Analysis
-
max time kernel
117s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
17-10-2024 03:38
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
cf63af24df902713f6c113c593b3e823386b5479ea1ab525981d53440356ba9fN.exe
Resource
win7-20240708-en
windows7-x64
9 signatures
120 seconds
General
-
Target
cf63af24df902713f6c113c593b3e823386b5479ea1ab525981d53440356ba9fN.exe
-
Size
163KB
-
MD5
cdd4726ea11e285d06e53e24b47831a0
-
SHA1
463c3ed369a469936ea0dded3f1813c1edd3e59f
-
SHA256
cf63af24df902713f6c113c593b3e823386b5479ea1ab525981d53440356ba9f
-
SHA512
802a5cac257b16a34a91b4959d1f7ad2256a59ecf6eb982123d69a46ad5f1fe945fa033d5b715624c4fdfc87df381ed9b4945becfbf06fb9f8c290c872ac1918
-
SSDEEP
1536:P03DDYXYVSWyRLddbiTYv1MQl8F8IlProNVU4qNVUrk/9QbfBr+7GwKrPAsqNVU:4D0XYKRL/biXFdltOrWKDBr+yJb
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://master-x.com/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://crutop.ru/index.php
http://kaspersky.ru/index.php
http://color-bank.ru/index.php
http://adult-empire.com/index.php
http://virus-list.com/index.php
http://trojan.ru/index.php
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://fethard.biz/index.htm
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://kaspersky.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnnmeh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cccdjl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gajjhkgh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Paafmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mcidkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nlohmonb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhkbmo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bknmok32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhbmip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fllaopcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jngilalk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kfidqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nldahn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Befnbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ifgklp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kamlhl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Beadgdli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhpqcpkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Egcfdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Omhkcnfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aeokba32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plbmom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmidlmcd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mokkegmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kbbakc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qjgjpi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkcfjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iqcmcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iomcpe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgmaog32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oqmmbqgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aiaqle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjjpag32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekghcq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iokfjf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijqjgo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gcppkbia.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhdpnm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njeelc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njhbabif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ofobgc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ockinl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dnkhfnck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmqkml32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbglpg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egcfdn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifgklp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfglfdeb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oiokholk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfqlkfoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Amhcad32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aocbokia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Icplje32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Inepgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Camnge32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fipbhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qdpohodn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Albjnplq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nnjklb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Piadma32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgbcfdmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Odflmp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnabffeo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgjgol32.exe -
