndqnc.exe File created C:\Windows\SysWOW64\Okolfkjg.exe Ohppjpkc.exe File opened for modification C:\Windows\SysWOW64\Ppiapp32.exe Phbinc32.exe File created C:\Windows\SysWOW64\Kaliaphd.exe Kommediq.exe File created C:\Windows\SysWOW64\Pbppqf32.exe Pkihpi32.exe File created C:\Windows\SysWOW64\Lecjaf32.dll Clkfjman.exe File opened for modification C:\Windows\SysWOW64\Mdkcgk32.exe Process not Found File created C:\Windows\SysWOW64\Okmpgc32.dll Hbgjmcba.exe File opened for modification C:\Windows\SysWOW64\Fcmdpcle.exe Fdjddf32.exe File created C:\Windows\SysWOW64\Njnjicba.dll Hnnkbd32.exe File created C:\Windows\SysWOW64\Ldadhokg.dll Iocdmccp.exe File created C:\Windows\SysWOW64\Cjkoioja.dll Jdpidm32.exe File opened for modification C:\Windows\SysWOW64\Eabeal32.exe Eocieq32.exe File created C:\Windows\SysWOW64\Gojkecka.exe Gmloigln.exe File opened for modification C:\Windows\SysWOW64\Hjmolp32.exe Hgobpd32.exe File created C:\Windows\SysWOW64\Hnnkbd32.exe Hlpofh32.exe File opened for modification C:\Windows\SysWOW64\Hnnkbd32.exe Hlpofh32.exe File created C:\Windows\SysWOW64\Cncmei32.exe Copljmpo.exe File created C:\Windows\SysWOW64\Ldcnnnje.dll Fhifmcfa.exe File opened for modification C:\Windows\SysWOW64\Llainlje.exe Ljbmbpkb.exe File opened for modification C:\Windows\SysWOW64\Qdkpomkb.exe Qlcgmpkp.exe File opened for modification C:\Windows\SysWOW64\Djqcki32.exe Dfegjknm.exe File created C:\Windows\SysWOW64\Momdeobl.dll Aonjpp32.exe File created C:\Windows\SysWOW64\Canbdfch.dll Nfbmlckg.exe File opened for modification C:\Windows\SysWOW64\Almjcobe.exe Ahancp32.exe File created C:\Windows\SysWOW64\Bfcnfh32.exe Bcdbjl32.exe File created C:\Windows\SysWOW64\Dckdio32.exe Dpphipbk.exe File opened for modification C:\Windows\SysWOW64\Ajmhljip.exe Akjham32.exe File created C:\Windows\SysWOW64\Aqljdclg.exe Anmnhhmd.exe File created C:\Windows\SysWOW64\Mojdel32.dll Bbolge32.exe File opened for modification C:\Windows\SysWOW64\Jemkai32.exe Jocceo32.exe File opened for modification C:\Windows\SysWOW64\Hpdefh32.exe Hmfhjmho.exe File created C:\Windows\SysWOW64\Bbhfgj32.exe Bnmjgkpo.exe File created C:\Windows\SysWOW64\Hiblmldn.exe Hfdpaqej.exe File opened for modification C:\Windows\SysWOW64\Pacqlcdi.exe Pbppqf32.exe File created C:\Windows\SysWOW64\Bfmkge32.dll Djqcki32.exe File created C:\Windows\SysWOW64\Ceahlg32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Cegbce32.exe Bbhfgj32.exe File opened for modification C:\Windows\SysWOW64\Gnphfppi.exe Gkaljdaf.exe File created C:\Windows\SysWOW64\Agcekn32.exe Achikonn.exe File created C:\Windows\SysWOW64\Bfmlgi32.exe Bbapgknp.exe File created C:\Windows\SysWOW64\Ekofgnna.exe Echoepmo.exe File created C:\Windows\SysWOW64\Eihdakqq.dll Hjieapck.exe File created C:\Windows\SysWOW64\Nmaojjod.dll Dgbgon32.exe File opened for modification C:\Windows\SysWOW64\Imdjlida.exe Ijenpn32.exe File created C:\Windows\SysWOW64\Eaalom32.exe Edmkei32.exe File created C:\Windows\SysWOW64\Gohqfe32.dll Hefginae.exe File opened for modification C:\Windows\SysWOW64\Eplood32.exe Emncci32.exe File created C:\Windows\SysWOW64\Eabeal32.exe Eocieq32.exe File opened for modification C:\Windows\SysWOW64\Nfppfcmj.exe Ncbdjhnf.exe File opened for modification C:\Windows\SysWOW64\Lddagi32.exe Leaallcb.exe File created C:\Windows\SysWOW64\Aigggf32.dll Jeofnpke.exe File created C:\Windows\SysWOW64\Fmflaaok.dll Ddcadd32.exe File created C:\Windows\SysWOW64\Eagbnh32.exe Eipjmk32.exe File opened for modification C:\Windows\SysWOW64\Hndaao32.exe Hjieapck.exe File created C:\Windows\SysWOW64\Ojgokflc.exe Ohhcokmp.