Analysis
-
max time kernel
93s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
13-10-2024 18:13
Behavioral task
behavioral1
Sample
02e1875918a95938875567ad1a2413f62784d75886241284c87180d54670aaeb.exe
Resource
win7-20240903-en
General
-
Target
02e1875918a95938875567ad1a2413f62784d75886241284c87180d54670aaeb.exe
-
Size
337KB
-
MD5
bbdc2a524a94581322a857a65e0a2ef6
-
SHA1
124f20f29e3b5525b272e245f66af3b558658fd4
-
SHA256
02e1875918a95938875567ad1a2413f62784d75886241284c87180d54670aaeb
-
SHA512
c2d173d8b410a46f74b4a52653cd3d7051e3a6278f1487efee9694c7b4f137f72bb6c1d5e31388ebdc0458b15374764f8da25997ef429ef603b2c0b727cb2996
-
SSDEEP
3072:nxrKQhQcAmwQPkUgYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:n9KQ2wr1+fIyG5jZkCwi8r
Malware Config
Extracted
berbew
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ameadhfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ggclim32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmmdfgdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ngleec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Inokbamd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kqbbedfd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhamdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jleahcki.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epnbdmaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jnomni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bfinoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gnjhpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hhfbnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ifdfno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bmcmffjn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bffaifah.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdnimc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdmgllkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fncboeed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ggbmij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hdkgmnpa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbgjha32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dioibnjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ldhggj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idobedjm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljffjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Giahei32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgipie32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ioljfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Affomo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjnnlm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Afokhg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbphjdfg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkkice32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Foboih32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdkgmnpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aocffm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nehjdc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldfjbkbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kbpidm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Camehbfg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmmicbdq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fangen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ghjlhhol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gffjla32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhfbnl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igjlpg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mbpdhb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ffnigpok.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjobfp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgpomp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ciogff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fghche32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhmkkc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlflkhkg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Inokbamd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jinaeidp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aoapkd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obefjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Elaoih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mclpje32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbchhhdm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkgfcmfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjmcdi32.exe -
