Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
83s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
23/11/2024, 08:36
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ea60d6ae6c416bdd7ae0cbcf6593ae1f3a6d00bc336a0e9d355172683f27351a.exe
Resource
win7-20240903-en
windows7-x64
10 signatures
120 seconds
Behavioral task
behavioral2
Sample
ea60d6ae6c416bdd7ae0cbcf6593ae1f3a6d00bc336a0e9d355172683f27351a.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
120 seconds
General
-
Target
ea60d6ae6c416bdd7ae0cbcf6593ae1f3a6d00bc336a0e9d355172683f27351a.exe
-
Size
45KB
-
MD5
529877279c25cc0c09e3491ae44a0fd0
-
SHA1
84c2a115d5fe48af36b1884ef48f6cdaf49341b7
-
SHA256
ea60d6ae6c416bdd7ae0cbcf6593ae1f3a6d00bc336a0e9d355172683f27351a
-
SHA512
4cc9203711b6e3f4bfb4a6da1f44ac69cc08d853c944ba62e04e6115beb0643ec45d51dbe8b82953a7eaf03bdc2b5af077eca72d0a9006f53d60cb2c58264155
-
SSDEEP
768:cThNIDF1f4cz5KFYGLBvaJumwN6ZzcdZFW8zaFLZlreKU3oVyULU/1H5Szp:cWTf4czaYGLBv4uGZzE28AbdZHLqQV
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://tat-neftbank.ru/kkq.php
http://tat-neftbank.ru/wcmd.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmfcop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jmipdo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbmfgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mphiqbon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhjcec32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdadjd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njbfnjeg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikjhki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jedehaea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kgnkci32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccbbachm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijnkifgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qejpoi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfoeil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eblelb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Picojhcm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkgoff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mfeaiime.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcknhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oehgjfhi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gghmmilh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llomfpag.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbgjgomc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcjilgdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kekkiq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kpieengb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eifmimch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Elkofg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jijokbfp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmegjdad.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldmopa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ldmopa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aahfdihn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbgobp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbggif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ibkmchbh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dnhbmpkn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khgkpl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klecfkff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nckkgp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eldiehbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jbhebfck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mjcjog32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngpqfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cogfqe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmaeho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gehiioaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hcjilgdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmkihbho.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plbkfdba.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elibpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hhkopj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hqgddm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kijkje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Keeeje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cglalbbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hqnapb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohipla32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgqlafap.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hqkmplen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ijkocg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klfjpa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmmneg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhljkm32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2768 Eipgjaoi.exe 2720 Flocfmnl.exe 2724 Fchkbg32.exe 2624 Fmnopp32.exe 2068 Fplllkdc.exe 1716 Fgfdie32.exe 3048 Fiepea32.exe 2412 Foahmh32.exe 1104 Fapeic32.exe 2200 Figmjq32.exe 2876 Fhjmfnok.exe 1584 Fcpacf32.exe 1632 Fennoa32.exe 2264 Fhljkm32.exe 112 Fofbhgde.exe 1980 Fepjea32.exe 2508 Ggagmjbq.exe 2808 Goiongbc.exe 1692 Gagkjbaf.exe 2524 Gpjkeoha.exe 1988 Ghacfmic.exe 1816 Gjbpne32.exe 2340 Gnnlocgk.exe 2324 Gkalhgfd.exe 2640 Gnphdceh.exe 1708 Glchpp32.exe 2784 Gghmmilh.exe 2696 Gjgiidkl.exe 1080 Gnbejb32.exe 2248 Gfnjne32.exe 2904 Ghlfjq32.exe 2956 Gqcnln32.exe 2912 Hofngkga.exe 2360 Hcajhi32.exe 2812 Hinbppna.exe 264 Hmjoqo32.exe 776 Hkmollme.exe 2372 Hbggif32.exe 1072 Hdecea32.exe 2228 Hnnhngjf.exe 788 Hbidne32.exe 1316 Hqnapb32.exe 956 Hieiqo32.exe 2272 Hghillnd.exe 1968 Hbnmienj.exe 2908 Haqnea32.exe 2320 Ikfbbjdj.exe 1204 Indnnfdn.exe 2688 Iacjjacb.exe 2932 Ieofkp32.exe 2576 Icafgmbe.exe 1812 Igmbgk32.exe 1292 Ijkocg32.exe 1800 Imjkpb32.exe 1648 Iaegpaao.exe 2036 Iphgln32.exe 1196 Ifbphh32.exe 2648 Ijnkifgp.exe 2792 Iiqldc32.exe 1880 Icfpbl32.exe 1856 Ibipmiek.exe 784 Ifdlng32.exe 568 Imodkadq.exe 1560 Imodkadq.exe -
Loads dropped DLL 64 IoCs
pid Process 2260 ea60d6ae6c416bdd7ae0cbcf6593ae1f3a6d00bc336a0e9d355172683f27351a.exe 2260 ea60d6ae6c416bdd7ae0cbcf6593ae1f3a6d00bc336a0e9d355172683f27351a.exe 2768 Eipgjaoi.exe 2768 Eipgjaoi.exe 2720 Flocfmnl.exe 2720 Flocfmnl.exe 2724 Fchkbg32.exe 2724 Fchkbg32.exe 2624 Fmnopp32.exe 2624 Fmnopp32.exe 2068 Fplllkdc.exe 2068 Fplllkdc.exe 1716 Fgfdie32.exe 1716 Fgfdie32.exe 3048 Fiepea32.exe 3048 Fiepea32.exe 2412 Foahmh32.exe 2412 Foahmh32.exe 1104 Fapeic32.exe 1104 Fapeic32.exe 2200 Figmjq32.exe 2200 Figmjq32.exe 2876 Fhjmfnok.exe 2876 Fhjmfnok.exe 1584 Fcpacf32.exe 1584 Fcpacf32.exe 1632 Fennoa32.exe 1632 Fennoa32.exe 2264 Fhljkm32.exe 2264 Fhljkm32.exe 112 Fofbhgde.exe 112 Fofbhgde.exe 1980 Fepjea32.exe 1980 Fepjea32.exe 2508 Ggagmjbq.exe 2508 Ggagmjbq.exe 2808 Goiongbc.exe 2808 Goiongbc.exe 1692 Gagkjbaf.exe 1692 Gagkjbaf.exe 2524 Gpjkeoha.exe 2524 Gpjkeoha.exe 1988 Ghacfmic.exe 1988 Ghacfmic.exe 1816 Gjbpne32.exe 1816 Gjbpne32.exe 2340 Gnnlocgk.exe 2340 Gnnlocgk.exe 2324 Gkalhgfd.exe 2324 Gkalhgfd.exe 2640 Gnphdceh.exe 2640 Gnphdceh.exe 1708 Glchpp32.exe 1708 Glchpp32.exe 2784 Gghmmilh.exe 2784 Gghmmilh.exe 2696 Gjgiidkl.exe 2696 Gjgiidkl.exe 1080 Gnbejb32.exe 1080 Gnbejb32.exe 2248 Gfnjne32.exe 2248 Gfnjne32.exe 2904 Ghlfjq32.exe 2904 Ghlfjq32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Pcdapknb.dll Keioca32.exe File created C:\Windows\SysWOW64\Gagkjbaf.exe Goiongbc.exe File created C:\Windows\SysWOW64\Jamkdghb.dll Kalipcmb.exe File opened for modification C:\Windows\SysWOW64\Mjcjog32.exe Mblbnj32.exe File created C:\Windows\SysWOW64\Ellqil32.dll Dhpgfeao.exe File opened for modification C:\Windows\SysWOW64\Gagkjbaf.exe Goiongbc.exe File opened for modification C:\Windows\SysWOW64\Jjkkbjln.exe Jijokbfp.exe File created C:\Windows\SysWOW64\Mhhgpc32.exe Mdmkoepk.exe File opened for modification C:\Windows\SysWOW64\Mbqkiind.exe Mneohj32.exe File opened for modification C:\Windows\SysWOW64\Oimmjffj.exe Oeaqig32.exe File created C:\Windows\SysWOW64\Ginaep32.dll Bjjaikoa.exe File created C:\Windows\SysWOW64\Bkbdabog.exe Bhdhefpc.exe File created C:\Windows\SysWOW64\Cbpjnb32.dll Deakjjbk.exe File opened for modification C:\Windows\SysWOW64\Hkmollme.exe Hmjoqo32.exe File created C:\Windows\SysWOW64\Ofkggbgh.dll Jfdhmk32.exe File opened for modification C:\Windows\SysWOW64\Lcblan32.exe Ldokfakl.exe File opened for modification C:\Windows\SysWOW64\Gkebafoa.exe Ghgfekpn.exe File created C:\Windows\SysWOW64\Ijcngenj.exe Igebkiof.exe File created C:\Windows\SysWOW64\Ocimkc32.dll Cmhjdiap.exe File created C:\Windows\SysWOW64\Kndccd32.dll Fofbhgde.exe File created C:\Windows\SysWOW64\Fogalkad.dll Njpihk32.exe File created C:\Windows\SysWOW64\Qbnphngk.exe Qkghgpfi.exe File created C:\Windows\SysWOW64\Acfdii32.dll Oejcpf32.exe File opened for modification C:\Windows\SysWOW64\Eojlbb32.exe Elkofg32.exe File created C:\Windows\SysWOW64\Ocfqdk32.dll Fdiqpigl.exe File created C:\Windows\SysWOW64\Pjddaagq.dll