Analysis
-
max time kernel
65s -
max time network
18s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
24-12-2024 20:17
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
20b2be40f9ec0a13ba049706b043f21d038f1e2e10a13409be442c1671a0ccbd.exe
Resource
win7-20241010-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral2
Sample
20b2be40f9ec0a13ba049706b043f21d038f1e2e10a13409be442c1671a0ccbd.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
20b2be40f9ec0a13ba049706b043f21d038f1e2e10a13409be442c1671a0ccbd.exe
-
Size
80KB
-
MD5
35c9ce0256979bd8c4e0b0339b91c5a6
-
SHA1
57fb2090e3e27684099642429056158c4fd68089
-
SHA256
20b2be40f9ec0a13ba049706b043f21d038f1e2e10a13409be442c1671a0ccbd
-
SHA512
4ab9c839d6c2226d777346316117162339ca0ff9605a7e13569a20fd4d5a7d3feb9fd4f15002e1e29305b69ec18ed8928455079cebac4d170ea7956bdd2a712a
-
SSDEEP
1536:C8RtHhND2EdTvOlq3oUgSChl6UDz/DMX41kMNBb0t1cgCe8uvQGYQzlVZgs:9tHbbdTvJwSCh3z/IDMn0tugCe8uvQaX
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://master-x.com/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://crutop.ru/index.php
http://kaspersky.ru/index.php
http://color-bank.ru/index.php
http://adult-empire.com/index.php
http://virus-list.com/index.php
http://trojan.ru/index.php
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://fethard.biz/index.htm
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://kaspersky.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aedghf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dechlfkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qomcdf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdailaib.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aagadh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Allbpqcp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfigdl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Caomgjnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkqnchgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cenhfqle.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdhjfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hobfgcdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbfidfem.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Babbpc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hqcpfcbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hnmcne32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jibcja32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmolkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mnqdpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bnafjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nbckeb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Colgpo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imepgbnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mgbcha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmnljc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jcknqicd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ooiepnen.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Peoanckj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oofbph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmabaf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nqdaal32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncnmhajo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fagcnmie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hddgkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmedck32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojijha32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plbbmjhf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pockoeeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fhcehngk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhnnpolk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilihij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kigkmmql.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecdhonoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mffgfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Meiedg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnpknl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijeinphf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hopibdfd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iackhb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljjkgfig.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbflfomj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ijegeg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojjnioae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Biiljjnk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dllnphkd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibafhmph.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Liddljan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lkbphfab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pcgqoech.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oclpdf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpmdff32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgffpk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lppgfkpd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nihjfm32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 1184 Jifkmh32.exe 2920 Jemkai32.exe 2408 Jmkmlk32.exe 2736 Kplfmfmf.exe 2824 Klbfbg32.exe 2536 Kocodbpk.exe 2692 Khkdmh32.exe 2104 Klimcf32.exe 1584 Lkoidcaj.exe 3020 Lolbjahp.exe 2300 Lhegcg32.exe 584 Lndlamke.exe 2244 Lcqdidim.exe 2192 Mfamko32.exe 1968 Mlnbmikh.exe 2012 Mffgfo32.exe 2420 Mmpobi32.exe 456 Nndhpqma.exe 1668 Niilmi32.exe 1624 Nqdaal32.exe 1772 Nnhakp32.exe 1528 Nmnoll32.exe 2372 Ncggifep.exe 876 Nffcebdd.exe 1596 Oclpdf32.exe 2856 Onfadc32.exe 2860 Obdjjb32.exe 2312 Obffpa32.exe 2876 Oakcan32.exe 2724 Pmbdfolj.exe 2772 Pfjiod32.exe 2812 Pdqfnhpa.exe 1172 Pojgnf32.exe 1168 Qomcdf32.exe 3064 Qoopie32.exe 3068 Aapikqel.exe 1296 Agmacgcc.exe 1148 Agonig32.exe 2096 Acfonhgd.exe 1220 Bfieec32.exe 1124 Blejgm32.exe 612 Babbpc32.exe 1056 Bkjfhile.exe 1488 Bfpkfb32.exe 2008 Cqlhlo32.exe 924 Cgfqii32.exe 1920 Cdjabn32.exe 2360 Cjfjjd32.exe 1620 Cocbbk32.exe 2336 Cqcomn32.exe 2316 Cfpgee32.exe 2636 Cbfhjfdk.exe 2776 Deedfacn.exe 2832 Dnmhogjo.exe 1660 Dfdqpdja.exe 1292 Dbkaee32.exe 2224 Dghjmlnm.exe 2972 Deljfqmf.exe 1524 Dndoof32.exe 2684 Dfpcdh32.exe 2432 Dnfkefad.exe 1052 Ehopnk32.exe 1456 Eagdgaoe.exe 1988 Efdmohmm.exe -
Loads dropped DLL 64 IoCs
pid Process 2380 20b2be40f9ec0a13ba049706b043f21d038f1e2e10a13409be442c1671a0ccbd.exe 2380 20b2be40f9ec0a13ba049706b043f21d038f1e2e10a13409be442c1671a0ccbd.exe 1184 Jifkmh32.exe 1184 Jifkmh32.exe 2920 Jemkai32.exe 2920 Jemkai32.exe 2408 Jmkmlk32.exe 2408 Jmkmlk32.exe 2736 Kplfmfmf.exe 2736 Kplfmfmf.exe 2824 Klbfbg32.exe 2824 Klbfbg32.exe 2536 Kocodbpk.exe 2536 Kocodbpk.exe 2692 Khkdmh32.exe 2692 Khkdmh32.exe 2104 Klimcf32.exe 2104 Klimcf32.exe 1584 Lkoidcaj.exe 1584 Lkoidcaj.exe 3020 Lolbjahp.exe 3020 Lolbjahp.exe 2300 Lhegcg32.exe 2300 Lhegcg32.exe 584 Lndlamke.exe 584 Lndlamke.exe 2244 Lcqdidim.exe 2244 Lcqdidim.exe 2192 Mfamko32.exe 2192 Mfamko32.exe 1968 Mlnbmikh.exe 1968 Mlnbmikh.exe 2012 Mffgfo32.exe 2012 Mffgfo32.exe 2420 Mmpobi32.exe 2420 Mmpobi32.exe 456 Nndhpqma.exe 456 Nndhpqma.exe 1668 Niilmi32.exe 1668 Niilmi32.exe 1624 Nqdaal32.exe 1624 Nqdaal32.exe 1772 Nnhakp32.exe 1772 Nnhakp32.exe 1528 Nmnoll32.exe 1528 Nmnoll32.exe 2372 Ncggifep.exe 2372 Ncggifep.exe 876 Nffcebdd.exe 876 Nffcebdd.exe 1596 Oclpdf32.exe 1596 Oclpdf32.exe 2856 Onfadc32.exe 2856 Onfadc32.exe 2860 Obdjjb32.exe 2860 Obdjjb32.exe 2312 Obffpa32.exe 2312 Obffpa32.exe 2876 Oakcan32.exe 2876 Oakcan32.exe 2724 Pmbdfolj.exe 2724 Pmbdfolj.exe 2772 Pfjiod32.exe 2772 Pfjiod32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Kekbip32.dll Pmmppm32.exe File created C:\Windows\SysWOW64\Hdonpjbi.exe Hobfgcdb.exe File created C:\Windows\SysWOW64\Inknaqhd.dll Kniaap32.exe File created C:\Windows\SysWOW64\Gpdhiaoi.exe Ggicdo32.exe File opened for modification C:\Windows\SysWOW64\Ggekhhle.exe Gaibpa32.exe File opened for modification C:\Windows\SysWOW64\Hikpnkme.exe Hpckee32.exe File created C:\Windows\SysWOW64\Ildgdpca.dll Jncqlj32.exe File created C:\Windows\SysWOW64\Fqbacl32.dll Bcnomjbg.exe File opened for modification C:\Windows\SysWOW64\Chahin32.exe Cbdpag32.exe File opened for modification C:\Windows\SysWOW64\Aqnjml32.exe Acjjch32.exe File opened for modification C:\Windows\SysWOW64\Elnagijk.exe Efaiobkc.exe File created C:\Windows\SysWOW64\Gdpikmci.exe Gocpcfeb.exe File opened for modification C:\Windows\SysWOW64\Kmnljc32.exe Kgqcam32.exe File created C:\Windows\SysWOW64\Dopdgoif.dll Odbhofjh.exe File opened for modification C:\Windows\SysWOW64\Peoanckj.exe Pobhfl32.exe File opened for modification C:\Windows\SysWOW64\Jncqlj32.exe Jgihopao.exe File created C:\Windows\SysWOW64\Jieqjmnb.dll Nbckeb32.exe File opened for modification C:\Windows\SysWOW64\Fiepga32.exe Fchgnj32.exe File opened for modification C:\Windows\SysWOW64\Nidhfgpl.exe Nfcoel32.exe File created C:\Windows\SysWOW64\Kkaick32.dll Jboanfmm.exe File created