Analysis
-
max time kernel
120s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
12/10/2024, 03:36
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
e1e3e595e4f5eab5fa3631e4ed261c6728b64b6fe987697a8491c9e1b65a15ef.exe
Resource
win7-20241010-en
windows7-x64
9 signatures
150 seconds
Behavioral task
behavioral2
Sample
e1e3e595e4f5eab5fa3631e4ed261c6728b64b6fe987697a8491c9e1b65a15ef.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
8 signatures
150 seconds
General
-
Target
e1e3e595e4f5eab5fa3631e4ed261c6728b64b6fe987697a8491c9e1b65a15ef.exe
-
Size
45KB
-
MD5
81efcc4395b0ca22b38040cf2c959699
-
SHA1
bb7d320a389bdba0854f13441e84adebcf1016c4
-
SHA256
e1e3e595e4f5eab5fa3631e4ed261c6728b64b6fe987697a8491c9e1b65a15ef
-
SHA512
d2971c4696d4cc55487734aa5cd49c224c569425d6bb1b17fc3b91944313e1c441d8ce8d016c3d769688e854c5f4949769f622be040e4142c7472459c671156d
-
SSDEEP
768:tbTGC3MxFpji/RWHpyekciD8di4H0J/1H5wL:EC87Ww2b8dPH0DSL
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://tat-neftbank.ru/kkq.php
http://tat-neftbank.ru/wcmd.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kodghqop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mfihml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Amnanefa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dadehh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jljgni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aiqjao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Glfjgaih.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Niijdq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mgodjico.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nbljfdoh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Odmgnl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmbclj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enbapf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nbaomf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eigpmjqg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pknakhig.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofmiea32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Meidib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Afcghbgp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eonfgbhc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffcahq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggnqfgce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Obfdgiji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Afqeaemk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjgdfg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afcghbgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ciknhb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llainlje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ehlkfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mnaiah32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oedqcdim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fgcgebhd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Naimepkp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfopdk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojfcdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Miiaogio.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgcnnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Injlkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gphlgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iboghh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlddpkgh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Deajlf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ndpmbjbk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abbhje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Enbapf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pdndggcl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pchdfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Biceoj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elmmegkb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mchadifq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mqlbnnej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qpaohjkk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnfpjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pildgl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckkenikc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ngcanq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pbhoip32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcgaae32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbfcbdce.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kigibh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kihcakpa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ciknhb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klhbdclg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipfkabpg.exe -