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 10968 10944 Process not Found 1123 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icbldbgi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adppdckh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obgmjh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bqffna32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnafop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hflpmb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlpofh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oppbjn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pknakhig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klbfbg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ieiegf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcblgbfe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcndag32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djemfibq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnenfjdh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlpmndba.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lednal32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmljnfll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgaoec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opkndldc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gndebkii.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljejgp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edmkei32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gknfaehi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgiakjld.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knaqcabh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihaldgak.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhfihd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmholgpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jadlgjjq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajoebigm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpomnilc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbppqf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnplgl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onehadbj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkndiabh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlegic32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dendcg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkhcdhmk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oaaghp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkihpi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Haejcj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfngbq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klimcf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnihneon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpdefh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kahciaog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mncfgh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kldaon32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olgboogb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Deikhhhe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Geaaolbo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhjghlng.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dajlhc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcoaebjc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkljfj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbhfgj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgfckbfa.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lgphke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjonihkc.dll" Cncmei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kplfmfmf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ldikbhfh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ljfckodo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jblpge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oafhmf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbhbpk32.dll" Ihaldgak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nfncad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fcegdnna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idnhngnf.dll" Lbhphdab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pihmimaj.dll" Hgobpd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Haggijgb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Boeppomj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anggfg32.dll" Goodpb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mfngbq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpmmdj32.dll" Bgkeol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjhlcioh.dll" Dfnjqifb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID 07374d3dc05c6b533bf39eaac203d947ac07cb9cf9a86c50a62ca24aa4d0d364N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blcdaojp.dll" Encchoml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nadoiccn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Elpldp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fmholgpj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jadlgjjq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eoqfgcek.dll" Gjiibm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ienfml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mheohk32.dll" Jpomnilc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjpajqqn.dll" Egimdmmc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hoegoqng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obiemd32.dll" Eaalom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbopcm32.dll" Epqhjdhc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fjfllm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idjfdadn.dll" Lgejidgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oeanjk32.dll" Kpcbhlki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dimfmeef.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Glpdbfek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khmpbemc.dll" Hbepplkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hecjco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aocgll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bkghjq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiiqknjg.dll" Oefmid32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fdekigip.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Icponb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kaadjh32.dll" Hlnbqijd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oplmkm32.dll" Jlbhjkij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nljcflbd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gkchpcoc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fhifmcfa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Igioiacg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kkljfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mnffnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gicpnhbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kbokda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kemgqm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eceiinfd.dll" Oahdce32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bqngjcje.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iniglajj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eghdanac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mflgkd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Djqcki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hkiknb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1200 wrote to memory of 324 1200 07374d3dc05c6b533bf39eaac203d947ac07cb9cf9a86c50a62ca24aa4d0d364N.exe 30 PID 1200 wrote to memory of 324 1200 07374d3dc05c6b533bf39eaac203d947ac07cb9cf9a86c50a62ca24aa4d0d364N.exe 30 PID 1200 wrote to memory of 324 1200 07374d3dc05c6b533bf39eaac203d947ac07cb9cf9a86c50a62ca24aa4d0d364N.exe 30 PID 1200 wrote to memory of 324 1200 07374d3dc05c6b533bf39eaac203d947ac07cb9cf9a86c50a62ca24aa4d0d364N.exe 30 PID 324 wrote to memory of 2348 324 Dcblgbfe.exe 