Executes dropped EXE 64 IoCs
pid Process 2864 Fgdqglbm.exe 3736 Fokhiibo.exe 1584 Fajeeeac.exe 4248 Fdhaapqf.exe 1304 Fhcmao32.exe 3988 Fkbinj32.exe 2724 Fnqejfgg.exe 3312 Fehmkchi.exe 3104 Fdjnfp32.exe 3652 Fhfjgogm.exe 4448 Fkdfcjfq.exe 4568 Fopbdi32.exe 2984 Fncboeed.exe 4624 Fannpd32.exe 4028 Fdmjlp32.exe 2276 Fhhfmnej.exe 2884 Fkgbijdn.exe 1800 Foboih32.exe 4860 Fneoeeca.exe 4348 Felgfb32.exe 2908 Gdogaojo.exe 216 Ghkcbn32.exe 748 Ggncnkjb.exe 456 Gkioni32.exe 1764 Goekohjd.exe 3504 Gnglje32.exe 3580 Gacgkcih.exe 4804 Geoclb32.exe 4684 Ggppcjgp.exe 4476 Ggppcjgp.exe 5024 Gkkldi32.exe 3748 Goghdhhb.exe 1540 Gnjhpd32.exe 4112 Geapabpo.exe 1292 Gddqmo32.exe 3700 Ghommmob.exe 1140 Ggbmij32.exe 4976 Gkniiinf.exe 1488 Goiejg32.exe 2144 Gnleedmj.exe 3792 Gahafc32.exe 4728 Gecmganl.exe 3028 Ghbicmmp.exe 5064 Ggdinj32.exe 1676 Golapg32.exe 4616 Gnoakdkg.exe 2888 Gajnlb32.exe 1492 Gffjla32.exe 3448 Gdhjhnbd.exe 612 Ghdfhm32.exe 3556 Gggfdiag.exe 2028 Gkbbdh32.exe 4844 Gonnegbj.exe 3160 Gnanqc32.exe 4460 Galjabam.exe 636 Hdkgmnpa.exe 2168 Hdkgmnpa.exe 1808 Hhfbnl32.exe 2992 Hgiciipe.exe 4984 Hkeojh32.exe 1588 Hnckfc32.exe 1312 Hboggbok.exe 4092 Hfjcgq32.exe 4556 Hdmccmno.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Dbnked32.exe Doooii32.exe File opened for modification C:\Windows\SysWOW64\Ipgpnaif.exe Hlldmb32.exe File opened for modification C:\Windows\SysWOW64\Lpdbeo32.exe Llhfdq32.exe File opened for modification C:\Windows\SysWOW64\Aghhla32.exe Aoapkd32.exe File opened for modification C:\Windows\SysWOW64\Emflia32.exe Efmclgdi.exe File created C:\Windows\SysWOW64\Ecipfm32.dll Gmgepo32.exe File opened for modification C:\Windows\SysWOW64\Malnbp32.exe Mbingcil.exe File created C:\Windows\SysWOW64\Lcgofi32.dll Lggjnl32.exe File created C:\Windows\SysWOW64\Gonbak32.dll Nagnno32.exe File created C:\Windows\SysWOW64\Bjpape32.dll Nopgcbpn.exe File opened for modification C:\Windows\SysWOW64\Ipliiq32.exe Innmme32.exe File created C:\Windows\SysWOW64\Gkkeic32.exe Gdammiep.exe File created C:\Windows\SysWOW64\Aocffm32.exe Aldjja32.exe File created C:\Windows\SysWOW64\Hgokel32.exe Hccodmjl.exe File created C:\Windows\SysWOW64\Djkgknlf.dll Njhelo32.exe File created C:\Windows\SysWOW64\Ffglnofp.exe Fdipacgl.exe File created C:\Windows\SysWOW64\Onjnnink.dll Lgemhm32.exe File created C:\Windows\SysWOW64\Ohpekp32.dll Bbpocfej.exe File created C:\Windows\SysWOW64\Idjboo32.exe Ipnfopbn.exe File opened for modification C:\Windows\SysWOW64\Micmnd32.exe Mbieajlh.exe File opened for modification C:\Windows\SysWOW64\Occqof32.exe Oiklfqpj.exe File created C:\Windows\SysWOW64\Bqmlae32.exe Biedpg32.exe File created C:\Windows\SysWOW64\Ejcfbfqg.exe Epnbdmaa.exe File opened for modification C:\Windows\SysWOW64\Kjopiihp.exe Kindbq32.exe File created C:\Windows\SysWOW64\Cpcfce32.dll Lepmhijl.exe File opened for modification C:\Windows\SysWOW64\Jddlpd32.exe Jbeodh32.exe File created C:\Windows\SysWOW64\Fejoeaam.dll Ifdfno32.exe File opened for modification C:\Windows\SysWOW64\Igiefq32.exe Idkije32.exe File created C:\Windows\SysWOW64\Labkla32.exe Lndopf32.exe File created C:\Windows\SysWOW64\Emgkkb32.dll Ijdnbfka.exe File created C:\Windows\SysWOW64\Mionmeaa.dll Ikgdfe32.exe File created C:\Windows\SysWOW64\Edkgifmb.dll Ghabhgid.exe File created C:\Windows\SysWOW64\Lqohllfi.exe Lnqkppge.exe File created C:\Windows\SysWOW64\Pbdomi32.dll Nbbqmbqb.exe File created C:\Windows\SysWOW64\Cmbbfkdf.dll Hgjbjlfk.exe File created C:\Windows\SysWOW64\Igahkk32.exe Ipgpnaif.exe File created C:\Windows\SysWOW64\Kopkfk32.dll Lggccf32.exe File opened for modification C:\Windows\SysWOW64\Jbmloneh.exe Jghhaeeb.exe File opened for modification C:\Windows\SysWOW64\Pohnee32.exe Pljaij32.exe File opened for modification C:\Windows\SysWOW64\Bgpomp32.exe Aqefpfkb.exe File opened for modification C:\Windows\SysWOW64\Cmnfgnle.exe Cjpikbma.exe File created C:\Windows\SysWOW64\Giheoj32.exe Gjeedmmf.exe File created C:\Windows\SysWOW64\Nkpbgdlj.exe Nlmblg32.exe File created C:\Windows\SysWOW64\Gjnabq32.dll Hnjagb32.exe