Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
13/10/2024, 15:31
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
67a042a4a600ae8c0c42e1d8963e1dc2f49f3b6c86154a3016448a6da77d5389N.exe
Resource
win7-20240903-en
windows7-x64
9 signatures
120 seconds
Behavioral task
behavioral2
Sample
67a042a4a600ae8c0c42e1d8963e1dc2f49f3b6c86154a3016448a6da77d5389N.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
8 signatures
120 seconds
General
-
Target
67a042a4a600ae8c0c42e1d8963e1dc2f49f3b6c86154a3016448a6da77d5389N.exe
-
Size
96KB
-
MD5
9068818aa14b14081606357817eed1f0
-
SHA1
819ef002ddc141a89cfaf38189ed3084a45f2b3b
-
SHA256
67a042a4a600ae8c0c42e1d8963e1dc2f49f3b6c86154a3016448a6da77d5389
-
SHA512
321e77425bd9ccf00d00975fb99b70c4defd27cfad7832ff240d6d685709649be0fe95453af028862eabdd47d08db940b5ebb36aa1ee5a65e25447147ef311d4
-
SSDEEP
1536:gyNQzLfbFbHPfjXNJJlzzBnMNe9MbinV39+ChnSdFFn7Elz45zFV3zMetM:LNQfbVHzXNJd+AMbqV39ThSdn7Elz45Q
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://master-x.com/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://crutop.ru/index.php
http://kaspersky.ru/index.php
http://color-bank.ru/index.php
http://adult-empire.com/index.php
http://virus-list.com/index.php
http://trojan.ru/index.php
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://fethard.biz/index.htm
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://kaspersky.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bcpgdhpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cnnnnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jdnmma32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kffldlne.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpnmgdli.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mqnifg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pgnjde32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgclio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Plgolf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Akabgebj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjpaop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jgabdlfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Achjibcl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fqfemqod.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmoofdea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bqlfaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mmicfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pphkbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfphcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Idgglb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llgjaeoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmmeon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" 67a042a4a600ae8c0c42e1d8963e1dc2f49f3b6c86154a3016448a6da77d5389N.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ooabmbbe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kaajei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Biaign32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmalldcn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnomjl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obhdcanc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pebpkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Amohfo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Biaign32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eoiiijcc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkpjnkig.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oadkej32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgaebe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjlheehe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfeepelg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmalldcn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbaaik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkpeci32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elipgofb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eeaepd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlkngc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhdlad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Doecog32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eiekpd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpgjgboe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qgmfchei.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phhjblpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmjqpdje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nncbdomg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjpaop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjonncab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Clojhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cnmfdb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbjmpcab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jaoqqflp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmojkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Diaaeepi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npjlhcmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjbndpmd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dejbqb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Caifjn32.exe -