Executes dropped EXE 64 IoCs
pid Process 2772 Elieipej.exe 2940 Fnjnkkbk.exe 2840 Fakglf32.exe 2476 Ffjljmla.exe 436 Fikelhib.exe 2392 Gfoeel32.exe 2564 Gmkjgfmf.exe 2156 Gfcopl32.exe 2704 Gidhbgag.exe 2972 Gdnibdmf.exe 2296 Hememgdi.exe 3040 Hmijajbd.exe 1932 Hchoop32.exe 1944 Hehhqk32.exe 2428 Hclhjpjc.exe 620 Iaaekl32.exe 1680 Iadbqlmh.exe 2620 Iafofkkf.exe 1860 Iojopp32.exe 1780 Ihbdhepp.exe 1684 Jcleiclo.exe 900 Jcoanb32.exe 2364 Joebccpp.exe 2492 Jinfli32.exe 1980 Jfagemej.exe 2120 Jbhhkn32.exe 2896 Knohpo32.exe 2852 Kigibh32.exe 2500 Kbpnkm32.exe 2656 Klhbdclg.exe 2208 Kepgmh32.exe 1952 Lcedne32.exe 2844 Laidgi32.exe 2060 Ldjmidcj.exe 2196 Ligfakaa.exe 2456 Llhocfnb.exe 2960 Lpckce32.exe 716 Magdam32.exe 548 Mheeif32.exe 2384 Miiofn32.exe 2056 Nljhhi32.exe 1720 Ngoleb32.exe 1868 Nhqhmj32.exe 1540 Naimepkp.exe 1552 Nakikpin.exe 2332 Nkdndeon.exe 1812 Ndlbmk32.exe 1764 Oapcfo32.exe 1828 Ogmkne32.exe 1328 Ongckp32.exe 2876 Oqepgk32.exe 2112 Occlcg32.exe 664 Onipqp32.exe 2520 Onkmfofg.exe 2640 Ogdaod32.exe 2152 Oqlfhjch.exe 2304 Ockbdebl.exe 2176 Pmcgmkil.exe 3004 Pcmoie32.exe 2448 Pbpoebgc.exe 2160 Pnfpjc32.exe 2128 Pildgl32.exe 2592 Pgodcich.exe 2616 Pnimpcke.exe -
Loads dropped DLL 64 IoCs
pid Process 2904 e1e3e595e4f5eab5fa3631e4ed261c6728b64b6fe987697a8491c9e1b65a15ef.exe 2904 e1e3e595e4f5eab5fa3631e4ed261c6728b64b6fe987697a8491c9e1b65a15ef.exe 2772 Elieipej.exe 2772 Elieipej.exe 2940 Fnjnkkbk.exe 2940 Fnjnkkbk.exe 2840 Fakglf32.exe 2840 Fakglf32.exe 2476 Ffjljmla.exe 2476 Ffjljmla.exe 436 Fikelhib.exe 436 Fikelhib.exe 2392 Gfoeel32.exe 2392 Gfoeel32.exe 2564 Gmkjgfmf.exe 2564 Gmkjgfmf.exe 2156 Gfcopl32.exe 2156 Gfcopl32.exe 2704 Gidhbgag.exe 2704 Gidhbgag.exe 2972 Gdnibdmf.exe 2972 Gdnibdmf.exe 2296 Hememgdi.exe 2296 Hememgdi.exe 3040 Hmijajbd.exe 3040 Hmijajbd.exe 1932 Hchoop32.exe 1932 Hchoop32.exe 1944 Hehhqk32.exe 1944 Hehhqk32.exe 2428 Hclhjpjc.exe 2428 Hclhjpjc.exe 620 Iaaekl32.exe 620 Iaaekl32.exe 1680 Iadbqlmh.exe 1680 Iadbqlmh.exe 2620 Iafofkkf.exe 2620 Iafofkkf.exe 1860 Iojopp32.exe 1860 Iojopp32.exe 1780 Ihbdhepp.exe 1780 Ihbdhepp.exe 1684 Jcleiclo.exe 1684 Jcleiclo.exe 900 Jcoanb32.exe 900 Jcoanb32.exe 2364 Joebccpp.exe 2364 Joebccpp.exe 2492 Jinfli32.exe 2492 Jinfli32.exe 1980 Jfagemej.exe 1980 Jfagemej.exe 2120 Jbhhkn32.exe 2120 Jbhhkn32.exe 2896 Knohpo32.exe 2896 Knohpo32.exe 2852 Kigibh32.exe 2852 Kigibh32.exe 2500 Kbpnkm32.exe 2500 Kbpnkm32.exe 2656 Klhbdclg.exe 2656 Klhbdclg.exe 2208 Kepgmh32.exe 2208 Kepgmh32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Ogmkne32.exe Oapcfo32.exe File created C:\Windows\SysWOW64\Nmhqokcq.exe Nkjdcp32.exe File created C:\Windows\SysWOW64\Mnakjaoc.exe Mmpobi32.exe File created C:\Windows\SysWOW64\Celpqbon.exe Ceickb32.exe File created C:\Windows\SysWOW64\Pfapgnji.dll Ceickb32.exe File opened for modification C:\Windows\SysWOW64\Chgimh32.exe Blnkbg32.exe File created C:\Windows\SysWOW64\Gbigao32.exe Gojkecka.exe File created C:\Windows\SysWOW64\Nmaojjod.dll Dedkbb32.exe File opened for modification C:\Windows\SysWOW64\Kbeqjl32.exe Kpgdnp32.exe File created C:\Windows\SysWOW64\Qcpnob32.dll Peiaij32.exe File opened for modification C:\Windows\SysWOW64\Gnjehaio.exe Gimmpj32.exe File created C:\Windows\SysWOW64\Olgdpp32.dll Pcagkmaj.exe File opened for modification C:\Windows\SysWOW64\Ijenpn32.exe Iclfccmq.exe File opened for modification C:\Windows\SysWOW64\Nmnoll32.exe Nmkbfmpf.exe File created C:\Windows\SysWOW64\Fjigapme.dll Ogdaod32.exe File opened for modification C:\Windows\SysWOW64\Ncnlnaim.exe Nldcagaq.exe File created C:\Windows\SysWOW64\Nhngem32.exe Nbaomf32.exe File created C:\Windows\SysWOW64\Fgeabi32.exe Fqkieogp.exe File created C:\Windows\SysWOW64\Ehdpcahk.exe Ekppjmia.exe File opened for modification C:\Windows\SysWOW64\Kheaoj32.exe Kommediq.exe File opened for modification C:\Windows\SysWOW64\Fmbjjp32.exe Fgeabi32.exe File opened for modification C:\Windows\SysWOW64\Bjiobnbn.exe Bnbnnm32.exe File created C:\Windows\SysWOW64\Mekjoc32.dll Mnaiah32.exe File opened for modification C:\Windows\SysWOW64\Kommediq.exe Kaillp32.exe File opened for modification C:\Windows\SysWOW64\Kepgmh32.exe Klhbdclg.exe