File created C:\Windows\SysWOW64\Iffbcomf.exe Inokbamd.exe File opened for modification C:\Windows\SysWOW64\Cmomad32.exe Cicqaehg.exe File opened for modification C:\Windows\SysWOW64\Fkmihehm.exe Fhnmliii.exe File opened for modification C:\Windows\SysWOW64\Mlabpi32.exe Mhefojgd.exe File created C:\Windows\SysWOW64\Gecmganl.exe Gahafc32.exe File created C:\Windows\SysWOW64\Emflia32.exe Efmclgdi.exe File opened for modification C:\Windows\SysWOW64\Kjmcdi32.exe Kgnghn32.exe File created C:\Windows\SysWOW64\Jqdbolle.dll Ohaobfod.exe File created C:\Windows\SysWOW64\Mmdcicma.dll Flddffdg.exe File created C:\Windows\SysWOW64\Hgjbjlfk.exe Hdlenagg.exe File opened for modification C:\Windows\SysWOW64\Ikdjlibd.exe Idjboo32.exe File created C:\Windows\SysWOW64\Endgoobk.dll Lihnbe32.exe File created C:\Windows\SysWOW64\Bgiaco32.exe Bqoifd32.exe File created C:\Windows\SysWOW64\Hnpgfm32.exe Gkbkjbfe.exe File opened for modification C:\Windows\SysWOW64\Jbhlih32.exe Jgbhlo32.exe File created C:\Windows\SysWOW64\Ancjjodo.dll Qeclmh32.exe File created C:\Windows\SysWOW64\Chhkpeem.dll Galjabam.exe File opened for modification C:\Windows\SysWOW64\Jbffno32.exe Jklnadcc.exe File created C:\Windows\SysWOW64\Jnmgcpqd.exe Jkokgdaq.exe File created C:\Windows\SysWOW64\Dpbbioko.exe Daobmb32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 15892 15816 WerFault.exe 852 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lieamfpe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edngpkee.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qlkgdc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikamfi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gonnegbj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccghio32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idhlde32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijgabl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Peeokjnm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aaofmi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipqbdpqk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olleglmk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hddiclhf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfdhkkcd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfmlfpka.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aocmqcea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpbbioko.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhmmpi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ecigkf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fopbdi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpnmhbaq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgodlidc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjgcnckl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flddffdg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnmgcpqd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmhfae32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dckadnek.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gajnlb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppcqdikg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Keddgahe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dioibnjo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpmeknkb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahkkob32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbgnkc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Giheoj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mobbljpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oglpjeqf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pohnee32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gineepcg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkpqbnlb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgokel32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdahpneo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjipdc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hoedff32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nabmiifc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccienngm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dihjle32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phdlgfma.