Executes dropped EXE 64 IoCs
pid Process 2056 Nfnneb32.exe 2100 Ohojmjep.exe 2472 Olkfmi32.exe 2804 Oeckfndj.exe 2480 Okpcoe32.exe 2952 Oeehln32.exe 2608 Ohcdhi32.exe 2872 Omqlpp32.exe 1636 Odjdmjgo.exe 584 Ogiaif32.exe 1208 Omcifpnp.exe 1716 Okgjodmi.exe 1056 Omefkplm.exe 2684 Pgnjde32.exe 2636 Pilfpqaa.exe 844 Pdakniag.exe 408 Pgpgjepk.exe 2224 Pincfpoo.exe 1232 Plmpblnb.exe 1928 Pphkbj32.exe 2864 Pgbdodnh.exe 968 Peedka32.exe 2464 Phcpgm32.exe 3068 Pegqpacp.exe 1860 Phfmllbd.exe 2096 Phhjblpa.exe 2400 Qkffng32.exe 2820 Qnebjc32.exe 2816 Qhjfgl32.exe 2884 Qgmfchei.exe 1724 Qqfkln32.exe 2172 Agpcihcf.exe 812 Adcdbl32.exe 1492 Agbpnh32.exe 1736 Amohfo32.exe 1692 Adfqgl32.exe 1712 Agdmdg32.exe 1380 Amaelomh.exe 2300 Ackmih32.exe 2416 Afjjed32.exe 1008 Aqonbm32.exe 2948 Aobnniji.exe 612 Acnjnh32.exe 2240 Akiobk32.exe 1648 Bcpgdhpp.exe 1980 Bmhkmm32.exe 2064 Bkklhjnk.exe 1588 Bnihdemo.exe 2088 Bbeded32.exe 2160 Becpap32.exe 2848 Biolanld.exe 2756 Bkmhnjlh.exe 2652 Bnldjekl.exe 2660 Bajqfq32.exe 2144 Befmfpbi.exe 2028 Biaign32.exe 1708 Bkpeci32.exe 1968 Bbjmpcab.exe 2168 Bammlq32.exe 2236 Behilopf.exe 2488 Bgffhkoj.exe 1140 Bjebdfnn.exe 1000 Bmcnqama.exe 2436 Baojapfj.exe -
Loads dropped DLL 64 IoCs
pid Process 2548 67a042a4a600ae8c0c42e1d8963e1dc2f49f3b6c86154a3016448a6da77d5389N.exe 2548 67a042a4a600ae8c0c42e1d8963e1dc2f49f3b6c86154a3016448a6da77d5389N.exe 2056 Nfnneb32.exe 2056 Nfnneb32.exe 2100 Ohojmjep.exe 2100 Ohojmjep.exe 2472 Olkfmi32.exe 2472 Olkfmi32.exe 2804 Oeckfndj.exe 2804 Oeckfndj.exe 2480 Okpcoe32.exe 2480 Okpcoe32.exe 2952 Oeehln32.exe 2952 Oeehln32.exe 2608 Ohcdhi32.exe 2608 Ohcdhi32.exe 2872 Omqlpp32.exe 2872 Omqlpp32.exe 1636 Odjdmjgo.exe 1636 Odjdmjgo.exe 584 Ogiaif32.exe 584 Ogiaif32.exe 1208 Omcifpnp.exe 1208 Omcifpnp.exe 1716 Okgjodmi.exe 1716 Okgjodmi.exe 1056 Omefkplm.exe 1056 Omefkplm.exe 2684 Pgnjde32.exe 2684 Pgnjde32.exe 2636 Pilfpqaa.exe 2636 Pilfpqaa.exe 844 Pdakniag.exe 844 Pdakniag.exe 408 Pgpgjepk.exe 408 Pgpgjepk.exe 2224 Pincfpoo.exe 2224 Pincfpoo.exe 1232 Plmpblnb.exe 1232 Plmpblnb.exe 1928 Pphkbj32.exe 1928 Pphkbj32.exe 2864 Pgbdodnh.exe 2864 Pgbdodnh.exe 968 Peedka32.exe 968 Peedka32.exe 2464 Phcpgm32.exe 2464 Phcpgm32.exe 3068 Pegqpacp.exe 3068 Pegqpacp.exe 2020 Pejmfqan.exe 2020 Pejmfqan.exe 2096 Phhjblpa.exe 2096 Phhjblpa.exe 2400 Qkffng32.exe 2400 Qkffng32.exe 2820 Qnebjc32.exe 2820 Qnebjc32.exe 2816 Qhjfgl32.exe 2816 Qhjfgl32.exe 2884 Qgmfchei.exe 2884 Qgmfchei.exe 1724 Qqfkln32.exe 1724 Qqfkln32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Fkfgkgmk.dll Pdakniag.exe File opened for modification C:\Windows\SysWOW64\Baojapfj.exe Bmcnqama.exe File opened for modification C:\Windows\SysWOW64\Cjgoje32.exe Bgibnj32.exe File created C:\Windows\SysWOW64\Knqcbd32.dll Mbcoio32.exe File created C:\Windows\SysWOW64\Oeopijom.dll Cgaaah32.exe File opened for modification C:\Windows\SysWOW64\Mdghaf32.exe Mbhlek32.exe File created C:\Windows\SysWOW64\Ocmbnbgf.dll Qgmfchei.exe File created C:\Windows\SysWOW64\Bmpcfg32.dll Afjjed32.exe File created C:\Windows\SysWOW64\Clmdmm32.exe Cmjdaqgi.exe File created C:\Windows\SysWOW64\Gjojef32.exe Gfcnegnk.exe File created C:\Windows\SysWOW64\Codfplej.dll Jkhejkcq.exe File created C:\Windows\SysWOW64\Knmdeioh.exe Kffldlne.exe File created C:\Windows\SysWOW64\Boadnkpf.dll Lhfefgkg.exe File created C:\Windows\SysWOW64\Opglafab.exe Oadkej32.exe File created C:\Windows\SysWOW64\Bdcifi32.exe Bmlael32.exe File created C:\Windows\SysWOW64\Pmiljc32.dll Djdgic32.exe File created C:\Windows\SysWOW64\Hoiaho32.dll Omqlpp32.exe File opened for modification C:\Windows\SysWOW64\Ccdmnj32.exe Clmdmm32.exe File opened for modification C:\Windows\SysWOW64\Kadfkhkf.exe Kjmnjkjd.exe File opened for modification C:\Windows\SysWOW64\Napbjjom.exe Nnafnopi.exe File opened for modification C:\Windows\SysWOW64\Odedge32.exe Oaghki32.exe File created C:\Windows\SysWOW64\Gdmdacnn.exe Gncldi32.exe File opened for modification C:\Windows\SysWOW64\Kdbbgdjj.exe Kadfkhkf.exe File opened