File created C:\Windows\SysWOW64\Bbijkm32.dll Edhpaa32.exe File opened for modification C:\Windows\SysWOW64\Oeegnj32.exe Omjbihpn.exe File created C:\Windows\SysWOW64\Ngoleb32.exe Nljhhi32.exe File opened for modification C:\Windows\SysWOW64\Iloilcci.exe Igbqdlea.exe File opened for modification C:\Windows\SysWOW64\Mginjnnp.exe Mnaiah32.exe File opened for modification C:\Windows\SysWOW64\Bkjdpp32.exe Bfmlgi32.exe File created C:\Windows\SysWOW64\Deajlf32.exe Dijjgegh.exe File created C:\Windows\SysWOW64\Hibebeqb.exe Hgbhibio.exe File created C:\Windows\SysWOW64\Dbcgao32.dll Lpgqlc32.exe File opened for modification C:\Windows\SysWOW64\Gmlmpo32.exe Gphlgk32.exe File opened for modification C:\Windows\SysWOW64\Mmcpjfcj.exe Mfihml32.exe File created C:\Windows\SysWOW64\Pmcgmkil.exe Ockbdebl.exe File created C:\Windows\SysWOW64\Aepkphoe.dll Dlnjjc32.exe File opened for modification C:\Windows\SysWOW64\Bpfgke32.exe Bjiobnbn.exe File created C:\Windows\SysWOW64\Aomolh32.dll Anhdmh32.exe File opened for modification C:\Windows\SysWOW64\Akbgdkgm.exe Abjcleqm.exe File created C:\Windows\SysWOW64\Hhgceh32.dll Bfjmia32.exe File created C:\Windows\SysWOW64\Eoajgh32.exe Ecjibgdh.exe File opened for modification C:\Windows\SysWOW64\Mfihml32.exe Mmpcdfem.exe File opened for modification C:\Windows\SysWOW64\Cinahhff.exe Cpemob32.exe File opened for modification C:\Windows\SysWOW64\Nkhhie32.exe Nbodpo32.exe File created C:\Windows\SysWOW64\Dhompmdf.dll Dbggpfci.exe File created C:\Windows\SysWOW64\Jlghpa32.exe Jempcgad.exe File created C:\Windows\SysWOW64\Lelljepm.exe Liekddkh.exe File opened for modification C:\Windows\SysWOW64\Ffcahq32.exe Fqfipj32.exe File opened for modification C:\Windows\SysWOW64\Fclkldqe.exe Fkdckgpc.exe File created C:\Windows\SysWOW64\Abinjdad.exe Aiqjao32.exe File created C:\Windows\SysWOW64\Ifdeao32.dll Jjcieg32.exe File created C:\Windows\SysWOW64\Fcgaae32.exe Ffcahq32.exe File created C:\Windows\SysWOW64\Acemeo32.exe Anhdmh32.exe File opened for modification C:\Windows\SysWOW64\Pajeanhf.exe Pgaahh32.exe File opened for modification C:\Windows\SysWOW64\Dljngoea.exe Djlbkcfn.exe File created C:\Windows\SysWOW64\Amfabj32.dll Fladmn32.exe File created C:\Windows\SysWOW64\Lbgkic32.dll Kgmilmkb.exe File created C:\Windows\SysWOW64\Chohqebq.exe Ckkhga32.exe File opened for modification C:\Windows\SysWOW64\Iaipmm32.exe Ienfml32.exe File opened for modification C:\Windows\SysWOW64\Gpfggeai.exe Gemfghek.exe File created C:\Windows\SysWOW64\Kdeehe32.exe Johlpoij.exe File created C:\Windows\SysWOW64\Gmkjgfmf.exe Gfoeel32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 1940 3088 WerFault.exe 719 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mddibb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkfcqo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gicpnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iaaekl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbhhkn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Naimepkp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfiaojkq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpgdnp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbkgegad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijenpn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cneiki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epgoio32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpfkhbon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jinfli32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgcdlj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eonfgbhc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oiifcdhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfflfp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkiknb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Johlpoij.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hginnmml.