31 PID 324 wrote to memory of 2348 324 Dcblgbfe.exe 31 PID 324 wrote to memory of 2348 324 Dcblgbfe.exe 31 PID 324 wrote to memory of 2348 324 Dcblgbfe.exe 31 PID 2348 wrote to memory of 2912 2348 Deahcneh.exe 32 PID 2348 wrote to memory of 2912 2348 Deahcneh.exe 32 PID 2348 wrote to memory of 2912 2348 Deahcneh.exe 32 PID 2348 wrote to memory of 2912 2348 Deahcneh.exe 32 PID 2912 wrote to memory of 2108 2912 Dpflqfeo.exe 33 PID 2912 wrote to memory of 2108 2912 Dpflqfeo.exe 33 PID 2912 wrote to memory of 2108 2912 Dpflqfeo.exe 33 PID 2912 wrote to memory of 2108 2912 Dpflqfeo.exe 33 PID 2108 wrote to memory of 2872 2108 Eagiho32.exe 34 PID 2108 wrote to memory of 2872 2108 Eagiho32.exe 34 PID 2108 wrote to memory of 2872 2108 Eagiho32.exe 34 PID 2108 wrote to memory of 2872 2108 Eagiho32.exe 34 PID 2872 wrote to memory of 2712 2872 Elmmegkb.exe 35 PID 2872 wrote to memory of 2712 2872 Elmmegkb.exe 35 PID 2872 wrote to memory of 2712 2872 Elmmegkb.exe 35 PID 2872 wrote to memory of 2712 2872 Elmmegkb.exe 35 PID 2712 wrote to memory of 1916 2712 Eokiabjf.exe 36 PID 2712 wrote to memory of 1916 2712 Eokiabjf.exe 36 PID 2712 wrote to memory of 1916 2712 Eokiabjf.exe 36 PID 2712 wrote to memory of 1916 2712 Eokiabjf.exe 36 PID 1916 wrote to memory of 2528 1916 Ehdnkh32.exe 37 PID 1916 wrote to memory of 2528 1916 Ehdnkh32.exe 37 PID 1916 wrote to memory of 2528 1916 Ehdnkh32.exe 37 PID 1916 wrote to memory of 2528 1916 Ehdnkh32.exe 37 PID 2528 wrote to memory of 2760 2528 Enqfco32.exe 38 PID 2528 wrote to memory of 2760 2528 Enqfco32.exe 38 PID 2528 wrote to memory of 2760 2528 Enqfco32.exe 38 PID 2528 wrote to memory of 2760 2528 Enqfco32.exe 38 PID 2760 wrote to memory of 2920 2760 Edkopifk.exe 39 PID 2760 wrote to memory of 2920 2760 Edkopifk.exe 39 PID 2760 wrote to memory of 2920 2760 Edkopifk.exe 39 PID 2760 wrote to memory of 2920 2760 Edkopifk.exe 39 PID 2920 wrote to memory of 3044 2920 Ehfkphnd.exe 40 PID 2920 wrote to memory of 3044 2920 Ehfkphnd.exe 40 PID 2920 wrote to memory of 3044 2920 Ehfkphnd.exe 40 PID 2920 wrote to memory of 3044 2920 Ehfkphnd.exe 40 PID 3044 wrote to memory of 2308 3044 Encchoml.exe 41 PID 3044 wrote to memory of 2308 3044 Encchoml.exe 41 PID 3044 wrote to memory of 2308 3044 Encchoml.exe 41 PID 3044 wrote to memory of 2308 3044 Encchoml.exe 41 PID 2308 wrote to memory of 308 2308 Edmkei32.exe 42 PID 2308 wrote to memory of 308 2308 Edmkei32.exe 42 PID 2308 wrote to memory of 308 2308 Edmkei32.exe 42 PID 2308 wrote to memory of 308 2308 Edmkei32.exe 42 PID 308 wrote to memory of 2764 308 Eaalom32.exe 43 PID 308 wrote to memory of 2764 308 Eaalom32.exe 43 PID 308 wrote to memory of 2764 308 Eaalom32.exe 43 PID 308 wrote to memory of 2764 308 Eaalom32.exe 43 PID 2764 wrote to memory of 860 2764 Ecbhfeip.exe 44 PID 2764 wrote to memory of 860 2764 Ecbhfeip.exe 44 PID 2764 wrote to memory of 860 2764 Ecbhfeip.exe 44 PID 2764 wrote to memory of 860 2764 Ecbhfeip.exe 44 PID 860 wrote to memory of 892 860 Fjlqcppm.exe 45 PID 860 wrote to memory of 892 860 Fjlqcppm.exe 45 PID 860 wrote to memory of 892 860 Fjlqcppm.exe 45 PID 860 wrote to memory of 892 860 Fjlqcppm.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\07374d3dc05c6b533bf39eaac203d947ac07cb9cf9a86c50a62ca24aa4d0d364N.exe"C:\Users\Admin\AppData\Local\Temp\07374d3dc05c6b533bf39eaac203d947ac07cb9cf9a86c50a62ca24aa4d0d364N.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1200 -
C:\Windows\SysWOW64\Dcblgbfe.exeC:\Windows\system32\Dcblgbfe.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:324 -
C:\Windows\SysWOW64\Deahcneh.exeC:\Windows\system32\Deahcneh.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2348 -
C:\Windows\SysWOW64\Dpflqfeo.exeC:\Windows\system32\Dpflqfeo.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2912 -
C:\Windows\SysWOW64\Eagiho32.exeC:\Windows\system32\Eagiho32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2108 -