for modification C:\Windows\SysWOW64\Pljlbf32.exe Pdbdqh32.exe File opened for modification C:\Windows\SysWOW64\Bkjdndjo.exe Bgoime32.exe File opened for modification C:\Windows\SysWOW64\Mmgfqh32.exe Mikjpiim.exe File created C:\Windows\SysWOW64\Mlbakl32.dll Pljlbf32.exe File opened for modification C:\Windows\SysWOW64\Becpap32.exe Bbeded32.exe File created C:\Windows\SysWOW64\Fqfemqod.exe Fjlmpfhg.exe File created C:\Windows\SysWOW64\Imokehhl.exe Ijqoilii.exe File opened for modification C:\Windows\SysWOW64\Qdncmgbj.exe Qlgkki32.exe File created C:\Windows\SysWOW64\Kfcgie32.dll Bkhhhd32.exe File opened for modification C:\Windows\SysWOW64\Bmlael32.exe Bniajoic.exe File created C:\Windows\SysWOW64\Maljaabb.dll Akiobk32.exe File opened for modification C:\Windows\SysWOW64\Gmmfaa32.exe Gjojef32.exe File created C:\Windows\SysWOW64\Eddmlhaq.dll Lfoojj32.exe File created C:\Windows\SysWOW64\Akfkbd32.exe Agjobffl.exe File created C:\Windows\SysWOW64\Gfikmo32.dll Bffbdadk.exe File created C:\Windows\SysWOW64\Qgmfchei.exe Qhjfgl32.exe File created C:\Windows\SysWOW64\Kikpibof.dll Biaign32.exe File opened for modification C:\Windows\SysWOW64\Ciaefa32.exe Cfcijf32.exe File created C:\Windows\SysWOW64\Jpbbmeon.dll Kjokokha.exe File created C:\Windows\SysWOW64\Fqliblhd.dll Olpilg32.exe File created C:\Windows\SysWOW64\Cepipm32.exe Cbblda32.exe File opened for modification C:\Windows\SysWOW64\Adcdbl32.exe Agpcihcf.exe File created C:\Windows\SysWOW64\Agdmdg32.exe Adfqgl32.exe File created C:\Windows\SysWOW64\Cfnoogbo.exe Ccpcckck.exe File created C:\Windows\SysWOW64\Hoilnidl.dll Fajbke32.exe File opened for modification C:\Windows\SysWOW64\Jimbkh32.exe Jeafjiop.exe File created C:\Windows\SysWOW64\Kbdjfk32.dll Pnbojmmp.exe File created C:\Windows\SysWOW64\Gmkame32.dll Bqijljfd.exe File opened for modification C:\Windows\SysWOW64\Dafmqb32.exe Dmjqpdje.exe File created C:\Windows\SysWOW64\Kdklfe32.exe Jampjian.exe File created C:\Windows\SysWOW64\Lboiol32.exe Loqmba32.exe File opened for modification C:\Windows\SysWOW64\Mqnifg32.exe Mnomjl32.exe File opened for modification C:\Windows\SysWOW64\Ohiffh32.exe Oekjjl32.exe File opened for modification C:\Windows\SysWOW64\Qgjccb32.exe Qdlggg32.exe File created C:\Windows\SysWOW64\Apedah32.exe Alihaioe.exe File created C:\Windows\SysWOW64\Qkffng32.exe Phhjblpa.exe File opened for modification C:\Windows\SysWOW64\Jbjpom32.exe Jkchmo32.exe File created C:\Windows\SysWOW64\Lnjcomcf.exe Lohccp32.exe File created C:\Windows\SysWOW64\Piicpk32.exe Oabkom32.exe File opened for modification C:\Windows\SysWOW64\Pdbdqh32.exe Pepcelel.exe File opened for modification C:\Windows\SysWOW64\Aqbdkk32.exe Aoagccfn.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 6100 6068 WerFault.exe 476 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Befmfpbi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eijdkcgn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gncldi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qdlggg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmlael32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cocphf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Clojhf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plmpblnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kocmim32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjfnomde.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfoghakb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmjqpdje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjkgjl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ecploipa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gneijien.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkcbnanl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfcijf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgigil32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkglnm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pepcelel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Achjibcl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Behilopf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhpemm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpoolael.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idkpganf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngealejo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chfbgn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Baojapfj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfphcj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Locjhqpa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odedge32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abmgjo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qqfkln32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amaelomh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbncjf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eelkeeah.