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iaobkf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddhekfeb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kaillp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Moloidjl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ainmlomf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jknicnpf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijghmd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kobmkj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbhlgg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcleiclo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ceacoqfi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elmmegkb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfdngl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfonlg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lddagi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehlkfn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iiaoip32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dadehh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdobjgqg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omonmpcm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlkcbp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Denknngk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fqfipj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epjbienl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnjbfhqa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fakhhk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekeiel32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnmfpnqn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hememgdi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enbapf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcblgbfe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mqdbjp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhngem32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcoanb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpqgkpcl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocdnloph.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gqmmhdka.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Clfhml32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfopdk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljeoimeg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlnjjc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dckdio32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbgakd32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fgeabi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Daelem32.dll" Iaipmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enfbchek.dll" Mchadifq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gqmmhdka.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oqepgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjbcnmen.dll" Pgaahh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Igkjcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ppjjcogn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Imidgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nmkbfmpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klnkbdan.dll" Jkllnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ndoelpid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eonfgbhc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebhkaa32.dll" Bfmlgi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omjkkb32.dll" Bcmjpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fplcho32.dll" Jddbpmpm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hkiknb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pgaahh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Abinjdad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lhklha32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckndmaad.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bfmjoqoe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hfnkji32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aodnfbpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pbpoebgc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pgaahh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eoqfgcek.dll" Fcoaebjc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqdlookk.dll" Npieoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcelpdef.dll" Fcgdjmlo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hemjiblk.dll" Nnjlhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbenfb32.dll" Eabeal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Moedaakj.dll" Mpaoojjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Peiaij32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Inqhhc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fiopah32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jehbfjia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghlof32.dll" Moloidjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ajaagi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cogocmbd.dll" Lkhcdhmk