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kiqgbf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plpobk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehjcaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jggagoaf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkgfcmfj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Maiamqaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjpikbma.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ficldkgf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngcmcfha.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlighc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pljaij32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmomad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djomgg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhcfgi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnnkqngk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oihhfj32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qomgpdkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epfmggkp.dll" Hdmlhgkc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bhgjka32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jjefidmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhbfdi32.dll" Fdhaapqf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ghkcbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hapmkkpp.dll" Geoclb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jbhcdnim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edkgifmb.dll" Ghabhgid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mambio32.dll" Llhfdq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lagegacl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oaqqdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngmkmp32.dll" Qafcfj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gdpfbbad.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hnmnlb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lakpnekp.dll" Bhgjka32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Incdma32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hdoing32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cjicjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Naicih32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fnqejfgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcjgdm32.dll" Jnmgcpqd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bgiaco32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hpodbi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Haqmbk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kdmnfb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Idnljkpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjompa32.dll" Mbieajlh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpmghgem.dll" Pcmcee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgieni32.dll" Qlnkdilf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ciogff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cjicjc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dbdaec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diqnhbgl.dll" Efgcga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjjahckf.dll" Hlldmb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nlooagcm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnkhapdl.dll" Ohhllhgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Obefjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pminen32.dll" Mpilpo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nonbhifl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njgbio32.dll" Occqof32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dmmicbdq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jbjiohco.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pehlajkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adnmne32.dll" Pejifj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Njmognja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcfihm32.dll" Gahafc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ppcqdikg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkbcbh32.dll" Cfedejhd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbchjn32.dll" Iqjcng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lncgbkpp.dll" Migpomld.