C:\Windows\SysWOW64\Elmmegkb.exeC:\Windows\system32\Elmmegkb.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2872 -
C:\Windows\SysWOW64\Eokiabjf.exeC:\Windows\system32\Eokiabjf.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Windows\SysWOW64\Ehdnkh32.exeC:\Windows\system32\Ehdnkh32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1916 -
C:\Windows\SysWOW64\Enqfco32.exeC:\Windows\system32\Enqfco32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2528 -
C:\Windows\SysWOW64\Edkopifk.exeC:\Windows\system32\Edkopifk.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Windows\SysWOW64\Ehfkphnd.exeC:\Windows\system32\Ehfkphnd.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2920 -
C:\Windows\SysWOW64\Encchoml.exeC:\Windows\system32\Encchoml.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3044 -
C:\Windows\SysWOW64\Edmkei32.exeC:\Windows\system32\Edmkei32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2308 -
C:\Windows\SysWOW64\Eaalom32.exeC:\Windows\system32\Eaalom32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:308 -
C:\Windows\SysWOW64\Ecbhfeip.exeC:\Windows\system32\Ecbhfeip.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2764 -
C:\Windows\SysWOW64\Fjlqcppm.exeC:\Windows\system32\Fjlqcppm.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:860 -
C:\Windows\SysWOW64\Fqfipj32.exeC:\Windows\system32\Fqfipj32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:892 -
C:\Windows\SysWOW64\Ffcahq32.exeC:\Windows\system32\Ffcahq32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2552 -
C:\Windows\SysWOW64\Flmidkmn.exeC:\Windows\system32\Flmidkmn.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2136 -
C:\Windows\SysWOW64\Fgbnbcmd.exeC:\Windows\system32\Fgbnbcmd.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2184 -
C:\Windows\SysWOW64\Ffenmp32.exeC:\Windows\system32\Ffenmp32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2252 -
C:\Windows\SysWOW64\Fqkbkicd.exeC:\Windows\system32\Fqkbkicd.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2164 -
C:\Windows\SysWOW64\Fjcfco32.exeC:\Windows\system32\Fjcfco32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:856 -
C:\Windows\SysWOW64\Fkdckgpc.exeC:\Windows\system32\Fkdckgpc.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2024 -
C:\Windows\SysWOW64\Ffjghppi.exeC:\Windows\system32\Ffjghppi.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1928 -
C:\Windows\SysWOW64\Fmdpejgf.exeC:\Windows\system32\Fmdpejgf.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:660 -
C:\Windows\SysWOW64\Foblaefj.exeC:\Windows\system32\Foblaefj.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2888 -
C:\Windows\SysWOW64\Gdodjlda.exeC:\Windows\system32\Gdodjlda.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2880 -
C:\Windows\SysWOW64\Gkimff32.exeC:\Windows\system32\Gkimff32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2876 -
C:\Windows\SysWOW64\Geaaolbo.exeC:\Windows\system32\Geaaolbo.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2680 -
C:\Windows\SysWOW64\Gkkilfjk.exeC:\Windows\system32\Gkkilfjk.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1608 -
C:\Windows\SysWOW64\Gbeaip32.exeC:\Windows\system32\Gbeaip32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1272 -
C:\Windows\SysWOW64\Gcgnphgf.exeC:\Windows\system32\Gcgnphgf.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1744 -
C:\Windows\SysWOW64\Gknfaehi.exeC:\Windows\system32\Gknfaehi.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2312 -
C:\Windows\SysWOW64\Gnlbnagl.exeC:\Windows\system32\Gnlbnagl.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1924 -
C:\Windows\SysWOW64\Gmobin32.exeC:\Windows\system32\Gmobin32.exe36⤵
- Executes dropped EXE
PID:3004 -
C:\Windows\SysWOW64\Gefjjk32.exeC:\Windows\system32\Gefjjk32.exe37⤵
- Executes dropped EXE
PID:1992 -
C:\Windows\SysWOW64\Gcikfhed.exeC:\Windows\system32\Gcikfhed.exe38⤵