Gajqbakc.exe File created C:\Windows\SysWOW64\Gjbpne32.exe Ghacfmic.exe File opened for modification C:\Windows\SysWOW64\Jdhifooi.exe Jpmmfp32.exe File created C:\Windows\SysWOW64\Oimmjffj.exe Oeaqig32.exe File opened for modification C:\Windows\SysWOW64\Dnefhpma.exe Djjjga32.exe File created C:\Windows\SysWOW64\Hjaeba32.exe Hgciff32.exe File created C:\Windows\SysWOW64\Ghndpi32.dll Jjkkbjln.exe File created C:\Windows\SysWOW64\Bqolji32.exe Bbllnlfd.exe File created C:\Windows\SysWOW64\Cogfqe32.exe Cmhjdiap.exe File created C:\Windows\SysWOW64\Cqfbjhgf.exe Ciokijfd.exe File created C:\Windows\SysWOW64\Cbamip32.dll Llpfjomf.exe File created C:\Windows\SysWOW64\Pdlkggmp.dll Laleof32.exe File opened for modification C:\Windows\SysWOW64\Ldokfakl.exe Lpcoeb32.exe File created C:\Windows\SysWOW64\Blfapfpg.exe Ajhddk32.exe File created C:\Windows\SysWOW64\Hdbpekam.exe Hqgddm32.exe File created C:\Windows\SysWOW64\Kljdkpfl.exe Khohkamc.exe File created C:\Windows\SysWOW64\Paaddgkj.exe Pmehdh32.exe File opened for modification C:\Windows\SysWOW64\Fefqdl32.exe Fmohco32.exe File created C:\Windows\SysWOW64\Flfifa32.dll Addfkeid.exe File created C:\Windows\SysWOW64\Ikgkei32.exe Hmdkjmip.exe File created C:\Windows\SysWOW64\Kdphjm32.exe Kablnadm.exe File created C:\Windows\SysWOW64\Ghacfmic.exe Gpjkeoha.exe File created C:\Windows\SysWOW64\Fgmkef32.dll Imaapa32.exe File created C:\Windows\SysWOW64\Bipalg32.dll Mkdffoij.exe File created C:\Windows\SysWOW64\Dnhbmpkn.exe Dlifadkk.exe File created C:\Windows\SysWOW64\Gonale32.exe Gkcekfad.exe File created C:\Windows\SysWOW64\Gncnmane.exe Gkebafoa.exe File created C:\Windows\SysWOW64\Ikjhki32.exe Imggplgm.exe File opened for modification C:\Windows\SysWOW64\Oejcpf32.exe Omckoi32.exe File created C:\Windows\SysWOW64\Bhonjg32.exe Bfabnl32.exe File opened for modification C:\Windows\SysWOW64\Bkbdabog.exe Bhdhefpc.exe File created C:\Windows\SysWOW64\Moibemdg.dll Ggapbcne.exe File created C:\Windows\SysWOW64\Gqdgom32.exe Gaagcpdl.exe File opened for modification C:\Windows\SysWOW64\Jfieigio.exe Inbnhihl.exe File created C:\Windows\SysWOW64\Kmqmod32.exe Jieaofmp.exe File created C:\Windows\SysWOW64\Bmbhcoif.dll Aognbnkm.exe File created C:\Windows\SysWOW64\Apoahgqd.dll Plmbkd32.exe File created C:\Windows\SysWOW64\Lkhkagoh.dll Cbgobp32.exe File created C:\Windows\SysWOW64\Hgqlafap.exe Hdbpekam.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5564 5452 WerFault.exe 547 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Addfkeid.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eakhdj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emdeok32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnfkba32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gghmmilh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjkkbjln.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pacajg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkdjglfo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajehnk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nflchkii.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcjilgdb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llomfpag.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qbnphngk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jplfkjbd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njpihk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oefjdgjk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onnnml32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iladfn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kokmmkcm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgpdglhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmdgipkk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghacfmic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdiqpigl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikldqile.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hadcipbi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmhkin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkgoff32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gqdgom32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apppkekc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Baefnmml.