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fhhfmnej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gnoakdkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dmfcbcji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihmhdjgl.dll" Eapkdpfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmnbllhc.dll" Mgpfjd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jbmloneh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dimcgdpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnjple32.dll" Hphfhgla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hpnmhbaq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gneafcnc.dll" Kgigbhlh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ffglnofp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Banecfgb.dll" Hfjcgq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kinklg32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2692 wrote to memory of 2864 2692 02e1875918a95938875567ad1a2413f62784d75886241284c87180d54670aaeb.exe 84 PID 2692 wrote to memory of 2864 2692 02e1875918a95938875567ad1a2413f62784d75886241284c87180d54670aaeb.exe 84 PID 2692 wrote to memory of 2864 2692 02e1875918a95938875567ad1a2413f62784d75886241284c87180d54670aaeb.exe 84 PID 2864 wrote to memory of 3736 2864 Fgdqglbm.exe 86 PID 2864 wrote to memory of 3736 2864 Fgdqglbm.exe 86 PID 2864 wrote to memory of 3736 2864 Fgdqglbm.exe 86 PID 3736 wrote to memory of 1584 3736 Fokhiibo.exe 87 PID 3736 wrote to memory of 1584 3736 Fokhiibo.exe 87 PID 3736 wrote to memory of 1584 3736 Fokhiibo.exe 87 PID 1584 wrote to memory of 4248 1584 Fajeeeac.exe 88 PID 1584 wrote to memory of 4248 1584 Fajeeeac.exe 88 PID 1584 wrote to memory of 4248 1584 Fajeeeac.exe 88 PID 4248 wrote to memory of 1304 4248 Fdhaapqf.exe 89 PID 4248 wrote to memory of 1304 4248 Fdhaapqf.exe 89 PID 4248 wrote to memory of 1304 4248 Fdhaapqf.exe 89 PID 1304 wrote to memory of 3988 1304 Fhcmao32.exe 90 PID 1304 wrote to memory of 3988 1304 Fhcmao32.exe 90 PID 1304 wrote to memory of 3988 1304 Fhcmao32.exe 90 PID 3988 wrote to memory of 2724 3988 Fkbinj32.exe 91 PID 3988 wrote to memory of 2724 3988 Fkbinj32.exe 91 PID 3988 wrote to memory of 2724 3988 Fkbinj32.exe 91 PID 2724 wrote to memory of 3312 2724 Fnqejfgg.exe 92 PID 2724 wrote to memory of 3312 2724 Fnqejfgg.exe 92 PID 2724 wrote to memory of 3312 2724 Fnqejfgg.exe 92 PID 3312 wrote to memory of 3104 3312 Fehmkchi.exe 93 PID 3312 wrote to memory of 3104 3312 Fehmkchi.exe 93 PID 3312 wrote to memory of 3104 3312 Fehmkchi.exe 93 PID 3104 wrote to memory of 3652 3104 Fdjnfp32.exe 94 PID 3104 wrote to memory of 3652 3104 Fdjnfp32.exe 94 PID 3104 wrote to memory of 3652 3104 Fdjnfp32.exe 94 PID 3652 wrote to memory of 4448 3652 Fhfjgogm.exe 95 PID 3652 wrote to memory of 4448 3652 Fhfjgogm.exe 95 PID 3652 wrote to memory of 4448 3652 Fhfjgogm.exe 95 PID 4448 wrote to memory of 4568 4448 Fkdfcjfq.exe 96 PID 4448 wrote to memory of 4568 4448 Fkdfcjfq.exe 96 PID 4448 wrote to memory of 4568 4448 Fkdfcjfq.exe 96 PID 4568 wrote to memory of 2984 4568 Fopbdi32.exe 97 PID 4568 wrote to memory of 2984 4568 Fopbdi32.exe 97 PID 4568 wrote to memory of 2984 4568 Fopbdi32.exe 97 PID 2984 wrote to memory of 4624 2984 Fncboeed.exe 98 PID 2984 wrote to memory of 4624 2984 Fncboeed.exe 98 PID 2984 wrote to memory of 4624 2984 Fncboeed.exe 98 PID 4624 wrote to memory of 4028 4624 Fannpd32.exe 99 PID 4624 wrote to memory of 4028 4624 Fannpd32.exe 99 PID 4624 wrote to memory of 4028 4624 Fannpd32.exe 99 PID 4028 wrote to memory of 2276 4028 Fdmjlp32.exe 100 PID 4028 wrote to memory of 2276 4028 Fdmjlp32.exe 100 PID 4028 wrote to memory of 2276 4028 Fdmjlp32.exe 100 PID 2276 wrote to memory of 2884 2276 Fhhfmnej.exe 101 PID 2276 wrote to memory of 2884 2276 Fhhfmnej.exe 101 PID 2276 wrote to memory of 2884 2276 Fhhfmnej.exe 101 PID 2884 wrote to memory of 1800 2884 Fkgbijdn.exe 102 PID 2884 wrote to memory of 1800 2884 Fkgbijdn.exe 102 PID 2884 wrote to memory of 1800 2884 Fkgbijdn.exe 102 PID 1800 wrote to memory of 4860 1800 Foboih32.exe 103 PID 1800 wrote to memory of 4860 1800 Foboih32.exe 103 PID 1800 wrote to memory of 4860 1800 Foboih32.exe 103 PID 4860 wrote to memory of 4348 4860 Fneoeeca.exe 104 PID 4860 wrote to memory of 4348 4860 Fneoeeca.exe 104 PID 4860 wrote to memory of 4348 4860 Fneoeeca.exe 104 PID 4348 wrote to memory of 2908 4348 Felgfb32.exe 105 PID 4348 wrote to memory of 2908 4348 Felgfb32.exe 105 PID 4348 wrote to memory of 2908 4348 Felgfb32.exe 105 PID 2908 wrote to memory of 216 2908 Gdogaojo.exe 106
