Analysis
-
max time kernel
118s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
01-11-2024 16:46
Static task
static1
Behavioral task
behavioral1
Sample
9b6f0c5d23eeab36dbca83b84c54f6b4ca7e1663b64c6525f6f425b1b0f258e9.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
9b6f0c5d23eeab36dbca83b84c54f6b4ca7e1663b64c6525f6f425b1b0f258e9.exe
Resource
win10v2004-20241007-en
General
-
Target
9b6f0c5d23eeab36dbca83b84c54f6b4ca7e1663b64c6525f6f425b1b0f258e9.exe
-
Size
55KB
-
MD5
47f05e4375221dc903c57a1a7edac948
-
SHA1
075a4bb1174788e3201a597697acedc89f7e9c59
-
SHA256
9b6f0c5d23eeab36dbca83b84c54f6b4ca7e1663b64c6525f6f425b1b0f258e9
-
SHA512
9a83a6f2843b55f7993a7109c622d6fc09c65cf4ec901ce260151f715fb96a4669f0aa9d51e2f74edfc4018285d92200dba04b893d0a782fba0b035621a61248
-
SSDEEP
768:+DCCxqDtOHh5wpTkJd+VGfDSglg/2MvqYy5hjfSLt2fI4S2p/1H5CMXdnh:8CfBOB5wwbLpl82yyfSWQ2LQm
Malware Config
Extracted
berbew
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdegfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gcedad32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbdjcffd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmlkfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iclbpj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bqeqqk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmgmpnhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jfdhmk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Giolnomh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dlgjldnm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Feddombd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oejcpf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccbbachm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbggif32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ingkdeak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmhkin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gqdgom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjeglh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kgcnahoo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhfjjdjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Anogijnb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cagienkb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdgdji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fkqlgc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hkjkle32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jelfdc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bpbmqe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Faonom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dnpciaef.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhhhbg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhhkapeh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajckilei.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnjoco32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbmome32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Foahmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mbchni32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nckkgp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npbklabl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikldqile.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnmiag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kdphjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ccjoli32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edcnakpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Keeeje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lcdhgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ageompfe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blfapfpg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dncibp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhpgfeao.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gaojnq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljldnhid.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oiafee32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aacmij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebnabb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fefqdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gdnfjl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iejiodbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmcjedcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Loaokjjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Khohkamc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmofdf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkkfgi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Klfjpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oalkih32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2296 Bjkhdacm.exe 580 Bqeqqk32.exe 2460 Bceibfgj.exe 2904 Bjpaop32.exe 2940 Bchfhfeh.exe 1948 Bqlfaj32.exe 2648 Bfioia32.exe 2416 Bigkel32.exe 1712 Cbppnbhm.exe 2356 Ckhdggom.exe 2280 Cfmhdpnc.exe 1692 Ckjamgmk.exe 2012 Cagienkb.exe 668 Ckmnbg32.exe 1148 Cchbgi32.exe 1348 Cjakccop.exe 2040 Ccjoli32.exe 1820 Dnpciaef.exe 2020 Dmbcen32.exe 1276 Dhhhbg32.exe 2176 Dmepkn32.exe 2456 Dcohghbk.exe 872 Dilapopb.exe 1004 Dmgmpnhl.exe 1724 Debadpeg.exe 1976 Dbfbnddq.exe 1704 Deenjpcd.exe 2228 Dbiocd32.exe 3044 Eibgpnjk.exe 2640 Eopphehb.exe 2800 Eeiheo32.exe 2636 Ehhdaj32.exe 2704 Eaphjp32.exe 2240 Eeldkonl.exe 1688 Eabepp32.exe 2520 Edaalk32.exe 1624 Einjdb32.exe 840 Eaebeoan.exe 2848 Edcnakpa.exe 3020 Egajnfoe.exe 1368 Ekmfne32.exe 2464 Flapkmlj.exe 1252 Foolgh32.exe 752 Flclam32.exe 2992 Foahmh32.exe 1648 Fcpacf32.exe 812 Fdqnkoep.exe 304 Fkkfgi32.exe 2208 Fnibcd32.exe 1964 Gdcjpncm.exe 1968 Ggagmjbq.exe 2776 Gdegfn32.exe 2752 Ggdcbi32.exe 2748 Gkoobhhg.exe 2696 Gaihob32.exe 1672 Gdhdkn32.exe 1288 Gjdldd32.exe 1776 Gnphdceh.exe 1812 Glchpp32.exe 1516 Gcmamj32.exe 2728 Gnbejb32.exe 1936 Gmeeepjp.exe 1628 Gqaafn32.exe 2144 Godaakic.exe -
Loads dropped DLL 64 IoCs
pid Process 1728 9b6f0c5d23eeab36dbca83b84c54f6b4ca7e1663b64c6525f6f425b1b0f258e9.exe 1728 9b6f0c5d23eeab36dbca83b84c54f6b4ca7e1663b64c6525f6f425b1b0f258e9.exe 2296 Bjkhdacm.exe 2296 Bjkhdacm.exe 580 Bqeqqk32.exe 580 Bqeqqk32.exe 2460 Bceibfgj.exe 2460 Bceibfgj.exe 2904 Bjpaop32.exe 2904 Bjpaop32.exe 2940 Bchfhfeh.exe 2940 Bchfhfeh.exe 1948 Bqlfaj32.exe 1948 Bqlfaj32.exe 2648 Bfioia32.exe 2648 Bfioia32.exe 2416 Bigkel32.exe 2416 Bigkel32.exe 1712 Cbppnbhm.exe 1712 Cbppnbhm.exe 2356 Ckhdggom.exe 2356 Ckhdggom.exe 2280 Cfmhdpnc.exe 2280 Cfmhdpnc.exe 1692 Ckjamgmk.exe 1692 Ckjamgmk.exe 2012 Cagienkb.exe 2012 Cagienkb.exe 668 Ckmnbg32.exe 668 Ckmnbg32.exe 1148 Cchbgi32.exe 1148 Cchbgi32.exe 1348 Cjakccop.exe 1348 Cjakccop.exe 2040 Ccjoli32.exe 2040 Ccjoli32.exe 1820 Dnpciaef.exe 1820 Dnpciaef.exe 2020 Dmbcen32.exe 2020 Dmbcen32.exe 1276 Dhhhbg32.exe 1276 Dhhhbg32.exe 2176 Dmepkn32.exe 2176 Dmepkn32.exe 2456 Dcohghbk.exe 2456 Dcohghbk.exe 872 Dilapopb.exe 872 Dilapopb.exe 1004 Dmgmpnhl.exe 1004 Dmgmpnhl.exe 2288 Dlljaj32.exe 2288 Dlljaj32.exe 1976 Dbfbnddq.exe 1976 Dbfbnddq.exe 1704 Deenjpcd.exe 1704 Deenjpcd.exe 2228 Dbiocd32.exe 2228 Dbiocd32.exe 3044 Eibgpnjk.exe 3044 Eibgpnjk.exe 2640 Eopphehb.exe 2640 Eopphehb.exe 2800 Eeiheo32.exe 2800 Eeiheo32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Ppmncnbh.dll Jfdhmk32.exe File opened for modification C:\Windows\SysWOW64\Oniebmda.exe Omhhke32.exe File created C:\Windows\SysWOW64\Ljdpbj32.dll Fdgdji32.exe File created C:\Windows\SysWOW64\Qmgaio32.dll Jcqlkjae.exe File created C:\Windows\SysWOW64\Lknocpdc.dll Feddombd.exe File created C:\Windows\SysWOW64\Hiclkp32.exe Hegpjaac.exe File created C:\Windows\SysWOW64\Jndjmifj.exe Jpajbl32.exe File created C:\Windows\SysWOW64\Capocbbb.dll Jdcpkp32.exe File opened for modification C:\Windows\SysWOW64\Mkdffoij.exe Mhfjjdjf.exe File created C:\Windows\SysWOW64\Qhkipdeb.exe Qemldifo.exe File opened for modification C:\Windows\SysWOW64\Anogijnb.exe Ajckilei.exe File created C:\Windows\SysWOW64\Eadbpdla.dll Cceogcfj.exe File created C:\Windows\SysWOW64\Kjcijlpq.dll Hgciff32.exe File created C:\Windows\SysWOW64\Lpgcln32.dll Jibnop32.exe File created C:\Windows\SysWOW64\Bodilc32.dll Kkjpggkn.exe File opened for modification C:\Windows\SysWOW64\Dnpciaef.exe Ccjoli32.exe File created C:\Windows\SysWOW64\Ccdbdc32.dll Edcnakpa.exe File created C:\Windows\SysWOW64\Lffkcfke.dll Omckoi32.exe File created C:\Windows\SysWOW64\Gdcjpncm.exe Fnibcd32.exe File created C:\Windows\SysWOW64\Ccgklc32.exe Ckpckece.exe File opened for modification C:\Windows\SysWOW64\Iediin32.exe Ibfmmb32.exe File created C:\Windows\SysWOW64\Gbmhafee.dll Iakino32.exe File created C:\Windows\SysWOW64\Cbamip32.dll Llpfjomf.exe File created C:\Windows\SysWOW64\Lcadghnk.exe Llgljn32.exe File created C:\Windows\SysWOW64\Hbbofa32.dll Ldmopa32.exe File created C:\Windows\SysWOW64\Ammhpd32.dll Lpflkb32.exe File opened for modification C:\Windows\SysWOW64\Aejlnmkm.exe Aclpaali.exe File opened for modification C:\Windows\SysWOW64\Fppaej32.exe Fmaeho32.exe File created