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pbkgegad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbkgliff.dll" Mglpjc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ligfakaa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Onkmfofg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dofnnkfg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nmacej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mohkpn32.dll" Dlfgehqk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oiifcdhn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ceickb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Clfhml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcpnob32.dll" Peiaij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhbekoih.dll" Lphlck32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ogdaod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Denknngk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dcmpcjcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oedqcdim.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dfdngl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beegbq32.dll" Pildgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjbcik32.dll" Knddcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fabkfhch.dll" Mbgela32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoimalh.dll" Aodnfbpm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ajibckpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nehjmppo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpclfokl.dll" Icdhnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lbplciof.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2904 wrote to memory of 2772 2904 e1e3e595e4f5eab5fa3631e4ed261c6728b64b6fe987697a8491c9e1b65a15ef.exe 30 PID 2904 wrote to memory of 2772 2904 e1e3e595e4f5eab5fa3631e4ed261c6728b64b6fe987697a8491c9e1b65a15ef.exe 30 PID 2904 wrote to memory of 2772 2904 e1e3e595e4f5eab5fa3631e4ed261c6728b64b6fe987697a8491c9e1b65a15ef.exe 30 PID 2904 wrote to memory of 2772 2904 e1e3e595e4f5eab5fa3631e4ed261c6728b64b6fe987697a8491c9e1b65a15ef.exe 30 PID 2772 wrote to memory of 2940 2772 Elieipej.exe 31 PID 2772 wrote to memory of 2940 2772 Elieipej.exe 31 PID 2772 wrote to memory of 2940 2772 Elieipej.exe 31 PID 2772 wrote to memory of 2940 2772 Elieipej.exe 31 PID 2940 wrote to memory of 2840 2940 Fnjnkkbk.exe 32 PID 2940 wrote to memory of 2840 2940 Fnjnkkbk.exe 32 PID 2940 wrote to memory of 2840 2940 Fnjnkkbk.exe 32 PID 2940 wrote to memory of 2840 2940 Fnjnkkbk.exe 32 PID 2840 wrote to memory of 2476 2840 Fakglf32.exe 33 PID 2840 wrote to memory of 2476 2840 Fakglf32.exe 33 PID 2840 wrote to memory of 2476 2840 Fakglf32.exe 33 PID 2840 wrote to memory of 2476 2840 Fakglf32.exe 33 PID 2476 wrote to memory of 436 2476 Ffjljmla.exe 34 PID 2476 wrote to memory of 436 2476 Ffjljmla.exe 34 PID 2476 wrote to memory of 436 2476 Ffjljmla.exe 34 PID 2476 wrote to memory of 436 2476 Ffjljmla.exe 34 PID 436 wrote to memory of 2392 436 Fikelhib.exe 35 PID 436 wrote to memory of 2392 436 Fikelhib.exe 35 PID 436 wrote to memory of 2392 436 Fikelhib.exe 35 PID 436 wrote to memory of 2392 436 Fikelhib.exe 35 PID 2392 wrote to memory of 2564 2392 Gfoeel32.exe 36 PID 2392 wrote to memory of 2564 2392 Gfoeel32.exe 36 PID 2392 wrote to memory of 2564 2392 Gfoeel32.exe 36 PID 2392 wrote to memory of 2564 2392 Gfoeel32.exe 36 PID 2564 wrote to memory of 2156 2564 Gmkjgfmf.exe 37 PID 2564 wrote to memory of 2156 2564 Gmkjgfmf.exe 37 PID 2564 wrote to memory of 2156 2564 Gmkjgfmf.exe 37 PID 2564 wrote to memory of 2156 2564 Gmkjgfmf.exe 37 PID 2156 wrote to memory of 2704 2156 Gfcopl32.exe 38 PID 2156 wrote to memory of 2704 2156 Gfcopl32.exe 38 PID 2156 wrote to memory of 2704 2156 Gfcopl32.exe 38 PID 2156 wrote to memory of 2704 2156 Gfcopl32.exe 38 PID 2704 wrote to memory of 2972 2704 Gidhbgag.exe 39 PID 2704 wrote to memory of 2972 2704 Gidhbgag.exe 39 PID 2704 wrote to memory of 2972 2704 Gidhbgag.exe 39 PID 2704 wrote to memory of 2972 2704 Gidhbgag.exe 39 PID 2972 wrote to memory of 2296 2972 Gdnibdmf.exe 40 PID 2972 wrote to memory of 2296 2972 Gdnibdmf.exe 40 PID 2972 wrote to memory of 2296 2972 Gdnibdmf.exe 40 PID 2972 wrote to memory of 2296 2972 Gdnibdmf.exe 40 PID 2296 wrote to memory of 3040 2296 Hememgdi.exe 41 PID 2296 wrote to memory of 3040 2296 Hememgdi.exe 41 PID 2296 wrote to memory of 3040 2296 Hememgdi.exe 41 PID 2296 wrote to memory of 3040 2296 Hememgdi.exe 41 PID 3040 wrote to memory of 1932 3040 Hmijajbd.exe 