Processes
-
C:\Users\Admin\AppData\Local\Temp\02e1875918a95938875567ad1a2413f62784d75886241284c87180d54670aaeb.exe"C:\Users\Admin\AppData\Local\Temp\02e1875918a95938875567ad1a2413f62784d75886241284c87180d54670aaeb.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\Windows\SysWOW64\Fgdqglbm.exeC:\Windows\system32\Fgdqglbm.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2864 -
C:\Windows\SysWOW64\Fokhiibo.exeC:\Windows\system32\Fokhiibo.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3736 -
C:\Windows\SysWOW64\Fajeeeac.exeC:\Windows\system32\Fajeeeac.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1584 -
C:\Windows\SysWOW64\Fdhaapqf.exeC:\Windows\system32\Fdhaapqf.exe5⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4248 -
C:\Windows\SysWOW64\Fhcmao32.exeC:\Windows\system32\Fhcmao32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1304 -
C:\Windows\SysWOW64\Fkbinj32.exeC:\Windows\system32\Fkbinj32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3988 -
C:\Windows\SysWOW64\Fnqejfgg.exeC:\Windows\system32\Fnqejfgg.exe8⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2724 -
C:\Windows\SysWOW64\Fehmkchi.exeC:\Windows\system32\Fehmkchi.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3312 -
C:\Windows\SysWOW64\Fdjnfp32.exeC:\Windows\system32\Fdjnfp32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3104 -
C:\Windows\SysWOW64\Fhfjgogm.exeC:\Windows\system32\Fhfjgogm.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3652 -
C:\Windows\SysWOW64\Fkdfcjfq.exeC:\Windows\system32\Fkdfcjfq.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4448 -
C:\Windows\SysWOW64\Fopbdi32.exeC:\Windows\system32\Fopbdi32.exe13⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4568 -
C:\Windows\SysWOW64\Fncboeed.exeC:\Windows\system32\Fncboeed.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2984 -
C:\Windows\SysWOW64\Fannpd32.exeC:\Windows\system32\Fannpd32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4624 -
C:\Windows\SysWOW64\Fdmjlp32.exeC:\Windows\system32\Fdmjlp32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4028 -
C:\Windows\SysWOW64\Fhhfmnej.exeC:\Windows\system32\Fhhfmnej.exe17⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2276 -
C:\Windows\SysWOW64\Fkgbijdn.exeC:\Windows\system32\Fkgbijdn.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2884 -
C:\Windows\SysWOW64\Foboih32.exeC:\Windows\system32\Foboih32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1800 -
C:\Windows\SysWOW64\Fneoeeca.exeC:\Windows\system32\Fneoeeca.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4860 -
C:\Windows\SysWOW64\Felgfb32.exeC:\Windows\system32\Felgfb32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4348 -
C:\Windows\SysWOW64\Gdogaojo.exeC:\Windows\system32\Gdogaojo.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2908 -
C:\Windows\SysWOW64\Ghkcbn32.exeC:\Windows\system32\Ghkcbn32.exe23⤵
- Executes dropped EXE
- Modifies registry class
PID:216 -
C:\Windows\SysWOW64\Ggncnkjb.exeC:\Windows\system32\Ggncnkjb.exe24⤵
- Executes dropped EXE
PID:748 -
C:\Windows\SysWOW64\Gkioni32.exeC:\Windows\system32\Gkioni32.exe25⤵
- Executes dropped EXE
PID:456 -
C:\Windows\SysWOW64\Goekohjd.exeC:\Windows\system32\Goekohjd.exe26⤵
- Executes dropped EXE
PID:1764 -
C:\Windows\SysWOW64\Gnglje32.exeC:\Windows\system32\Gnglje32.exe27⤵
- Executes dropped EXE
PID:3504 -
C:\Windows\SysWOW64\Gacgkcih.exeC:\Windows\system32\Gacgkcih.exe28⤵
- Executes dropped EXE
PID:3580 -
C:\Windows\SysWOW64\Geoclb32.exeC:\Windows\system32\Geoclb32.exe29⤵
- Executes dropped EXE
- Modifies registry class
PID:4804 -
C:\Windows\SysWOW64\Ggppcjgp.exeC:\Windows\system32\Ggppcjgp.exe30⤵
- Executes dropped EXE
PID:4684 -
C:\Windows\SysWOW64\Ggppcjgp.exeC:\Windows\system32\Ggppcjgp.exe31⤵
- Executes dropped EXE
PID:4476 -
C:\Windows\SysWOW64\Gkkldi32.exeC:\Windows\system32\Gkkldi32.exe32⤵
- Executes dropped EXE
PID:5024 -
C:\Windows\SysWOW64\Goghdhhb.exeC:\Windows\system32\Goghdhhb.exe33⤵
- Executes dropped EXE
PID:3748 -
C:\Windows\SysWOW64\Gnjhpd32.exeC:\Windows\system32\Gnjhpd32.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1540 -