C:\Windows\SysWOW64\Ikgkei32.exe Hiioin32.exe File created C:\Windows\SysWOW64\Lidgcclp.exe Lgfjggll.exe File opened for modification C:\Windows\SysWOW64\Eopphehb.exe Eibgpnjk.exe File opened for modification C:\Windows\SysWOW64\Egajnfoe.exe Edcnakpa.exe File created C:\Windows\SysWOW64\Kkpqlm32.exe Kechdf32.exe File created C:\Windows\SysWOW64\Iqjcnfeg.dll Ngpqfp32.exe File opened for modification C:\Windows\SysWOW64\Epnhpglg.exe Eakhdj32.exe File created C:\Windows\SysWOW64\Gdnfjl32.exe Gaojnq32.exe File opened for modification C:\Windows\SysWOW64\Ccjoli32.exe Cjakccop.exe File created C:\Windows\SysWOW64\Ggknna32.dll Jelfdc32.exe File created C:\Windows\SysWOW64\Lnqjnhge.exe Lonibk32.exe File opened for modification C:\Windows\SysWOW64\Omckoi32.exe Olbogqoe.exe File created C:\Windows\SysWOW64\Gefcmp32.dll Qejpoi32.exe File opened for modification C:\Windows\SysWOW64\Bbhccm32.exe Boifga32.exe File created C:\Windows\SysWOW64\Hjmicg32.dll Ljldnhid.exe File created C:\Windows\SysWOW64\Gfbliabl.dll Nfigck32.exe File opened for modification C:\Windows\SysWOW64\Bhmaeg32.exe Bjjaikoa.exe File created C:\Windows\SysWOW64\Hoqjqhjf.exe Hmbndmkb.exe File created C:\Windows\SysWOW64\Knfddo32.dll Jmkmjoec.exe File created C:\Windows\SysWOW64\Gkeeihpg.dll Lcmklh32.exe File created C:\Windows\SysWOW64\Lepaccmo.exe Lcadghnk.exe File opened for modification C:\Windows\SysWOW64\Ggagmjbq.exe Gdcjpncm.exe File opened for modification C:\Windows\SysWOW64\Pmmneg32.exe Pfbfhm32.exe File created C:\Windows\SysWOW64\Odecjfnl.dll Adipfd32.exe File opened for modification C:\Windows\SysWOW64\Dpklkgoj.exe Dahkok32.exe File created C:\Windows\SysWOW64\Pdbampij.dll Efljhq32.exe File opened for modification C:\Windows\SysWOW64\Fccglehn.exe Fmfocnjg.exe File created C:\Windows\SysWOW64\Kobgmfjh.dll Ieibdnnp.exe File opened for modification C:\Windows\SysWOW64\Dmepkn32.exe Dhhhbg32.exe File created C:\Windows\SysWOW64\Einjdb32.exe Edaalk32.exe File opened for modification C:\Windows\SysWOW64\Ijnkifgp.exe Igoomk32.exe File opened for modification C:\Windows\SysWOW64\Keeeje32.exe Kokmmkcm.exe File created C:\Windows\SysWOW64\Qiflohqk.exe Qejpoi32.exe File opened for modification C:\Windows\SysWOW64\Dcbnpgkh.exe Dadbdkld.exe File opened for modification C:\Windows\SysWOW64\Ifmocb32.exe Icncgf32.exe File created C:\Windows\SysWOW64\Cagienkb.exe Ckjamgmk.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5976 5952 WerFault.exe 482 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mciabmlo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pehcij32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajhddk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggagmjbq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efljhq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kipmhc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpklkgoj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmbndmkb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kenhopmf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hiclkp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Coicfd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eicpcm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdcpkp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oejcpf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aclpaali.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npbklabl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfanmogq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhpgfeao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccjoli32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmofdf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfehhn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhmaeg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmkcil32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iakino32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emaijk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkggmldl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omckoi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppkjac32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jimdcqom.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnbejb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohipla32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qejpoi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmnqje32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kidjdpie.