42 PID 3040 wrote to memory of 1932 3040 Hmijajbd.exe 42 PID 3040 wrote to memory of 1932 3040 Hmijajbd.exe 42 PID 3040 wrote to memory of 1932 3040 Hmijajbd.exe 42 PID 1932 wrote to memory of 1944 1932 Hchoop32.exe 43 PID 1932 wrote to memory of 1944 1932 Hchoop32.exe 43 PID 1932 wrote to memory of 1944 1932 Hchoop32.exe 43 PID 1932 wrote to memory of 1944 1932 Hchoop32.exe 43 PID 1944 wrote to memory of 2428 1944 Hehhqk32.exe 44 PID 1944 wrote to memory of 2428 1944 Hehhqk32.exe 44 PID 1944 wrote to memory of 2428 1944 Hehhqk32.exe 44 PID 1944 wrote to memory of 2428 1944 Hehhqk32.exe 44 PID 2428 wrote to memory of 620 2428 Hclhjpjc.exe 45 PID 2428 wrote to memory of 620 2428 Hclhjpjc.exe 45 PID 2428 wrote to memory of 620 2428 Hclhjpjc.exe 45 PID 2428 wrote to memory of 620 2428 Hclhjpjc.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\e1e3e595e4f5eab5fa3631e4ed261c6728b64b6fe987697a8491c9e1b65a15ef.exe"C:\Users\Admin\AppData\Local\Temp\e1e3e595e4f5eab5fa3631e4ed261c6728b64b6fe987697a8491c9e1b65a15ef.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2904 -
C:\Windows\SysWOW64\Elieipej.exeC:\Windows\system32\Elieipej.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2772 -
C:\Windows\SysWOW64\Fnjnkkbk.exeC:\Windows\system32\Fnjnkkbk.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2940 -
C:\Windows\SysWOW64\Fakglf32.exeC:\Windows\system32\Fakglf32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2840 -
C:\Windows\SysWOW64\Ffjljmla.exeC:\Windows\system32\Ffjljmla.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2476 -
C:\Windows\SysWOW64\Fikelhib.exeC:\Windows\system32\Fikelhib.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:436 -
C:\Windows\SysWOW64\Gfoeel32.exeC:\Windows\system32\Gfoeel32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2392 -
C:\Windows\SysWOW64\Gmkjgfmf.exeC:\Windows\system32\Gmkjgfmf.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2564 -
C:\Windows\SysWOW64\Gfcopl32.exeC:\Windows\system32\Gfcopl32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2156 -
C:\Windows\SysWOW64\Gidhbgag.exeC:\Windows\system32\Gidhbgag.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2704 -
C:\Windows\SysWOW64\Gdnibdmf.exeC:\Windows\system32\Gdnibdmf.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2972 -
C:\Windows\SysWOW64\Hememgdi.exeC:\Windows\system32\Hememgdi.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2296 -
C:\Windows\SysWOW64\Hmijajbd.exeC:\Windows\system32\Hmijajbd.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3040 -
C:\Windows\SysWOW64\Hchoop32.exeC:\Windows\system32\Hchoop32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1932 -
C:\Windows\SysWOW64\Hehhqk32.exeC:\Windows\system32\Hehhqk32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1944 -
C:\Windows\SysWOW64\Hclhjpjc.exeC:\Windows\system32\Hclhjpjc.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2428 -
C:\Windows\SysWOW64\Iaaekl32.exeC:\Windows\system32\Iaaekl32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:620 -
C:\Windows\SysWOW64\Iadbqlmh.exeC:\Windows\system32\Iadbqlmh.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1680 -
C:\Windows\SysWOW64\Iafofkkf.exeC:\Windows\system32\Iafofkkf.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2620 -
C:\Windows\SysWOW64\Iojopp32.exeC:\Windows\system32\Iojopp32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1860 -
C:\Windows\SysWOW64\Ihbdhepp.exeC:\Windows\system32\Ihbdhepp.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1780 -
C:\Windows\SysWOW64\Jcleiclo.exeC:\Windows\system32\Jcleiclo.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1684 -
C:\Windows\SysWOW64\Jcoanb32.exeC:\Windows\system32\Jcoanb32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:900 -
C:\Windows\SysWOW64\Joebccpp.exeC:\Windows\system32\Joebccpp.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2364 -
C:\Windows\SysWOW64\Jinfli32.exeC:\Windows\system32\Jinfli32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2492 -
C:\Windows\SysWOW64\Jfagemej.exeC:\Windows\system32\Jfagemej.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1980 -
C:\Windows\SysWOW64\Jbhhkn32.exeC:\Windows\system32\Jbhhkn32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2120 -
C:\Windows\SysWOW64\Knohpo32.exeC:\Windows\system32\Knohpo32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2896 -
C:\Windows\SysWOW64\Kigibh32.exeC:\Windows\system32\Kigibh32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2852 -