Executes dropped EXE 64 IoCs
pid Process 2660 Dijfch32.exe 2884 Dbbklnpj.exe 2632 Dpfkeb32.exe 2588 Dfpcblfp.exe 2608 Dmjlof32.exe 2972 Dnkhfnck.exe 2480 Diqmcgca.exe 608 Epkepakn.exe 1088 Ealahi32.exe 620 Egfjdchi.exe 316 Ebknblho.exe 1164 Eejjnhgc.exe 1084 Enbogmnc.exe 2160 Eelgcg32.exe 1552 Endklmlq.exe 3048 Epfhde32.exe 1864 Emjhmipi.exe 908 Ebfqfpop.exe 868 Fmlecinf.exe 1768 Floeof32.exe 1076 Fegjgkla.exe 528 Fmnahilc.exe 2388 Ffgfancd.exe 2368 Fiebnjbg.exe 1792 Fbngfo32.exe 2760 Fapgblob.exe 2832 Fhjoof32.exe 2644 Facdgl32.exe 2960 Fhmldfdm.exe 1156 Gmidlmcd.exe 1488 Geqlnjcf.exe 1928 Ggbieb32.exe 2192 Goiafp32.exe 2080 Ghaeoe32.exe 1400 Ggdekbgb.exe 736 Gibbgmfe.exe 2356 Gajjhkgh.exe 1696 Gckfpc32.exe 1644 Gkbnap32.exe 2188 Gmqkml32.exe 2920 Glckihcg.exe 2948 Gigkbm32.exe 832 Gncgbkki.exe 884 Gcppkbia.exe 1660 Ggklka32.exe 2032 Hlhddh32.exe 2036 Hpcpdfhj.exe 1540 Hhoeii32.exe 2612 Hljaigmo.exe 2176 Hoimecmb.exe 2200 Hagianlf.exe 2544 Hdefnjkj.exe 1600 Hhaanh32.exe 2508 Hkpnjd32.exe 2512 Hokjkbkp.exe 1236 Hfebhmbm.exe 1440 Hhcndhap.exe 2044 Hgfooe32.exe 2460 Honfqb32.exe 1524 Hnpgloog.exe 1912 Halcmn32.exe 900 Hgiked32.exe 1260 Hjggap32.exe 2020 Hbnpbm32.exe -
Loads dropped DLL 64 IoCs
pid Process 3044 cf63af24df902713f6c113c593b3e823386b5479ea1ab525981d53440356ba9fN.exe 3044 cf63af24df902713f6c113c593b3e823386b5479ea1ab525981d53440356ba9fN.exe 2660 Dijfch32.exe 2660 Dijfch32.exe 2884 Dbbklnpj.exe 2884 Dbbklnpj.exe 2632 Dpfkeb32.exe 2632 Dpfkeb32.exe 2588 Dfpcblfp.exe 2588 Dfpcblfp.exe 2608 Dmjlof32.exe 2608 Dmjlof32.exe 2972 Dnkhfnck.exe 2972 Dnkhfnck.exe 2480 Diqmcgca.exe 2480 Diqmcgca.exe 608 Epkepakn.exe 608 Epkepakn.exe 1088 Ealahi32.exe 1088 Ealahi32.exe 620 Egfjdchi.exe 620 Egfjdchi.exe 316 Ebknblho.exe 316 Ebknblho.exe 1164 Eejjnhgc.exe 1164 Eejjnhgc.exe 1084 Enbogmnc.exe 1084 Enbogmnc.exe 2160 Eelgcg32.exe 2160 Eelgcg32.exe 1552 Endklmlq.exe 1552 Endklmlq.exe 3048 Epfhde32.exe 3048 Epfhde32.exe 1864 Emjhmipi.exe 1864 Emjhmipi.exe 908 Ebfqfpop.exe 908 Ebfqfpop.exe 868 Fmlecinf.exe 868 Fmlecinf.exe 1768 Floeof32.exe 1768 Floeof32.exe 1076 Fegjgkla.exe 1076 Fegjgkla.exe 528 Fmnahilc.exe 528 Fmnahilc.exe 2388 Ffgfancd.exe 2388 Ffgfancd.exe 2368 Fiebnjbg.exe 2368 Fiebnjbg.exe 1792 Fbngfo32.exe 1792 Fbngfo32.exe 2760 Fapgblob.exe 2760 Fapgblob.exe 2832 Fhjoof32.exe 2832 Fhjoof32.exe 2644 Facdgl32.exe 2644 Facdgl32.exe 2960 Fhmldfdm.exe 2960 Fhmldfdm.exe 1156 Gmidlmcd.exe 1156 Gmidlmcd.exe 1488 Geqlnjcf.exe 1488 Geqlnjcf.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Fnejdq32.dll Ifgklp32.exe File created C:\Windows\SysWOW64\Ofeceb32.dll Ldpnoj32.exe File created C:\Windows\SysWOW64\Inalmqgb.dll Qekbgbpf.exe File created C:\Windows\SysWOW64\Igooceih.dll Qldjdlgb.exe File created C:\Windows\SysWOW64\Mbpmdgef.dll Aifjgdkj.exe File created C:\Windows\SysWOW64\Ejcofica.exe Efhcej32.exe File created C:\Windows\SysWOW64\Gncgbkki.exe Gigkbm32.exe File created C:\Windows\SysWOW64\Pmmqmpdm.exe Piadma32.exe File created C:\Windows\SysWOW64\Ghbakjma.dll Befnbd32.exe File created C:\Windows\SysWOW64\Cppobaeb.exe Camnge32.exe File created C:\Windows\SysWOW64\Eclcon32.exe Epqgopbi.exe File created C:\Windows\SysWOW64\Ckfkpqnm.dll Mmjomogn.exe File opened for modification C:\Windows\SysWOW64\Enbogmnc.exe Eejjnhgc.exe File created C:\Windows\SysWOW64\Ndfkbpjk.dll Apilcoho.exe File created C:\Windows\SysWOW64\Adiaommc.exe Albjnplq.exe File created C:\Windows\SysWOW64\Cgjgol32.exe Chggdoee.exe File created C:\Windows\SysWOW64\Dppfbm32.dll cf63af24df902713f6c113c593b3e823386b5479ea1ab525981d53440356ba9fN.exe File opened for modification C:\Windows\SysWOW64\Jfekec32.exe Jcfoihhp.exe File opened for modification C:\Windows\SysWOW64\Ldpnoj32.exe Lpdankjg.exe File opened for modification C:\Windows\SysWOW64\Nobndj32.exe Nldahn32.exe File created C:\Windows\SysWOW64\Cdeffdbl.dll Oqojhp32.exe File opened for modification C:\Windows\SysWOW64\Amhcad32.exe Anecfgdc.exe File opened for modification C:\Windows\SysWOW64\Cpbkhabp.exe Caokmd32.exe File created C:\Windows\SysWOW64\Ekghcq32.exe Emdhhdqb.exe File opened for modification C:\Windows\SysWOW64\Iomcpe32.exe Imogcj32.exe File