Analysis
-
max time kernel
108s -
max time network
109s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
06-11-2024 02:18
Behavioral task
behavioral1
Sample
cc1454b245411b23eb18db999c235acd5404892a04247ec2a715a5791f88fed0N.exe
Resource
win7-20240903-en
windows7-x64
12 signatures
120 seconds
General
-
Target
cc1454b245411b23eb18db999c235acd5404892a04247ec2a715a5791f88fed0N.exe
-
Size
163KB
-
MD5
6fcb198e0dc3068665f84abdb608d860
-
SHA1
723fa228b747a1852ecfa0775e07711492ddfdd6
-
SHA256
cc1454b245411b23eb18db999c235acd5404892a04247ec2a715a5791f88fed0
-
SHA512
8321283c73968df1826f80bf2cba73600bd18265babbdd9d25a2dc5620bea5df728c41350b93ce45c26c2cfcd7e0c1fc187181ccbe8aebf17b9d13866226c46d
-
SSDEEP
1536:P7wkhHv8JaFCMh+k38eadfl+8+lProNVU4qNVUrk/9QbfBr+7GwKrPAsqNVU:DwkW/M9addB+ltOrWKDBr+yJb
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://master-x.com/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://crutop.ru/index.php
http://kaspersky.ru/index.php
http://color-bank.ru/index.php
http://adult-empire.com/index.php
http://virus-list.com/index.php
http://trojan.ru/index.php
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://fethard.biz/index.htm
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://kaspersky.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
Extracted
Family
gozi
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpofii32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lqbncb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjmoag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cnfaohbj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afpjel32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjadje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ikbfgppo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lgccinoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njpdnedf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oelolmnd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Coqncejg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhbebj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efepbi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmdjapgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hpofii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmkgkapm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mgaokl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfglfdkb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbbpmb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpkibf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmggfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjafok32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qaalblgi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eiobceef.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkibgh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcejco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Efjbcakl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdpcal32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phdnngdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iloidijb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jnjejjgh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgbjbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dbbffdlq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Efpomccg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebgpad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jgkmgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pdhkcb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ldgccb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mjmoag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Palbgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mgclpkac.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmafajfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebhglj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Emmkiclm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gphphj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bochmn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chlflabp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enpmld32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfoann32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ahaceo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hdokdg32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjoiil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kqbdldnq.