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elipgofb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmkplgnq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojomdoof.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elkmmodo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdpjba32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdmhbplb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggicgopd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kaompi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjkhdacm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkigoimd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dafmqb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gonocmbi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpbdmo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlefhcnc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opglafab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhjlli32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmhkmm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kaajei32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmgfqh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Piicpk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnnnnh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfcnegnk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imokehhl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klbdgb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgchgb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mggabaea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfmndn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eeaepd32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID 67a042a4a600ae8c0c42e1d8963e1dc2f49f3b6c86154a3016448a6da77d5389N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpapdk32.dll" Adfqgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhlfoln.dll" Bgibnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbglcb32.dll" Lgchgb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pkjphcff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkppib32.dll" Aojabdlf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bnknoogp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Giqhcmil.dll" Ieajkfmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgokeion.dll" Imokehhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajhaomoi.dll" Lkjjma32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cmpgpond.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Agpcihcf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fgnadkic.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Olpilg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ohojmjep.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Olkfmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bnldjekl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Klpdaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbmnig32.dll" Bbmcibjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kdklfe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mbhlek32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aebmjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bqijljfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cjlheehe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Edibhmml.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gonocmbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gnaooi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cljoegei.dll" Lhpglecl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfibop32.dll" Pebpkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pmpbdm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bkhhhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fplheofl.dll" Eihgfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkkapd32.dll" Jajcdjca.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ljfapjbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mcckcbgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibkhnd32.dll" Phqmgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Alqnah32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bmlael32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pejmfqan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bammlq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mqnifg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qgmfchei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgkjaa32.dll" Aqonbm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcdhbgoc.dll" Clmdmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dbncjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkaohl32.dll" Gmpcgace.