Analysis
-
max time kernel
103s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
05/10/2024, 12:55
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
5ee3b6af8e2f4f26474c4c4b7ccc089ab9aa47b2d7bd2513a1c2556e1e0fe4baN.exe
Resource
win7-20240903-en
windows7-x64
9 signatures
120 seconds
Behavioral task
behavioral2
Sample
5ee3b6af8e2f4f26474c4c4b7ccc089ab9aa47b2d7bd2513a1c2556e1e0fe4baN.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
8 signatures
120 seconds
General
-
Target
5ee3b6af8e2f4f26474c4c4b7ccc089ab9aa47b2d7bd2513a1c2556e1e0fe4baN.exe
-
Size
1.9MB
-
MD5
f65f169e7a5d3174f9eec9be4ddbd320
-
SHA1
e13050e3c2e3bd4458c769895bf11cd6923c1a96
-
SHA256
5ee3b6af8e2f4f26474c4c4b7ccc089ab9aa47b2d7bd2513a1c2556e1e0fe4ba
-
SHA512
9fa921e0e2e8ce5756490a44f834ad17cf77c27cb9904ecb7a8064ca0444dc8466de1246792e600ba629e6d5ed4645e8de0da90e3a8af2a71434bf250d0e641c
-
SSDEEP
12288:kOzR/Ng1/Nmr/Ng1/Nblt01PBNkEoILClt01PBExKN4P6IfKTLR+6CwUkEoILTAc:kBlkcEpelks/6HnEpnAc
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://master-x.com/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://crutop.ru/index.php
http://kaspersky.ru/index.php
http://color-bank.ru/index.php
http://adult-empire.com/index.php
http://virus-list.com/index.php
http://trojan.ru/index.php
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://fethard.biz/index.htm
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://kaspersky.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjpdoj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkookd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Paldmbmq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dapbdocn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Noalfe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gffmqq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pcppbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ngkepl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dodhpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ncaacp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fcckjb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gjjcqpbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bmaaha32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdckgc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbilclhb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iajfin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Knekknjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mlqggcqc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Paldmbmq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibjdljfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lmkjfgll.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmjhjndm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Boboknnf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gjmnmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmbgnl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcokhaho.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdaajl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hddmgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nagobp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qfnmjb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kqkpqa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdkheh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ighfecdb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmnqae32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knggqm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gdckncfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pqhblm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nijdcdgn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnoiqpqk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iniebmfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Agoodkgk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpeidjfo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccikghel.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpdlfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Efkhkifo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bchmolkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ifhacfhj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhikiefk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njadab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dolpiipk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhjhbq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lpmjplag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jfdigocb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jbbpmo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngpokkgb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npbpjn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfhial32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kgfannba.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdobqgpn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dblgbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gdobqgpn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmpkhl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmiakdll.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbpplglj.exe -