C:\Windows\SysWOW64\Oekpna32.dll Mlqakaqi.exe File opened for modification C:\Windows\SysWOW64\Odbhofjh.exe Okjdfq32.exe File created C:\Windows\SysWOW64\Iehcajjc.exe Idffib32.exe File created C:\Windows\SysWOW64\Olafdoej.dll Ilohnopg.exe File created C:\Windows\SysWOW64\Igncjolp.dll Ohofimje.exe File created C:\Windows\SysWOW64\Pdcjhkpn.dll Pnnlfd32.exe File created C:\Windows\SysWOW64\Cpefgj32.dll Mfjaknoe.exe File opened for modification C:\Windows\SysWOW64\Elcbmn32.exe Eeijpdbd.exe File created C:\Windows\SysWOW64\Nlfaag32.exe Nflidmic.exe File created C:\Windows\SysWOW64\Pcokaa32.exe Pfkkhmjn.exe File opened for modification C:\Windows\SysWOW64\Lolbjahp.exe Lkoidcaj.exe File opened for modification C:\Windows\SysWOW64\Nndhpqma.exe Mmpobi32.exe File opened for modification C:\Windows\SysWOW64\Kgqcam32.exe Knhoig32.exe File opened for modification C:\Windows\SysWOW64\Hlliof32.exe Hebqbl32.exe File created C:\Windows\SysWOW64\Lociadma.dll Kaeokg32.exe File created C:\Windows\SysWOW64\Ncggifep.exe Nmnoll32.exe File created C:\Windows\SysWOW64\Ijhmnf32.exe Idkdfo32.exe File opened for modification C:\Windows\SysWOW64\Hgpgae32.exe Hpfoekhm.exe File created C:\Windows\SysWOW64\Eljihn32.exe Eepakc32.exe File created C:\Windows\SysWOW64\Njmhcj32.exe Npecjdaf.exe File created C:\Windows\SysWOW64\Bjekfi32.dll Emadjj32.exe File opened for modification C:\Windows\SysWOW64\Fjhjlm32.exe Emdjbi32.exe File created C:\Windows\SysWOW64\Idffib32.exe Ilpohecc.exe File created C:\Windows\SysWOW64\Iiflgi32.exe Ipmgncii.exe File created C:\Windows\SysWOW64\Napdqm32.dll Ehjbaooe.exe File created C:\Windows\SysWOW64\Iclkhpln.dll Ihfmdm32.exe File created C:\Windows\SysWOW64\Fdjcjebn.dll Hdjnje32.exe File created C:\Windows\SysWOW64\Ekacnjfp.exe Ehpjmoio.exe File opened for modification C:\Windows\SysWOW64\Afdjmo32.exe Aagadh32.exe File opened for modification C:\Windows\SysWOW64\Jkklpk32.exe Jjjohbgl.exe File opened for modification C:\Windows\SysWOW64\Kbonmjph.exe Kleeqp32.exe File created C:\Windows\SysWOW64\Bnmmjd32.exe Afaieb32.exe File opened for modification C:\Windows\SysWOW64\Bnagecdp.exe Bclbhkdj.exe File opened for modification C:\Windows\SysWOW64\Kgoknohj.exe Kdaoacif.exe File created C:\Windows\SysWOW64\Nffcebdd.exe Ncggifep.exe File created C:\Windows\SysWOW64\Aamekk32.exe Qdieaf32.exe File created C:\Windows\SysWOW64\Cnflmc32.dll Iogkaf32.exe File created C:\Windows\SysWOW64\Lfeegfkf.exe Llpajmkq.exe File created C:\Windows\SysWOW64\Iopbaq32.dll Pblkgh32.exe File opened for modification C:\Windows\SysWOW64\Dfpcdh32.exe Dndoof32.exe File opened for modification C:\Windows\SysWOW64\Fhdhqg32.exe Feeldk32.exe File created C:\Windows\SysWOW64\Agmacgcc.exe Aapikqel.exe File created C:\Windows\SysWOW64\Fkdoii32.exe Faljqcmk.exe File created C:\Windows\SysWOW64\Lgfjoqnd.dll Akejdp32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3340 4112 WerFault.exe 790 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddfjak32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njbanida.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkfbmj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkggel32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egmhjm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfigkljk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nodikecl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdipnedn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dghgdg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hobfgcdb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bajqcqli.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgpkobnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Doflofbf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gccjbo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afdjmo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mihkoa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmaaha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjifpdib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhcehngk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdfqomom.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qedjib32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjpbeecn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjmbohhl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fagqed32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oblmom32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmnljc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjbbmmih.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpodmb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnmcne32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmpkhl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nolhoc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jegheghc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgoknohj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnkbcmaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cehlbihg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekjjebed.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbnjphpe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddjbbbna.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odiagj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jokccnci.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbaflm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgfqii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iofiimkd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdpmljan.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odpljf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qipmdhcj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Clehoiam.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpcaeghc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khfdcgmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gndedhdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhhkbqea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onggom32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlqakaqi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnqanbcj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Meaiia32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akahokho.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgjdjghf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngajeg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehopnk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eagdgaoe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdcfle32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njlopkmg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aefaemqj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnocdb32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bbbckh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gfdcdi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lhegcg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Agonig32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lejppj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdekjmob.dll" Plkchdiq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dbgjbo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dfjegl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kmpkhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjmool32.dll" Fmabaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcnnoo32.dll" Qomcdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Efaiobkc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ejcaanfg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Anpekggc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Klmfmacc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cnpknl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fallil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kjgoaflj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Genkhidc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fddfbm32.dll" Ekjjebed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcejjpfg.dll" Odiagj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iiblgb32.dll" Cbjbof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lelnjj32.dll" Efolib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obogji32.dll" Njbanida.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cnpknl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfdgpj32.dll" Hpfoekhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Afojgiei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljdhfnif.dll" Jdoblckh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pidgnc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bhglpqeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcnlppkh.dll" Ojijha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghfjbfgk.dll" Cbfhjfdk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Efdmohmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hqcpfcbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgfjoqnd.dll" Akejdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iaodci32.dll" Belcck32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