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhcafa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldmopa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohipla32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnhbmpkn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elibpg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmaeho32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfjbmb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kalipcmb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbqkiind.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aahfdihn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbemboof.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikjhki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpjkeoha.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hqnapb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkbaci32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hqnjek32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmkmjoec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmmneg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aeoijidl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eafkhn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkpglbaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gekfnoog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iakino32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iphgln32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jacfidem.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oehgjfhi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agglbp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jedehaea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbllnlfd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnmacpfj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbfilffm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibipmiek.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfigck32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opfegp32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hbggif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lkicbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhigkm32.dll" Oajndh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Agpeaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bqmpdioa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Libjncnc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ehpcehcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kpfplo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohpboqdk.dll" Mqjefamk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apimlcdc.dll" Ponklpcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfglml32.dll" Bqolji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fmnopp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hcajhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npdfik32.dll" Nbpghl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Odmckcmq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adiijqhm.dll" Phklaacg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eckfklnl.dll" Dgiaefgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgejcl32.dll" Hjohmbpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ppddpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Phfoee32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qejpoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjigmkld.dll" Ajckilei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldaomc32.dll" Edlafebn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fahhnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plcpehgf.dll" Fgocmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kdeaelok.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gqcnln32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lpcoeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jmfcop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijjnkj32.dll" Kekkiq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gghmmilh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Keeeje32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lnjldf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Onlahm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlpckqje.dll" Ijcngenj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kbjbge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gnphdceh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dllnnkld.dll" Iladfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqdhpbib.dll" Mgmdapml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fieacp32.dll" Oecmogln.