Executes dropped EXE 64 IoCs
pid Process 2336 Dkookd32.exe 2780 Dlokegib.exe 2752 Dblcnngi.exe 2720 Ddoiei32.exe 2776 Ejkampao.exe 2708 Eqhfoj32.exe 2044 Ejpkho32.exe 2084 Emadjj32.exe 2632 Efihcpqk.exe 1312 Fgmaphdg.exe 2088 Fhakkg32.exe 2492 Fdkheh32.exe 1960 Gdmekg32.exe 632 Gdobqgpn.exe 2236 Glmckikf.exe 816 Hegdinpd.exe 1728 Hejaon32.exe 2016 Haqbcoce.exe 1512 Hngbhp32.exe 1696 Hnjonpgg.exe 2152 Ijcmipjh.exe 3020 Ianambhc.exe 3048 Iaqnbb32.exe 2040 Ifngiqlg.exe 3060 Iqhhin32.exe 2540 Jjqlbdog.exe 2808 Jjcigcmd.exe 2628 Jobnej32.exe 2608 Jbbgge32.exe 2488 Kmjhjndm.exe 3044 Kkpekjie.exe 2872 Kaojiqej.exe 2568 Lpmjplag.exe 2408 Laacmc32.exe 1040 Macpcccp.exe 2496 Mafmhcam.exe 1320 Mhbakmgg.exe 956 Mclbkjcf.exe 2432 Npbpjn32.exe 1736 Nijdcdgn.exe 1600 Neaehelb.exe 900 Necandjo.exe 2572 Nnofbg32.exe 2196 Ooncljom.exe 2836 Ogigpllh.exe 2508 Okgpfjbo.exe 3076 Ofaaghom.exe 3132 Ogpnakfp.exe 3180 Oqibjq32.exe 3236 Pidgnc32.exe 3288 Pifcdbhi.exe 3344 Pgkqeo32.exe 3392 Pjlifjjb.exe 3444 Pgpjpnhk.exe 3508 Qgbfen32.exe 3576 Qpnkjq32.exe 3644 Acldpojj.exe 3704 Amdhidqk.exe 3768 Amfeodoh.exe 3836 Allbpqcp.exe 3892 Befcne32.exe 3960 Bdkpob32.exe 4020 Bpbadcbj.exe 4084 Bpdnjb32.exe -
Loads dropped DLL 64 IoCs
pid Process 2364 5ee3b6af8e2f4f26474c4c4b7ccc089ab9aa47b2d7bd2513a1c2556e1e0fe4baN.exe 2364 5ee3b6af8e2f4f26474c4c4b7ccc089ab9aa47b2d7bd2513a1c2556e1e0fe4baN.exe 2336 Dkookd32.exe 2336 Dkookd32.exe 2780 Dlokegib.exe 2780 Dlokegib.exe 2752 Dblcnngi.exe 2752 Dblcnngi.exe 2720 Ddoiei32.exe 2720 Ddoiei32.exe 2776 Ejkampao.exe 2776 Ejkampao.exe 2708 Eqhfoj32.exe 2708 Eqhfoj32.exe 2044 Ejpkho32.exe 2044 Ejpkho32.exe 2084 Emadjj32.exe 2084 Emadjj32.exe 2632 Efihcpqk.exe 2632 Efihcpqk.exe 1312 Fgmaphdg.exe 1312 Fgmaphdg.exe 2088 Fhakkg32.exe 2088 Fhakkg32.exe 2492 Fdkheh32.exe 2492 Fdkheh32.exe 1960 Gdmekg32.exe 1960 Gdmekg32.exe 632 Gdobqgpn.exe 632 Gdobqgpn.exe 2236 Glmckikf.exe 2236 Glmckikf.exe 816 Hegdinpd.exe 816 Hegdinpd.exe 1728 Hejaon32.exe 1728 Hejaon32.exe 2016 Haqbcoce.exe 2016 Haqbcoce.exe 1512 Hngbhp32.exe 1512 Hngbhp32.exe 1696 Hnjonpgg.exe 1696 Hnjonpgg.exe 2152 Ijcmipjh.exe 2152 Ijcmipjh.exe 3020 Ianambhc.exe 3020 Ianambhc.exe 3048 Iaqnbb32.exe 3048 Iaqnbb32.exe 2040 Ifngiqlg.exe 2040 Ifngiqlg.exe 3060 Iqhhin32.exe 3060 Iqhhin32.exe 2540 Jjqlbdog.exe 2540 Jjqlbdog.exe 2808 Jjcigcmd.exe 2808 Jjcigcmd.exe 2628 Jobnej32.exe 2628 Jobnej32.exe 2608 Jbbgge32.exe 2608 Jbbgge32.exe 2488 Kmjhjndm.exe 2488 Kmjhjndm.exe 3044 Kkpekjie.exe 3044 Kkpekjie.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Gifpkoho.dll Cekihh32.exe File opened for modification C:\Windows\SysWOW64\Gncblo32.exe Gnaffpoi.exe File created C:\Windows\SysWOW64\Lmikhn32.exe Lhjfjhje.exe File created C:\Windows\SysWOW64\Ogiacfkq.dll Glflmi32.exe File created C:\Windows\SysWOW64\Jpdmao32.exe Innkddeg.exe File created C:\Windows\SysWOW64\Mikochhm.dll Hegdinpd.exe File created C:\Windows\SysWOW64\Mjjebgej.dll Hngbhp32.exe File created C:\Windows\SysWOW64\Amfeodoh.exe Amdhidqk.exe File opened for modification C:\Windows\SysWOW64\Papmnj32.exe Pplcabif.exe File created C:\Windows\SysWOW64\Hpggmf32.dll Hikppghf.exe File created C:\Windows\SysWOW64\Agpfjqlc.dll Hbpphgmn.exe File opened for modification C:\Windows\SysWOW64\Bigbmb32.exe Bmaaha32.exe File opened for modification C:\Windows\SysWOW64\Pcppbc32.exe Pdjcaf32.exe File created C:\Windows\SysWOW64\Qjbbbgql.dll Mammfa32.exe File opened for modification C:\Windows\SysWOW64\Hodbopmq.exe Hlopbe32.exe File opened for modification C:\Windows\SysWOW64\Aiacamhm.exe Qcbndg32.exe File created C:\Windows\SysWOW64\Gnaffpoi.exe Fnoiqpqk.exe File created C:\Windows\SysWOW64\Ilifkclg.dll Ipbgci32.exe File opened for modification C:\Windows\SysWOW64\Klcjfdqi.exe Kgfannba.exe File created C:\Windows\SysWOW64\Jjkmhbek.exe Imgmonga.exe File created C:\Windows\SysWOW64\Dninfgol.exe Dbpplglj.exe File created C:\Windows\SysWOW64\Hmmaqjfn.dll Dcjpjn32.exe File created