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aokkahlo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adfgdpmi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmbanbmg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmdcfidg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jgbchj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Adndoe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbhboolf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jilfifme.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Difpmfna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fbfcmhpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bochmn32.exe -
Berbew family
-
Gozi family
-
Executes dropped EXE 64 IoCs
pid Process 2136 Cmmbbejp.exe 3716 Coknoaic.exe 628 Diccgfpd.exe 2452 Dcigeooj.exe 4200 Difpmfna.exe 2120 Dpphjp32.exe 5008 Dbndfl32.exe 4664 Djelgied.exe 3308 Dcnqpo32.exe 4480 Djhimica.exe 416 Dmfeidbe.exe 4412 Dcpmen32.exe 5004 Dimenegi.exe 2616 Dlkbjqgm.exe 3928 Efafgifc.exe 4476 Eiobceef.exe 1032 Elnoopdj.exe 4556 Ecefqnel.exe 2792 Ebhglj32.exe 3080 Ejoomhmi.exe 4884 Emmkiclm.exe 3336 Elpkep32.exe 4636 Ecgcfm32.exe 220 Ebjcajjd.exe 4224 Efepbi32.exe 676 Ejalcgkg.exe 3948 Eidlnd32.exe 2808 Emphocjj.exe 2276 Elbhjp32.exe 5028 Eciplm32.exe 3912 Eblpgjha.exe 2848 Efhlhh32.exe 1008 Ejchhgid.exe 1640 Eifhdd32.exe 2684 Embddb32.exe 4216 Eppqqn32.exe 2372 Eclmamod.exe 32 Ebommi32.exe 2548 Ejfeng32.exe 4296 Eiieicml.exe 2244 Elgaeolp.exe 3012 Fpbmfn32.exe 4788 Fcniglmb.exe 764 Ffmfchle.exe 1612 Fjhacf32.exe 1404 Fmfnpa32.exe 4752 Flinkojm.exe 1472 Fdqfll32.exe 2336 Fbcfhibj.exe 1984 Fjjnifbl.exe 2612 Fimodc32.exe 636 Fllkqn32.exe 3544 Fpggamqc.exe 3136 Fbfcmhpg.exe 1432 Ffaong32.exe 4380 Fipkjb32.exe 2060 Fmkgkapm.exe 1716 Fpjcgm32.exe 4120 Fdepgkgj.exe 3128 Ffclcgfn.exe 1136 Fjohde32.exe 388 Fmndpq32.exe 3752 Flqdlnde.exe 3236 Fdglmkeg.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Bhnikc32.exe Bepmoh32.exe File created C:\Windows\SysWOW64\Ibdlakbf.dll Hoobdp32.exe File created C:\Windows\SysWOW64\Hlhefcoo.dll Paeelgnj.exe File opened for modification C:\Windows\SysWOW64\Knhakh32.exe Kkjeomld.exe File opened for modification C:\Windows\SysWOW64\Ilmmni32.exe Iinqbn32.exe File opened for modification C:\Windows\SysWOW64\Kdigadjo.exe Kmaopfjm.exe File opened for modification C:\Windows\SysWOW64\Kclgmq32.exe Kdigadjo.exe File created C:\Windows\SysWOW64\Qaalblgi.exe Pocpfphe.exe File created C:\Windows\SysWOW64\Akqfkp32.exe Aednci32.exe File created C:\Windows\SysWOW64\Effkpc32.dll Cfkmkf32.exe File created C:\Windows\SysWOW64\Elkllcbh.dll Dbbffdlq.exe File created C:\Windows\SysWOW64\Elnoopdj.exe Eiobceef.exe File created C:\Windows\SysWOW64\Ignlbcmf.dll Jgbchj32.exe File created C:\Windows\SysWOW64\Ieoigp32.dll Akblfj32.exe File created C:\Windows\SysWOW64\Iocedcbl.dll Akdilipp.exe File created C:\Windows\SysWOW64\Pjllddpj.dll Bpfkpp32.exe File created C:\Windows\SysWOW64\Bhqndghj.dll Bajqda32.exe File opened for modification C:\Windows\SysWOW64\Flfkkhid.exe Fmcjpl32.exe File created C:\Windows\SysWOW64\Pbjnik32.dll Fdqfll32.exe File opened for modification C:\Windows\SysWOW64\Glengm32.exe Gigaka32.exe File opened for modification C:\Windows\SysWOW64\Jpdhkf32.exe Jjjpnlbd.exe File opened for modification C:\Windows\SysWOW64\Bomkcm32.exe Blnoga32.exe File opened for modification C:\Windows\SysWOW64\Bakgoh32.exe Bomkcm32.exe File created C:\Windows\SysWOW64\Kaofbcjo.dll Eiahnnph.exe File created C:\Windows\SysWOW64\Doepmnag.dll Jniood32.exe File opened for modification C:\Windows\SysWOW64\Fdqfll32.exe Flinkojm.exe File created C:\Windows\SysWOW64\Oghghb32.exe Onocomdo.exe File created C:\Windows\SysWOW64\Lnoaaaad.exe Lcimdh32.exe File created C:\Windows\SysWOW64\Mqimikfj.exe Mfchlbfd.exe File created C:\Windows\SysWOW64\Apaadpng.exe Akdilipp.exe File opened for modification C:\Windows\SysWOW64\Lknojl32.exe Lgccinoe.exe File opened for modification C:\Windows\SysWOW64\Efepbi32.exe Ebjcajjd.exe File created C:\Windows\SysWOW64\Haaaidfk.dll Lnohlgep.exe File created C:\Windows\SysWOW64\Mmnhcb32.exe Mgaokl32.exe File created C:\Windows\SysWOW64\Lnjgfb32.exe Lgpoihnl.exe File created C:\Windows\SysWOW64\Dbfpagon.dll Afpjel32.exe File opened for modification C:\Windows\SysWOW64\Cdbpgl32.exe Cacckp32.exe File created C:\Windows\SysWOW64\Dcpmen32.exe Dmfeidbe.exe File