created C:\Windows\SysWOW64\Jcngcc32.dll Faijggao.exe File created C:\Windows\SysWOW64\Kbnlnmnm.dll Lkifkdjm.exe File opened for modification C:\Windows\SysWOW64\Okpdjjil.exe Oiahnnji.exe File created C:\Windows\SysWOW64\Pbiffmpn.dll Phgannal.exe File created C:\Windows\SysWOW64\Aeokba32.exe Amhcad32.exe File created C:\Windows\SysWOW64\Qleikgfd.dll Dbadagln.exe File opened for modification C:\Windows\SysWOW64\Jkkjeeke.exe Jgpndg32.exe File created C:\Windows\SysWOW64\Mneaacno.exe Mobaef32.exe File created C:\Windows\SysWOW64\Nlohmonb.exe Nnlhab32.exe File opened for modification C:\Windows\SysWOW64\Immjnj32.exe Ifbaapfk.exe File opened for modification C:\Windows\SysWOW64\Lajkbp32.exe Lbgkfbbj.exe File created C:\Windows\SysWOW64\Kihpmnbb.exe Kfidqb32.exe File created C:\Windows\SysWOW64\Aggpokfi.dll Kpdeoh32.exe File created C:\Windows\SysWOW64\Ojoligof.dll Ppipdl32.exe File created C:\Windows\SysWOW64\Fiqechmg.dll Afeaei32.exe File opened for modification C:\Windows\SysWOW64\Efffpjmk.exe Egcfdn32.exe File opened for modification C:\Windows\SysWOW64\Icbipe32.exe Iqcmcj32.exe File created C:\Windows\SysWOW64\Oggeokoq.exe Ockinl32.exe File created C:\Windows\SysWOW64\Cgqmpkfg.exe Cceapl32.exe File opened for modification C:\Windows\SysWOW64\Dochelmj.exe Dkgldm32.exe File opened for modification C:\Windows\SysWOW64\Epkepakn.exe Diqmcgca.exe File created C:\Windows\SysWOW64\Mgbcfdmo.exe Mokkegmm.exe File created C:\Windows\SysWOW64\Oddphp32.exe Obecld32.exe File created C:\Windows\SysWOW64\Epqgopbi.exe Embkbdce.exe File created C:\Windows\SysWOW64\Afgdde32.dll Jeaahk32.exe File created C:\Windows\SysWOW64\Hhfdfc32.dll Mpikik32.exe File created C:\Windows\SysWOW64\Dihoofcd.dll Ngeljh32.exe File created C:\Windows\SysWOW64\Ockinl32.exe Oqmmbqgd.exe File opened for modification C:\Windows\SysWOW64\Efhcej32.exe Ecjgio32.exe File created C:\Windows\SysWOW64\Hcggbimn.dll Kbbakc32.exe File created C:\Windows\SysWOW64\Hipfaokh.dll Eejjnhgc.exe File created C:\Windows\SysWOW64\Honlnbae.dll Macjgadf.exe File created C:\Windows\SysWOW64\Akpcdopi.dll Bknmok32.exe File created C:\Windows\SysWOW64\Dnknlm32.dll Cgjgol32.exe File created C:\Windows\SysWOW64\Dnkhfnck.exe Dmjlof32.exe File opened for modification C:\Windows\SysWOW64\Odacbpee.exe Ofobgc32.exe File created C:\Windows\SysWOW64\Qlggjlep.exe Qdpohodn.exe File created C:\Windows\SysWOW64\Albjnplq.exe Aicmadmm.exe File opened for modification C:\Windows\SysWOW64\Dpfkeb32.exe Dbbklnpj.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4496 4420 WerFault.exe 418 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jajocl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ooidei32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aocbokia.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Coladm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gckfpc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Joblkegc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhimji32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpdankjg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Piohgbng.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Paafmp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qnqjkh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afcdpi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fiebnjbg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hagianlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Laodmoep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgnfji32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nobndj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebcmfj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aiaqle32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ablbjj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blipno32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijqjgo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Koibpd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oiokholk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oqojhp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plpqim32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkgldm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddppmclb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enmnahnm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efjpkj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmclmm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Baclaf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgqmpkfg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fegjgkla.