aiaqif32.dll" Cfpgee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Neahmj32.dll" Iaknmm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Faedpdcc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gnaffpoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ljljenoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikgmap32.dll" Hifdjcif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnnimkif.dll" Feeldk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbfple32.dll" Hjglpncm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pajicf32.dll" Mfamko32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kaaeegkc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Alcclb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooelen32.dll" Jgllof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pidgnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hekhidap.dll" Gnaffpoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ngajeg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oecpeqdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gaibpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ihfmdm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iogkaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcegdl32.dll" Dmaoem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olopjkfk.dll" Caofmc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gfdcdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cocbbk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ebnlba32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hljljflh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gcbaop32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ihmene32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmfblfeb.dll" Jaejfj32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2380 wrote to memory of 1184 2380 20b2be40f9ec0a13ba049706b043f21d038f1e2e10a13409be442c1671a0ccbd.exe 29 PID 2380 wrote to memory of 1184 2380 20b2be40f9ec0a13ba049706b043f21d038f1e2e10a13409be442c1671a0ccbd.exe 29 PID 2380 wrote to memory of 1184 2380 20b2be40f9ec0a13ba049706b043f21d038f1e2e10a13409be442c1671a0ccbd.exe 29 PID 2380 wrote to memory of 1184 2380 20b2be40f9ec0a13ba049706b043f21d038f1e2e10a13409be442c1671a0ccbd.exe 29 PID 1184 wrote to memory of 2920 1184 Jifkmh32.exe 30 PID 1184 wrote to memory of 2920 1184 Jifkmh32.exe 30 PID 1184 wrote to memory of 2920 1184 Jifkmh32.exe 30 PID 1184 wrote to memory of 2920 1184 Jifkmh32.exe 30 PID 2920 wrote to memory of 2408 2920 Jemkai32.exe 31 PID 2920 wrote to memory of 2408 2920 Jemkai32.exe 31 PID 2920 wrote to memory of 2408 2920 Jemkai32.exe 31 PID 2920 wrote to memory of 2408 2920 Jemkai32.exe 31 PID 2408 wrote to memory of 2736 2408 Jmkmlk32.exe 32 PID 2408 wrote to memory of 2736 2408 Jmkmlk32.exe 32 PID 2408 wrote to memory of 2736 2408 Jmkmlk32.exe 32 PID 2408 wrote to memory of 2736 2408 Jmkmlk32.exe 32 PID 2736 wrote to memory of 2824 2736 Kplfmfmf.exe 33 PID 2736 wrote to memory of 2824 2736 Kplfmfmf.exe 33 PID 2736 wrote to memory of 2824 2736 Kplfmfmf.exe 33 PID 2736 wrote to memory of 2824 2736 Kplfmfmf.exe 33 PID 2824 wrote to memory of 2536 2824 Klbfbg32.exe 34 PID 2824 wrote to memory of 2536 2824 Klbfbg32.exe 34 PID 2824 wrote to memory of 2536 2824 Klbfbg32.exe 34 PID 2824 wrote to memory of 2536 2824 Klbfbg32.exe 34 PID 2536 wrote to memory of 2692 2536 Kocodbpk.exe 35 PID 2536 wrote to memory of 2692 2536 Kocodbpk.exe 35 PID 2536 wrote to memory of 2692 2536 Kocodbpk.exe 35 PID 2536 wrote to memory of 2692 2536 Kocodbpk.exe 35 PID 2692 wrote to memory of 2104 2692 Khkdmh32.exe 36 PID 2692 wrote to memory of 2104 2692 Khkdmh32.exe 36 PID 2692 wrote to memory of 2104 2692 Khkdmh32.exe 36 PID 2692 wrote to memory of 2104 2692 Khkdmh32.exe 36 PID 2104 wrote to memory of 1584 2104 Klimcf32.exe 37 PID 2104 wrote to memory of 1584 2104 Klimcf32.exe 37 PID 2104 wrote to memory of 1584 2104 Klimcf32.exe 37 PID 2104 wrote to memory of 1584 2104 Klimcf32.exe 37 PID 1584 wrote to memory of 3020 1584 Lkoidcaj.exe 38 PID 1584 wrote to memory of 3020 1584 Lkoidcaj.exe 38 PID 1584 wrote to memory of 3020 1584 Lkoidcaj.exe 38 PID 1584 wrote to memory of 3020 1584 Lkoidcaj.exe 38 PID 3020 wrote to memory of 2300 3020 Lolbjahp.exe 39 PID 3020 wrote to memory of 2300 3020 Lolbjahp.exe 39 PID 3020 wrote to memory of 2300 3020 Lolbjahp.exe 39 PID 3020 wrote to memory of 2300 3020 Lolbjahp.exe 39 PID 2300 wrote to memory of 584 2300 Lhegcg32.exe 40 PID 2300 wrote to memory of 584 2300 Lhegcg32.exe 40 PID 