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eblelb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Imggplgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mphiqbon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nckkgp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ijcngenj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ghlfjq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nppofado.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egncgo32.dll" Olbogqoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ckeqga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnnikfij.dll" Kablnadm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jaephc32.dll" Foahmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfnidhlj.dll" Fennoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fofbhgde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igiani32.dll" Ghacfmic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flfifa32.dll" Addfkeid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmihbe32.dll" Jhjbqo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jhahanie.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nfgjml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdiedagc.dll" Oniebmda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eldiehbk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gaagcpdl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kdphjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kdbepm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njjkajop.dll" Kbmfgk32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2260 wrote to memory of 2768 2260 ea60d6ae6c416bdd7ae0cbcf6593ae1f3a6d00bc336a0e9d355172683f27351a.exe 31 PID 2260 wrote to memory of 2768 2260 ea60d6ae6c416bdd7ae0cbcf6593ae1f3a6d00bc336a0e9d355172683f27351a.exe 31 PID 2260 wrote to memory of 2768 2260 ea60d6ae6c416bdd7ae0cbcf6593ae1f3a6d00bc336a0e9d355172683f27351a.exe 31 PID 2260 wrote to memory of 2768 2260 ea60d6ae6c416bdd7ae0cbcf6593ae1f3a6d00bc336a0e9d355172683f27351a.exe 31 PID 2768 wrote to memory of 2720 2768 Eipgjaoi.exe 32 PID 2768 wrote to memory of 2720 2768 Eipgjaoi.exe 32 PID 2768 wrote to memory of 2720 2768 Eipgjaoi.exe 32 PID 2768 wrote to memory of 2720 2768 Eipgjaoi.exe 32 PID 2720 wrote to memory of 2724 2720 Flocfmnl.exe 33 PID 2720 wrote to memory of 2724 2720 Flocfmnl.exe 33 PID 2720 wrote to memory of 2724 2720 Flocfmnl.exe 33 PID 2720 wrote to memory of 2724 2720 Flocfmnl.exe 33 PID 2724 wrote to memory of 2624 2724 Fchkbg32.exe 34 PID 2724 wrote to memory of 2624 2724 Fchkbg32.exe 34 PID 2724 wrote to memory of 2624 2724 Fchkbg32.exe 34 PID 2724 wrote to memory of 2624 2724 Fchkbg32.exe 34 PID 2624 wrote to memory of 2068 2624 Fmnopp32.exe 35 PID 2624 wrote to memory of 2068 2624 Fmnopp32.exe 35 PID 2624 wrote to memory of 2068 2624 Fmnopp32.exe 35 PID 2624 wrote to memory of 2068 2624 Fmnopp32.exe 35 PID 2068 wrote to memory of 1716 2068 Fplllkdc.exe 36 PID 2068 wrote to memory of 1716 2068 Fplllkdc.exe 36 PID 2068 wrote to memory of 1716 2068 Fplllkdc.exe 36 PID 2068 wrote to memory of 1716 2068 Fplllkdc.exe 36 PID 1716 wrote to memory of 3048 1716 Fgfdie32.exe 37 PID 1716 wrote to memory of 3048 1716 Fgfdie32.exe 37 PID 1716 wrote to memory of 3048 1716 Fgfdie32.exe 37 PID 1716 wrote to memory of 3048 1716 Fgfdie32.exe 37 PID 3048 wrote to memory of 2412 3048 Fiepea32.exe 38 PID 3048 wrote to memory of 2412 3048 Fiepea32.exe 38 PID 3048 wrote to memory of 2412 3048 Fiepea32.exe 38 PID 3048 wrote to memory of 2412 3048 Fiepea32.exe 38 PID 2412 wrote to memory of 1104 2412 Foahmh32.exe 39 PID 2412 wrote to memory of 1104 2412 Foahmh32.exe 39 PID 2412 wrote to memory of 1104 2412 Foahmh32.exe 39 PID 2412 wrote to memory of 1104 2412 Foahmh32.exe 39 PID 1104 wrote to memory of 2200 1104 Fapeic32.exe 40 PID 1104 wrote to memory of 2200 1104 Fapeic32.exe 40 PID 1104 wrote to memory of 2200 1104 Fapeic32.exe 40 PID 1104 wrote to memory of 2200 1104 Fapeic32.exe 40 PID 2200 wrote to memory of 2876 2200 Figmjq32.exe 41 PID 2200 wrote to memory of 2876 2200 Figmjq32.exe 41 PID 2200 wrote to memory of 2876 2200 Figmjq32.exe 41 PID 2200 wrote to memory of 2876 2200 Figmjq32.exe 41 PID 2876 wrote to memory of 1584 2876 Fhjmfnok.exe 42 PID 2876 wrote to memory of 1584 2876 Fhjmfnok.exe 42 PID 2876 wrote to memory of 1584 2876 Fhjmfnok.exe 42 PID 2876 wrote to memory of 1584 2876 Fhjmfnok.exe 42 PID 1584 wrote to memory of 1632 1584 Fcpacf32.exe 43 PID 1584 wrote to memory of 1632 1584 Fcpacf32.exe 43 PID 1584 wrote to memory of 1632 1584 Fcpacf32.exe 43 PID 1584 wrote to memory of 1632 1584 Fcpacf32.exe 43 PID 1632 wrote to memory of 2264 1632 Fennoa32.exe 44 PID 1632 wrote to memory of 2264 1632 Fennoa32.exe 44 PID 1632 wrote to memory of 2264 1632 Fennoa32.exe 44 PID 1632 wrote to memory of 2264 1632 Fennoa32.exe 44 PID 2264 wrote to memory of 112 2264 Fhljkm32.exe 45 PID 2264 wrote to memory of 112 2264 Fhljkm32.exe 45 PID 2264 wrote to memory of 112 2264 Fhljkm32.exe 45 PID 2264 wrote to memory of 112 2264 Fhljkm32.exe 45 PID 112 wrote to memory of 1980 112 Fofbhgde.exe 46 PID 112 wrote to memory of 1980 112 Fofbhgde.exe 46 PID 112 wrote to memory of 1980 112 Fofbhgde.exe 46 PID 112 wrote to memory of 1980 112 Fofbhgde.