C:\Windows\SysWOW64\Kbpnkm32.exeC:\Windows\system32\Kbpnkm32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2500 -
C:\Windows\SysWOW64\Klhbdclg.exeC:\Windows\system32\Klhbdclg.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2656 -
C:\Windows\SysWOW64\Kepgmh32.exeC:\Windows\system32\Kepgmh32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2208 -
C:\Windows\SysWOW64\Lcedne32.exeC:\Windows\system32\Lcedne32.exe33⤵
- Executes dropped EXE
PID:1952 -
C:\Windows\SysWOW64\Laidgi32.exeC:\Windows\system32\Laidgi32.exe34⤵
- Executes dropped EXE
PID:2844 -
C:\Windows\SysWOW64\Ldjmidcj.exeC:\Windows\system32\Ldjmidcj.exe35⤵
- Executes dropped EXE
PID:2060 -
C:\Windows\SysWOW64\Ligfakaa.exeC:\Windows\system32\Ligfakaa.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:2196 -
C:\Windows\SysWOW64\Llhocfnb.exeC:\Windows\system32\Llhocfnb.exe37⤵
- Executes dropped EXE
PID:2456 -
C:\Windows\SysWOW64\Lpckce32.exeC:\Windows\system32\Lpckce32.exe38⤵
- Executes dropped EXE
PID:2960 -
C:\Windows\SysWOW64\Magdam32.exeC:\Windows\system32\Magdam32.exe39⤵
- Executes dropped EXE
PID:716 -
C:\Windows\SysWOW64\Mheeif32.exeC:\Windows\system32\Mheeif32.exe40⤵
- Executes dropped EXE
PID:548 -
C:\Windows\SysWOW64\Miiofn32.exeC:\Windows\system32\Miiofn32.exe41⤵
- Executes dropped EXE
PID:2384 -
C:\Windows\SysWOW64\Nljhhi32.exeC:\Windows\system32\Nljhhi32.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2056 -
C:\Windows\SysWOW64\Ngoleb32.exeC:\Windows\system32\Ngoleb32.exe43⤵
- Executes dropped EXE
PID:1720 -
C:\Windows\SysWOW64\Nhqhmj32.exeC:\Windows\system32\Nhqhmj32.exe44⤵
- Executes dropped EXE
PID:1868 -
C:\Windows\SysWOW64\Naimepkp.exeC:\Windows\system32\Naimepkp.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1540 -
C:\Windows\SysWOW64\Nakikpin.exeC:\Windows\system32\Nakikpin.exe46⤵
- Executes dropped EXE
PID:1552 -
C:\Windows\SysWOW64\Nkdndeon.exeC:\Windows\system32\Nkdndeon.exe47⤵
- Executes dropped EXE
PID:2332 -
C:\Windows\SysWOW64\Ndlbmk32.exeC:\Windows\system32\Ndlbmk32.exe48⤵
- Executes dropped EXE
PID:1812 -
C:\Windows\SysWOW64\Oapcfo32.exeC:\Windows\system32\Oapcfo32.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1764 -
C:\Windows\SysWOW64\Ogmkne32.exeC:\Windows\system32\Ogmkne32.exe50⤵
- Executes dropped EXE
PID:1828 -
C:\Windows\SysWOW64\Ongckp32.exeC:\Windows\system32\Ongckp32.exe51⤵
- Executes dropped EXE
PID:1328 -
C:\Windows\SysWOW64\Oqepgk32.exeC:\Windows\system32\Oqepgk32.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:2876 -
C:\Windows\SysWOW64\Occlcg32.exeC:\Windows\system32\Occlcg32.exe53⤵
- Executes dropped EXE
PID:2112 -
C:\Windows\SysWOW64\Onipqp32.exeC:\Windows\system32\Onipqp32.exe54⤵
- Executes dropped EXE
PID:664 -
C:\Windows\SysWOW64\Onkmfofg.exeC:\Windows\system32\Onkmfofg.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:2520 -
C:\Windows\SysWOW64\Ogdaod32.exeC:\Windows\system32\Ogdaod32.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2640 -
C:\Windows\SysWOW64\Oqlfhjch.exeC:\Windows\system32\Oqlfhjch.exe57⤵
- Executes dropped EXE
PID:2152 -
C:\Windows\SysWOW64\Ockbdebl.exeC:\Windows\system32\Ockbdebl.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2304 -
C:\Windows\SysWOW64\Pmcgmkil.exeC:\Windows\system32\Pmcgmkil.exe59⤵
- Executes dropped EXE
PID:2176 -
C:\Windows\SysWOW64\Pcmoie32.exeC:\Windows\system32\Pcmoie32.exe60⤵
- Executes dropped EXE
PID:3004 -
C:\Windows\SysWOW64\Pbpoebgc.exeC:\Windows\system32\Pbpoebgc.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:2448 -
C:\Windows\SysWOW64\Pnfpjc32.exeC:\Windows\system32\Pnfpjc32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2160 -
C:\Windows\SysWOW64\Pildgl32.exeC:\Windows\system32\Pildgl32.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2128 -
C:\Windows\SysWOW64\Pgodcich.exeC:\Windows\system32\Pgodcich.exe64⤵
- Executes dropped EXE
PID:2592 -
C:\Windows\SysWOW64\Pnimpcke.exeC:\Windows\system32\Pnimpcke.exe65⤵
- Executes dropped EXE
PID:2616 -
C:\Windows\SysWOW64\Pecelm32.exeC:\Windows\system32\Pecelm32.exe66⤵PID:956
-
C:\Windows\SysWOW64\Pgaahh32.exeC:\Windows\system32\Pgaahh32.exe67⤵
- Drops file in System32 directory
- Modifies registry class
PID:1348 -
C:\Windows\SysWOW64\Pajeanhf.exeC:\Windows\system32\Pajeanhf.exe68⤵PID:2600
-
C:\Windows\SysWOW64\Pgcnnh32.exeC:\Windows\system32\Pgcnnh32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3024 -
C:\Windows\SysWOW64\Pjbjjc32.exeC:\Windows\system32\Pjbjjc32.exe70⤵PID:1996
-
C:\Windows\SysWOW64\Palbgn32.exeC:\Windows\system32\Palbgn32.exe71⤵PID:2948
-
C:\Windows\SysWOW64\Qfikod32.exeC:\Windows\system32\Qfikod32.exe72⤵PID:1712