C:\Windows\SysWOW64\Qdeohmhi.dll Emdjbi32.exe File created C:\Windows\SysWOW64\Adbbfabn.dll Jakjlpif.exe File created C:\Windows\SysWOW64\Ghfpmopi.dll Godjaj32.exe File created C:\Windows\SysWOW64\Ekohac32.exe Epckkeek.exe File created C:\Windows\SysWOW64\Hodbopmq.exe Hlopbe32.exe File created C:\Windows\SysWOW64\Gegljo32.dll Cmnqae32.exe File created C:\Windows\SysWOW64\Kdckgc32.exe Jdoblckh.exe File opened for modification C:\Windows\SysWOW64\Jicigg32.exe Jmmhbfjq.exe File created C:\Windows\SysWOW64\Qdeckq32.dll Odekqg32.exe File created C:\Windows\SysWOW64\Hnmkog32.dll Jfdigocb.exe File created C:\Windows\SysWOW64\Mblcbkbh.dll Lkhfhaea.exe File created C:\Windows\SysWOW64\Eenfnmfe.exe Djolbp32.exe File opened for modification C:\Windows\SysWOW64\Qjmmkgga.exe Qadhba32.exe File created C:\Windows\SysWOW64\Gdobqgpn.exe Gdmekg32.exe File created C:\Windows\SysWOW64\Elokkl32.dll Nhmpmcaq.exe File created C:\Windows\SysWOW64\Gmdimeom.dll Nmiakdll.exe File opened for modification C:\Windows\SysWOW64\Qfnmjb32.exe Pggcdf32.exe File created C:\Windows\SysWOW64\Kionqdjb.dll Alhnag32.exe File opened for modification C:\Windows\SysWOW64\Olhfdl32.exe Oodejhfg.exe File created C:\Windows\SysWOW64\Dqicfdjc.dll Dodhpa32.exe File created C:\Windows\SysWOW64\Dfgekbni.dll Ondejl32.exe File created C:\Windows\SysWOW64\Jifmgman.exe Jmplbl32.exe File created C:\Windows\SysWOW64\Lbemeo32.exe Logdoq32.exe File created C:\Windows\SysWOW64\Haqbcoce.exe Hejaon32.exe File opened for modification C:\Windows\SysWOW64\Befcne32.exe Allbpqcp.exe File created C:\Windows\SysWOW64\Bhhmjacg.dll Mdjnge32.exe File opened for modification C:\Windows\SysWOW64\Fhpoalho.exe Fogkhf32.exe File created C:\Windows\SysWOW64\Nbipmk32.dll Bjamhh32.exe File created C:\Windows\SysWOW64\Njcfdpkb.dll Femlbjee.exe File opened for modification C:\Windows\SysWOW64\Ongijbja.exe Oqhemjef.exe File created C:\Windows\SysWOW64\Cialng32.exe Cmkkhfmn.exe File opened for modification C:\Windows\SysWOW64\Ffokan32.exe Fjhjlm32.exe File created C:\Windows\SysWOW64\Fkofnoej.dll Lpgekanj.exe File created C:\Windows\SysWOW64\Cijenjap.dll Gakchj32.exe File created C:\Windows\SysWOW64\Fohafo32.dll Dninfgol.exe File opened for modification C:\Windows\SysWOW64\Bfqfoeng.exe Aoeajc32.exe File opened for modification C:\Windows\SysWOW64\Pgpjpnhk.exe Pjlifjjb.exe File created C:\Windows\SysWOW64\Lagknhgp.dll Befcne32.exe File created C:\Windows\SysWOW64\Igpkhjlc.dll Ihgcof32.exe File created C:\Windows\SysWOW64\Qiqpmp32.exe Pinchq32.exe File created C:\Windows\SysWOW64\Qkpmkopd.dll Mfdmdlaj.exe File opened for modification C:\Windows\SysWOW64\Deckeo32.exe Cjgmoahd.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 612 2888 WerFault.exe 480 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgnjof32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bcodol32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edpobo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blkoocfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfdmdlaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blfodb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lffjih32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llfiemfj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjcigcmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpeidjfo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epdafl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmkjfgll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gffmqq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbhpidak.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pggcdf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdmekg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eenfnmfe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgmaphdg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ighfecdb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Comkdl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Joijbk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djolbp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejgkfn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekgjiiaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Macpcccp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlqggcqc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcppbc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Noalfe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbigio32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npbpjn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjhjlm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iniebmfg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gamafbjb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amcaqj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnbeacbd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klcjfdqi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpgekanj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Innkddeg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mclbkjcf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikhlaaif.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjlbcd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocmdeg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oonego32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imgmonga.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcalindb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfhial32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phcpdm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abkqle32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obpflhmi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njadab32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjoejj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hegdinpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlfohb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfmlhjfb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Haqbcoce.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkhfhaea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgjedghh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogpnakfp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jedeea32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpdlfn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdefdjnl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgolhoik.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcehpbdm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdoblckh.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pajlidnk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Feglmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pifcdbhi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hiichkog.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pfnjfepp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mdjnge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ogbkakeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qbllgblj.dll" Olijen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Njadab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nlejhmge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gnaffpoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmblcp32.dll" Kjpdoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekhnoc32.dll" Klcjfdqi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Knggqm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fdkheh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bpdnjb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Allbpqcp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bcodol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Llcgnple.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bepajh32.dll" Ifngiqlg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Necandjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdkkjenp.dll" Amdhidqk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ffbkkkcb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gbchijlk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ckdnbend.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kaojiqej.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ajkokgia.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Biegpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmdimeom.dll" Nmiakdll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eenfnmfe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iaqnbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mhjdpgic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ajidnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjjebgej.dll" Hngbhp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bhpgkfab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdcbfbbl.dll" Imepio32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Namedgnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfcfdk32.dll" Ghndjd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckfkdffp.dll" Lffjih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fekafc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kmbgnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