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\ea60d6ae6c416bdd7ae0cbcf6593ae1f3a6d00bc336a0e9d355172683f27351a.exe"C:\Users\Admin\AppData\Local\Temp\ea60d6ae6c416bdd7ae0cbcf6593ae1f3a6d00bc336a0e9d355172683f27351a.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2260 -
C:\Windows\SysWOW64\Eipgjaoi.exeC:\Windows\system32\Eipgjaoi.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2768 -
C:\Windows\SysWOW64\Flocfmnl.exeC:\Windows\system32\Flocfmnl.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2720 -
C:\Windows\SysWOW64\Fchkbg32.exeC:\Windows\system32\Fchkbg32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2724 -
C:\Windows\SysWOW64\Fmnopp32.exeC:\Windows\system32\Fmnopp32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2624 -
C:\Windows\SysWOW64\Fplllkdc.exeC:\Windows\system32\Fplllkdc.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2068 -
C:\Windows\SysWOW64\Fgfdie32.exeC:\Windows\system32\Fgfdie32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1716 -
C:\Windows\SysWOW64\Fiepea32.exeC:\Windows\system32\Fiepea32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3048 -
C:\Windows\SysWOW64\Foahmh32.exeC:\Windows\system32\Foahmh32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2412 -
C:\Windows\SysWOW64\Fapeic32.exeC:\Windows\system32\Fapeic32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1104 -
C:\Windows\SysWOW64\Figmjq32.exeC:\Windows\system32\Figmjq32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2200 -
C:\Windows\SysWOW64\Fhjmfnok.exeC:\Windows\system32\Fhjmfnok.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2876 -
C:\Windows\SysWOW64\Fcpacf32.exeC:\Windows\system32\Fcpacf32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1584 -
C:\Windows\SysWOW64\Fennoa32.exeC:\Windows\system32\Fennoa32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1632 -
C:\Windows\SysWOW64\Fhljkm32.exeC:\Windows\system32\Fhljkm32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2264 -
C:\Windows\SysWOW64\Fofbhgde.exeC:\Windows\system32\Fofbhgde.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:112 -
C:\Windows\SysWOW64\Fepjea32.exeC:\Windows\system32\Fepjea32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1980 -
C:\Windows\SysWOW64\Ggagmjbq.exeC:\Windows\system32\Ggagmjbq.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2508 -
C:\Windows\SysWOW64\Goiongbc.exeC:\Windows\system32\Goiongbc.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2808 -
C:\Windows\SysWOW64\Gagkjbaf.exeC:\Windows\system32\Gagkjbaf.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1692 -
C:\Windows\SysWOW64\Gpjkeoha.exeC:\Windows\system32\Gpjkeoha.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2524 -
C:\Windows\SysWOW64\Ghacfmic.exeC:\Windows\system32\Ghacfmic.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1988 -
C:\Windows\SysWOW64\Gjbpne32.exeC:\Windows\system32\Gjbpne32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1816 -
C:\Windows\SysWOW64\Gnnlocgk.exeC:\Windows\system32\Gnnlocgk.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2340 -
C:\Windows\SysWOW64\Gkalhgfd.exeC:\Windows\system32\Gkalhgfd.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2324 -
C:\Windows\SysWOW64\Gnphdceh.exeC:\Windows\system32\Gnphdceh.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2640 -
C:\Windows\SysWOW64\Glchpp32.exeC:\Windows\system32\Glchpp32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1708 -
C:\Windows\SysWOW64\Gghmmilh.exeC:\Windows\system32\Gghmmilh.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2784 -
C:\Windows\SysWOW64\Gjgiidkl.exeC:\Windows\system32\Gjgiidkl.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2696 -
C:\Windows\SysWOW64\Gnbejb32.exeC:\Windows\system32\Gnbejb32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1080 -
C:\Windows\SysWOW64\Gfnjne32.exeC:\Windows\system32\Gfnjne32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2248 -
C:\Windows\SysWOW64\Ghlfjq32.exeC:\Windows\system32\Ghlfjq32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2904 -