opened for modification C:\Windows\SysWOW64\Jlkipgpe.exe Jjlmclqa.exe File created C:\Windows\SysWOW64\Ajfmkfhq.dll Jjafok32.exe File created C:\Windows\SysWOW64\Gphphj32.exe Gmiclo32.exe File created C:\Windows\SysWOW64\Eoaedogc.dll Popbpqjh.exe File opened for modification C:\Windows\SysWOW64\Akqfkp32.exe Aednci32.exe File opened for modification C:\Windows\SysWOW64\Fbbpmb32.exe Fligqhga.exe File opened for modification C:\Windows\SysWOW64\Cmmbbejp.exe cc1454b245411b23eb18db999c235acd5404892a04247ec2a715a5791f88fed0N.exe File created C:\Windows\SysWOW64\Hdjgko32.dll Knooej32.exe File created C:\Windows\SysWOW64\Kkeldnpi.exe Kgipcogp.exe File opened for modification C:\Windows\SysWOW64\Lddgmbpb.exe Lmmolepp.exe File opened for modification C:\Windows\SysWOW64\Lqbncb32.exe Lndagg32.exe File opened for modification C:\Windows\SysWOW64\Bkjiao32.exe Blgifbil.exe File opened for modification C:\Windows\SysWOW64\Gphphj32.exe Gmiclo32.exe File created C:\Windows\SysWOW64\Ladfllde.dll Hloqml32.exe File created C:\Windows\SysWOW64\Jhdnigno.dll Ipoopgnf.exe File created C:\Windows\SysWOW64\Kcejco32.exe Kqfngd32.exe File created C:\Windows\SysWOW64\Dfookdli.dll Nnicid32.exe File opened for modification C:\Windows\SysWOW64\Qlgpod32.exe Qdphngfl.exe File created C:\Windows\SysWOW64\Ncpgam32.dll Lnjgfb32.exe File created C:\Windows\SysWOW64\Onkidm32.exe Ngqagcag.exe File created C:\Windows\SysWOW64\Dimenegi.exe Dcpmen32.exe File opened for modification C:\Windows\SysWOW64\Dmfeidbe.exe Djhimica.exe File created C:\Windows\SysWOW64\Ajmdgelp.dll Dcpmen32.exe File created C:\Windows\SysWOW64\Fcniglmb.exe Fpbmfn32.exe File opened for modification C:\Windows\SysWOW64\Kqphfe32.exe Knalji32.exe File opened for modification C:\Windows\SysWOW64\Olfghg32.exe Oelolmnd.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 11292 11920 WerFault.exe 605 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfpffeaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kckqbj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejoomhmi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjfnedho.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkbmqb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcejco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcnfohmi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpbjkn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpaleglc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifmqfm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcimdh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akblfj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcpmen32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlkbjqgm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnlbojee.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jddnfd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlfnaicd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkmdecbg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dokgdkeh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlglidlo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgpoihnl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aokkahlo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flinkojm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phdnngdn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Komhll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpdgqmnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kqdaadln.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jphkkpbp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahdpjn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fimodc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilmmni32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lddgmbpb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkbjjbda.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Baannc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnfnlf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Addaif32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iomoenej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aaenbd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebommi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Neclenfo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Popbpqjh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Coknoaic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kqfngd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Felbnn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jqknkedi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jleijb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfjola32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhmbqm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnjejjgh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qdbdcg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iedjmioj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpcjgnhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmfcok32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipoopgnf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmcain32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aknifq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnfaohbj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dndnpf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpkibf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amqhbe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikbfgppo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aonoao32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbhboolf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elbhjp32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Flkdfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jmbhoeid.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Icdheded.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcleml32.dll" Jcikgacl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkldkg32.dll" Nlfnaicd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cdbfab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Felbnn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Baadiiif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nohffe32.dll" Dokgdkeh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jjpode32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcjdoc32.dll" Lgqfdnah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lnohlgep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Maggnali.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pkegpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qdbdcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjjojj32.dll" Npbceggm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nmfcok32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Njmqnobn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnokgcbe.dll" Ofkgcobj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mmkdcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hclnnc32.dll" Ffmfchle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nenbjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Chlflabp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokpod32.dll" Ickglm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehmjob32.dll" Lcnfohmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmnbjama.dll" Pjbcplpe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jcanll32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Koodbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Npbceggm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Njmqnobn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gejain32.dll" Onkidm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gjfnedho.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pddhbipj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lckiihok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mmhgmmbf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Chdialdl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Faimhjhp.dll" Ebommi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fpbmfn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hkdjfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iddgpk32.dll" Ipflihfq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ojigdcll.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Njfagf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dibkjmof.dll" Gikdkj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aknbkjfh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gbofcghl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lkchelci.