C:\Windows\SysWOW64\Geapabpo.exeC:\Windows\system32\Geapabpo.exe35⤵
- Executes dropped EXE
PID:4112 -
C:\Windows\SysWOW64\Gddqmo32.exeC:\Windows\system32\Gddqmo32.exe36⤵
- Executes dropped EXE
PID:1292 -
C:\Windows\SysWOW64\Ghommmob.exeC:\Windows\system32\Ghommmob.exe37⤵
- Executes dropped EXE
PID:3700 -
C:\Windows\SysWOW64\Ggbmij32.exeC:\Windows\system32\Ggbmij32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1140 -
C:\Windows\SysWOW64\Gkniiinf.exeC:\Windows\system32\Gkniiinf.exe39⤵
- Executes dropped EXE
PID:4976 -
C:\Windows\SysWOW64\Goiejg32.exeC:\Windows\system32\Goiejg32.exe40⤵
- Executes dropped EXE
PID:1488 -
C:\Windows\SysWOW64\Gnleedmj.exeC:\Windows\system32\Gnleedmj.exe41⤵
- Executes dropped EXE
PID:2144 -
C:\Windows\SysWOW64\Gahafc32.exeC:\Windows\system32\Gahafc32.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3792 -
C:\Windows\SysWOW64\Gecmganl.exeC:\Windows\system32\Gecmganl.exe43⤵
- Executes dropped EXE
PID:4728 -
C:\Windows\SysWOW64\Gdfmbn32.exeC:\Windows\system32\Gdfmbn32.exe44⤵PID:4572
-
C:\Windows\SysWOW64\Ghbicmmp.exeC:\Windows\system32\Ghbicmmp.exe45⤵
- Executes dropped EXE
PID:3028 -
C:\Windows\SysWOW64\Ggdinj32.exeC:\Windows\system32\Ggdinj32.exe46⤵
- Executes dropped EXE
PID:5064 -
C:\Windows\SysWOW64\Golapg32.exeC:\Windows\system32\Golapg32.exe47⤵
- Executes dropped EXE
PID:1676 -
C:\Windows\SysWOW64\Gnoakdkg.exeC:\Windows\system32\Gnoakdkg.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:4616 -
C:\Windows\SysWOW64\Gajnlb32.exeC:\Windows\system32\Gajnlb32.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2888 -
C:\Windows\SysWOW64\Gffjla32.exeC:\Windows\system32\Gffjla32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1492 -
C:\Windows\SysWOW64\Gdhjhnbd.exeC:\Windows\system32\Gdhjhnbd.exe51⤵
- Executes dropped EXE
PID:3448 -
C:\Windows\SysWOW64\Ghdfhm32.exeC:\Windows\system32\Ghdfhm32.exe52⤵
- Executes dropped EXE
PID:612 -
C:\Windows\SysWOW64\Gggfdiag.exeC:\Windows\system32\Gggfdiag.exe53⤵
- Executes dropped EXE
PID:3556 -
C:\Windows\SysWOW64\Gkbbdh32.exeC:\Windows\system32\Gkbbdh32.exe54⤵
- Executes dropped EXE
PID:2028 -
C:\Windows\SysWOW64\Gonnegbj.exeC:\Windows\system32\Gonnegbj.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4844 -
C:\Windows\SysWOW64\Gnanqc32.exeC:\Windows\system32\Gnanqc32.exe56⤵
- Executes dropped EXE
PID:3160 -
C:\Windows\SysWOW64\Galjabam.exeC:\Windows\system32\Galjabam.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4460 -
C:\Windows\SysWOW64\Hdkgmnpa.exeC:\Windows\system32\Hdkgmnpa.exe58⤵
- Executes dropped EXE
PID:636 -
C:\Windows\SysWOW64\Hdkgmnpa.exeC:\Windows\system32\Hdkgmnpa.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2168 -
C:\Windows\SysWOW64\Hhfbnl32.exeC:\Windows\system32\Hhfbnl32.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1808 -
C:\Windows\SysWOW64\Hgiciipe.exeC:\Windows\system32\Hgiciipe.exe61⤵
- Executes dropped EXE
PID:2992 -
C:\Windows\SysWOW64\Hkeojh32.exeC:\Windows\system32\Hkeojh32.exe62⤵
- Executes dropped EXE
PID:4984 -
C:\Windows\SysWOW64\Hnckfc32.exeC:\Windows\system32\Hnckfc32.exe63⤵
- Executes dropped EXE
PID:1588 -
C:\Windows\SysWOW64\Hboggbok.exeC:\Windows\system32\Hboggbok.exe64⤵
- Executes dropped EXE
PID:1312 -
C:\Windows\SysWOW64\Hfjcgq32.exeC:\Windows\system32\Hfjcgq32.exe65⤵
- Executes dropped EXE
- Modifies registry class
PID:4092 -
C:\Windows\SysWOW64\Hdmccmno.exeC:\Windows\system32\Hdmccmno.exe66⤵
- Executes dropped EXE
PID:4556 -
C:\Windows\SysWOW64\Hoedff32.exeC:\Windows\system32\Hoedff32.exe67⤵
- System Location Discovery: System Language Discovery
PID:5068 -
C:\Windows\SysWOW64\Hnhdabcl.exeC:\Windows\system32\Hnhdabcl.exe68⤵PID:4260
-
C:\Windows\SysWOW64\Hfombpco.exeC:\Windows\system32\Hfombpco.exe69⤵PID:3452
-
C:\Windows\SysWOW64\Hhmiokbb.exeC:\Windows\system32\Hhmiokbb.exe70⤵PID:4952
-
C:\Windows\SysWOW64\Hgpijhim.exeC:\Windows\system32\Hgpijhim.exe71⤵PID:1680
-
C:\Windows\SysWOW64\Hklekg32.exeC:\Windows\system32\Hklekg32.exe72⤵PID:4988
-
C:\Windows\SysWOW64\Hnjagb32.exeC:\Windows\system32\Hnjagb32.exe73⤵
- Drops file in System32 directory
PID:5028 -
C:\Windows\SysWOW64\Hbfmgaic.exeC:\Windows\system32\Hbfmgaic.exe74⤵PID:184
-
C:\Windows\SysWOW64\Hddiclhf.exeC:\Windows\system32\Hddiclhf.exe75⤵
- System Location Discovery: System Language Discovery
PID:2088 -
C:\Windows\SysWOW64\Hgbfphgj.exeC:\Windows\system32\Hgbfphgj.exe76⤵PID:1536