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkelpd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlohmonb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njhbabif.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Caokmd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okpdjjil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egcfdn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eepmlf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nphghn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppipdl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bknmok32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chggdoee.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkbbinig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnjklb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngeljh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkeoongd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnpgloog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpaehl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Laaabo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Miocmq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhflcm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emdhhdqb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Maoalb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ockinl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cglcek32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cf63af24df902713f6c113c593b3e823386b5479ea1ab525981d53440356ba9fN.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Immjnj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpfbegei.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngpcohbm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjmmffgn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dqinhcoc.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iokfjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kmficl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mopdpg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Meljbqna.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dcemnopj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gncgbkki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obckefai.dll" Nopaoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eclcon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Imogcj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Onoqfehp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lolofd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fogiamne.dll" Lhfpdi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Abnopj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dhiphb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fhjoof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eoeadjbl.dll" Nggipg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iidbakdl.dll" Cpbkhabp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Halcmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dehdbhgg.dll" Hdefnjkj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iqcmcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hefccdhf.dll" Jihdnk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kaholp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mmjomogn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aiaqle32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cffjagko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aedkomok.dll" Fmlecinf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Empomd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epfbllkc.dll" Odflmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hehaja32.dll" Emdhhdqb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Onjgkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hokjkbkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjhlmfio.dll" Hnpgloog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfjfql32.dll" Fbngfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgfnod32.dll" Mneaacno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bhbmip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Chggdoee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hbnpbm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amoaeb32.dll" Jkimpfmg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kbnhpdke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfeilp32.dll" Keango32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdeffdbl.dll" Oqojhp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} cf63af24df902713f6c113c593b3e823386b5479ea1ab525981d53440356ba9fN.