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmpcca32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Loaokjjg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbiocd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Foahmh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfckcoen.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eeiheo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfcabd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcohahpn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcedad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dilapopb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhhkapeh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mokilo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adfbpega.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebqngb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgciff32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bigkel32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kechdf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjihmmbk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngdjaofc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opialpld.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icifjk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkoobhhg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Keeeje32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghgfekpn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmppehkh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhhhbg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbeedh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahmefdcp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjkhdacm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edaalk32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hkjkle32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ikldqile.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gdcjpncm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hoqjqhjf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jhenjmbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eafkhn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jpajbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohqngjgk.dll" Ncpdbohb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iediin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ijnkifgp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mbchni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hqgddm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Imgnjb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nfigck32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ojglhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkfhfpel.dll" Qhkipdeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ckpckece.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bieepc32.dll" Eblelb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Elibpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Heolqjho.dll" Gaihob32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Glchpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lpflkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lqahpi32.dll" Dgknkf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dcbnpgkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eemnnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blghgj32.dll" Eafkhn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edpijbip.dll" Fkhbgbkc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bigkel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hklhae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Njnmbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfbliabl.dll" Nfigck32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ppmgfb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kidjdpie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lmpcca32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lcmklh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmiljc32.dll" Ccjoli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkijcgjo.dll" Mfgnnhkc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Npdhaq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aejlnmkm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fkqlgc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hclfag32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Khnapkjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agpdah32.dll" Lidgcclp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ieofkp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ndcapd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocimkc32.dll" Cmhjdiap.