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Plgolf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfhpaf32.dll" Bajqfq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apmhbiaf.dll" Befmfpbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dejbqb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fnacpffh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gfcnegnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pepcelel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bgaebe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hoiaho32.dll" Omqlpp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Plmpblnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Plmpblnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bbjmpcab.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dlfgcl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fcnkhmdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aekeef32.dll" Gqdefddb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jbjpom32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lgchgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cgaaah32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2548 wrote to memory of 2056 2548 67a042a4a600ae8c0c42e1d8963e1dc2f49f3b6c86154a3016448a6da77d5389N.exe 30 PID 2548 wrote to memory of 2056 2548 67a042a4a600ae8c0c42e1d8963e1dc2f49f3b6c86154a3016448a6da77d5389N.exe 30 PID 2548 wrote to memory of 2056 2548 67a042a4a600ae8c0c42e1d8963e1dc2f49f3b6c86154a3016448a6da77d5389N.exe 30 PID 2548 wrote to memory of 2056 2548 67a042a4a600ae8c0c42e1d8963e1dc2f49f3b6c86154a3016448a6da77d5389N.exe 30 PID 2056 wrote to memory of 2100 2056 Nfnneb32.exe 31 PID 2056 wrote to memory of 2100 2056 Nfnneb32.exe 31 PID 2056 wrote to memory of 2100 2056 Nfnneb32.exe 31 PID 2056 wrote to memory of 2100 2056 Nfnneb32.exe 31 PID 2100 wrote to memory of 2472 2100 Ohojmjep.exe 32 PID 2100 wrote to memory of 2472 2100 Ohojmjep.exe 32 PID 2100 wrote to memory of 2472 2100 Ohojmjep.exe 32 PID 2100 wrote to memory of 2472 2100 Ohojmjep.exe 32 PID 2472 wrote to memory of 2804 2472 Olkfmi32.exe 33 PID 2472 wrote to memory of 2804 2472 Olkfmi32.exe 33 PID 2472 wrote to memory of 2804 2472 Olkfmi32.exe 33 PID 2472 wrote to memory of 2804 2472 Olkfmi32.exe 33 PID 2804 wrote to memory of 2480 2804 Oeckfndj.exe 34 PID 2804 wrote to memory of 2480 2804 Oeckfndj.exe 34 PID 2804 wrote to memory of 2480 2804 Oeckfndj.exe 34 PID 2804 wrote to memory of 2480 2804 Oeckfndj.exe 34 PID 2480 wrote to memory of 2952 2480 Okpcoe32.exe 35 PID 2480 wrote to memory of 2952 2480 Okpcoe32.exe 35 PID 2480 wrote to memory of 2952 2480 Okpcoe32.exe 35 PID 2480 wrote to memory of 2952 2480 Okpcoe32.exe 35 PID 2952 wrote to memory of 2608 2952 Oeehln32.exe 36 PID 2952 wrote to memory of 2608 2952 Oeehln32.exe 36 PID 2952 wrote to memory of 2608 2952 Oeehln32.exe 36 PID 2952 wrote to memory of 2608 2952 Oeehln32.exe 36 PID 2608 wrote to memory of 2872 2608 Ohcdhi32.exe 37 PID 2608 wrote to memory of 2872 2608 Ohcdhi32.exe 37 PID 2608 wrote to memory of 2872 2608 Ohcdhi32.exe 37 PID 2608 wrote to memory of 2872 2608 Ohcdhi32.exe 37 PID 2872 wrote to memory of 1636 2872 Omqlpp32.exe 38 PID 2872 wrote to memory of 1636 2872 Omqlpp32.exe 38 PID 2872 wrote to memory of 1636 2872 Omqlpp32.exe 38 PID 2872 wrote to memory of 1636 2872 Omqlpp32.exe 38 PID 1636 wrote to memory of 584 1636 Odjdmjgo.exe 39 PID 1636 wrote to memory of 584 1636 Odjdmjgo.exe 39 PID 1636 wrote to memory of 584 1636 Odjdmjgo.exe 39 PID 1636 wrote to memory of 584 1636 Odjdmjgo.exe 39 PID 584 wrote to memory of 1208 584 Ogiaif32.exe 40 PID 584 wrote to memory of 1208 584 Ogiaif32.exe 40 PID 584 wrote to memory of 1208 584 Ogiaif32.exe 40 PID 584 wrote to memory of 1208 584 Ogiaif32.exe 40 PID 1208 wrote to memory of 1716 1208 Omcifpnp.exe 41 PID 1208 wrote to memory of 1716 1208 Omcifpnp.exe 41 PID 1208 wrote to memory of 1716 1208 Omcifpnp.exe 41 PID 1208 wrote to memory of 1716 1208 Omcifpnp.exe 41 PID 1716 wrote to memory of 1056 1716 Okgjodmi.exe 42 PID 1716 wrote to memory of 1056 1716 Okgjodmi.exe 42 PID 1716 wrote to memory of 1056 1716 Okgjodmi.exe 42 PID 1716 wrote to memory of 1056 1716 Okgjodmi.exe 42 PID 1056 wrote to memory of 2684 1056 Omefkplm.exe 43 PID 1056 wrote to memory of 2684 1056 Omefkplm.exe 43 PID 1056 wrote to memory of 2684 1056 Omefkplm.exe 43 PID 1056 wrote to memory of 2684 1056 Omefkplm.exe 43 PID 2684 wrote to memory of 2636 2684 Pgnjde32.exe 44 PID 2684 wrote to memory of 2636 2684 Pgnjde32.exe 44 PID 2684 wrote to memory of 2636 2684 Pgnjde32.exe 44 PID 2684 wrote to memory of 2636 2684 Pgnjde32.exe 44 PID 2636 wrote to memory of 844 2636 Pilfpqaa.exe 45 PID 2636 wrote to memory of 844 2636 Pilfpqaa.exe 45 PID 2636 wrote to memory of 844 2636 Pilfpqaa.exe 45 PID 2636 wrote to memory of 844 2636 Pilfpqaa.