kmldajml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mefhpcek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kjpdoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfnoed32.dll" Ljdjildq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nhmpmcaq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bokfaflj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hmcgdlhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ghndjd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iniebmfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jfkphnmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncgdjj32.dll" Ogbkakeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Plmdqmpd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ichmclja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jjoejj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epgecnoc.dll" Nijdcdgn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mcokhaho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glnqfd32.dll" Eenfnmfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qadhba32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Epdafl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kpdlfn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hmqjoljn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bjamhh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blckoifq.dll" Kbfgab32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2364 wrote to memory of 2336 2364 5ee3b6af8e2f4f26474c4c4b7ccc089ab9aa47b2d7bd2513a1c2556e1e0fe4baN.exe 29 PID 2364 wrote to memory of 2336 2364 5ee3b6af8e2f4f26474c4c4b7ccc089ab9aa47b2d7bd2513a1c2556e1e0fe4baN.exe 29 PID 2364 wrote to memory of 2336 2364 5ee3b6af8e2f4f26474c4c4b7ccc089ab9aa47b2d7bd2513a1c2556e1e0fe4baN.exe 29 PID 2364 wrote to memory of 2336 2364 5ee3b6af8e2f4f26474c4c4b7ccc089ab9aa47b2d7bd2513a1c2556e1e0fe4baN.exe 29 PID 2336 wrote to memory of 2780 2336 Dkookd32.exe 30 PID 2336 wrote to memory of 2780 2336 Dkookd32.exe 30 PID 2336 wrote to memory of 2780 2336 Dkookd32.exe 30 PID 2336 wrote to memory of 2780 2336 Dkookd32.exe 30 PID 2780 wrote to memory of 2752 2780 Dlokegib.exe 31 PID 2780 wrote to memory of 2752 2780 Dlokegib.exe 31 PID 2780 wrote to memory of 2752 2780 Dlokegib.exe 31 PID 2780 wrote to memory of 2752 2780 Dlokegib.exe 31 PID 2752 wrote to memory of 2720 2752 Dblcnngi.exe 32 PID 2752 wrote to memory of 2720 2752 Dblcnngi.exe 32 PID 2752 wrote to memory of 2720 2752 Dblcnngi.exe 32 PID 2752 wrote to memory of 2720 2752 Dblcnngi.exe 32 PID 2720 wrote to memory of 2776 2720 Ddoiei32.exe 213 PID 2720 wrote to memory of 2776 2720 Ddoiei32.exe 213 PID 2720 wrote to memory of 2776 2720 Ddoiei32.exe 213 PID 2720 wrote to memory of 2776 2720 Ddoiei32.exe 213 PID 2776 wrote to memory of 2708 2776 Ejkampao.exe 34 PID 2776 wrote to memory of 2708 2776 Ejkampao.exe 34 PID 2776 wrote to memory of 2708 2776 Ejkampao.exe 34 PID 2776 wrote to memory of 2708 2776 Ejkampao.exe 34 PID 2708 wrote to memory of 2044 2708 Eqhfoj32.exe 35 PID 2708 wrote to memory of 2044 2708 Eqhfoj32.exe 35 PID 2708 wrote to memory of 2044 2708 Eqhfoj32.exe 35 PID 2708 wrote to memory of 2044 2708 Eqhfoj32.exe 35 PID 2044 wrote to memory of 2084 2044 Ejpkho32.exe 36 PID 2044 wrote to memory of 2084 2044 Ejpkho32.exe 36 PID 2044 wrote to memory of 2084 2044 Ejpkho32.exe 36 PID 2044 wrote to memory of 2084 2044 Ejpkho32.exe 36 PID 2084 wrote to memory of 2632 2084 Emadjj32.exe 215 PID 2084 wrote to memory of 2632 2084 Emadjj32.exe 215 PID 2084 wrote to memory of 2632 2084 Emadjj32.exe 215 PID 2084 wrote to memory of 2632 2084 Emadjj32.exe 215 PID 2632 wrote to memory of 1312 2632 Efihcpqk.exe 38 PID 2632 wrote to memory of 1312 2632 Efihcpqk.exe 38 PID 2632 wrote to memory of 1312 2632 Efihcpqk.exe 38 PID 2632 wrote to memory of 1312 2632 Efihcpqk.exe 38 PID 1312 wrote to memory of 2088 1312 Fgmaphdg.exe 39 PID 1312 wrote to memory of 2088 1312 Fgmaphdg.exe 39 PID 1312 wrote to memory of 2088 1312 Fgmaphdg.exe 39 PID 1312 wrote to memory of 2088 1312 Fgmaphdg.exe 39 PID 2088 wrote to memory of 2492 2088 Fhakkg32.exe 40 PID 2088 wrote to memory of 2492 2088 Fhakkg32.exe 40 PID 2088 wrote to memory of 2492 2088 Fhakkg32.exe 40 PID 2088 wrote to memory of 2492 2088 Fhakkg32.exe 40 PID 2492 wrote to memory of 1960 2492 Fdkheh32.exe 41 PID 2492 wrote to memory of 1960 2492 Fdkheh32.exe 41 PID 2492 wrote to memory of 1960 2492 Fdkheh32.exe 41 PID 2492 wrote to memory of 1960 2492 Fdkheh32.exe 41 PID 1960 wrote to memory of 632 1960 Gdmekg32.exe 42 PID 1960 wrote to memory of 632 1960 Gdmekg32.exe 42 PID 1960 wrote to memory of 632 1960 Gdmekg32.exe 42 PID 1960 wrote to memory of 632 1960 Gdmekg32.exe 42 PID 632 wrote to memory of 2236 632 Gdobqgpn.exe 43 PID 632 wrote to memory of 2236 632 Gdobqgpn.exe 43 PID 632 wrote to memory of 2236 632 Gdobqgpn.exe 43 PID 632 wrote to memory of 2236 632 Gdobqgpn.exe 43 PID 2236 wrote to memory of 816 2236 Glmckikf.exe 44 PID 2236 wrote to memory of 816 2236 Glmckikf.exe 44 PID 2236 wrote to memory of 816 2236 Glmckikf.exe 44 PID 2236 wrote to memory of 816 2236 Glmckikf.