2300 wrote to memory of 584 2300 Lhegcg32.exe 40 PID 2300 wrote to memory of 584 2300 Lhegcg32.exe 40 PID 584 wrote to memory of 2244 584 Lndlamke.exe 41 PID 584 wrote to memory of 2244 584 Lndlamke.exe 41 PID 584 wrote to memory of 2244 584 Lndlamke.exe 41 PID 584 wrote to memory of 2244 584 Lndlamke.exe 41 PID 2244 wrote to memory of 2192 2244 Lcqdidim.exe 42 PID 2244 wrote to memory of 2192 2244 Lcqdidim.exe 42 PID 2244 wrote to memory of 2192 2244 Lcqdidim.exe 42 PID 2244 wrote to memory of 2192 2244 Lcqdidim.exe 42 PID 2192 wrote to memory of 1968 2192 Mfamko32.exe 43 PID 2192 wrote to memory of 1968 2192 Mfamko32.exe 43 PID 2192 wrote to memory of 1968 2192 Mfamko32.exe 43 PID 2192 wrote to memory of 1968 2192 Mfamko32.exe 43 PID 1968 wrote to memory of 2012 1968 Mlnbmikh.exe 44 PID 1968 wrote to memory of 2012 1968 Mlnbmikh.exe 44 PID 1968 wrote to memory of 2012 1968 Mlnbmikh.exe 44 PID 1968 wrote to memory of 2012 1968 Mlnbmikh.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\20b2be40f9ec0a13ba049706b043f21d038f1e2e10a13409be442c1671a0ccbd.exe"C:\Users\Admin\AppData\Local\Temp\20b2be40f9ec0a13ba049706b043f21d038f1e2e10a13409be442c1671a0ccbd.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2380 -
C:\Windows\SysWOW64\Jifkmh32.exeC:\Windows\system32\Jifkmh32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1184 -
C:\Windows\SysWOW64\Jemkai32.exeC:\Windows\system32\Jemkai32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2920 -
C:\Windows\SysWOW64\Jmkmlk32.exeC:\Windows\system32\Jmkmlk32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2408 -
C:\Windows\SysWOW64\Kplfmfmf.exeC:\Windows\system32\Kplfmfmf.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Windows\SysWOW64\Klbfbg32.exeC:\Windows\system32\Klbfbg32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2824 -
C:\Windows\SysWOW64\Kocodbpk.exeC:\Windows\system32\Kocodbpk.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2536 -
C:\Windows\SysWOW64\Khkdmh32.exeC:\Windows\system32\Khkdmh32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\Windows\SysWOW64\Klimcf32.exeC:\Windows\system32\Klimcf32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2104 -
C:\Windows\SysWOW64\Lkoidcaj.exeC:\Windows\system32\Lkoidcaj.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1584 -
C:\Windows\SysWOW64\Lolbjahp.exeC:\Windows\system32\Lolbjahp.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3020 -
C:\Windows\SysWOW64\Lhegcg32.exeC:\Windows\system32\Lhegcg32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2300 -
C:\Windows\SysWOW64\Lndlamke.exeC:\Windows\system32\Lndlamke.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:584 -
C:\Windows\SysWOW64\Lcqdidim.exeC:\Windows\system32\Lcqdidim.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2244 -
C:\Windows\SysWOW64\Mfamko32.exeC:\Windows\system32\Mfamko32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2192 -
C:\Windows\SysWOW64\Mlnbmikh.exeC:\Windows\system32\Mlnbmikh.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1968 -
C:\Windows\SysWOW64\Mffgfo32.exeC:\Windows\system32\Mffgfo32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2012 -
C:\Windows\SysWOW64\Mmpobi32.exeC:\Windows\system32\Mmpobi32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2420 -
C:\Windows\SysWOW64\Nndhpqma.exeC:\Windows\system32\Nndhpqma.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:456 -
C:\Windows\SysWOW64\Niilmi32.exeC:\Windows\system32\Niilmi32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1668 -
C:\Windows\SysWOW64\Nqdaal32.exeC:\Windows\system32\Nqdaal32.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1624 -
C:\Windows\SysWOW64\Nnhakp32.exeC:\Windows\system32\Nnhakp32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1772 -
C:\Windows\SysWOW64\Nmnoll32.exeC:\Windows\system32\Nmnoll32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1528 -
C:\Windows\SysWOW64\Ncggifep.exeC:\Windows\system32\Ncggifep.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2372 -
C:\Windows\SysWOW64\Nffcebdd.exeC:\Windows\system32\Nffcebdd.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:876 -
C:\Windows\SysWOW64\Oclpdf32.exeC:\Windows\system32\Oclpdf32.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1596 -
C:\Windows\SysWOW64\Onfadc32.exeC:\Windows\system32\Onfadc32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2856 -
C:\Windows\SysWOW64\Obdjjb32.exeC:\Windows\system32\Obdjjb32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2860 -
C:\Windows\SysWOW64\Obffpa32.exeC:\Windows\system32\Obffpa32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2312 -