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\67a042a4a600ae8c0c42e1d8963e1dc2f49f3b6c86154a3016448a6da77d5389N.exe"C:\Users\Admin\AppData\Local\Temp\67a042a4a600ae8c0c42e1d8963e1dc2f49f3b6c86154a3016448a6da77d5389N.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2548 -
C:\Windows\SysWOW64\Nfnneb32.exeC:\Windows\system32\Nfnneb32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2056 -
C:\Windows\SysWOW64\Ohojmjep.exeC:\Windows\system32\Ohojmjep.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2100 -
C:\Windows\SysWOW64\Olkfmi32.exeC:\Windows\system32\Olkfmi32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2472 -
C:\Windows\SysWOW64\Oeckfndj.exeC:\Windows\system32\Oeckfndj.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2804 -
C:\Windows\SysWOW64\Okpcoe32.exeC:\Windows\system32\Okpcoe32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2480 -
C:\Windows\SysWOW64\Oeehln32.exeC:\Windows\system32\Oeehln32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2952 -
C:\Windows\SysWOW64\Ohcdhi32.exeC:\Windows\system32\Ohcdhi32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2608 -
C:\Windows\SysWOW64\Omqlpp32.exeC:\Windows\system32\Omqlpp32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2872 -
C:\Windows\SysWOW64\Odjdmjgo.exeC:\Windows\system32\Odjdmjgo.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1636 -
C:\Windows\SysWOW64\Ogiaif32.exeC:\Windows\system32\Ogiaif32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:584 -
C:\Windows\SysWOW64\Omcifpnp.exeC:\Windows\system32\Omcifpnp.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1208 -
C:\Windows\SysWOW64\Okgjodmi.exeC:\Windows\system32\Okgjodmi.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1716 -
C:\Windows\SysWOW64\Omefkplm.exeC:\Windows\system32\Omefkplm.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1056 -
C:\Windows\SysWOW64\Pgnjde32.exeC:\Windows\system32\Pgnjde32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2684 -
C:\Windows\SysWOW64\Pilfpqaa.exeC:\Windows\system32\Pilfpqaa.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2636 -
C:\Windows\SysWOW64\Pdakniag.exeC:\Windows\system32\Pdakniag.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:844 -
C:\Windows\SysWOW64\Pgpgjepk.exeC:\Windows\system32\Pgpgjepk.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:408 -
C:\Windows\SysWOW64\Pincfpoo.exeC:\Windows\system32\Pincfpoo.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2224 -
C:\Windows\SysWOW64\Plmpblnb.exeC:\Windows\system32\Plmpblnb.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1232 -
C:\Windows\SysWOW64\Pphkbj32.exeC:\Windows\system32\Pphkbj32.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1928 -
C:\Windows\SysWOW64\Pgbdodnh.exeC:\Windows\system32\Pgbdodnh.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2864 -
C:\Windows\SysWOW64\Peedka32.exeC:\Windows\system32\Peedka32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:968 -
C:\Windows\SysWOW64\Phcpgm32.exeC:\Windows\system32\Phcpgm32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2464 -
C:\Windows\SysWOW64\Pegqpacp.exeC:\Windows\system32\Pegqpacp.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3068 -
C:\Windows\SysWOW64\Phfmllbd.exeC:\Windows\system32\Phfmllbd.exe26⤵
- Executes dropped EXE
PID:1860 -
C:\Windows\SysWOW64\Pejmfqan.exeC:\Windows\system32\Pejmfqan.exe27⤵
- Loads dropped DLL
- Modifies registry class
PID:2020 -
C:\Windows\SysWOW64\Phhjblpa.exeC:\Windows\system32\Phhjblpa.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2096 -
C:\Windows\SysWOW64\Qkffng32.exeC:\Windows\system32\Qkffng32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2400 -
C:\Windows\SysWOW64\Qnebjc32.exeC:\Windows\system32\Qnebjc32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2820 -
C:\Windows\SysWOW64\Qhjfgl32.exeC:\Windows\system32\Qhjfgl32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2816 -
C:\Windows\SysWOW64\Qgmfchei.exeC:\Windows\system32\Qgmfchei.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2884 -
C:\Windows\SysWOW64\Qqfkln32.exeC:\Windows\system32\Qqfkln32.exe33⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1724 -