- Executes dropped EXE
PID:448 -
C:\Windows\SysWOW64\Gjccbb32.exeC:\Windows\system32\Gjccbb32.exe39⤵
- Executes dropped EXE
PID:900 -
C:\Windows\SysWOW64\Gnoocq32.exeC:\Windows\system32\Gnoocq32.exe40⤵
- Executes dropped EXE
PID:1344 -
C:\Windows\SysWOW64\Gamkol32.exeC:\Windows\system32\Gamkol32.exe41⤵
- Executes dropped EXE
PID:2344 -
C:\Windows\SysWOW64\Gckgkg32.exeC:\Windows\system32\Gckgkg32.exe42⤵
- Executes dropped EXE
PID:2172 -
C:\Windows\SysWOW64\Gggclfkj.exeC:\Windows\system32\Gggclfkj.exe43⤵
- Executes dropped EXE
PID:560 -
C:\Windows\SysWOW64\Gjephakn.exeC:\Windows\system32\Gjephakn.exe44⤵
- Executes dropped EXE
PID:2084 -
C:\Windows\SysWOW64\Hmdldmja.exeC:\Windows\system32\Hmdldmja.exe45⤵
- Executes dropped EXE
PID:1848 -
C:\Windows\SysWOW64\Haohel32.exeC:\Windows\system32\Haohel32.exe46⤵
- Executes dropped EXE
PID:2748 -
C:\Windows\SysWOW64\Hcndag32.exeC:\Windows\system32\Hcndag32.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1008 -
C:\Windows\SysWOW64\Hflpmb32.exeC:\Windows\system32\Hflpmb32.exe48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2324 -
C:\Windows\SysWOW64\Hjhlnahk.exeC:\Windows\system32\Hjhlnahk.exe49⤵
- Executes dropped EXE
PID:2240 -
C:\Windows\SysWOW64\Hmfhjmho.exeC:\Windows\system32\Hmfhjmho.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1568 -
C:\Windows\SysWOW64\Hpdefh32.exeC:\Windows\system32\Hpdefh32.exe51⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2584 -
C:\Windows\SysWOW64\Hcpqfgol.exeC:\Windows\system32\Hcpqfgol.exe52⤵
- Executes dropped EXE
PID:2904 -
C:\Windows\SysWOW64\Hfnmbbnp.exeC:\Windows\system32\Hfnmbbnp.exe53⤵
- Executes dropped EXE
PID:2824 -
C:\Windows\SysWOW64\Heamno32.exeC:\Windows\system32\Heamno32.exe54⤵
- Executes dropped EXE
PID:2844 -
C:\Windows\SysWOW64\Hmheol32.exeC:\Windows\system32\Hmheol32.exe55⤵
- Executes dropped EXE
PID:2740 -
C:\Windows\SysWOW64\Hpgakh32.exeC:\Windows\system32\Hpgakh32.exe56⤵
- Executes dropped EXE
PID:944 -
C:\Windows\SysWOW64\Hnjagdlj.exeC:\Windows\system32\Hnjagdlj.exe57⤵
- Executes dropped EXE
PID:2536 -
C:\Windows\SysWOW64\Hfajhblm.exeC:\Windows\system32\Hfajhblm.exe58⤵
- Executes dropped EXE
PID:1640 -
C:\Windows\SysWOW64\Hecjco32.exeC:\Windows\system32\Hecjco32.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2948 -
C:\Windows\SysWOW64\Hhbfpj32.exeC:\Windows\system32\Hhbfpj32.exe60⤵
- Executes dropped EXE
PID:3048 -
C:\Windows\SysWOW64\Hlnbqijd.exeC:\Windows\system32\Hlnbqijd.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:1852 -
C:\Windows\SysWOW64\Hnlnmd32.exeC:\Windows\system32\Hnlnmd32.exe62⤵
- Executes dropped EXE
PID:2644 -
C:\Windows\SysWOW64\Hbgjmcba.exeC:\Windows\system32\Hbgjmcba.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1700 -
C:\Windows\SysWOW64\Hefginae.exeC:\Windows\system32\Hefginae.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2144 -
C:\Windows\SysWOW64\Hhdcejph.exeC:\Windows\system32\Hhdcejph.exe65⤵
- Executes dropped EXE
PID:1168 -
C:\Windows\SysWOW64\Hlpofh32.exeC:\Windows\system32\Hlpofh32.exe66⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2356 -
C:\Windows\SysWOW64\Hnnkbd32.exeC:\Windows\system32\Hnnkbd32.exe67⤵
- Drops file in System32 directory
PID:2080 -
C:\Windows\SysWOW64\Hamgno32.exeC:\Windows\system32\Hamgno32.exe68⤵PID:1308
-
C:\Windows\SysWOW64\Hehconob.exeC:\Windows\system32\Hehconob.exe69⤵PID:1984
-
C:\Windows\SysWOW64\Ilblkh32.exeC:\Windows\system32\Ilblkh32.exe70⤵PID:2236
-
C:\Windows\SysWOW64\Ijelgemi.exeC:\Windows\system32\Ijelgemi.exe71⤵PID:1208
-
C:\Windows\SysWOW64\Imchcplm.exeC:\Windows\system32\Imchcplm.exe72⤵PID:2352
-
C:\Windows\SysWOW64\Iekpdn32.exeC:\Windows\system32\Iekpdn32.exe73⤵PID:2092
-
C:\Windows\SysWOW64\Idnppjcj.exeC:\Windows\system32\Idnppjcj.exe74⤵PID:3020
-
C:\Windows\SysWOW64\Iflmlfcn.exeC:\Windows\system32\Iflmlfcn.exe75⤵PID:2852
-
C:\Windows\SysWOW64\Iocdmccp.exeC:\Windows\system32\Iocdmccp.exe76⤵