C:\Windows\SysWOW64\Oakcan32.exeC:\Windows\system32\Oakcan32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2876 -
C:\Windows\SysWOW64\Pmbdfolj.exeC:\Windows\system32\Pmbdfolj.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2724 -
C:\Windows\SysWOW64\Pfjiod32.exeC:\Windows\system32\Pfjiod32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2772 -
C:\Windows\SysWOW64\Pdqfnhpa.exeC:\Windows\system32\Pdqfnhpa.exe33⤵
- Executes dropped EXE
PID:2812 -
C:\Windows\SysWOW64\Pojgnf32.exeC:\Windows\system32\Pojgnf32.exe34⤵
- Executes dropped EXE
PID:1172 -
C:\Windows\SysWOW64\Qomcdf32.exeC:\Windows\system32\Qomcdf32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1168 -
C:\Windows\SysWOW64\Qoopie32.exeC:\Windows\system32\Qoopie32.exe36⤵
- Executes dropped EXE
PID:3064 -
C:\Windows\SysWOW64\Aapikqel.exeC:\Windows\system32\Aapikqel.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3068 -
C:\Windows\SysWOW64\Agmacgcc.exeC:\Windows\system32\Agmacgcc.exe38⤵
- Executes dropped EXE
PID:1296 -
C:\Windows\SysWOW64\Agonig32.exeC:\Windows\system32\Agonig32.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:1148 -
C:\Windows\SysWOW64\Acfonhgd.exeC:\Windows\system32\Acfonhgd.exe40⤵
- Executes dropped EXE
PID:2096 -
C:\Windows\SysWOW64\Bfieec32.exeC:\Windows\system32\Bfieec32.exe41⤵
- Executes dropped EXE
PID:1220 -
C:\Windows\SysWOW64\Blejgm32.exeC:\Windows\system32\Blejgm32.exe42⤵
- Executes dropped EXE
PID:1124 -
C:\Windows\SysWOW64\Babbpc32.exeC:\Windows\system32\Babbpc32.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:612 -
C:\Windows\SysWOW64\Bkjfhile.exeC:\Windows\system32\Bkjfhile.exe44⤵
- Executes dropped EXE
PID:1056 -
C:\Windows\SysWOW64\Bfpkfb32.exeC:\Windows\system32\Bfpkfb32.exe45⤵
- Executes dropped EXE
PID:1488 -
C:\Windows\SysWOW64\Cqlhlo32.exeC:\Windows\system32\Cqlhlo32.exe46⤵
- Executes dropped EXE
PID:2008 -
C:\Windows\SysWOW64\Cgfqii32.exeC:\Windows\system32\Cgfqii32.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:924 -
C:\Windows\SysWOW64\Cdjabn32.exeC:\Windows\system32\Cdjabn32.exe48⤵
- Executes dropped EXE
PID:1920 -
C:\Windows\SysWOW64\Cjfjjd32.exeC:\Windows\system32\Cjfjjd32.exe49⤵
- Executes dropped EXE
PID:2360 -
C:\Windows\SysWOW64\Cocbbk32.exeC:\Windows\system32\Cocbbk32.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:1620 -
C:\Windows\SysWOW64\Cjifpdib.exeC:\Windows\system32\Cjifpdib.exe51⤵
- System Location Discovery: System Language Discovery
PID:2840 -
C:\Windows\SysWOW64\Cqcomn32.exeC:\Windows\system32\Cqcomn32.exe52⤵
- Executes dropped EXE
PID:2336 -
C:\Windows\SysWOW64\Cfpgee32.exeC:\Windows\system32\Cfpgee32.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:2316 -
C:\Windows\SysWOW64\Cbfhjfdk.exeC:\Windows\system32\Cbfhjfdk.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:2636 -
C:\Windows\SysWOW64\Deedfacn.exeC:\Windows\system32\Deedfacn.exe55⤵
- Executes dropped EXE
PID:2776 -
C:\Windows\SysWOW64\Dnmhogjo.exeC:\Windows\system32\Dnmhogjo.exe56⤵
- Executes dropped EXE
PID:2832 -
C:\Windows\SysWOW64\Dfdqpdja.exeC:\Windows\system32\Dfdqpdja.exe57⤵
- Executes dropped EXE
PID:1660 -
C:\Windows\SysWOW64\Dbkaee32.exeC:\Windows\system32\Dbkaee32.exe58⤵
- Executes dropped EXE
PID:1292 -
C:\Windows\SysWOW64\Dghjmlnm.exeC:\Windows\system32\Dghjmlnm.exe59⤵
- Executes dropped EXE
PID:2224 -
C:\Windows\SysWOW64\Deljfqmf.exeC:\Windows\system32\Deljfqmf.exe60⤵
- Executes dropped EXE
PID:2972 -
C:\Windows\SysWOW64\Dndoof32.exeC:\Windows\system32\Dndoof32.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1524 -
C:\Windows\SysWOW64\Dfpcdh32.exeC:\Windows\system32\Dfpcdh32.exe62⤵
- Executes dropped EXE
PID:2684 -
C:\Windows\SysWOW64\Dnfkefad.exeC:\Windows\system32\Dnfkefad.exe63⤵
- Executes dropped EXE
PID:2432 -
C:\Windows\SysWOW64\Ehopnk32.exeC:\Windows\system32\Ehopnk32.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1052 -
C:\Windows\SysWOW64\Eagdgaoe.exeC:\Windows\system32\Eagdgaoe.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1456 -
C:\Windows\SysWOW64\Efdmohmm.exeC:\Windows\system32\Efdmohmm.exe66⤵
- Executes dropped EXE
- Modifies registry class
PID:1988 -
C:\Windows\SysWOW64\Emnelbdi.exeC:\Windows\system32\Emnelbdi.exe67⤵PID:884
-
C:\Windows\SysWOW64\Eeijpdbd.exeC:\Windows\system32\Eeijpdbd.exe68⤵
- Drops file in System32 directory
PID:3012 -
C:\Windows\SysWOW64\Elcbmn32.exeC:\Windows\system32\Elcbmn32.exe69⤵PID:2816
-
C:\Windows\SysWOW64\Efifjg32.exeC:\Windows\system32\Efifjg32.exe70⤵PID:2984
-
C:\Windows\SysWOW64\Ehjbaooe.exeC:\Windows\system32\Ehjbaooe.exe71⤵