C:\Windows\SysWOW64\Agpcihcf.exeC:\Windows\system32\Agpcihcf.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2172 -
C:\Windows\SysWOW64\Adcdbl32.exeC:\Windows\system32\Adcdbl32.exe35⤵
- Executes dropped EXE
PID:812 -
C:\Windows\SysWOW64\Agbpnh32.exeC:\Windows\system32\Agbpnh32.exe36⤵
- Executes dropped EXE
PID:1492 -
C:\Windows\SysWOW64\Amohfo32.exeC:\Windows\system32\Amohfo32.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1736 -
C:\Windows\SysWOW64\Adfqgl32.exeC:\Windows\system32\Adfqgl32.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1692 -
C:\Windows\SysWOW64\Agdmdg32.exeC:\Windows\system32\Agdmdg32.exe39⤵
- Executes dropped EXE
PID:1712 -
C:\Windows\SysWOW64\Amaelomh.exeC:\Windows\system32\Amaelomh.exe40⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1380 -
C:\Windows\SysWOW64\Ackmih32.exeC:\Windows\system32\Ackmih32.exe41⤵
- Executes dropped EXE
PID:2300 -
C:\Windows\SysWOW64\Afjjed32.exeC:\Windows\system32\Afjjed32.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2416 -
C:\Windows\SysWOW64\Aqonbm32.exeC:\Windows\system32\Aqonbm32.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:1008 -
C:\Windows\SysWOW64\Aobnniji.exeC:\Windows\system32\Aobnniji.exe44⤵
- Executes dropped EXE
PID:2948 -
C:\Windows\SysWOW64\Acnjnh32.exeC:\Windows\system32\Acnjnh32.exe45⤵
- Executes dropped EXE
PID:612 -
C:\Windows\SysWOW64\Akiobk32.exeC:\Windows\system32\Akiobk32.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2240 -
C:\Windows\SysWOW64\Bcpgdhpp.exeC:\Windows\system32\Bcpgdhpp.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1648 -
C:\Windows\SysWOW64\Bmhkmm32.exeC:\Windows\system32\Bmhkmm32.exe48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1980 -
C:\Windows\SysWOW64\Bkklhjnk.exeC:\Windows\system32\Bkklhjnk.exe49⤵
- Executes dropped EXE
PID:2064 -
C:\Windows\SysWOW64\Bnihdemo.exeC:\Windows\system32\Bnihdemo.exe50⤵
- Executes dropped EXE
PID:1588 -
C:\Windows\SysWOW64\Bbeded32.exeC:\Windows\system32\Bbeded32.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2088 -
C:\Windows\SysWOW64\Becpap32.exeC:\Windows\system32\Becpap32.exe52⤵
- Executes dropped EXE
PID:2160 -
C:\Windows\SysWOW64\Biolanld.exeC:\Windows\system32\Biolanld.exe53⤵
- Executes dropped EXE
PID:2848 -
C:\Windows\SysWOW64\Bkmhnjlh.exeC:\Windows\system32\Bkmhnjlh.exe54⤵
- Executes dropped EXE
PID:2756 -
C:\Windows\SysWOW64\Bnldjekl.exeC:\Windows\system32\Bnldjekl.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:2652 -
C:\Windows\SysWOW64\Bajqfq32.exeC:\Windows\system32\Bajqfq32.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:2660 -
C:\Windows\SysWOW64\Befmfpbi.exeC:\Windows\system32\Befmfpbi.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2144 -
C:\Windows\SysWOW64\Biaign32.exeC:\Windows\system32\Biaign32.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2028 -
C:\Windows\SysWOW64\Bkpeci32.exeC:\Windows\system32\Bkpeci32.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1708 -
C:\Windows\SysWOW64\Bbjmpcab.exeC:\Windows\system32\Bbjmpcab.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1968 -
C:\Windows\SysWOW64\Bammlq32.exeC:\Windows\system32\Bammlq32.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:2168 -
C:\Windows\SysWOW64\Behilopf.exeC:\Windows\system32\Behilopf.exe62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2236 -
C:\Windows\SysWOW64\Bgffhkoj.exeC:\Windows\system32\Bgffhkoj.exe63⤵
- Executes dropped EXE
PID:2488 -
C:\Windows\SysWOW64\Bjebdfnn.exeC:\Windows\system32\Bjebdfnn.exe64⤵
- Executes dropped EXE
PID:1140 -
C:\Windows\SysWOW64\Bmcnqama.exeC:\Windows\system32\Bmcnqama.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1000 -
C:\Windows\SysWOW64\Baojapfj.exeC:\Windows\system32\Baojapfj.exe66⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2436 -
C:\Windows\SysWOW64\Bejfao32.exeC:\Windows\system32\Bejfao32.exe67⤵PID:2036
-
C:\Windows\SysWOW64\Bgibnj32.exeC:\Windows\system32\Bgibnj32.exe68⤵
- Drops file in System32 directory
- Modifies registry class
PID:2336 -
C:\Windows\SysWOW64\Cjgoje32.exeC:\Windows\system32\Cjgoje32.exe69⤵PID:2736
-
C:\Windows\SysWOW64\Cmfkfa32.exeC:\Windows\system32\Cmfkfa32.exe70⤵PID:2748
-
C:\Windows\SysWOW64\Caaggpdh.exeC:\Windows\system32\Caaggpdh.exe71⤵PID:2788
-
C:\Windows\SysWOW64\Ccpcckck.exeC:\Windows\system32\Ccpcckck.exe72⤵
- Drops file in System32 directory
PID:2292 -
C:\Windows\SysWOW64\Cfnoogbo.exeC:\Windows\system32\Cfnoogbo.exe73⤵PID:1444
-
C:\Windows\SysWOW64\Cillkbac.exeC:\Windows\system32\Cillkbac.exe74⤵PID:2584
-
C:\Windows\SysWOW64\Cpfdhl32.exeC:\Windows\system32\Cpfdhl32.exe75⤵PID:2124
-