- Drops file in System32 directory
PID:2276 -
C:\Windows\SysWOW64\Iaaaiobc.exeC:\Windows\system32\Iaaaiobc.exe77⤵PID:2504
-
C:\Windows\SysWOW64\Idpmejag.exeC:\Windows\system32\Idpmejag.exe78⤵PID:1464
-
C:\Windows\SysWOW64\Ihkifi32.exeC:\Windows\system32\Ihkifi32.exe79⤵PID:2996
-
C:\Windows\SysWOW64\Ijjebd32.exeC:\Windows\system32\Ijjebd32.exe80⤵PID:3024
-
C:\Windows\SysWOW64\Iimenapo.exeC:\Windows\system32\Iimenapo.exe81⤵PID:680
-
C:\Windows\SysWOW64\Imhanp32.exeC:\Windows\system32\Imhanp32.exe82⤵PID:1896
-
C:\Windows\SysWOW64\Ipfnjkgk.exeC:\Windows\system32\Ipfnjkgk.exe83⤵PID:2216
-
C:\Windows\SysWOW64\Idbjkj32.exeC:\Windows\system32\Idbjkj32.exe84⤵PID:2328
-
C:\Windows\SysWOW64\Ifqfge32.exeC:\Windows\system32\Ifqfge32.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:588 -
C:\Windows\SysWOW64\Iiobcq32.exeC:\Windows\system32\Iiobcq32.exe86⤵PID:1136
-
C:\Windows\SysWOW64\Iddfqi32.exeC:\Windows\system32\Iddfqi32.exe87⤵PID:2340
-
C:\Windows\SysWOW64\Ibgglfdl.exeC:\Windows\system32\Ibgglfdl.exe88⤵PID:2284
-
C:\Windows\SysWOW64\Iefchacp.exeC:\Windows\system32\Iefchacp.exe89⤵PID:2756
-
C:\Windows\SysWOW64\Iiaoip32.exeC:\Windows\system32\Iiaoip32.exe90⤵PID:2812
-
C:\Windows\SysWOW64\Ilpkel32.exeC:\Windows\system32\Ilpkel32.exe91⤵PID:2976
-
C:\Windows\SysWOW64\Jongag32.exeC:\Windows\system32\Jongag32.exe92⤵PID:2704
-
C:\Windows\SysWOW64\Jbjcaf32.exeC:\Windows\system32\Jbjcaf32.exe93⤵PID:2488
-
C:\Windows\SysWOW64\Jehpna32.exeC:\Windows\system32\Jehpna32.exe94⤵PID:1316
-
C:\Windows\SysWOW64\Jhfljm32.exeC:\Windows\system32\Jhfljm32.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2044 -
C:\Windows\SysWOW64\Jlbhjkij.exeC:\Windows\system32\Jlbhjkij.exe96⤵
- Modifies registry class
PID:3040 -
C:\Windows\SysWOW64\Joqdfghn.exeC:\Windows\system32\Joqdfghn.exe97⤵PID:1552
-
C:\Windows\SysWOW64\Jblpge32.exeC:\Windows\system32\Jblpge32.exe98⤵
- Modifies registry class
PID:2640 -
C:\Windows\SysWOW64\Jaopcbga.exeC:\Windows\system32\Jaopcbga.exe99⤵PID:1292
-
C:\Windows\SysWOW64\Jifhdphd.exeC:\Windows\system32\Jifhdphd.exe100⤵PID:2548
-
C:\Windows\SysWOW64\Jlddpkgh.exeC:\Windows\system32\Jlddpkgh.exe101⤵PID:1736
-
C:\Windows\SysWOW64\Jocalffk.exeC:\Windows\system32\Jocalffk.exe102⤵PID:2288
-
C:\Windows\SysWOW64\Jaamhb32.exeC:\Windows\system32\Jaamhb32.exe103⤵PID:1968
-
C:\Windows\SysWOW64\Jdpidm32.exeC:\Windows\system32\Jdpidm32.exe104⤵
- Drops file in System32 directory
PID:2768 -
C:\Windows\SysWOW64\Jlgaek32.exeC:\Windows\system32\Jlgaek32.exe105⤵PID:2808
-
C:\Windows\SysWOW64\Joenaf32.exeC:\Windows\system32\Joenaf32.exe106⤵PID:2884
-
C:\Windows\SysWOW64\Jnhnmckc.exeC:\Windows\system32\Jnhnmckc.exe107⤵PID:2924
-
C:\Windows\SysWOW64\Jeofnpke.exeC:\Windows\system32\Jeofnpke.exe108⤵
- Drops file in System32 directory
PID:2516 -
C:\Windows\SysWOW64\Jhnbklji.exeC:\Windows\system32\Jhnbklji.exe109⤵PID:2956
-
C:\Windows\SysWOW64\Jgpbfh32.exeC:\Windows\system32\Jgpbfh32.exe110⤵PID:2384
-
C:\Windows\SysWOW64\Jogjgf32.exeC:\Windows\system32\Jogjgf32.exe111⤵PID:1444
-
C:\Windows\SysWOW64\Jnjjcbiq.exeC:\Windows\system32\Jnjjcbiq.exe112⤵PID:2160
-
C:\Windows\SysWOW64\Jpigonhd.exeC:\Windows\system32\Jpigonhd.exe113⤵PID:924
-
C:\Windows\SysWOW64\Jhpopk32.exeC:\Windows\system32\Jhpopk32.exe114⤵PID:1516
-
C:\Windows\SysWOW64\Jgbolhoa.exeC:\Windows\system32\Jgbolhoa.exe115⤵PID:2476
-
C:\Windows\SysWOW64\Kjakhcne.exeC:\Windows\system32\Kjakhcne.exe116⤵PID:964
-
C:\Windows\SysWOW64\Knmghb32.exeC:\Windows\system32\Knmghb32.exe117⤵PID:2892
-
C:\Windows\SysWOW64\Kahciaog.exeC:\Windows\system32\Kahciaog.exe118⤵
- System Location Discovery: System Language Discovery
PID:2828 -
C:\Windows\SysWOW64\Kdgoelnk.exeC:\Windows\system32\Kdgoelnk.exe119⤵PID:2600
-
C:\Windows\SysWOW64\Kgelahmn.exeC:\Windows\system32\Kgelahmn.exe120⤵PID:1332
-
C:\Windows\SysWOW64\Kjchmclb.exeC:\Windows\system32\Kjchmclb.exe121⤵PID:3016
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-