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fdgdji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acfenf32.dll" Mbnocipg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cdmepgce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hmpaom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jfohgepi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgdeifom.dll" Dmbcen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfmnocmn.dll" Gmeeepjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Laqojfli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inppon32.dll" Bdhleh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbamip32.dll" Llpfjomf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fameoj32.dll" Gdegfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qofpqofd.dll" Aphjjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Faffik32.dll" Bolcma32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cceogcfj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dncibp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfnokgjk.dll" Edaalk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Flapkmlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecqgacgg.dll" Ijnkifgp.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1728 wrote to memory of 2296 1728 9b6f0c5d23eeab36dbca83b84c54f6b4ca7e1663b64c6525f6f425b1b0f258e9.exe 31 PID 1728 wrote to memory of 2296 1728 9b6f0c5d23eeab36dbca83b84c54f6b4ca7e1663b64c6525f6f425b1b0f258e9.exe 31 PID 1728 wrote to memory of 2296 1728 9b6f0c5d23eeab36dbca83b84c54f6b4ca7e1663b64c6525f6f425b1b0f258e9.exe 31 PID 1728 wrote to memory of 2296 1728 9b6f0c5d23eeab36dbca83b84c54f6b4ca7e1663b64c6525f6f425b1b0f258e9.exe 31 PID 2296 wrote to memory of 580 2296 Bjkhdacm.exe 32 PID 2296 wrote to memory of 580 2296 Bjkhdacm.exe 32 PID 2296 wrote to memory of 580 2296 Bjkhdacm.exe 32 PID 2296 wrote to memory of 580 2296 Bjkhdacm.exe 32 PID 580 wrote to memory of 2460 580 Bqeqqk32.exe 33 PID 580 wrote to memory of 2460 580 Bqeqqk32.exe 33 PID 580 wrote to memory of 2460 580 Bqeqqk32.exe 33 PID 580 wrote to memory of 2460 580 Bqeqqk32.exe 33 PID 2460 wrote to memory of 2904 2460 Bceibfgj.exe 34 PID 2460 wrote to memory of 2904 2460 Bceibfgj.exe 34 PID 2460 wrote to memory of 2904 2460 Bceibfgj.exe 34 PID 2460 wrote to memory of 2904 2460 Bceibfgj.exe 34 PID 2904 wrote to memory of 2940 2904 Bjpaop32.exe 35 PID 2904 wrote to memory of 2940 2904 Bjpaop32.exe 35 PID 2904 wrote to memory of 2940 2904 Bjpaop32.exe 35 PID 2904 wrote to memory of 2940 2904 Bjpaop32.exe 35 PID 2940 wrote to memory of 1948 2940 Bchfhfeh.exe 36 PID 2940 wrote to memory of 1948 2940 Bchfhfeh.exe 36 PID 2940 wrote to memory of 1948 2940 Bchfhfeh.exe 36 PID 2940 wrote to memory of 1948 2940 Bchfhfeh.exe 36 PID 1948 wrote to memory of 2648 1948 Bqlfaj32.exe 37 PID 1948 wrote to memory of 2648 1948 Bqlfaj32.exe 37 PID 1948 wrote to memory of 2648 1948 Bqlfaj32.exe 37 PID 1948 wrote to memory of 2648 1948 Bqlfaj32.exe 37 PID 2648 wrote to memory of 2416 2648 Bfioia32.exe 38 PID 2648 wrote to memory of 2416 2648 Bfioia32.exe 38 PID 2648 wrote to memory of 2416 2648 Bfioia32.exe 38 PID 2648 wrote to memory of 2416 2648 Bfioia32.exe 38 PID 2416 wrote to memory of 1712 2416 Bigkel32.exe 39 PID 2416 wrote to memory of 1712 2416 Bigkel32.exe 39 PID 2416 wrote to memory of 1712 2416 Bigkel32.exe 39 PID 2416 wrote to memory of 1712 2416 Bigkel32.exe 39 PID 1712 wrote to memory of 2356 1712 Cbppnbhm.exe 40 PID 1712 wrote to memory of 2356 1712 Cbppnbhm.exe 40 PID 1712 wrote to memory of 2356 1712 Cbppnbhm.exe 40 PID 1712 wrote to memory of 2356 1712 Cbppnbhm.exe 40 PID 2356 wrote to memory of 2280 2356 Ckhdggom.exe 41 PID 2356 wrote to memory of 2280 2356 Ckhdggom.exe 41 PID 2356 wrote to memory of 2280 2356 Ckhdggom.exe 41 PID 2356 wrote to memory of 2280 2356 Ckhdggom.exe 41 PID 2280 wrote to memory of 1692 2280 Cfmhdpnc.exe 42 PID 2280 wrote to memory of 1692 2280 Cfmhdpnc.exe 42 PID 2280 wrote to memory of 1692 2280 Cfmhdpnc.exe 42 PID 2280 wrote to memory of 1692 2280 Cfmhdpnc.exe 42 PID 1692 wrote to memory of 2012 1692 Ckjamgmk.exe 43 PID 1692 wrote to memory of 2012 1692 Ckjamgmk.exe 43 PID 1692 wrote to memory of 2012 1692 Ckjamgmk.exe 43 PID 1692 wrote to memory of 2012 1692 Ckjamgmk.exe 43 PID 2012 wrote to memory of 668 2012 Cagienkb.exe 44 PID 2012 wrote to memory of 668 2012 Cagienkb.exe 44 PID 2012 wrote to memory of 668 2012 Cagienkb.exe 44 PID 2012 wrote to memory of 668 2012 Cagienkb.exe 44 PID 668 wrote to memory of 1148 668 Ckmnbg32.exe 45 PID 668 wrote to memory of 1148 668 Ckmnbg32.exe 45 PID 668 wrote to memory of 1148 668 Ckmnbg32.exe 45 PID 668 wrote to memory of 1148 668 Ckmnbg32.exe 45 PID 1148 wrote to memory of 1348 1148 Cchbgi32.exe 46 PID 1148 wrote to memory of 1348 1148 Cchbgi32.exe 46 PID 1148 wrote to memory of 1348 1148 Cchbgi32.exe 46 PID 1148 wrote to memory of 1348 1148 Cchbgi32.