C:\Windows\SysWOW64\Cfpldf32.exeC:\Windows\system32\Cfpldf32.exe76⤵PID:2656
-
C:\Windows\SysWOW64\Cjlheehe.exeC:\Windows\system32\Cjlheehe.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1996 -
C:\Windows\SysWOW64\Cmjdaqgi.exeC:\Windows\system32\Cmjdaqgi.exe78⤵
- Drops file in System32 directory
PID:2232 -
C:\Windows\SysWOW64\Clmdmm32.exeC:\Windows\system32\Clmdmm32.exe79⤵
- Drops file in System32 directory
- Modifies registry class
PID:2840 -
C:\Windows\SysWOW64\Ccdmnj32.exeC:\Windows\system32\Ccdmnj32.exe80⤵PID:1244
-
C:\Windows\SysWOW64\Cfcijf32.exeC:\Windows\system32\Cfcijf32.exe81⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1936 -
C:\Windows\SysWOW64\Ciaefa32.exeC:\Windows\system32\Ciaefa32.exe82⤵PID:1740
-
C:\Windows\SysWOW64\Clpabm32.exeC:\Windows\system32\Clpabm32.exe83⤵PID:1864
-
C:\Windows\SysWOW64\Cnnnnh32.exeC:\Windows\system32\Cnnnnh32.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2740 -
C:\Windows\SysWOW64\Cfeepelg.exeC:\Windows\system32\Cfeepelg.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2880 -
C:\Windows\SysWOW64\Cicalakk.exeC:\Windows\system32\Cicalakk.exe86⤵PID:2624
-
C:\Windows\SysWOW64\Chfbgn32.exeC:\Windows\system32\Chfbgn32.exe87⤵
- System Location Discovery: System Language Discovery
PID:2628 -
C:\Windows\SysWOW64\Cpmjhk32.exeC:\Windows\system32\Cpmjhk32.exe88⤵PID:1808
-
C:\Windows\SysWOW64\Cblfdg32.exeC:\Windows\system32\Cblfdg32.exe89⤵PID:2112
-
C:\Windows\SysWOW64\Dejbqb32.exeC:\Windows\system32\Dejbqb32.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1892 -
C:\Windows\SysWOW64\Difnaqih.exeC:\Windows\system32\Difnaqih.exe91⤵PID:1684
-
C:\Windows\SysWOW64\Dldkmlhl.exeC:\Windows\system32\Dldkmlhl.exe92⤵PID:3028
-
C:\Windows\SysWOW64\Dobgihgp.exeC:\Windows\system32\Dobgihgp.exe93⤵PID:1388
-
C:\Windows\SysWOW64\Dbncjf32.exeC:\Windows\system32\Dbncjf32.exe94⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1544 -
C:\Windows\SysWOW64\Daacecfc.exeC:\Windows\system32\Daacecfc.exe95⤵PID:692
-
C:\Windows\SysWOW64\Dlfgcl32.exeC:\Windows\system32\Dlfgcl32.exe96⤵
- Modifies registry class
PID:3056 -
C:\Windows\SysWOW64\Dkigoimd.exeC:\Windows\system32\Dkigoimd.exe97⤵
- System Location Discovery: System Language Discovery
PID:2888 -
C:\Windows\SysWOW64\Doecog32.exeC:\Windows\system32\Doecog32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3000 -
C:\Windows\SysWOW64\Dmhdkdlg.exeC:\Windows\system32\Dmhdkdlg.exe99⤵PID:2708
-
C:\Windows\SysWOW64\Deollamj.exeC:\Windows\system32\Deollamj.exe100⤵PID:1316
-
C:\Windows\SysWOW64\Ddblgn32.exeC:\Windows\system32\Ddblgn32.exe101⤵PID:1456
-
C:\Windows\SysWOW64\Dfphcj32.exeC:\Windows\system32\Dfphcj32.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2784 -
C:\Windows\SysWOW64\Dmjqpdje.exeC:\Windows\system32\Dmjqpdje.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2972 -
C:\Windows\SysWOW64\Dafmqb32.exeC:\Windows\system32\Dafmqb32.exe104⤵
- System Location Discovery: System Language Discovery
PID:2936 -
C:\Windows\SysWOW64\Dddimn32.exeC:\Windows\system32\Dddimn32.exe105⤵PID:1792
-
C:\Windows\SysWOW64\Dhpemm32.exeC:\Windows\system32\Dhpemm32.exe106⤵
- System Location Discovery: System Language Discovery
PID:944 -
C:\Windows\SysWOW64\Diaaeepi.exeC:\Windows\system32\Diaaeepi.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1672 -
C:\Windows\SysWOW64\Dahifbpk.exeC:\Windows\system32\Dahifbpk.exe108⤵PID:1884
-
C:\Windows\SysWOW64\Ddfebnoo.exeC:\Windows\system32\Ddfebnoo.exe109⤵PID:2304
-
C:\Windows\SysWOW64\Dkqnoh32.exeC:\Windows\system32\Dkqnoh32.exe110⤵PID:2544
-
C:\Windows\SysWOW64\Dmojkc32.exeC:\Windows\system32\Dmojkc32.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2004 -
C:\Windows\SysWOW64\Edibhmml.exeC:\Windows\system32\Edibhmml.exe112⤵
- Modifies registry class
PID:2184 -
C:\Windows\SysWOW64\Eclbcj32.exeC:\Windows\system32\Eclbcj32.exe113⤵PID:1096
-
C:\Windows\SysWOW64\Eejopecj.exeC:\Windows\system32\Eejopecj.exe114⤵PID:2892
-
C:\Windows\SysWOW64\Eiekpd32.exeC:\Windows\system32\Eiekpd32.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2920 -
C:\Windows\SysWOW64\Eppcmncq.exeC:\Windows\system32\Eppcmncq.exe116⤵PID:1532
-
C:\Windows\SysWOW64\Ecnoijbd.exeC:\Windows\system32\Ecnoijbd.exe117⤵PID:1440
-
C:\Windows\SysWOW64\Eelkeeah.exeC:\Windows\system32\Eelkeeah.exe118⤵
- System Location Discovery: System Language Discovery
PID:1688 -
C:\Windows\SysWOW64\Eihgfd32.exeC:\Windows\system32\Eihgfd32.exe119⤵
- Modifies registry class
PID:2700 -
C:\Windows\SysWOW64\Elfcbo32.exeC:\Windows\system32\Elfcbo32.exe120⤵PID:2824
-
C:\Windows\SysWOW64\Eoepnk32.exeC:\Windows\system32\Eoepnk32.exe121⤵PID:3012
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-