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oelolmnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbqdpi32.dll" Iedjmioj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lljklo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcmdgodo.dll" Cdpcal32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} cc1454b245411b23eb18db999c235acd5404892a04247ec2a715a5791f88fed0N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnnlhc32.dll" Gmdjapgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mgaokl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kikdcj32.dll" Mgclpkac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eejeiocj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lddgmbpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbandhne.dll" Qodeajbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ljhefhha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Phfjcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghjnkpdc.dll" Gpbpbecj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jqknkedi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgfoqnae.dll" Lqbncb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gfhndpol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oghdfilo.dll" Dlkbjqgm.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2436 wrote to memory of 2136 2436 cc1454b245411b23eb18db999c235acd5404892a04247ec2a715a5791f88fed0N.exe 86 PID 2436 wrote to memory of 2136 2436 cc1454b245411b23eb18db999c235acd5404892a04247ec2a715a5791f88fed0N.exe 86 PID 2436 wrote to memory of 2136 2436 cc1454b245411b23eb18db999c235acd5404892a04247ec2a715a5791f88fed0N.exe 86 PID 2136 wrote to memory of 3716 2136 Cmmbbejp.exe 87 PID 2136 wrote to memory of 3716 2136 Cmmbbejp.exe 87 PID 2136 wrote to memory of 3716 2136 Cmmbbejp.exe 87 PID 3716 wrote to memory of 628 3716 Coknoaic.exe 88 PID 3716 wrote to memory of 628 3716 Coknoaic.exe 88 PID 3716 wrote to memory of 628 3716 Coknoaic.exe 88 PID 628 wrote to memory of 2452 628 Diccgfpd.exe 89 PID 628 wrote to memory of 2452 628 Diccgfpd.exe 89 PID 628 wrote to memory of 2452 628 Diccgfpd.exe 89 PID 2452 wrote to memory of 4200 2452 Dcigeooj.exe 90 PID 2452 wrote to memory of 4200 2452 Dcigeooj.exe 90 PID 2452 wrote to memory of 4200 2452 Dcigeooj.exe 90 PID 4200 wrote to memory of 2120 4200 Difpmfna.exe 91 PID 4200 wrote to memory of 2120 4200 Difpmfna.exe 91 PID 4200 wrote to memory of 2120 4200 Difpmfna.exe 91 PID 2120 wrote to memory of 5008 2120 Dpphjp32.exe 93 PID 2120 wrote to memory of 5008 2120 Dpphjp32.exe 93 PID 2120 wrote to memory of 5008 2120 Dpphjp32.exe 93 PID 5008 wrote to memory of 4664 5008 Dbndfl32.exe 94 PID 5008 wrote to memory of 4664 5008 Dbndfl32.exe 94 PID 5008 wrote to memory of 4664 5008 Dbndfl32.exe 94 PID 4664 wrote to memory of 3308 4664 Djelgied.exe 95 PID 4664 wrote to memory of 3308 4664 Djelgied.exe 95 PID 4664 wrote to memory of 3308 4664 Djelgied.exe 95 PID 3308 wrote to memory of 4480 3308 Dcnqpo32.exe 96 PID 3308 wrote to memory of 4480 3308 Dcnqpo32.exe 96 PID 3308 wrote to memory of 4480 3308 Dcnqpo32.exe 96 PID 4480 wrote to memory of 416 4480 Djhimica.exe 98 PID 4480 wrote to memory of 416 4480 Djhimica.exe 98 PID 4480 wrote to memory of 416 4480 Djhimica.exe 98 PID 416 wrote to memory of 4412 416 Dmfeidbe.exe 99 PID 416 wrote to memory of 4412 416 Dmfeidbe.exe 99 PID 416 wrote to memory of 4412 416 Dmfeidbe.exe 99 PID 4412 wrote to memory of 5004 4412 Dcpmen32.exe 100 PID 4412 wrote to memory of 5004 4412 Dcpmen32.exe 100 PID 4412 wrote to memory of 5004 4412 Dcpmen32.exe 100 PID 5004 wrote to memory of 2616 5004 Dimenegi.exe 101 PID 5004 wrote to memory of 2616 5004 Dimenegi.exe 101 PID 5004 wrote to memory of 2616 5004 Dimenegi.exe 101 PID 2616 wrote to memory of 3928 2616 Dlkbjqgm.exe 102 PID 2616 wrote to memory of 3928 2616 Dlkbjqgm.exe 102 PID 2616 wrote to memory of 3928 2616 Dlkbjqgm.exe 102 PID 3928 wrote to memory of 4476 3928 Efafgifc.exe 103 PID 3928 wrote to memory of 4476 3928 Efafgifc.exe 103 PID 3928 wrote to memory of 4476 3928 Efafgifc.exe 103 PID 4476 wrote to memory of 1032 4476 Eiobceef.exe 105 PID 4476 wrote to memory of 1032 4476 Eiobceef.exe 105 PID 4476 wrote to memory of 1032 4476 Eiobceef.exe 105 PID 1032 wrote to memory of 4556 1032 Elnoopdj.exe 106 PID 1032 wrote to memory of 4556 1032 Elnoopdj.exe 106 PID 1032 wrote to memory of 4556 1032 Elnoopdj.exe 106 PID 4556 wrote to memory of 2792 4556 Ecefqnel.exe 107 PID 4556 wrote to memory of 2792 4556 Ecefqnel.exe 107 PID 4556 wrote to memory of 2792 4556 Ecefqnel.exe 107 PID 2792 wrote to memory of 3080 2792 Ebhglj32.exe 108 PID 2792 wrote to memory of 3080 2792 Ebhglj32.exe 108 PID 2792 wrote to memory of 3080 2792 Ebhglj32.exe 108 PID 3080 wrote to memory of 4884 3080 Ejoomhmi.exe 109 PID 3080 wrote to memory of 4884 3080 Ejoomhmi.exe 109 PID 3080 wrote to memory of 4884 3080 Ejoomhmi.exe 109 PID 4884 wrote to memory of 3336 4884 Emmkiclm.exe 110