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kbnhpdke.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oddphp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Odflmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Okpdjjil.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qjgjpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dochelmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bocjgfch.dll" Efmlqigc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgiolk32.dll" Imogcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aggpokfi.dll" Kpdeoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckfkpqnm.dll" Mmjomogn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kembmblk.dll" Ngpcohbm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ofobgc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aicmadmm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fbfjkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jfjhbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oljgqipg.dll" Kbpefc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lhdcojaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pfqlkfoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dccpbd32.dll" Bfjkphjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpokpklp.dll" Eddjhb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jeoeclek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qnqjkh32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3044 wrote to memory of 2660 3044 cf63af24df902713f6c113c593b3e823386b5479ea1ab525981d53440356ba9fN.exe 30 PID 3044 wrote to memory of 2660 3044 cf63af24df902713f6c113c593b3e823386b5479ea1ab525981d53440356ba9fN.exe 30 PID 3044 wrote to memory of 2660 3044 cf63af24df902713f6c113c593b3e823386b5479ea1ab525981d53440356ba9fN.exe 30 PID 3044 wrote to memory of 2660 3044 cf63af24df902713f6c113c593b3e823386b5479ea1ab525981d53440356ba9fN.exe 30 PID 2660 wrote to memory of 2884 2660 Dijfch32.exe 31 PID 2660 wrote to memory of 2884 2660 Dijfch32.exe 31 PID 2660 wrote to memory of 2884 2660 Dijfch32.exe 31 PID 2660 wrote to memory of 2884 2660 Dijfch32.exe 31 PID 2884 wrote to memory of 2632 2884 Dbbklnpj.exe 32 PID 2884 wrote to memory of 2632 2884 Dbbklnpj.exe 32 PID 2884 wrote to memory of 2632 2884 Dbbklnpj.exe 32 PID 2884 wrote to memory of 2632 2884 Dbbklnpj.exe 32 PID 2632 wrote to memory of 2588 2632 Dpfkeb32.exe 33 PID 2632 wrote to memory of 2588 2632 Dpfkeb32.exe 33 PID 2632 wrote to memory of 2588 2632 Dpfkeb32.exe 33 PID 2632 wrote to memory of 2588 2632 Dpfkeb32.exe 33 PID 2588 wrote to memory of 2608 2588 Dfpcblfp.exe 34 PID 2588 wrote to memory of 2608 2588 Dfpcblfp.exe 34 PID 2588 wrote to memory of 2608 2588 Dfpcblfp.exe 34 PID 2588 wrote to memory of 2608 2588 Dfpcblfp.exe 34 PID 2608 wrote to memory of 2972 2608 Dmjlof32.exe 35 PID 2608 wrote to memory of 2972 2608 Dmjlof32.exe 35 PID 2608 wrote to memory of 2972 2608 Dmjlof32.exe 35 PID 2608 wrote to memory of 2972 2608 Dmjlof32.exe 35 PID 2972 wrote to memory of 2480 2972 Dnkhfnck.exe 36 PID 2972 wrote to memory of 2480 2972 Dnkhfnck.exe 36 PID 2972 wrote to memory of 2480 2972 Dnkhfnck.exe 36 PID 2972 wrote to memory of 2480 2972 Dnkhfnck.exe 36 PID 2480 wrote to memory of 608 2480 Diqmcgca.exe 37 PID 2480 wrote to memory of 608 2480 Diqmcgca.exe 37 PID 2480 wrote to memory of 608 2480 Diqmcgca.exe 37 PID 2480 wrote to memory of 608 2480 Diqmcgca.exe 37 PID 608 wrote to memory of 1088 608 Epkepakn.exe 38 PID 608 wrote to memory of 1088 608 Epkepakn.exe 38 PID 608 wrote to memory of 1088 608 Epkepakn.exe 38 PID 608 wrote to memory of 1088 608 Epkepakn.exe 38 PID 1088 wrote to memory of 620 1088 Ealahi32.exe 39 PID 1088 wrote to memory of 620 1088 Ealahi32.exe 39 PID 1088 wrote to memory of 620 1088 Ealahi32.exe 39 PID 1088 wrote to memory of 620 1088 Ealahi32.exe 39 PID 620 wrote to memory of 316 620 Egfjdchi.exe 40 PID 620 wrote to memory of 316 620 Egfjdchi.exe 40 PID 620 wrote to memory of 316 620 Egfjdchi.exe 40 PID 620 wrote to memory of 316 620 Egfjdchi.exe 40 PID 316 wrote to memory of 1164 316 Ebknblho.exe 41 PID 316 wrote to memory of 1164 316 Ebknblho.exe 41 PID 316 wrote to memory of 1164 316 Ebknblho.exe 41 PID 316 wrote to memory of 1164 316 Ebknblho.exe 41 PID 1164 wrote to memory of 1084 1164 Eejjnhgc.exe 42 PID 1164 wrote to memory of 1084 1164 Eejjnhgc.exe 42 PID 1164 wrote to memory of 1084 1164 Eejjnhgc.exe 42 PID 1164 wrote to memory of 1084 1164 Eejjnhgc.exe 42 PID 1084 wrote to memory of 2160 1084 Enbogmnc.exe 43 PID 1084 wrote to memory of 2160 1084 Enbogmnc.exe 43 PID 1084 wrote to memory of 2160 1084 Enbogmnc.exe 43 PID 1084 wrote to memory of 2160 1084 Enbogmnc.exe 43 PID 2160 wrote to memory of 1552 2160 Eelgcg32.exe 44 PID 2160 wrote to memory of 1552 2160 Eelgcg32.exe 44 PID 2160 wrote to memory of 1552 2160 Eelgcg32.exe 44 PID 2160 wrote to memory of 1552 2160 Eelgcg32.exe 44 PID 1552 wrote to memory of 3048 1552 Endklmlq.exe 45 PID 1552 wrote to memory of 3048 1552 Endklmlq.exe 45 PID 1552 wrote to memory of 3048 1552 Endklmlq.exe 45 PID 1552 wrote to memory of 3048 1552 Endklmlq.