-
C:\Windows\SysWOW64\Qpaohjkk.exeC:\Windows\system32\Qpaohjkk.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2956 -
C:\Windows\SysWOW64\Qfkgdd32.exeC:\Windows\system32\Qfkgdd32.exe74⤵PID:2780
-
C:\Windows\SysWOW64\Abbhje32.exeC:\Windows\system32\Abbhje32.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:396 -
C:\Windows\SysWOW64\Ailqfooi.exeC:\Windows\system32\Ailqfooi.exe76⤵PID:1092
-
C:\Windows\SysWOW64\Abdeoe32.exeC:\Windows\system32\Abdeoe32.exe77⤵PID:600
-
C:\Windows\SysWOW64\Aebakp32.exeC:\Windows\system32\Aebakp32.exe78⤵PID:2280
-
C:\Windows\SysWOW64\Ainmlomf.exeC:\Windows\system32\Ainmlomf.exe79⤵
- System Location Discovery: System Language Discovery
PID:2768 -
C:\Windows\SysWOW64\Aphehidc.exeC:\Windows\system32\Aphehidc.exe80⤵PID:1392
-
C:\Windows\SysWOW64\Afbnec32.exeC:\Windows\system32\Afbnec32.exe81⤵PID:756
-
C:\Windows\SysWOW64\Aiqjao32.exeC:\Windows\system32\Aiqjao32.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2376 -
C:\Windows\SysWOW64\Abinjdad.exeC:\Windows\system32\Abinjdad.exe83⤵
- Modifies registry class
PID:888 -
C:\Windows\SysWOW64\Aegkfpah.exeC:\Windows\system32\Aegkfpah.exe84⤵PID:1568
-
C:\Windows\SysWOW64\Ajdcofop.exeC:\Windows\system32\Ajdcofop.exe85⤵PID:2328
-
C:\Windows\SysWOW64\Ahhchk32.exeC:\Windows\system32\Ahhchk32.exe86⤵PID:1288
-
C:\Windows\SysWOW64\Beldao32.exeC:\Windows\system32\Beldao32.exe87⤵PID:1032
-
C:\Windows\SysWOW64\Bhjpnj32.exeC:\Windows\system32\Bhjpnj32.exe88⤵PID:2184
-
C:\Windows\SysWOW64\Bodhjdcc.exeC:\Windows\system32\Bodhjdcc.exe89⤵PID:2248
-
C:\Windows\SysWOW64\Bpfebmia.exeC:\Windows\system32\Bpfebmia.exe90⤵PID:3052
-
C:\Windows\SysWOW64\Baealp32.exeC:\Windows\system32\Baealp32.exe91⤵PID:2676
-
C:\Windows\SysWOW64\Biqfpb32.exeC:\Windows\system32\Biqfpb32.exe92⤵PID:952
-
C:\Windows\SysWOW64\Bopknhjd.exeC:\Windows\system32\Bopknhjd.exe93⤵PID:2472
-
C:\Windows\SysWOW64\Ceickb32.exeC:\Windows\system32\Ceickb32.exe94⤵
- Drops file in System32 directory
- Modifies registry class
PID:2516 -
C:\Windows\SysWOW64\Celpqbon.exeC:\Windows\system32\Celpqbon.exe95⤵PID:2764
-
C:\Windows\SysWOW64\Clfhml32.exeC:\Windows\system32\Clfhml32.exe96⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1544 -
C:\Windows\SysWOW64\Cenmfbml.exeC:\Windows\system32\Cenmfbml.exe97⤵PID:2416
-
C:\Windows\SysWOW64\Ckkenikc.exeC:\Windows\system32\Ckkenikc.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1624 -
C:\Windows\SysWOW64\Cnlnpd32.exeC:\Windows\system32\Cnlnpd32.exe99⤵PID:1352
-
C:\Windows\SysWOW64\Cgdciiod.exeC:\Windows\system32\Cgdciiod.exe100⤵PID:1660
-
C:\Windows\SysWOW64\Dgfpni32.exeC:\Windows\system32\Dgfpni32.exe101⤵PID:2256
-
C:\Windows\SysWOW64\Djeljd32.exeC:\Windows\system32\Djeljd32.exe102⤵PID:2912
-
C:\Windows\SysWOW64\Dcmpcjcf.exeC:\Windows\system32\Dcmpcjcf.exe103⤵
- Modifies registry class
PID:1576 -
C:\Windows\SysWOW64\Dncdqcbl.exeC:\Windows\system32\Dncdqcbl.exe104⤵PID:2688
-
C:\Windows\SysWOW64\Dhleaq32.exeC:\Windows\system32\Dhleaq32.exe105⤵PID:2864
-
C:\Windows\SysWOW64\Dofnnkfg.exeC:\Windows\system32\Dofnnkfg.exe106⤵
- Modifies registry class
PID:2680 -
C:\Windows\SysWOW64\Djlbkcfn.exeC:\Windows\system32\Djlbkcfn.exe107⤵
- Drops file in System32 directory
PID:2132 -
C:\Windows\SysWOW64\Dljngoea.exeC:\Windows\system32\Dljngoea.exe108⤵PID:2444
-
C:\Windows\SysWOW64\Dbggpfci.exeC:\Windows\system32\Dbggpfci.exe109⤵
- Drops file in System32 directory
PID:2584 -
C:\Windows\SysWOW64\Ehaolpke.exeC:\Windows\system32\Ehaolpke.exe110⤵PID:2032
-
C:\Windows\SysWOW64\Edhpaa32.exeC:\Windows\system32\Edhpaa32.exe111⤵
- Drops file in System32 directory
PID:2504 -
C:\Windows\SysWOW64\Egflml32.exeC:\Windows\system32\Egflml32.exe112⤵PID:1756
-
C:\Windows\SysWOW64\Ehfhgogp.exeC:\Windows\system32\Ehfhgogp.exe113⤵PID:296
-
C:\Windows\SysWOW64\Enbapf32.exeC:\Windows\system32\Enbapf32.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1728 -
C:\Windows\SysWOW64\Edmilpld.exeC:\Windows\system32\Edmilpld.exe115⤵PID:1292
-
C:\Windows\SysWOW64\Fphgbn32.exeC:\Windows\system32\Fphgbn32.exe116⤵PID:2756
-
C:\Windows\SysWOW64\Fladmn32.exeC:\Windows\system32\Fladmn32.exe117⤵
- Drops file in System32 directory
PID:2148 -
C:\Windows\SysWOW64\Felekcop.exeC:\Windows\system32\Felekcop.exe118⤵PID:1716
-
C:\Windows\SysWOW64\Geaofc32.exeC:\Windows\system32\Geaofc32.exe119⤵PID:2572
-
C:\Windows\SysWOW64\Gmlckehe.exeC:\Windows\system32\Gmlckehe.exe120⤵PID:2344
-
C:\Windows\SysWOW64\Ghbhhnhk.exeC:\Windows\system32\Ghbhhnhk.exe121⤵PID:2028
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-