Processes
-
C:\Users\Admin\AppData\Local\Temp\cc1454b245411b23eb18db999c235acd5404892a04247ec2a715a5791f88fed0N.exe"C:\Users\Admin\AppData\Local\Temp\cc1454b245411b23eb18db999c235acd5404892a04247ec2a715a5791f88fed0N.exe"1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2436 -
C:\Windows\SysWOW64\Cmmbbejp.exeC:\Windows\system32\Cmmbbejp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2136 -
C:\Windows\SysWOW64\Coknoaic.exeC:\Windows\system32\Coknoaic.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3716 -
C:\Windows\SysWOW64\Diccgfpd.exeC:\Windows\system32\Diccgfpd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:628 -
C:\Windows\SysWOW64\Dcigeooj.exeC:\Windows\system32\Dcigeooj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2452 -
C:\Windows\SysWOW64\Difpmfna.exeC:\Windows\system32\Difpmfna.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4200 -
C:\Windows\SysWOW64\Dpphjp32.exeC:\Windows\system32\Dpphjp32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2120 -
C:\Windows\SysWOW64\Dbndfl32.exeC:\Windows\system32\Dbndfl32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5008 -
C:\Windows\SysWOW64\Djelgied.exeC:\Windows\system32\Djelgied.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4664 -
C:\Windows\SysWOW64\Dcnqpo32.exeC:\Windows\system32\Dcnqpo32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3308 -
C:\Windows\SysWOW64\Djhimica.exeC:\Windows\system32\Djhimica.exe11⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4480 -
C:\Windows\SysWOW64\Dmfeidbe.exeC:\Windows\system32\Dmfeidbe.exe12⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:416 -
C:\Windows\SysWOW64\Dcpmen32.exeC:\Windows\system32\Dcpmen32.exe13⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4412 -
C:\Windows\SysWOW64\Dimenegi.exeC:\Windows\system32\Dimenegi.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5004 -
C:\Windows\SysWOW64\Dlkbjqgm.exeC:\Windows\system32\Dlkbjqgm.exe15⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Windows\SysWOW64\Efafgifc.exeC:\Windows\system32\Efafgifc.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3928 -
C:\Windows\SysWOW64\Eiobceef.exeC:\Windows\system32\Eiobceef.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4476 -
C:\Windows\SysWOW64\Elnoopdj.exeC:\Windows\system32\Elnoopdj.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1032 -
C:\Windows\SysWOW64\Ecefqnel.exeC:\Windows\system32\Ecefqnel.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4556 -
C:\Windows\SysWOW64\Ebhglj32.exeC:\Windows\system32\Ebhglj32.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2792 -
C:\Windows\SysWOW64\Ejoomhmi.exeC:\Windows\system32\Ejoomhmi.exe21⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3080 -
C:\Windows\SysWOW64\Emmkiclm.exeC:\Windows\system32\Emmkiclm.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4884 -
C:\Windows\SysWOW64\Elpkep32.exeC:\Windows\system32\Elpkep32.exe23⤵
- Executes dropped EXE
PID:3336 -
C:\Windows\SysWOW64\Ecgcfm32.exeC:\Windows\system32\Ecgcfm32.exe24⤵
- Executes dropped EXE
PID:4636 -
C:\Windows\SysWOW64\Ebjcajjd.exeC:\Windows\system32\Ebjcajjd.exe25⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:220 -
C:\Windows\SysWOW64\Efepbi32.exeC:\Windows\system32\Efepbi32.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4224 -
C:\Windows\SysWOW64\Ejalcgkg.exeC:\Windows\system32\Ejalcgkg.exe27⤵
- Executes dropped EXE
PID:676 -
C:\Windows\SysWOW64\Eidlnd32.exeC:\Windows\system32\Eidlnd32.exe28⤵
- Executes dropped EXE
PID:3948 -
C:\Windows\SysWOW64\Emphocjj.exeC:\Windows\system32\Emphocjj.exe29⤵
- Executes dropped EXE
PID:2808 -
C:\Windows\SysWOW64\Elbhjp32.exeC:\Windows\system32\Elbhjp32.exe30⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2276 -
C:\Windows\SysWOW64\Eciplm32.exeC:\Windows\system32\Eciplm32.exe31⤵
- Executes dropped EXE
PID:5028 -
C:\Windows\SysWOW64\Eblpgjha.exeC:\Windows\system32\Eblpgjha.exe32⤵
- Executes dropped EXE
PID:3912 -
C:\Windows\SysWOW64\Efhlhh32.exeC:\Windows\system32\Efhlhh32.exe33⤵
- Executes dropped EXE
PID:2848 -
C:\Windows\SysWOW64\Ejchhgid.exeC:\Windows\system32\Ejchhgid.exe34⤵