C:\Windows\SysWOW64\Gqcnln32.exeC:\Windows\system32\Gqcnln32.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:2956 -
C:\Windows\SysWOW64\Hofngkga.exeC:\Windows\system32\Hofngkga.exe34⤵
- Executes dropped EXE
PID:2912 -
C:\Windows\SysWOW64\Hcajhi32.exeC:\Windows\system32\Hcajhi32.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:2360 -
C:\Windows\SysWOW64\Hinbppna.exeC:\Windows\system32\Hinbppna.exe36⤵
- Executes dropped EXE
PID:2812 -
C:\Windows\SysWOW64\Hmjoqo32.exeC:\Windows\system32\Hmjoqo32.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:264 -
C:\Windows\SysWOW64\Hkmollme.exeC:\Windows\system32\Hkmollme.exe38⤵
- Executes dropped EXE
PID:776 -
C:\Windows\SysWOW64\Hbggif32.exeC:\Windows\system32\Hbggif32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2372 -
C:\Windows\SysWOW64\Hdecea32.exeC:\Windows\system32\Hdecea32.exe40⤵
- Executes dropped EXE
PID:1072 -
C:\Windows\SysWOW64\Hnnhngjf.exeC:\Windows\system32\Hnnhngjf.exe41⤵
- Executes dropped EXE
PID:2228 -
C:\Windows\SysWOW64\Hbidne32.exeC:\Windows\system32\Hbidne32.exe42⤵
- Executes dropped EXE
PID:788 -
C:\Windows\SysWOW64\Hqnapb32.exeC:\Windows\system32\Hqnapb32.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1316 -
C:\Windows\SysWOW64\Hieiqo32.exeC:\Windows\system32\Hieiqo32.exe44⤵
- Executes dropped EXE
PID:956 -
C:\Windows\SysWOW64\Hghillnd.exeC:\Windows\system32\Hghillnd.exe45⤵
- Executes dropped EXE
PID:2272 -
C:\Windows\SysWOW64\Hbnmienj.exeC:\Windows\system32\Hbnmienj.exe46⤵
- Executes dropped EXE
PID:1968 -
C:\Windows\SysWOW64\Haqnea32.exeC:\Windows\system32\Haqnea32.exe47⤵
- Executes dropped EXE
PID:2908 -
C:\Windows\SysWOW64\Ikfbbjdj.exeC:\Windows\system32\Ikfbbjdj.exe48⤵
- Executes dropped EXE
PID:2320 -
C:\Windows\SysWOW64\Indnnfdn.exeC:\Windows\system32\Indnnfdn.exe49⤵
- Executes dropped EXE
PID:1204 -
C:\Windows\SysWOW64\Iacjjacb.exeC:\Windows\system32\Iacjjacb.exe50⤵
- Executes dropped EXE
PID:2688 -
C:\Windows\SysWOW64\Ieofkp32.exeC:\Windows\system32\Ieofkp32.exe51⤵
- Executes dropped EXE
PID:2932 -
C:\Windows\SysWOW64\Icafgmbe.exeC:\Windows\system32\Icafgmbe.exe52⤵
- Executes dropped EXE
PID:2576 -
C:\Windows\SysWOW64\Igmbgk32.exeC:\Windows\system32\Igmbgk32.exe53⤵
- Executes dropped EXE
PID:1812 -
C:\Windows\SysWOW64\Ijkocg32.exeC:\Windows\system32\Ijkocg32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1292 -
C:\Windows\SysWOW64\Imjkpb32.exeC:\Windows\system32\Imjkpb32.exe55⤵
- Executes dropped EXE
PID:1800 -
C:\Windows\SysWOW64\Iaegpaao.exeC:\Windows\system32\Iaegpaao.exe56⤵
- Executes dropped EXE
PID:1648 -
C:\Windows\SysWOW64\Iphgln32.exeC:\Windows\system32\Iphgln32.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2036 -
C:\Windows\SysWOW64\Ifbphh32.exeC:\Windows\system32\Ifbphh32.exe58⤵
- Executes dropped EXE
PID:1196 -
C:\Windows\SysWOW64\Ijnkifgp.exeC:\Windows\system32\Ijnkifgp.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2648 -
C:\Windows\SysWOW64\Iiqldc32.exeC:\Windows\system32\Iiqldc32.exe60⤵
- Executes dropped EXE
PID:2792 -
C:\Windows\SysWOW64\Icfpbl32.exeC:\Windows\system32\Icfpbl32.exe61⤵
- Executes dropped EXE
PID:1880 -
C:\Windows\SysWOW64\Ibipmiek.exeC:\Windows\system32\Ibipmiek.exe62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1856 -
C:\Windows\SysWOW64\Ifdlng32.exeC:\Windows\system32\Ifdlng32.exe63⤵
- Executes dropped EXE
PID:784 -
C:\Windows\SysWOW64\Imodkadq.exeC:\Windows\system32\Imodkadq.exe64⤵
- Executes dropped EXE
PID:568 -
C:\Windows\SysWOW64\Imodkadq.exeC:\Windows\system32\Imodkadq.exe65⤵
- Executes dropped EXE
PID:1560 -
C:\Windows\SysWOW64\Iladfn32.exeC:\Windows\system32\Iladfn32.exe66⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1884 -
C:\Windows\SysWOW64\Ichmgl32.exeC:\Windows\system32\Ichmgl32.exe67⤵PID:1756
-
C:\Windows\SysWOW64\Ibkmchbh.exeC:\Windows\system32\Ibkmchbh.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:988 -
C:\Windows\SysWOW64\Iejiodbl.exeC:\Windows\system32\Iejiodbl.exe69⤵PID:1000
-
C:\Windows\SysWOW64\Imaapa32.exeC:\Windows\system32\Imaapa32.exe70⤵
- Drops file in System32 directory
PID:2672 -
C:\Windows\SysWOW64\Inbnhihl.exeC:\Windows\system32\Inbnhihl.exe71⤵
- Drops file in System32 directory
PID:2568 -
C:\Windows\SysWOW64\Jfieigio.exeC:\Windows\system32\Jfieigio.exe72⤵PID:1620
-
C:\Windows\SysWOW64\Jelfdc32.exeC:\Windows\system32\Jelfdc32.exe73⤵PID:864
-
C:\Windows\SysWOW64\Jhjbqo32.exeC:\Windows\system32\Jhjbqo32.exe74⤵
- Modifies registry class
PID:2952 -
C:\Windows\SysWOW64\Jlfnangf.exeC:\Windows\system32\Jlfnangf.exe75⤵PID:2916