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\cf63af24df902713f6c113c593b3e823386b5479ea1ab525981d53440356ba9fN.exe"C:\Users\Admin\AppData\Local\Temp\cf63af24df902713f6c113c593b3e823386b5479ea1ab525981d53440356ba9fN.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3044 -
C:\Windows\SysWOW64\Dijfch32.exeC:\Windows\system32\Dijfch32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2660 -
C:\Windows\SysWOW64\Dbbklnpj.exeC:\Windows\system32\Dbbklnpj.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2884 -
C:\Windows\SysWOW64\Dpfkeb32.exeC:\Windows\system32\Dpfkeb32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2632 -
C:\Windows\SysWOW64\Dfpcblfp.exeC:\Windows\system32\Dfpcblfp.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2588 -
C:\Windows\SysWOW64\Dmjlof32.exeC:\Windows\system32\Dmjlof32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2608 -
C:\Windows\SysWOW64\Dnkhfnck.exeC:\Windows\system32\Dnkhfnck.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2972 -
C:\Windows\SysWOW64\Diqmcgca.exeC:\Windows\system32\Diqmcgca.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2480 -
C:\Windows\SysWOW64\Epkepakn.exeC:\Windows\system32\Epkepakn.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:608 -
C:\Windows\SysWOW64\Ealahi32.exeC:\Windows\system32\Ealahi32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1088 -
C:\Windows\SysWOW64\Egfjdchi.exeC:\Windows\system32\Egfjdchi.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:620 -
C:\Windows\SysWOW64\Ebknblho.exeC:\Windows\system32\Ebknblho.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:316 -
C:\Windows\SysWOW64\Eejjnhgc.exeC:\Windows\system32\Eejjnhgc.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1164 -
C:\Windows\SysWOW64\Enbogmnc.exeC:\Windows\system32\Enbogmnc.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1084 -
C:\Windows\SysWOW64\Eelgcg32.exeC:\Windows\system32\Eelgcg32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2160 -
C:\Windows\SysWOW64\Endklmlq.exeC:\Windows\system32\Endklmlq.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1552 -
C:\Windows\SysWOW64\Epfhde32.exeC:\Windows\system32\Epfhde32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3048 -
C:\Windows\SysWOW64\Emjhmipi.exeC:\Windows\system32\Emjhmipi.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1864 -
C:\Windows\SysWOW64\Ebfqfpop.exeC:\Windows\system32\Ebfqfpop.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:908 -
C:\Windows\SysWOW64\Fmlecinf.exeC:\Windows\system32\Fmlecinf.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:868 -
C:\Windows\SysWOW64\Floeof32.exeC:\Windows\system32\Floeof32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1768 -
C:\Windows\SysWOW64\Fegjgkla.exeC:\Windows\system32\Fegjgkla.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1076 -
C:\Windows\SysWOW64\Fmnahilc.exeC:\Windows\system32\Fmnahilc.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:528 -
C:\Windows\SysWOW64\Ffgfancd.exeC:\Windows\system32\Ffgfancd.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2388 -
C:\Windows\SysWOW64\Fiebnjbg.exeC:\Windows\system32\Fiebnjbg.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2368 -
C:\Windows\SysWOW64\Fbngfo32.exeC:\Windows\system32\Fbngfo32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1792 -
C:\Windows\SysWOW64\Fapgblob.exeC:\Windows\system32\Fapgblob.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2760 -
C:\Windows\SysWOW64\Fhjoof32.exeC:\Windows\system32\Fhjoof32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2832 -
C:\Windows\SysWOW64\Facdgl32.exeC:\Windows\system32\Facdgl32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2644 -
C:\Windows\SysWOW64\Fhmldfdm.exeC:\Windows\system32\Fhmldfdm.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2960 -
C:\Windows\SysWOW64\Gmidlmcd.exeC:\Windows\system32\Gmidlmcd.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1156 -
C:\Windows\SysWOW64\Geqlnjcf.exeC:\Windows\system32\Geqlnjcf.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1488 -
C:\Windows\SysWOW64\Ggbieb32.exeC:\Windows\system32\Ggbieb32.exe33⤵