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\9b6f0c5d23eeab36dbca83b84c54f6b4ca7e1663b64c6525f6f425b1b0f258e9.exe"C:\Users\Admin\AppData\Local\Temp\9b6f0c5d23eeab36dbca83b84c54f6b4ca7e1663b64c6525f6f425b1b0f258e9.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1728 -
C:\Windows\SysWOW64\Bjkhdacm.exeC:\Windows\system32\Bjkhdacm.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2296 -
C:\Windows\SysWOW64\Bqeqqk32.exeC:\Windows\system32\Bqeqqk32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:580 -
C:\Windows\SysWOW64\Bceibfgj.exeC:\Windows\system32\Bceibfgj.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2460 -
C:\Windows\SysWOW64\Bjpaop32.exeC:\Windows\system32\Bjpaop32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2904 -
C:\Windows\SysWOW64\Bchfhfeh.exeC:\Windows\system32\Bchfhfeh.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2940 -
C:\Windows\SysWOW64\Bqlfaj32.exeC:\Windows\system32\Bqlfaj32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1948 -
C:\Windows\SysWOW64\Bfioia32.exeC:\Windows\system32\Bfioia32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2648 -
C:\Windows\SysWOW64\Bigkel32.exeC:\Windows\system32\Bigkel32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2416 -
C:\Windows\SysWOW64\Cbppnbhm.exeC:\Windows\system32\Cbppnbhm.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1712 -
C:\Windows\SysWOW64\Ckhdggom.exeC:\Windows\system32\Ckhdggom.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2356 -
C:\Windows\SysWOW64\Cfmhdpnc.exeC:\Windows\system32\Cfmhdpnc.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2280 -
C:\Windows\SysWOW64\Ckjamgmk.exeC:\Windows\system32\Ckjamgmk.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1692 -
C:\Windows\SysWOW64\Cagienkb.exeC:\Windows\system32\Cagienkb.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2012 -
C:\Windows\SysWOW64\Ckmnbg32.exeC:\Windows\system32\Ckmnbg32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:668 -
C:\Windows\SysWOW64\Cchbgi32.exeC:\Windows\system32\Cchbgi32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1148 -
C:\Windows\SysWOW64\Cjakccop.exeC:\Windows\system32\Cjakccop.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1348 -
C:\Windows\SysWOW64\Ccjoli32.exeC:\Windows\system32\Ccjoli32.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2040 -
C:\Windows\SysWOW64\Dnpciaef.exeC:\Windows\system32\Dnpciaef.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1820 -
C:\Windows\SysWOW64\Dmbcen32.exeC:\Windows\system32\Dmbcen32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2020 -
C:\Windows\SysWOW64\Dhhhbg32.exeC:\Windows\system32\Dhhhbg32.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1276 -
C:\Windows\SysWOW64\Dmepkn32.exeC:\Windows\system32\Dmepkn32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2176 -
C:\Windows\SysWOW64\Dcohghbk.exeC:\Windows\system32\Dcohghbk.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2456 -
C:\Windows\SysWOW64\Dilapopb.exeC:\Windows\system32\Dilapopb.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:872 -
C:\Windows\SysWOW64\Dmgmpnhl.exeC:\Windows\system32\Dmgmpnhl.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1004 -
C:\Windows\SysWOW64\Debadpeg.exeC:\Windows\system32\Debadpeg.exe26⤵
- Executes dropped EXE
PID:1724 -
C:\Windows\SysWOW64\Dlljaj32.exeC:\Windows\system32\Dlljaj32.exe27⤵
- Loads dropped DLL
PID:2288 -
C:\Windows\SysWOW64\Dbfbnddq.exeC:\Windows\system32\Dbfbnddq.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1976 -
C:\Windows\SysWOW64\Deenjpcd.exeC:\Windows\system32\Deenjpcd.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1704 -
C:\Windows\SysWOW64\Dbiocd32.exeC:\Windows\system32\Dbiocd32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2228 -
C:\Windows\SysWOW64\Eibgpnjk.exeC:\Windows\system32\Eibgpnjk.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:3044 -
C:\Windows\SysWOW64\Eopphehb.exeC:\Windows\system32\Eopphehb.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2640 -