-
C:\Windows\SysWOW64\Jbpfnh32.exeC:\Windows\system32\Jbpfnh32.exe76⤵PID:2032
-
C:\Windows\SysWOW64\Jacfidem.exeC:\Windows\system32\Jacfidem.exe77⤵
- System Location Discovery: System Language Discovery
PID:2900 -
C:\Windows\SysWOW64\Jenbjc32.exeC:\Windows\system32\Jenbjc32.exe78⤵PID:1296
-
C:\Windows\SysWOW64\Jijokbfp.exeC:\Windows\system32\Jijokbfp.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2492 -
C:\Windows\SysWOW64\Jjkkbjln.exeC:\Windows\system32\Jjkkbjln.exe80⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2140 -
C:\Windows\SysWOW64\Joggci32.exeC:\Windows\system32\Joggci32.exe81⤵PID:2496
-
C:\Windows\SysWOW64\Jaecod32.exeC:\Windows\system32\Jaecod32.exe82⤵PID:2988
-
C:\Windows\SysWOW64\Jeqopcld.exeC:\Windows\system32\Jeqopcld.exe83⤵PID:2380
-
C:\Windows\SysWOW64\Jhoklnkg.exeC:\Windows\system32\Jhoklnkg.exe84⤵PID:2148
-
C:\Windows\SysWOW64\Jjnhhjjk.exeC:\Windows\system32\Jjnhhjjk.exe85⤵PID:1596
-
C:\Windows\SysWOW64\Jmlddeio.exeC:\Windows\system32\Jmlddeio.exe86⤵PID:2556
-
C:\Windows\SysWOW64\Jagpdd32.exeC:\Windows\system32\Jagpdd32.exe87⤵PID:2880
-
C:\Windows\SysWOW64\Jdflqo32.exeC:\Windows\system32\Jdflqo32.exe88⤵PID:2692
-
C:\Windows\SysWOW64\Jhahanie.exeC:\Windows\system32\Jhahanie.exe89⤵
- Modifies registry class
PID:2076 -
C:\Windows\SysWOW64\Jfdhmk32.exeC:\Windows\system32\Jfdhmk32.exe90⤵
- Drops file in System32 directory
PID:1656 -
C:\Windows\SysWOW64\Jokqnhpa.exeC:\Windows\system32\Jokqnhpa.exe91⤵PID:2428
-
C:\Windows\SysWOW64\Jpmmfp32.exeC:\Windows\system32\Jpmmfp32.exe92⤵
- Drops file in System32 directory
PID:1676 -
C:\Windows\SysWOW64\Jdhifooi.exeC:\Windows\system32\Jdhifooi.exe93⤵PID:2536
-
C:\Windows\SysWOW64\Jkbaci32.exeC:\Windows\system32\Jkbaci32.exe94⤵
- System Location Discovery: System Language Discovery
PID:972 -
C:\Windows\SysWOW64\Jieaofmp.exeC:\Windows\system32\Jieaofmp.exe95⤵
- Drops file in System32 directory
PID:1548 -
C:\Windows\SysWOW64\Kmqmod32.exeC:\Windows\system32\Kmqmod32.exe96⤵PID:1372
-
C:\Windows\SysWOW64\Kalipcmb.exeC:\Windows\system32\Kalipcmb.exe97⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1796 -
C:\Windows\SysWOW64\Kdkelolf.exeC:\Windows\system32\Kdkelolf.exe98⤵PID:1520
-
C:\Windows\SysWOW64\Kbmfgk32.exeC:\Windows\system32\Kbmfgk32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2756 -
C:\Windows\SysWOW64\Kigndekn.exeC:\Windows\system32\Kigndekn.exe100⤵PID:2620
-
C:\Windows\SysWOW64\Klfjpa32.exeC:\Windows\system32\Klfjpa32.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:592 -
C:\Windows\SysWOW64\Kdmban32.exeC:\Windows\system32\Kdmban32.exe102⤵PID:992
-
C:\Windows\SysWOW64\Kgkonj32.exeC:\Windows\system32\Kgkonj32.exe103⤵PID:2176
-
C:\Windows\SysWOW64\Kenoifpb.exeC:\Windows\system32\Kenoifpb.exe104⤵PID:2960
-
C:\Windows\SysWOW64\Kijkje32.exeC:\Windows\system32\Kijkje32.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2164 -
C:\Windows\SysWOW64\Kmegjdad.exeC:\Windows\system32\Kmegjdad.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:908 -
C:\Windows\SysWOW64\Kofcbl32.exeC:\Windows\system32\Kofcbl32.exe107⤵PID:2024
-
C:\Windows\SysWOW64\Kgnkci32.exeC:\Windows\system32\Kgnkci32.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1848 -
C:\Windows\SysWOW64\Keqkofno.exeC:\Windows\system32\Keqkofno.exe109⤵PID:1512
-
C:\Windows\SysWOW64\Khohkamc.exeC:\Windows\system32\Khohkamc.exe110⤵
- Drops file in System32 directory
PID:2132 -
C:\Windows\SysWOW64\Kljdkpfl.exeC:\Windows\system32\Kljdkpfl.exe111⤵PID:2572
-
C:\Windows\SysWOW64\Kpfplo32.exeC:\Windows\system32\Kpfplo32.exe112⤵
- Modifies registry class
PID:1544 -
C:\Windows\SysWOW64\Kcdlhj32.exeC:\Windows\system32\Kcdlhj32.exe113⤵PID:304
-
C:\Windows\SysWOW64\Kechdf32.exeC:\Windows\system32\Kechdf32.exe114⤵PID:1064
-
C:\Windows\SysWOW64\Khadpa32.exeC:\Windows\system32\Khadpa32.exe115⤵PID:1864
-
C:\Windows\SysWOW64\Klmqapci.exeC:\Windows\system32\Klmqapci.exe116⤵PID:2396
-
C:\Windows\SysWOW64\Kokmmkcm.exeC:\Windows\system32\Kokmmkcm.exe117⤵
- System Location Discovery: System Language Discovery
PID:1084 -
C:\Windows\SysWOW64\Kcginj32.exeC:\Windows\system32\Kcginj32.exe118⤵PID:2156
-
C:\Windows\SysWOW64\Keeeje32.exeC:\Windows\system32\Keeeje32.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3040 -
C:\Windows\SysWOW64\Lhcafa32.exeC:\Windows\system32\Lhcafa32.exe120⤵
- System Location Discovery: System Language Discovery
PID:1424 -
C:\Windows\SysWOW64\Llomfpag.exeC:\Windows\system32\Llomfpag.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2676
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-