-
C:\Windows\SysWOW64\Hojnaehl.exeC:\Windows\system32\Hojnaehl.exe77⤵PID:4088
-
C:\Windows\SysWOW64\Hnmnlb32.exeC:\Windows\system32\Hnmnlb32.exe78⤵
- Modifies registry class
PID:1208 -
C:\Windows\SysWOW64\Ifdfno32.exeC:\Windows\system32\Ifdfno32.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2492 -
C:\Windows\SysWOW64\Ihbbjk32.exeC:\Windows\system32\Ihbbjk32.exe80⤵PID:1832
-
C:\Windows\SysWOW64\Igebegeg.exeC:\Windows\system32\Igebegeg.exe81⤵PID:1428
-
C:\Windows\SysWOW64\Ioljfe32.exeC:\Windows\system32\Ioljfe32.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2672 -
C:\Windows\SysWOW64\Inokbamd.exeC:\Windows\system32\Inokbamd.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2364 -
C:\Windows\SysWOW64\Iffbcomf.exeC:\Windows\system32\Iffbcomf.exe84⤵PID:2036
-
C:\Windows\SysWOW64\Iidoojlj.exeC:\Windows\system32\Iidoojlj.exe85⤵PID:1572
-
C:\Windows\SysWOW64\Iggokg32.exeC:\Windows\system32\Iggokg32.exe86⤵PID:1132
-
C:\Windows\SysWOW64\Ioogld32.exeC:\Windows\system32\Ioogld32.exe87⤵PID:5136
-
C:\Windows\SysWOW64\Inaggaka.exeC:\Windows\system32\Inaggaka.exe88⤵PID:5176
-
C:\Windows\SysWOW64\Ifhoiokd.exeC:\Windows\system32\Ifhoiokd.exe89⤵PID:5216
-
C:\Windows\SysWOW64\Iiglejjg.exeC:\Windows\system32\Iiglejjg.exe90⤵PID:5256
-
C:\Windows\SysWOW64\Igjlpg32.exeC:\Windows\system32\Igjlpg32.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5296 -
C:\Windows\SysWOW64\Ioadadbd.exeC:\Windows\system32\Ioadadbd.exe92⤵PID:5336
-
C:\Windows\SysWOW64\Incdma32.exeC:\Windows\system32\Incdma32.exe93⤵
- Modifies registry class
PID:5376 -
C:\Windows\SysWOW64\Ifklnn32.exeC:\Windows\system32\Ifklnn32.exe94⤵PID:5416
-
C:\Windows\SysWOW64\Idnljkpl.exeC:\Windows\system32\Idnljkpl.exe95⤵
- Modifies registry class
PID:5456 -
C:\Windows\SysWOW64\Iglhffop.exeC:\Windows\system32\Iglhffop.exe96⤵PID:5492
-
C:\Windows\SysWOW64\Ikgdfe32.exeC:\Windows\system32\Ikgdfe32.exe97⤵
- Drops file in System32 directory
PID:5532 -
C:\Windows\SysWOW64\Iocqgdpb.exeC:\Windows\system32\Iocqgdpb.exe98⤵PID:5564
-
C:\Windows\SysWOW64\Iepiokni.exeC:\Windows\system32\Iepiokni.exe99⤵PID:5632
-
C:\Windows\SysWOW64\Ignekfmm.exeC:\Windows\system32\Ignekfmm.exe100⤵PID:5672
-
C:\Windows\SysWOW64\Ikjale32.exeC:\Windows\system32\Ikjale32.exe101⤵PID:5712
-
C:\Windows\SysWOW64\Inhnhp32.exeC:\Windows\system32\Inhnhp32.exe102⤵PID:5752
-
C:\Windows\SysWOW64\Jfpeinel.exeC:\Windows\system32\Jfpeinel.exe103⤵PID:5796
-
C:\Windows\SysWOW64\Jinaeidp.exeC:\Windows\system32\Jinaeidp.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5836 -
C:\Windows\SysWOW64\Jklnadcc.exeC:\Windows\system32\Jklnadcc.exe105⤵
- Drops file in System32 directory
PID:5880 -
C:\Windows\SysWOW64\Jbffno32.exeC:\Windows\system32\Jbffno32.exe106⤵PID:5920
-
C:\Windows\SysWOW64\Jedbjj32.exeC:\Windows\system32\Jedbjj32.exe107⤵PID:5956
-
C:\Windows\SysWOW64\Jipnkibm.exeC:\Windows\system32\Jipnkibm.exe108⤵PID:6000
-
C:\Windows\SysWOW64\Jkokgdaq.exeC:\Windows\system32\Jkokgdaq.exe109⤵
- Drops file in System32 directory
PID:6040 -
C:\Windows\SysWOW64\Jnmgcpqd.exeC:\Windows\system32\Jnmgcpqd.exe110⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:6080 -
C:\Windows\SysWOW64\Jbhcdnim.exeC:\Windows\system32\Jbhcdnim.exe111⤵
- Modifies registry class
PID:6120 -
C:\Windows\SysWOW64\Jibkqh32.exeC:\Windows\system32\Jibkqh32.exe112⤵PID:1448
-
C:\Windows\SysWOW64\Jnocio32.exeC:\Windows\system32\Jnocio32.exe113⤵PID:4496
-
C:\Windows\SysWOW64\Jeileifo.exeC:\Windows\system32\Jeileifo.exe114⤵PID:2772
-
C:\Windows\SysWOW64\Jghhaeeb.exeC:\Windows\system32\Jghhaeeb.exe115⤵
- Drops file in System32 directory
PID:2220 -
C:\Windows\SysWOW64\Jbmloneh.exeC:\Windows\system32\Jbmloneh.exe116⤵
- Modifies registry class
PID:4008 -
C:\Windows\SysWOW64\Jleahcki.exeC:\Windows\system32\Jleahcki.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1460 -
C:\Windows\SysWOW64\Kbpidm32.exeC:\Windows\system32\Kbpidm32.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1188 -
C:\Windows\SysWOW64\Klhnmcif.exeC:\Windows\system32\Klhnmcif.exe119⤵PID:2900
-
C:\Windows\SysWOW64\Kbbfjm32.exeC:\Windows\system32\Kbbfjm32.exe120⤵PID:1520
-
C:\Windows\SysWOW64\Kepbfh32.exeC:\Windows\system32\Kepbfh32.exe121⤵PID:5240
-
C:\Windows\SysWOW64\Kljjcb32.exeC:\Windows\system32\Kljjcb32.exe122⤵PID:5464
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-