C:\Windows\SysWOW64\Eeiheo32.exeC:\Windows\system32\Eeiheo32.exe33⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2800 -
C:\Windows\SysWOW64\Ehhdaj32.exeC:\Windows\system32\Ehhdaj32.exe34⤵
- Executes dropped EXE
PID:2636 -
C:\Windows\SysWOW64\Eaphjp32.exeC:\Windows\system32\Eaphjp32.exe35⤵
- Executes dropped EXE
PID:2704 -
C:\Windows\SysWOW64\Eeldkonl.exeC:\Windows\system32\Eeldkonl.exe36⤵
- Executes dropped EXE
PID:2240 -
C:\Windows\SysWOW64\Eabepp32.exeC:\Windows\system32\Eabepp32.exe37⤵
- Executes dropped EXE
PID:1688 -
C:\Windows\SysWOW64\Edaalk32.exeC:\Windows\system32\Edaalk32.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2520 -
C:\Windows\SysWOW64\Einjdb32.exeC:\Windows\system32\Einjdb32.exe39⤵
- Executes dropped EXE
PID:1624 -
C:\Windows\SysWOW64\Eaebeoan.exeC:\Windows\system32\Eaebeoan.exe40⤵
- Executes dropped EXE
PID:840 -
C:\Windows\SysWOW64\Edcnakpa.exeC:\Windows\system32\Edcnakpa.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2848 -
C:\Windows\SysWOW64\Egajnfoe.exeC:\Windows\system32\Egajnfoe.exe42⤵
- Executes dropped EXE
PID:3020 -
C:\Windows\SysWOW64\Ekmfne32.exeC:\Windows\system32\Ekmfne32.exe43⤵
- Executes dropped EXE
PID:1368 -
C:\Windows\SysWOW64\Flapkmlj.exeC:\Windows\system32\Flapkmlj.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:2464 -
C:\Windows\SysWOW64\Foolgh32.exeC:\Windows\system32\Foolgh32.exe45⤵
- Executes dropped EXE
PID:1252 -
C:\Windows\SysWOW64\Flclam32.exeC:\Windows\system32\Flclam32.exe46⤵
- Executes dropped EXE
PID:752 -
C:\Windows\SysWOW64\Foahmh32.exeC:\Windows\system32\Foahmh32.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2992 -
C:\Windows\SysWOW64\Fcpacf32.exeC:\Windows\system32\Fcpacf32.exe48⤵
- Executes dropped EXE
PID:1648 -
C:\Windows\SysWOW64\Fdqnkoep.exeC:\Windows\system32\Fdqnkoep.exe49⤵
- Executes dropped EXE
PID:812 -
C:\Windows\SysWOW64\Fkkfgi32.exeC:\Windows\system32\Fkkfgi32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:304 -
C:\Windows\SysWOW64\Fnibcd32.exeC:\Windows\system32\Fnibcd32.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2208 -
C:\Windows\SysWOW64\Gdcjpncm.exeC:\Windows\system32\Gdcjpncm.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1964 -
C:\Windows\SysWOW64\Ggagmjbq.exeC:\Windows\system32\Ggagmjbq.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1968 -
C:\Windows\SysWOW64\Gdegfn32.exeC:\Windows\system32\Gdegfn32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2776 -
C:\Windows\SysWOW64\Ggdcbi32.exeC:\Windows\system32\Ggdcbi32.exe55⤵
- Executes dropped EXE
PID:2752 -
C:\Windows\SysWOW64\Gkoobhhg.exeC:\Windows\system32\Gkoobhhg.exe56⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2748 -
C:\Windows\SysWOW64\Gaihob32.exeC:\Windows\system32\Gaihob32.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:2696 -
C:\Windows\SysWOW64\Gdhdkn32.exeC:\Windows\system32\Gdhdkn32.exe58⤵
- Executes dropped EXE
PID:1672 -
C:\Windows\SysWOW64\Gjdldd32.exeC:\Windows\system32\Gjdldd32.exe59⤵
- Executes dropped EXE
PID:1288 -
C:\Windows\SysWOW64\Gnphdceh.exeC:\Windows\system32\Gnphdceh.exe60⤵
- Executes dropped EXE
PID:1776 -
C:\Windows\SysWOW64\Glchpp32.exeC:\Windows\system32\Glchpp32.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:1812 -
C:\Windows\SysWOW64\Gcmamj32.exeC:\Windows\system32\Gcmamj32.exe62⤵
- Executes dropped EXE
PID:1516 -
C:\Windows\SysWOW64\Gnbejb32.exeC:\Windows\system32\Gnbejb32.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2728 -
C:\Windows\SysWOW64\Gmeeepjp.exeC:\Windows\system32\Gmeeepjp.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:1936 -
C:\Windows\SysWOW64\Gqaafn32.exeC:\Windows\system32\Gqaafn32.exe65⤵
- Executes dropped EXE
PID:1628 -
C:\Windows\SysWOW64\Godaakic.exeC:\Windows\system32\Godaakic.exe66⤵
- Executes dropped EXE
PID:2144 -
C:\Windows\SysWOW64\Ggkibhjf.exeC:\Windows\system32\Ggkibhjf.exe67⤵PID:1676
-
C:\Windows\SysWOW64\Gfnjne32.exeC:\Windows\system32\Gfnjne32.exe68⤵PID:2480
-
C:\Windows\SysWOW64\Hofngkga.exeC:\Windows\system32\Hofngkga.exe69⤵PID:1264
-
C:\Windows\SysWOW64\Hofngkga.exeC:\Windows\system32\Hofngkga.exe70⤵PID:2344
-
C:\Windows\SysWOW64\Hbdjcffd.exeC:\Windows\system32\Hbdjcffd.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1440 -
C:\Windows\SysWOW64\Hjlbdc32.exeC:\Windows\system32\Hjlbdc32.exe72⤵PID:1588
-
C:\Windows\SysWOW64\Hkmollme.exeC:\Windows\system32\Hkmollme.exe73⤵PID:2372
-
C:\Windows\SysWOW64\Hcdgmimg.exeC:\Windows\system32\Hcdgmimg.exe74⤵PID:2760
-