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\5ee3b6af8e2f4f26474c4c4b7ccc089ab9aa47b2d7bd2513a1c2556e1e0fe4baN.exe"C:\Users\Admin\AppData\Local\Temp\5ee3b6af8e2f4f26474c4c4b7ccc089ab9aa47b2d7bd2513a1c2556e1e0fe4baN.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2364 -
C:\Windows\SysWOW64\Dkookd32.exeC:\Windows\system32\Dkookd32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2336 -
C:\Windows\SysWOW64\Dlokegib.exeC:\Windows\system32\Dlokegib.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2780 -
C:\Windows\SysWOW64\Dblcnngi.exeC:\Windows\system32\Dblcnngi.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2752 -
C:\Windows\SysWOW64\Ddoiei32.exeC:\Windows\system32\Ddoiei32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2720 -
C:\Windows\SysWOW64\Ejkampao.exeC:\Windows\system32\Ejkampao.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2776 -
C:\Windows\SysWOW64\Eqhfoj32.exeC:\Windows\system32\Eqhfoj32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2708 -
C:\Windows\SysWOW64\Ejpkho32.exeC:\Windows\system32\Ejpkho32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2044 -
C:\Windows\SysWOW64\Emadjj32.exeC:\Windows\system32\Emadjj32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2084 -
C:\Windows\SysWOW64\Efihcpqk.exeC:\Windows\system32\Efihcpqk.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2632 -
C:\Windows\SysWOW64\Fgmaphdg.exeC:\Windows\system32\Fgmaphdg.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1312 -
C:\Windows\SysWOW64\Fhakkg32.exeC:\Windows\system32\Fhakkg32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2088 -
C:\Windows\SysWOW64\Fdkheh32.exeC:\Windows\system32\Fdkheh32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2492 -
C:\Windows\SysWOW64\Gdmekg32.exeC:\Windows\system32\Gdmekg32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1960 -
C:\Windows\SysWOW64\Gdobqgpn.exeC:\Windows\system32\Gdobqgpn.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:632 -
C:\Windows\SysWOW64\Glmckikf.exeC:\Windows\system32\Glmckikf.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2236 -
C:\Windows\SysWOW64\Hegdinpd.exeC:\Windows\system32\Hegdinpd.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:816 -
C:\Windows\SysWOW64\Hejaon32.exeC:\Windows\system32\Hejaon32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1728 -
C:\Windows\SysWOW64\Haqbcoce.exeC:\Windows\system32\Haqbcoce.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2016 -
C:\Windows\SysWOW64\Hngbhp32.exeC:\Windows\system32\Hngbhp32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1512 -
C:\Windows\SysWOW64\Hnjonpgg.exeC:\Windows\system32\Hnjonpgg.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1696 -
C:\Windows\SysWOW64\Ijcmipjh.exeC:\Windows\system32\Ijcmipjh.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2152 -
C:\Windows\SysWOW64\Ianambhc.exeC:\Windows\system32\Ianambhc.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3020 -
C:\Windows\SysWOW64\Iaqnbb32.exeC:\Windows\system32\Iaqnbb32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:3048 -
C:\Windows\SysWOW64\Ifngiqlg.exeC:\Windows\system32\Ifngiqlg.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2040 -
C:\Windows\SysWOW64\Iqhhin32.exeC:\Windows\system32\Iqhhin32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3060 -
C:\Windows\SysWOW64\Jjqlbdog.exeC:\Windows\system32\Jjqlbdog.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2540 -
C:\Windows\SysWOW64\Jjcigcmd.exeC:\Windows\system32\Jjcigcmd.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2808 -
C:\Windows\SysWOW64\Jobnej32.exeC:\Windows\system32\Jobnej32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2628 -
C:\Windows\SysWOW64\Jbbgge32.exeC:\Windows\system32\Jbbgge32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2608 -
C:\Windows\SysWOW64\Kmjhjndm.exeC:\Windows\system32\Kmjhjndm.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2488 -
C:\Windows\SysWOW64\Kkpekjie.exeC:\Windows\system32\Kkpekjie.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3044 -