- Executes dropped EXE
PID:1928 -
C:\Windows\SysWOW64\Goiafp32.exeC:\Windows\system32\Goiafp32.exe34⤵
- Executes dropped EXE
PID:2192 -
C:\Windows\SysWOW64\Ghaeoe32.exeC:\Windows\system32\Ghaeoe32.exe35⤵
- Executes dropped EXE
PID:2080 -
C:\Windows\SysWOW64\Ggdekbgb.exeC:\Windows\system32\Ggdekbgb.exe36⤵
- Executes dropped EXE
PID:1400 -
C:\Windows\SysWOW64\Gibbgmfe.exeC:\Windows\system32\Gibbgmfe.exe37⤵
- Executes dropped EXE
PID:736 -
C:\Windows\SysWOW64\Gajjhkgh.exeC:\Windows\system32\Gajjhkgh.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2356 -
C:\Windows\SysWOW64\Gckfpc32.exeC:\Windows\system32\Gckfpc32.exe39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1696 -
C:\Windows\SysWOW64\Gkbnap32.exeC:\Windows\system32\Gkbnap32.exe40⤵
- Executes dropped EXE
PID:1644 -
C:\Windows\SysWOW64\Gmqkml32.exeC:\Windows\system32\Gmqkml32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2188 -
C:\Windows\SysWOW64\Glckihcg.exeC:\Windows\system32\Glckihcg.exe42⤵
- Executes dropped EXE
PID:2920 -
C:\Windows\SysWOW64\Gigkbm32.exeC:\Windows\system32\Gigkbm32.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2948 -
C:\Windows\SysWOW64\Gncgbkki.exeC:\Windows\system32\Gncgbkki.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:832 -
C:\Windows\SysWOW64\Gcppkbia.exeC:\Windows\system32\Gcppkbia.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:884 -
C:\Windows\SysWOW64\Ggklka32.exeC:\Windows\system32\Ggklka32.exe46⤵
- Executes dropped EXE
PID:1660 -
C:\Windows\SysWOW64\Hlhddh32.exeC:\Windows\system32\Hlhddh32.exe47⤵
- Executes dropped EXE
PID:2032 -
C:\Windows\SysWOW64\Hpcpdfhj.exeC:\Windows\system32\Hpcpdfhj.exe48⤵
- Executes dropped EXE
PID:2036 -
C:\Windows\SysWOW64\Hhoeii32.exeC:\Windows\system32\Hhoeii32.exe49⤵
- Executes dropped EXE
PID:1540 -
C:\Windows\SysWOW64\Hljaigmo.exeC:\Windows\system32\Hljaigmo.exe50⤵
- Executes dropped EXE
PID:2612 -
C:\Windows\SysWOW64\Hoimecmb.exeC:\Windows\system32\Hoimecmb.exe51⤵
- Executes dropped EXE
PID:2176 -
C:\Windows\SysWOW64\Hagianlf.exeC:\Windows\system32\Hagianlf.exe52⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2200 -
C:\Windows\SysWOW64\Hdefnjkj.exeC:\Windows\system32\Hdefnjkj.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:2544 -
C:\Windows\SysWOW64\Hhaanh32.exeC:\Windows\system32\Hhaanh32.exe54⤵
- Executes dropped EXE
PID:1600 -
C:\Windows\SysWOW64\Hkpnjd32.exeC:\Windows\system32\Hkpnjd32.exe55⤵
- Executes dropped EXE
PID:2508 -
C:\Windows\SysWOW64\Hokjkbkp.exeC:\Windows\system32\Hokjkbkp.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:2512 -
C:\Windows\SysWOW64\Hfebhmbm.exeC:\Windows\system32\Hfebhmbm.exe57⤵
- Executes dropped EXE
PID:1236 -
C:\Windows\SysWOW64\Hhcndhap.exeC:\Windows\system32\Hhcndhap.exe58⤵
- Executes dropped EXE
PID:1440 -
C:\Windows\SysWOW64\Hgfooe32.exeC:\Windows\system32\Hgfooe32.exe59⤵
- Executes dropped EXE
PID:2044 -
C:\Windows\SysWOW64\Honfqb32.exeC:\Windows\system32\Honfqb32.exe60⤵
- Executes dropped EXE
PID:2460 -
C:\Windows\SysWOW64\Hnpgloog.exeC:\Windows\system32\Hnpgloog.exe61⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1524 -
C:\Windows\SysWOW64\Halcmn32.exeC:\Windows\system32\Halcmn32.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:1912 -
C:\Windows\SysWOW64\Hgiked32.exeC:\Windows\system32\Hgiked32.exe63⤵
- Executes dropped EXE
PID:900 -
C:\Windows\SysWOW64\Hjggap32.exeC:\Windows\system32\Hjggap32.exe64⤵
- Executes dropped EXE
PID:1260 -
C:\Windows\SysWOW64\Hbnpbm32.exeC:\Windows\system32\Hbnpbm32.exe65⤵
- Executes dropped EXE
- Modifies registry class
PID:2020 -
C:\Windows\SysWOW64\Idmlniea.exeC:\Windows\system32\Idmlniea.exe66⤵PID:1748
-
C:\Windows\SysWOW64\Icplje32.exeC:\Windows\system32\Icplje32.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2380 -
C:\Windows\SysWOW64\Ikfdkc32.exeC:\Windows\system32\Ikfdkc32.exe68⤵PID:876
-
C:\Windows\SysWOW64\Inepgn32.exeC:\Windows\system32\Inepgn32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:584 -
C:\Windows\SysWOW64\Iqcmcj32.exeC:\Windows\system32\Iqcmcj32.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2668 -
C:\Windows\SysWOW64\Icbipe32.exeC:\Windows\system32\Icbipe32.exe71⤵PID:2596
-
C:\Windows\SysWOW64\Ifpelq32.exeC:\Windows\system32\Ifpelq32.exe72⤵PID:2548
-
C:\Windows\SysWOW64\Ingmmn32.exeC:\Windows\system32\Ingmmn32.exe73⤵PID:2464
-
C:\Windows\SysWOW64\Imjmhkpj.exeC:\Windows\system32\Imjmhkpj.exe74⤵PID:2904
-
C:\Windows\SysWOW64\Icdeee32.exeC:\Windows\system32\Icdeee32.exe75⤵PID:628
-
C:\Windows\SysWOW64\Ifbaapfk.exeC:\Windows\system32\Ifbaapfk.exe76⤵
- Drops file in System32 directory
PID:2360 -