C:\Windows\SysWOW64\Hbggif32.exeC:\Windows\system32\Hbggif32.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2836 -
C:\Windows\SysWOW64\Hdecea32.exeC:\Windows\system32\Hdecea32.exe76⤵PID:2664
-
C:\Windows\SysWOW64\Hmlkfo32.exeC:\Windows\system32\Hmlkfo32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1196 -
C:\Windows\SysWOW64\Hnnhngjf.exeC:\Windows\system32\Hnnhngjf.exe78⤵PID:1756
-
C:\Windows\SysWOW64\Hfepod32.exeC:\Windows\system32\Hfepod32.exe79⤵PID:1032
-
C:\Windows\SysWOW64\Hegpjaac.exeC:\Windows\system32\Hegpjaac.exe80⤵
- Drops file in System32 directory
PID:316 -
C:\Windows\SysWOW64\Hiclkp32.exeC:\Windows\system32\Hiclkp32.exe81⤵
- System Location Discovery: System Language Discovery
PID:408 -
C:\Windows\SysWOW64\Hnpdcf32.exeC:\Windows\system32\Hnpdcf32.exe82⤵PID:756
-
C:\Windows\SysWOW64\Hqnapb32.exeC:\Windows\system32\Hqnapb32.exe83⤵PID:1736
-
C:\Windows\SysWOW64\Hkdemk32.exeC:\Windows\system32\Hkdemk32.exe84⤵PID:880
-
C:\Windows\SysWOW64\Haqnea32.exeC:\Windows\system32\Haqnea32.exe85⤵PID:948
-
C:\Windows\SysWOW64\Hcojam32.exeC:\Windows\system32\Hcojam32.exe86⤵PID:1052
-
C:\Windows\SysWOW64\Ijibng32.exeC:\Windows\system32\Ijibng32.exe87⤵PID:624
-
C:\Windows\SysWOW64\Imgnjb32.exeC:\Windows\system32\Imgnjb32.exe88⤵
- Modifies registry class
PID:1956 -
C:\Windows\SysWOW64\Ieofkp32.exeC:\Windows\system32\Ieofkp32.exe89⤵
- Modifies registry class
PID:1580 -
C:\Windows\SysWOW64\Ifpcchai.exeC:\Windows\system32\Ifpcchai.exe90⤵PID:2972
-
C:\Windows\SysWOW64\Ingkdeak.exeC:\Windows\system32\Ingkdeak.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2684 -
C:\Windows\SysWOW64\Iaegpaao.exeC:\Windows\system32\Iaegpaao.exe92⤵PID:1804
-
C:\Windows\SysWOW64\Igoomk32.exeC:\Windows\system32\Igoomk32.exe93⤵
- Drops file in System32 directory
PID:2352 -
C:\Windows\SysWOW64\Ijnkifgp.exeC:\Windows\system32\Ijnkifgp.exe94⤵
- Modifies registry class
PID:2692 -
C:\Windows\SysWOW64\Iiqldc32.exeC:\Windows\system32\Iiqldc32.exe95⤵PID:1508
-
C:\Windows\SysWOW64\Icfpbl32.exeC:\Windows\system32\Icfpbl32.exe96⤵PID:2172
-
C:\Windows\SysWOW64\Ijphofem.exeC:\Windows\system32\Ijphofem.exe97⤵PID:1892
-
C:\Windows\SysWOW64\Iladfn32.exeC:\Windows\system32\Iladfn32.exe98⤵PID:804
-
C:\Windows\SysWOW64\Iejiodbl.exeC:\Windows\system32\Iejiodbl.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:700 -
C:\Windows\SysWOW64\Jbnjhh32.exeC:\Windows\system32\Jbnjhh32.exe100⤵PID:2304
-
C:\Windows\SysWOW64\Jelfdc32.exeC:\Windows\system32\Jelfdc32.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1972 -
C:\Windows\SysWOW64\Jhjbqo32.exeC:\Windows\system32\Jhjbqo32.exe102⤵PID:2072
-
C:\Windows\SysWOW64\Jpajbl32.exeC:\Windows\system32\Jpajbl32.exe103⤵
- Drops file in System32 directory
- Modifies registry class
PID:2792 -
C:\Windows\SysWOW64\Jndjmifj.exeC:\Windows\system32\Jndjmifj.exe104⤵PID:1272
-
C:\Windows\SysWOW64\Jenbjc32.exeC:\Windows\system32\Jenbjc32.exe105⤵PID:1960
-
C:\Windows\SysWOW64\Jhmofo32.exeC:\Windows\system32\Jhmofo32.exe106⤵PID:1512
-
C:\Windows\SysWOW64\Jaecod32.exeC:\Windows\system32\Jaecod32.exe107⤵PID:916
-
C:\Windows\SysWOW64\Jdcpkp32.exeC:\Windows\system32\Jdcpkp32.exe108⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2168 -
C:\Windows\SysWOW64\Jlkglm32.exeC:\Windows\system32\Jlkglm32.exe109⤵PID:1840
-
C:\Windows\SysWOW64\Jmlddeio.exeC:\Windows\system32\Jmlddeio.exe110⤵PID:1536
-
C:\Windows\SysWOW64\Jagpdd32.exeC:\Windows\system32\Jagpdd32.exe111⤵PID:1864
-
C:\Windows\SysWOW64\Jfdhmk32.exeC:\Windows\system32\Jfdhmk32.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1744 -
C:\Windows\SysWOW64\Jjpdmi32.exeC:\Windows\system32\Jjpdmi32.exe113⤵PID:1584
-
C:\Windows\SysWOW64\Jmnqje32.exeC:\Windows\system32\Jmnqje32.exe114⤵
- System Location Discovery: System Language Discovery
PID:3056 -
C:\Windows\SysWOW64\Jdhifooi.exeC:\Windows\system32\Jdhifooi.exe115⤵PID:2756
-
C:\Windows\SysWOW64\Jhdegn32.exeC:\Windows\system32\Jhdegn32.exe116⤵PID:2824
-
C:\Windows\SysWOW64\Kmqmod32.exeC:\Windows\system32\Kmqmod32.exe117⤵PID:1340
-
C:\Windows\SysWOW64\Kpojkp32.exeC:\Windows\system32\Kpojkp32.exe118⤵PID:2856
-
C:\Windows\SysWOW64\Kfibhjlj.exeC:\Windows\system32\Kfibhjlj.exe119⤵PID:1532
-
C:\Windows\SysWOW64\Kkdnhi32.exeC:\Windows\system32\Kkdnhi32.exe120⤵PID:3036
-
C:\Windows\SysWOW64\Kmcjedcg.exeC:\Windows\system32\Kmcjedcg.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2060 -
C:\Windows\SysWOW64\Klfjpa32.exeC:\Windows\system32\Klfjpa32.exe122⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2784
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-