- Executes dropped EXE
PID:1008 -
C:\Windows\SysWOW64\Eifhdd32.exeC:\Windows\system32\Eifhdd32.exe35⤵
- Executes dropped EXE
PID:1640 -
C:\Windows\SysWOW64\Embddb32.exeC:\Windows\system32\Embddb32.exe36⤵
- Executes dropped EXE
PID:2684 -
C:\Windows\SysWOW64\Eppqqn32.exeC:\Windows\system32\Eppqqn32.exe37⤵
- Executes dropped EXE
PID:4216 -
C:\Windows\SysWOW64\Eclmamod.exeC:\Windows\system32\Eclmamod.exe38⤵
- Executes dropped EXE
PID:2372 -
C:\Windows\SysWOW64\Ebommi32.exeC:\Windows\system32\Ebommi32.exe39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:32 -
C:\Windows\SysWOW64\Ejfeng32.exeC:\Windows\system32\Ejfeng32.exe40⤵
- Executes dropped EXE
PID:2548 -
C:\Windows\SysWOW64\Eiieicml.exeC:\Windows\system32\Eiieicml.exe41⤵
- Executes dropped EXE
PID:4296 -
C:\Windows\SysWOW64\Elgaeolp.exeC:\Windows\system32\Elgaeolp.exe42⤵
- Executes dropped EXE
PID:2244 -
C:\Windows\SysWOW64\Fpbmfn32.exeC:\Windows\system32\Fpbmfn32.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3012 -
C:\Windows\SysWOW64\Fcniglmb.exeC:\Windows\system32\Fcniglmb.exe44⤵
- Executes dropped EXE
PID:4788 -
C:\Windows\SysWOW64\Ffmfchle.exeC:\Windows\system32\Ffmfchle.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:764 -
C:\Windows\SysWOW64\Fjhacf32.exeC:\Windows\system32\Fjhacf32.exe46⤵
- Executes dropped EXE
PID:1612 -
C:\Windows\SysWOW64\Fmfnpa32.exeC:\Windows\system32\Fmfnpa32.exe47⤵
- Executes dropped EXE
PID:1404 -
C:\Windows\SysWOW64\Flinkojm.exeC:\Windows\system32\Flinkojm.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4752 -
C:\Windows\SysWOW64\Fdqfll32.exeC:\Windows\system32\Fdqfll32.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1472 -
C:\Windows\SysWOW64\Fbcfhibj.exeC:\Windows\system32\Fbcfhibj.exe50⤵
- Executes dropped EXE
PID:2336 -
C:\Windows\SysWOW64\Fjjnifbl.exeC:\Windows\system32\Fjjnifbl.exe51⤵
- Executes dropped EXE
PID:1984 -
C:\Windows\SysWOW64\Fimodc32.exeC:\Windows\system32\Fimodc32.exe52⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2612 -
C:\Windows\SysWOW64\Fllkqn32.exeC:\Windows\system32\Fllkqn32.exe53⤵
- Executes dropped EXE
PID:636 -
C:\Windows\SysWOW64\Fpggamqc.exeC:\Windows\system32\Fpggamqc.exe54⤵
- Executes dropped EXE
PID:3544 -
C:\Windows\SysWOW64\Fbfcmhpg.exeC:\Windows\system32\Fbfcmhpg.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3136 -
C:\Windows\SysWOW64\Ffaong32.exeC:\Windows\system32\Ffaong32.exe56⤵
- Executes dropped EXE
PID:1432 -
C:\Windows\SysWOW64\Fipkjb32.exeC:\Windows\system32\Fipkjb32.exe57⤵
- Executes dropped EXE
PID:4380 -
C:\Windows\SysWOW64\Fmkgkapm.exeC:\Windows\system32\Fmkgkapm.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2060 -
C:\Windows\SysWOW64\Fpjcgm32.exeC:\Windows\system32\Fpjcgm32.exe59⤵
- Executes dropped EXE
PID:1716 -
C:\Windows\SysWOW64\Fdepgkgj.exeC:\Windows\system32\Fdepgkgj.exe60⤵
- Executes dropped EXE
PID:4120 -
C:\Windows\SysWOW64\Ffclcgfn.exeC:\Windows\system32\Ffclcgfn.exe61⤵
- Executes dropped EXE
PID:3128 -
C:\Windows\SysWOW64\Fjohde32.exeC:\Windows\system32\Fjohde32.exe62⤵
- Executes dropped EXE
PID:1136 -
C:\Windows\SysWOW64\Fmndpq32.exeC:\Windows\system32\Fmndpq32.exe63⤵
- Executes dropped EXE
PID:388 -
C:\Windows\SysWOW64\Flqdlnde.exeC:\Windows\system32\Flqdlnde.exe64⤵
- Executes dropped EXE
PID:3752 -
C:\Windows\SysWOW64\Fdglmkeg.exeC:\Windows\system32\Fdglmkeg.exe65⤵
- Executes dropped EXE
PID:3236 -
C:\Windows\SysWOW64\Fbjmhh32.exeC:\Windows\system32\Fbjmhh32.exe66⤵PID:3644
-
C:\Windows\SysWOW64\Fjadje32.exeC:\Windows\system32\Fjadje32.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3464 -
C:\Windows\SysWOW64\Gpnmbl32.exeC:\Windows\system32\Gpnmbl32.exe68⤵PID:1308
-
C:\Windows\SysWOW64\Gfheof32.exeC:\Windows\system32\Gfheof32.exe69⤵PID:1480
-
C:\Windows\SysWOW64\Gigaka32.exeC:\Windows\system32\Gigaka32.exe70⤵
- Drops file in System32 directory
PID:4852 -
C:\Windows\SysWOW64\Glengm32.exeC:\Windows\system32\Glengm32.exe71⤵PID:3292
-
C:\Windows\SysWOW64\Gbofcghl.exeC:\Windows\system32\Gbofcghl.exe72⤵
- Modifies registry class
PID:1036 -
C:\Windows\SysWOW64\Gjfnedho.exeC:\Windows\system32\Gjfnedho.exe73⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4720 -
C:\Windows\SysWOW64\Gmdjapgb.exeC:\Windows\system32\Gmdjapgb.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2816 -
C:\Windows\SysWOW64\Gpcfmkff.exeC:\Windows\system32\Gpcfmkff.exe75⤵PID:5000
-
C:\Windows\SysWOW64\Gbabigfj.exeC:\Windows\system32\Gbabigfj.exe76⤵PID:472