C:\Windows\SysWOW64\Immjnj32.exeC:\Windows\system32\Immjnj32.exe77⤵
- System Location Discovery: System Language Discovery
PID:1336 -
C:\Windows\SysWOW64\Iqhfnifq.exeC:\Windows\system32\Iqhfnifq.exe78⤵PID:1268
-
C:\Windows\SysWOW64\Iokfjf32.exeC:\Windows\system32\Iokfjf32.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1924 -
C:\Windows\SysWOW64\Ibibfa32.exeC:\Windows\system32\Ibibfa32.exe80⤵PID:2140
-
C:\Windows\SysWOW64\Ijqjgo32.exeC:\Windows\system32\Ijqjgo32.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1356 -
C:\Windows\SysWOW64\Imogcj32.exeC:\Windows\system32\Imogcj32.exe82⤵
- Drops file in System32 directory
- Modifies registry class
PID:2052 -
C:\Windows\SysWOW64\Iomcpe32.exeC:\Windows\system32\Iomcpe32.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1944 -
C:\Windows\SysWOW64\Ifgklp32.exeC:\Windows\system32\Ifgklp32.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1764 -
C:\Windows\SysWOW64\Iejkhlip.exeC:\Windows\system32\Iejkhlip.exe85⤵PID:2540
-
C:\Windows\SysWOW64\Jkdcdf32.exeC:\Windows\system32\Jkdcdf32.exe86⤵PID:2956
-
C:\Windows\SysWOW64\Jnbpqb32.exeC:\Windows\system32\Jnbpqb32.exe87⤵PID:408
-
C:\Windows\SysWOW64\Jfjhbo32.exeC:\Windows\system32\Jfjhbo32.exe88⤵
- Modifies registry class
PID:2912 -
C:\Windows\SysWOW64\Jihdnk32.exeC:\Windows\system32\Jihdnk32.exe89⤵
- Modifies registry class
PID:2340 -
C:\Windows\SysWOW64\Joblkegc.exeC:\Windows\system32\Joblkegc.exe90⤵
- System Location Discovery: System Language Discovery
PID:1508 -
C:\Windows\SysWOW64\Jbphgpfg.exeC:\Windows\system32\Jbphgpfg.exe91⤵PID:2936
-
C:\Windows\SysWOW64\Jeoeclek.exeC:\Windows\system32\Jeoeclek.exe92⤵
- Modifies registry class
PID:1340 -
C:\Windows\SysWOW64\Jgmaog32.exeC:\Windows\system32\Jgmaog32.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1532 -
C:\Windows\SysWOW64\Jkimpfmg.exeC:\Windows\system32\Jkimpfmg.exe94⤵
- Modifies registry class
PID:3012 -
C:\Windows\SysWOW64\Jngilalk.exeC:\Windows\system32\Jngilalk.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1732 -
C:\Windows\SysWOW64\Jbcelp32.exeC:\Windows\system32\Jbcelp32.exe96⤵PID:1908
-
C:\Windows\SysWOW64\Jeaahk32.exeC:\Windows\system32\Jeaahk32.exe97⤵
- Drops file in System32 directory
PID:2812 -
C:\Windows\SysWOW64\Jgpndg32.exeC:\Windows\system32\Jgpndg32.exe98⤵
- Drops file in System32 directory
PID:2716 -
C:\Windows\SysWOW64\Jkkjeeke.exeC:\Windows\system32\Jkkjeeke.exe99⤵PID:2720
-
C:\Windows\SysWOW64\Jnifaajh.exeC:\Windows\system32\Jnifaajh.exe100⤵PID:1108
-
C:\Windows\SysWOW64\Jahbmlil.exeC:\Windows\system32\Jahbmlil.exe101⤵PID:2120
-
C:\Windows\SysWOW64\Jcfoihhp.exeC:\Windows\system32\Jcfoihhp.exe102⤵
- Drops file in System32 directory
PID:844 -
C:\Windows\SysWOW64\Jfekec32.exeC:\Windows\system32\Jfekec32.exe103⤵PID:992
-
C:\Windows\SysWOW64\Jjpgfbom.exeC:\Windows\system32\Jjpgfbom.exe104⤵PID:2228
-
C:\Windows\SysWOW64\Jajocl32.exeC:\Windows\system32\Jajocl32.exe105⤵
- System Location Discovery: System Language Discovery
PID:3060 -
C:\Windows\SysWOW64\Jpmooind.exeC:\Windows\system32\Jpmooind.exe106⤵PID:1760
-
C:\Windows\SysWOW64\Kfggkc32.exeC:\Windows\system32\Kfggkc32.exe107⤵PID:1364
-
C:\Windows\SysWOW64\Kmaphmln.exeC:\Windows\system32\Kmaphmln.exe108⤵PID:2484
-
C:\Windows\SysWOW64\Kamlhl32.exeC:\Windows\system32\Kamlhl32.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:564 -
C:\Windows\SysWOW64\Kbnhpdke.exeC:\Windows\system32\Kbnhpdke.exe110⤵
- Modifies registry class
PID:2712 -
C:\Windows\SysWOW64\Kfidqb32.exeC:\Windows\system32\Kfidqb32.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2676 -
C:\Windows\SysWOW64\Kihpmnbb.exeC:\Windows\system32\Kihpmnbb.exe112⤵PID:2952
-
C:\Windows\SysWOW64\Kmclmm32.exeC:\Windows\system32\Kmclmm32.exe113⤵
- System Location Discovery: System Language Discovery
PID:2968 -
C:\Windows\SysWOW64\Kpbhjh32.exeC:\Windows\system32\Kpbhjh32.exe114⤵PID:3036
-
C:\Windows\SysWOW64\Kbpefc32.exeC:\Windows\system32\Kbpefc32.exe115⤵
- Modifies registry class
PID:2092 -
C:\Windows\SysWOW64\Kflafbak.exeC:\Windows\system32\Kflafbak.exe116⤵PID:2348
-
C:\Windows\SysWOW64\Keoabo32.exeC:\Windows\system32\Keoabo32.exe117⤵PID:2324
-
C:\Windows\SysWOW64\Kmficl32.exeC:\Windows\system32\Kmficl32.exe118⤵
- Modifies registry class
PID:2116 -
C:\Windows\SysWOW64\Kpdeoh32.exeC:\Windows\system32\Kpdeoh32.exe119⤵
- Drops file in System32 directory
- Modifies registry class
PID:1068 -
C:\Windows\SysWOW64\Kngekdnf.exeC:\Windows\system32\Kngekdnf.exe120⤵PID:2384
-
C:\Windows\SysWOW64\Kbbakc32.exeC:\Windows\system32\Kbbakc32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1996
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-