C:\Windows\SysWOW64\Kaojiqej.exeC:\Windows\system32\Kaojiqej.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:2872 -
C:\Windows\SysWOW64\Lpmjplag.exeC:\Windows\system32\Lpmjplag.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2568 -
C:\Windows\SysWOW64\Laacmc32.exeC:\Windows\system32\Laacmc32.exe35⤵
- Executes dropped EXE
PID:2408 -
C:\Windows\SysWOW64\Macpcccp.exeC:\Windows\system32\Macpcccp.exe36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1040 -
C:\Windows\SysWOW64\Mafmhcam.exeC:\Windows\system32\Mafmhcam.exe37⤵
- Executes dropped EXE
PID:2496 -
C:\Windows\SysWOW64\Mhbakmgg.exeC:\Windows\system32\Mhbakmgg.exe38⤵
- Executes dropped EXE
PID:1320 -
C:\Windows\SysWOW64\Mclbkjcf.exeC:\Windows\system32\Mclbkjcf.exe39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:956 -
C:\Windows\SysWOW64\Npbpjn32.exeC:\Windows\system32\Npbpjn32.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2432 -
C:\Windows\SysWOW64\Nijdcdgn.exeC:\Windows\system32\Nijdcdgn.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1736 -
C:\Windows\SysWOW64\Neaehelb.exeC:\Windows\system32\Neaehelb.exe42⤵
- Executes dropped EXE
PID:1600 -
C:\Windows\SysWOW64\Necandjo.exeC:\Windows\system32\Necandjo.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:900 -
C:\Windows\SysWOW64\Nnofbg32.exeC:\Windows\system32\Nnofbg32.exe44⤵
- Executes dropped EXE
PID:2572 -
C:\Windows\SysWOW64\Ooncljom.exeC:\Windows\system32\Ooncljom.exe45⤵
- Executes dropped EXE
PID:2196 -
C:\Windows\SysWOW64\Ogigpllh.exeC:\Windows\system32\Ogigpllh.exe46⤵
- Executes dropped EXE
PID:2836 -
C:\Windows\SysWOW64\Okgpfjbo.exeC:\Windows\system32\Okgpfjbo.exe47⤵
- Executes dropped EXE
PID:2508 -
C:\Windows\SysWOW64\Ofaaghom.exeC:\Windows\system32\Ofaaghom.exe48⤵
- Executes dropped EXE
PID:3076 -
C:\Windows\SysWOW64\Ogpnakfp.exeC:\Windows\system32\Ogpnakfp.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3132 -
C:\Windows\SysWOW64\Oqibjq32.exeC:\Windows\system32\Oqibjq32.exe50⤵
- Executes dropped EXE
PID:3180 -
C:\Windows\SysWOW64\Pidgnc32.exeC:\Windows\system32\Pidgnc32.exe51⤵
- Executes dropped EXE
PID:3236 -
C:\Windows\SysWOW64\Pifcdbhi.exeC:\Windows\system32\Pifcdbhi.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:3288 -
C:\Windows\SysWOW64\Pgkqeo32.exeC:\Windows\system32\Pgkqeo32.exe53⤵
- Executes dropped EXE
PID:3344 -
C:\Windows\SysWOW64\Pjlifjjb.exeC:\Windows\system32\Pjlifjjb.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3392 -
C:\Windows\SysWOW64\Pgpjpnhk.exeC:\Windows\system32\Pgpjpnhk.exe55⤵
- Executes dropped EXE
PID:3444 -
C:\Windows\SysWOW64\Qgbfen32.exeC:\Windows\system32\Qgbfen32.exe56⤵
- Executes dropped EXE
PID:3508 -
C:\Windows\SysWOW64\Qpnkjq32.exeC:\Windows\system32\Qpnkjq32.exe57⤵
- Executes dropped EXE
PID:3576 -
C:\Windows\SysWOW64\Acldpojj.exeC:\Windows\system32\Acldpojj.exe58⤵
- Executes dropped EXE
PID:3644 -
C:\Windows\SysWOW64\Amdhidqk.exeC:\Windows\system32\Amdhidqk.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3704 -
C:\Windows\SysWOW64\Amfeodoh.exeC:\Windows\system32\Amfeodoh.exe60⤵
- Executes dropped EXE
PID:3768 -
C:\Windows\SysWOW64\Allbpqcp.exeC:\Windows\system32\Allbpqcp.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3836 -
C:\Windows\SysWOW64\Befcne32.exeC:\Windows\system32\Befcne32.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3892 -
C:\Windows\SysWOW64\Bdkpob32.exeC:\Windows\system32\Bdkpob32.exe63⤵
- Executes dropped EXE
PID:3960 -
C:\Windows\SysWOW64\Bpbadcbj.exeC:\Windows\system32\Bpbadcbj.exe64⤵
- Executes dropped EXE
PID:4020 -
C:\Windows\SysWOW64\Bpdnjb32.exeC:\Windows\system32\Bpdnjb32.exe65⤵
- Executes dropped EXE
- Modifies registry class
PID:4084 -
C:\Windows\SysWOW64\Blkoocfl.exeC:\Windows\system32\Blkoocfl.exe66⤵
- System Location Discovery: System Language Discovery
PID:1676 -
C:\Windows\SysWOW64\Cmkkhfmn.exeC:\Windows\system32\Cmkkhfmn.exe67⤵
- Drops file in System32 directory
PID:1476 -
C:\Windows\SysWOW64\Cialng32.exeC:\Windows\system32\Cialng32.exe68⤵PID:2112
-
C:\Windows\SysWOW64\Ccjpfmic.exeC:\Windows\system32\Ccjpfmic.exe69⤵PID:2668
-
C:\Windows\SysWOW64\Clbdobpc.exeC:\Windows\system32\Clbdobpc.exe70⤵PID:2228
-
C:\Windows\SysWOW64\Cekihh32.exeC:\Windows\system32\Cekihh32.exe71⤵
- Drops file in System32 directory
PID:1952 -
C:\Windows\SysWOW64\Cocnanmd.exeC:\Windows\system32\Cocnanmd.exe72⤵PID:2180
-
C:\Windows\SysWOW64\Cgnbepjp.exeC:\Windows\system32\Cgnbepjp.exe73⤵PID:3128
-
C:\Windows\SysWOW64\Ddbbod32.exeC:\Windows\system32\Ddbbod32.exe74⤵PID:3204
-
C:\Windows\SysWOW64\Dpicceon.exeC:\Windows\system32\Dpicceon.exe75⤵PID:1672
-
C:\Windows\SysWOW64\Djahmk32.exeC:\Windows\system32\Djahmk32.exe76⤵PID:3328