-
C:\Windows\SysWOW64\Gmggfp32.exeC:\Windows\system32\Gmggfp32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3524 -
C:\Windows\SysWOW64\Gbdoof32.exeC:\Windows\system32\Gbdoof32.exe78⤵PID:4804
-
C:\Windows\SysWOW64\Gmiclo32.exeC:\Windows\system32\Gmiclo32.exe79⤵
- Drops file in System32 directory
PID:1768 -
C:\Windows\SysWOW64\Gphphj32.exeC:\Windows\system32\Gphphj32.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3864 -
C:\Windows\SysWOW64\Gkmdecbg.exeC:\Windows\system32\Gkmdecbg.exe81⤵
- System Location Discovery: System Language Discovery
PID:1428 -
C:\Windows\SysWOW64\Hloqml32.exeC:\Windows\system32\Hloqml32.exe82⤵
- Drops file in System32 directory
PID:4220 -
C:\Windows\SysWOW64\Hbhijepa.exeC:\Windows\system32\Hbhijepa.exe83⤵PID:3172
-
C:\Windows\SysWOW64\Hmnmgnoh.exeC:\Windows\system32\Hmnmgnoh.exe84⤵PID:1284
-
C:\Windows\SysWOW64\Hdhedh32.exeC:\Windows\system32\Hdhedh32.exe85⤵PID:4604
-
C:\Windows\SysWOW64\Hkbmqb32.exeC:\Windows\system32\Hkbmqb32.exe86⤵
- System Location Discovery: System Language Discovery
PID:1172 -
C:\Windows\SysWOW64\Hpofii32.exeC:\Windows\system32\Hpofii32.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3056 -
C:\Windows\SysWOW64\Hkdjfb32.exeC:\Windows\system32\Hkdjfb32.exe88⤵
- Modifies registry class
PID:5040 -
C:\Windows\SysWOW64\Higjaoci.exeC:\Windows\system32\Higjaoci.exe89⤵PID:3852
-
C:\Windows\SysWOW64\Hpabni32.exeC:\Windows\system32\Hpabni32.exe90⤵PID:864
-
C:\Windows\SysWOW64\Hcpojd32.exeC:\Windows\system32\Hcpojd32.exe91⤵PID:4456
-
C:\Windows\SysWOW64\Hkfglb32.exeC:\Windows\system32\Hkfglb32.exe92⤵PID:4848
-
C:\Windows\SysWOW64\Hdokdg32.exeC:\Windows\system32\Hdokdg32.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:420 -
C:\Windows\SysWOW64\Ingpmmgm.exeC:\Windows\system32\Ingpmmgm.exe94⤵PID:5088
-
C:\Windows\SysWOW64\Ipflihfq.exeC:\Windows\system32\Ipflihfq.exe95⤵
- Modifies registry class
PID:4900 -
C:\Windows\SysWOW64\Icdheded.exeC:\Windows\system32\Icdheded.exe96⤵
- Modifies registry class
PID:4832 -
C:\Windows\SysWOW64\Iinqbn32.exeC:\Windows\system32\Iinqbn32.exe97⤵
- Drops file in System32 directory
PID:2172 -
C:\Windows\SysWOW64\Ilmmni32.exeC:\Windows\system32\Ilmmni32.exe98⤵
- System Location Discovery: System Language Discovery
PID:3992 -
C:\Windows\SysWOW64\Idcepgmg.exeC:\Windows\system32\Idcepgmg.exe99⤵PID:3088
-
C:\Windows\SysWOW64\Iknmla32.exeC:\Windows\system32\Iknmla32.exe100⤵PID:4188
-
C:\Windows\SysWOW64\Ijqmhnko.exeC:\Windows\system32\Ijqmhnko.exe101⤵PID:5140
-
C:\Windows\SysWOW64\Iloidijb.exeC:\Windows\system32\Iloidijb.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5180 -
C:\Windows\SysWOW64\Idfaefkd.exeC:\Windows\system32\Idfaefkd.exe103⤵PID:5224
-
C:\Windows\SysWOW64\Igdnabjh.exeC:\Windows\system32\Igdnabjh.exe104⤵PID:5268
-
C:\Windows\SysWOW64\Ijcjmmil.exeC:\Windows\system32\Ijcjmmil.exe105⤵PID:5312
-
C:\Windows\SysWOW64\Idhnkf32.exeC:\Windows\system32\Idhnkf32.exe106⤵PID:5360
-
C:\Windows\SysWOW64\Iggjga32.exeC:\Windows\system32\Iggjga32.exe107⤵PID:5404
-
C:\Windows\SysWOW64\Ikbfgppo.exeC:\Windows\system32\Ikbfgppo.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:5444 -
C:\Windows\SysWOW64\Ilccoh32.exeC:\Windows\system32\Ilccoh32.exe109⤵PID:5480
-
C:\Windows\SysWOW64\Ipoopgnf.exeC:\Windows\system32\Ipoopgnf.exe110⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5528 -
C:\Windows\SysWOW64\Icnklbmj.exeC:\Windows\system32\Icnklbmj.exe111⤵PID:5560
-
C:\Windows\SysWOW64\Jpaleglc.exeC:\Windows\system32\Jpaleglc.exe112⤵
- System Location Discovery: System Language Discovery
PID:5644 -
C:\Windows\SysWOW64\Jcphab32.exeC:\Windows\system32\Jcphab32.exe113⤵PID:5688
-
C:\Windows\SysWOW64\Jjjpnlbd.exeC:\Windows\system32\Jjjpnlbd.exe114⤵
- Drops file in System32 directory
PID:5736 -
C:\Windows\SysWOW64\Jpdhkf32.exeC:\Windows\system32\Jpdhkf32.exe115⤵PID:5780
-
C:\Windows\SysWOW64\Jjlmclqa.exeC:\Windows\system32\Jjlmclqa.exe116⤵
- Drops file in System32 directory
PID:5840 -
C:\Windows\SysWOW64\Jlkipgpe.exeC:\Windows\system32\Jlkipgpe.exe117⤵PID:5896
-
C:\Windows\SysWOW64\Jpfepf32.exeC:\Windows\system32\Jpfepf32.exe118⤵PID:5956
-
C:\Windows\SysWOW64\Jdaaaeqg.exeC:\Windows\system32\Jdaaaeqg.exe119⤵PID:5992
-
C:\Windows\SysWOW64\Jgpmmp32.exeC:\Windows\system32\Jgpmmp32.exe120⤵PID:6036
-
C:\Windows\SysWOW64\Jjoiil32.exeC:\Windows\system32\Jjoiil32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:6080
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-