- Drops file in System32 directory
PID:3024 -
C:\Windows\SysWOW64\Ebpgoh32.exeC:\Windows\system32\Ebpgoh32.exe72⤵PID:2588
-
C:\Windows\SysWOW64\Fijolbfh.exeC:\Windows\system32\Fijolbfh.exe73⤵PID:2264
-
C:\Windows\SysWOW64\Faedpdcc.exeC:\Windows\system32\Faedpdcc.exe74⤵
- Modifies registry class
PID:1676 -
C:\Windows\SysWOW64\Fljhmmci.exeC:\Windows\system32\Fljhmmci.exe75⤵PID:2064
-
C:\Windows\SysWOW64\Fagqed32.exeC:\Windows\system32\Fagqed32.exe76⤵
- System Location Discovery: System Language Discovery
PID:3060 -
C:\Windows\SysWOW64\Fdemap32.exeC:\Windows\system32\Fdemap32.exe77⤵PID:1812
-
C:\Windows\SysWOW64\Fmnakege.exeC:\Windows\system32\Fmnakege.exe78⤵PID:2076
-
C:\Windows\SysWOW64\Fhcehngk.exeC:\Windows\system32\Fhcehngk.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1552 -
C:\Windows\SysWOW64\Faljqcmk.exeC:\Windows\system32\Faljqcmk.exe80⤵
- Drops file in System32 directory
PID:2580 -
C:\Windows\SysWOW64\Fkdoii32.exeC:\Windows\system32\Fkdoii32.exe81⤵PID:2620
-
C:\Windows\SysWOW64\Gcocnk32.exeC:\Windows\system32\Gcocnk32.exe82⤵PID:1396
-
C:\Windows\SysWOW64\Glhhgahg.exeC:\Windows\system32\Glhhgahg.exe83⤵PID:1780
-
C:\Windows\SysWOW64\Gilhpe32.exeC:\Windows\system32\Gilhpe32.exe84⤵PID:1132
-
C:\Windows\SysWOW64\Ggphji32.exeC:\Windows\system32\Ggphji32.exe85⤵PID:780
-
C:\Windows\SysWOW64\Gokmnlcf.exeC:\Windows\system32\Gokmnlcf.exe86⤵PID:2864
-
C:\Windows\SysWOW64\Geeekf32.exeC:\Windows\system32\Geeekf32.exe87⤵PID:2936
-
C:\Windows\SysWOW64\Gkancm32.exeC:\Windows\system32\Gkancm32.exe88⤵PID:2760
-
C:\Windows\SysWOW64\Galfpgpg.exeC:\Windows\system32\Galfpgpg.exe89⤵PID:2600
-
C:\Windows\SysWOW64\Hkdkhl32.exeC:\Windows\system32\Hkdkhl32.exe90⤵PID:1136
-
C:\Windows\SysWOW64\Hhhkbqea.exeC:\Windows\system32\Hhhkbqea.exe91⤵
- System Location Discovery: System Language Discovery
PID:2200 -
C:\Windows\SysWOW64\Hqcpfcbl.exeC:\Windows\system32\Hqcpfcbl.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1984 -
C:\Windows\SysWOW64\Hgmhcm32.exeC:\Windows\system32\Hgmhcm32.exe93⤵PID:2672
-
C:\Windows\SysWOW64\Hdailaib.exeC:\Windows\system32\Hdailaib.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:976 -
C:\Windows\SysWOW64\Hgpeimhf.exeC:\Windows\system32\Hgpeimhf.exe95⤵PID:1244
-
C:\Windows\SysWOW64\Hmlmacfn.exeC:\Windows\system32\Hmlmacfn.exe96⤵PID:2284
-
C:\Windows\SysWOW64\Hfdbji32.exeC:\Windows\system32\Hfdbji32.exe97⤵PID:964
-
C:\Windows\SysWOW64\Hchbcmlh.exeC:\Windows\system32\Hchbcmlh.exe98⤵PID:1072
-
C:\Windows\SysWOW64\Imaglc32.exeC:\Windows\system32\Imaglc32.exe99⤵PID:2144
-
C:\Windows\SysWOW64\Ijegeg32.exeC:\Windows\system32\Ijegeg32.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2572 -
C:\Windows\SysWOW64\Ikfdmogp.exeC:\Windows\system32\Ikfdmogp.exe101⤵PID:2616
-
C:\Windows\SysWOW64\Imepgbnc.exeC:\Windows\system32\Imepgbnc.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2396 -
C:\Windows\SysWOW64\Ifndph32.exeC:\Windows\system32\Ifndph32.exe103⤵PID:2888
-
C:\Windows\SysWOW64\Iofiimkd.exeC:\Windows\system32\Iofiimkd.exe104⤵
- System Location Discovery: System Language Discovery
PID:2480 -
C:\Windows\SysWOW64\Iecaad32.exeC:\Windows\system32\Iecaad32.exe105⤵PID:1776
-
C:\Windows\SysWOW64\Ijpjik32.exeC:\Windows\system32\Ijpjik32.exe106⤵PID:2604
-
C:\Windows\SysWOW64\Jeenfd32.exeC:\Windows\system32\Jeenfd32.exe107⤵PID:388
-
C:\Windows\SysWOW64\Jkpfcnoe.exeC:\Windows\system32\Jkpfcnoe.exe108⤵PID:1560
-
C:\Windows\SysWOW64\Jehklc32.exeC:\Windows\system32\Jehklc32.exe109⤵PID:1748
-
C:\Windows\SysWOW64\Jfigdl32.exeC:\Windows\system32\Jfigdl32.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2552 -
C:\Windows\SysWOW64\Jpalmaad.exeC:\Windows\system32\Jpalmaad.exe111⤵PID:2752
-
C:\Windows\SysWOW64\Jecnpg32.exeC:\Windows\system32\Jecnpg32.exe112⤵PID:3000
-
C:\Windows\SysWOW64\Klmfmacc.exeC:\Windows\system32\Klmfmacc.exe113⤵
- Modifies registry class
PID:2108 -
C:\Windows\SysWOW64\Keekeg32.exeC:\Windows\system32\Keekeg32.exe114⤵PID:2180
-
C:\Windows\SysWOW64\Kononm32.exeC:\Windows\system32\Kononm32.exe115⤵PID:800
-
C:\Windows\SysWOW64\Kiccle32.exeC:\Windows\system32\Kiccle32.exe116⤵PID:1652
-
C:\Windows\SysWOW64\Kopldl32.exeC:\Windows\system32\Kopldl32.exe117⤵PID:2652
-
C:\Windows\SysWOW64\Kejdqffo.exeC:\Windows\system32\Kejdqffo.exe118⤵PID:2436
-
C:\Windows\SysWOW64\Kkglim32.exeC:\Windows\system32\Kkglim32.exe119⤵PID:2680
-
C:\Windows\SysWOW64\Kaaeegkc.exeC:\Windows\system32\Kaaeegkc.exe120⤵
- Modifies registry class
PID:1604 -
C:\Windows\SysWOW64\Kfnmnojj.exeC:\Windows\system32\Kfnmnojj.exe121⤵PID:2872
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-