-
C:\Windows\SysWOW64\Dfhial32.exeC:\Windows\system32\Dfhial32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:3408 -
C:\Windows\SysWOW64\Dclikp32.exeC:\Windows\system32\Dclikp32.exe78⤵PID:3496
-
C:\Windows\SysWOW64\Dppiddie.exeC:\Windows\system32\Dppiddie.exe79⤵PID:3584
-
C:\Windows\SysWOW64\Dhknigfq.exeC:\Windows\system32\Dhknigfq.exe80⤵PID:3540
-
C:\Windows\SysWOW64\Edbonh32.exeC:\Windows\system32\Edbonh32.exe81⤵PID:3668
-
C:\Windows\SysWOW64\Ebfpglkn.exeC:\Windows\system32\Ebfpglkn.exe82⤵PID:3760
-
C:\Windows\SysWOW64\Enmplm32.exeC:\Windows\system32\Enmplm32.exe83⤵PID:268
-
C:\Windows\SysWOW64\Ekqqea32.exeC:\Windows\system32\Ekqqea32.exe84⤵PID:3816
-
C:\Windows\SysWOW64\Eggajb32.exeC:\Windows\system32\Eggajb32.exe85⤵PID:3900
-
C:\Windows\SysWOW64\Emdjbi32.exeC:\Windows\system32\Emdjbi32.exe86⤵
- Drops file in System32 directory
PID:3920 -
C:\Windows\SysWOW64\Fjhjlm32.exeC:\Windows\system32\Fjhjlm32.exe87⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1680 -
C:\Windows\SysWOW64\Ffokan32.exeC:\Windows\system32\Ffokan32.exe88⤵PID:4028
-
C:\Windows\SysWOW64\Fcckjb32.exeC:\Windows\system32\Fcckjb32.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4072 -
C:\Windows\SysWOW64\Fcehpbdm.exeC:\Windows\system32\Fcehpbdm.exe90⤵
- System Location Discovery: System Language Discovery
PID:1576 -
C:\Windows\SysWOW64\Fnoiqpqk.exeC:\Windows\system32\Fnoiqpqk.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2660 -
C:\Windows\SysWOW64\Gnaffpoi.exeC:\Windows\system32\Gnaffpoi.exe92⤵
- Drops file in System32 directory
- Modifies registry class
PID:2596 -
C:\Windows\SysWOW64\Gncblo32.exeC:\Windows\system32\Gncblo32.exe93⤵PID:440
-
C:\Windows\SysWOW64\Gjjcqpbj.exeC:\Windows\system32\Gjjcqpbj.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2080 -
C:\Windows\SysWOW64\Ghndjd32.exeC:\Windows\system32\Ghndjd32.exe95⤵
- Modifies registry class
PID:3164 -
C:\Windows\SysWOW64\Gdedoegh.exeC:\Windows\system32\Gdedoegh.exe96⤵PID:3096
-
C:\Windows\SysWOW64\Gffmqq32.exeC:\Windows\system32\Gffmqq32.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:3264 -
C:\Windows\SysWOW64\Hiffbl32.exeC:\Windows\system32\Hiffbl32.exe98⤵PID:600
-
C:\Windows\SysWOW64\Hiichkog.exeC:\Windows\system32\Hiichkog.exe99⤵
- Modifies registry class
PID:3484 -
C:\Windows\SysWOW64\Hbagaa32.exeC:\Windows\system32\Hbagaa32.exe100⤵PID:3616
-
C:\Windows\SysWOW64\Hinlck32.exeC:\Windows\system32\Hinlck32.exe101⤵PID:828
-
C:\Windows\SysWOW64\Ihcidgpj.exeC:\Windows\system32\Ihcidgpj.exe102⤵PID:3552
-
C:\Windows\SysWOW64\Ighfecdb.exeC:\Windows\system32\Ighfecdb.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:3876 -
C:\Windows\SysWOW64\Ihgcof32.exeC:\Windows\system32\Ihgcof32.exe104⤵
- Drops file in System32 directory
PID:3784 -
C:\Windows\SysWOW64\Ipbgci32.exeC:\Windows\system32\Ipbgci32.exe105⤵
- Drops file in System32 directory
PID:4004 -
C:\Windows\SysWOW64\Ikhlaaif.exeC:\Windows\system32\Ikhlaaif.exe106⤵
- System Location Discovery: System Language Discovery
PID:3948 -
C:\Windows\SysWOW64\Iniebmfg.exeC:\Windows\system32\Iniebmfg.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4040 -
C:\Windows\SysWOW64\Jfdigocb.exeC:\Windows\system32\Jfdigocb.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2120 -
C:\Windows\SysWOW64\Jakjlpif.exeC:\Windows\system32\Jakjlpif.exe109⤵
- Drops file in System32 directory
PID:1276 -
C:\Windows\SysWOW64\Jookedhp.exeC:\Windows\system32\Jookedhp.exe110⤵PID:3040
-
C:\Windows\SysWOW64\Jkfkjemd.exeC:\Windows\system32\Jkfkjemd.exe111⤵PID:2936
-
C:\Windows\SysWOW64\Jfkphnmj.exeC:\Windows\system32\Jfkphnmj.exe112⤵
- Modifies registry class
PID:1332 -
C:\Windows\SysWOW64\Jbbpmo32.exeC:\Windows\system32\Jbbpmo32.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2436 -
C:\Windows\SysWOW64\Kkjeedio.exeC:\Windows\system32\Kkjeedio.exe114⤵PID:860
-
C:\Windows\SysWOW64\Kceijg32.exeC:\Windows\system32\Kceijg32.exe115⤵PID:3284
-
C:\Windows\SysWOW64\Kdefdjnl.exeC:\Windows\system32\Kdefdjnl.exe116⤵
- System Location Discovery: System Language Discovery
PID:532 -
C:\Windows\SysWOW64\Kmpkhl32.exeC:\Windows\system32\Kmpkhl32.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3488 -
C:\Windows\SysWOW64\Kmbgnl32.exeC:\Windows\system32\Kmbgnl32.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3612 -
C:\Windows\SysWOW64\Kjfhgp32.exeC:\Windows\system32\Kjfhgp32.exe119⤵PID:1932
-
C:\Windows\SysWOW64\Lfmhla32.exeC:\Windows\system32\Lfmhla32.exe120⤵PID:3812
-
C:\Windows\SysWOW64\Lbdiabcg.exeC:\Windows\system32\Lbdiabcg.exe121⤵PID:3824
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-